vic-machine debug --rootpw enables SSH

[stuclem]

@stuclem commented on Wed Sep 06 2017

From Slack:

Eduardo Meirelles [7:47 PM]
BTW… not sure if you guys have a chance to look at --rootpw behavior…when I ran debug --rootpw it also enabled SSH access, even though I did not specify --enable-ssh option.

Matt Williamson [8:00 PM]
i just confirmed that using the rootpw flag in 1.1.1 also enabled ssh access.

[8:00]
the docs should be updated to reflect that rootpw enables SSH AND changes the default password

[8:00]
where enable_ssh turns it on with the default password

---

@stuclem commented on Mon Sep 18 2017

@mdubya66 and @emeirell if I remember correctly the discussions that I had with @hickeng at the time that he added these options, this is actually a bug in the implementation of --rootpw.

I believe that the intention is for vic-machine debug to work as documented, i.e. --rootpw activates Shell access only, and then if used in combination with --enable-ssh, it enables shell and SSH access, using the same password. I can't fully remember why this separation was necessary, but @hickeng and I did go around the houses a few times when I wrote up these topics (with substantial contribution from @hickeng, IIRC).

Of course, even if the docs do present the desired behaviour, they do not present the actual behaviour. So, we have two options:

• Make the current behaviour the official behaviour and rewrite the docs accordingly.
• Fix the implementation of --rootpw in the product, and in the meantime, document the fact that --rootpw also enables SSH as a Known Issue in the release notes.

Which do you prefer?

---

@emeirell commented on Mon Sep 18 2017

Fixing the implementation of --rootpw seems the right thing to do.
This security granularity control is greatly appreciated within customers.

---

@stuclem commented on Thu Sep 21 2017

In the meantime, I'll add this as a Known Issue in the release notes.

---

@stuclem commented on Thu Sep 21 2017

Moving this to the vic repo, as this is an engineering issue rather than a doc issue. I did not find an existing issue about --rootpw enabling SSH.

[hickeng]

Concur - we should just fix the behaviour to work as described. The conflation of ssh with setting of password appears to be in the Dispatcher call for DebugVCH (lib/install/management/debug.go).

We should also update cmd/vic-init/toolbox.go to use the recently added LaunchUtility instead of working around the lack of exitCodes in the presence of a child reaper.

[stuclem]

Added to https://github.com/vmware/vic/releases/tag/v1.2.1#knownissues. Leaving the doc as they are currently, as they describe the correct behavior.