ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    XenServer Disable Root

    Scheduled Pinned Locked Moved IT Discussion
    78 Posts 8 Posters 15.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • DustinB3403D
      DustinB3403 @stacksofplates
      last edited by gjacobse

      @stacksofplates said in XenServer Disable Root:

      @DustinB3403 said in XenServer Disable Root:

      So your concern shouldn't be "How do I disable root" but it should be; How do I ensure no one else has XenCenter installed and access to my servers?

      No it should still be how do I disable remote root access. That's the issue that needs to be resolved.

      But that issue has already been solved.
      Remote root access is disabled via the information I've already provided.

      You're contriving a separate issue into this one.

      Remove XenCenter installable from the XS systems, and uninstall it from everyones' computers.

      Problem solved.

      stacksofplatesS 1 Reply Last reply Reply Quote 0
      • stacksofplatesS
        stacksofplates @DustinB3403
        last edited by

        @DustinB3403 said in XenServer Disable Root:

        To which,

        What I would do is remove the XC installable from XenServer's webconsole, and configure everything on Xen Orchestra.

        Then do a sweep of your network ensuring no one has XenCenter that isn't supposed to.

        So first off, I can't do a sweep of our network. We have like 800 people working here and I don't control the network. Second, to meet SCAP we need to disable all remote root access. If I can't do that, then it doesn't work.

        DustinB3403D 1 Reply Last reply Reply Quote 0
        • stacksofplatesS
          stacksofplates @DustinB3403
          last edited by stacksofplates

          @DustinB3403 said in XenServer Disable Root:

          @stacksofplates said in XenServer Disable Root:

          @DustinB3403 said in XenServer Disable Root:

          So your concern shouldn't be "How do I disable root" but it should be; How do I ensure no one else has XenCenter installed and access to my servers?

          No it should still be how do I disable remote root access. That's the issue that needs to be resolved.

          But that issue has already been solved.
          Remote root access is disabled via the information I've already provided.

          You're contriving a separate issue into this one.

          Remove XenCenter installable from the XS systems, and uninstall it from everyones' computers.

          Problem solved.

          No it's not. If I open XenCenter and type root for a username it works. That's remote root access. SSH isn't the only remote access available.

          travisdh1T 1 Reply Last reply Reply Quote 0
          • DustinB3403D
            DustinB3403 @stacksofplates
            last edited by gjacobse

            @stacksofplates said in XenServer Disable Root:

            @DustinB3403 said in XenServer Disable Root:

            To which,

            What I would do is remove the XC installable from XenServer's webconsole, and configure everything on Xen Orchestra.

            Then do a sweep of your network ensuring no one has XenCenter that isn't supposed to.

            So first off, I can't do a sweep of our network. We have like 800 people working here and I don't control the network. Second, to meet SCAP we need to disable all remote root access. If I can't do that, then it doesn't work.

            But you are disabling remote root access.

            Because someone has XenCenter installed gives them console access. It's not considered remote. The solution to this is sweep the network, and remove XC from the network.

            And disable SSH root access as already described.

            1 Reply Last reply Reply Quote -1
            • travisdh1T
              travisdh1 @stacksofplates
              last edited by gjacobse

              @stacksofplates said in XenServer Disable Root:

              @DustinB3403 said in XenServer Disable Root:

              @stacksofplates said in XenServer Disable Root:

              @DustinB3403 said in XenServer Disable Root:

              So your concern shouldn't be "How do I disable root" but it should be; How do I ensure no one else has XenCenter installed and access to my servers?

              No it should still be how do I disable remote root access. That's the issue that needs to be resolved.

              But that issue has already been solved.
              Remote root access is disabled via the information I've already provided.

              You're contriving a separate issue into this one.

              Remove XenCenter installable from the XS systems, and uninstall it from everyones' computers.

              Problem solved.

              No it's not. If I open XenCenter and type root for a username it works. That's remote root access. SSH isn't the only remote access available.

              XenCenter is the LOCAL CONSOLE, it's not "remote" in any way. Literally a pts (tty serial port.)

              1 Reply Last reply Reply Quote 1
              • travisdh1T
                travisdh1
                last edited by

                Why is the management interface even on the standard network instead of on a VLAN or dedicated management network?

                stacksofplatesS 1 Reply Last reply Reply Quote 0
                • stacksofplatesS
                  stacksofplates @travisdh1
                  last edited by

                  @travisdh1 said in XenServer Disable Root:

                  Why is the management interface even on the standard network instead of on a VLAN or dedicated management network?

                  Well it's on our server VLAN, but as I don't control the network I can't see what has access to what. Plus even if that's considered local console access, users created on the system have root access through that console. So if I log in as jhooks through XenCenter, I'm given the root console. So I can't hand off any access to anyone else to just control the VMs.

                  travisdh1T DashrenderD 2 Replies Last reply Reply Quote 0
                  • travisdh1T
                    travisdh1 @stacksofplates
                    last edited by gjacobse

                    @stacksofplates said in XenServer Disable Root:

                    @travisdh1 said in XenServer Disable Root:

                    Why is the management interface even on the standard network instead of on a VLAN or dedicated management network?

                    Well it's on our server VLAN, but as I don't control the network I can't see what has access to what. Plus even if that's considered local console access, users created on the system have root access through that console. So if I log in as jhooks through XenCenter, I'm given the root console. So I can't hand off any access to anyone else to just control the VMs.

                    So someone else HAS to be responsible for that portion. Inform the boss of the requirements, and that it's beyond your assigned duties. Not your problem.

                    stacksofplatesS 1 Reply Last reply Reply Quote 1
                    • DustinB3403D
                      DustinB3403
                      last edited by DustinB3403

                      As far as you've described this topic, the issue is easily resolved.

                      Also in XenCenter you can configure the username used to sign into the systems. So you could very easily configure a user(admin) to login as jhooks on xenserver-one.

                      But this is again the Local Console, and not remote in any way. Other than physically as you aren't sitting at the server with a keyboard and monitor.

                      stacksofplatesS 1 Reply Last reply Reply Quote 2
                      • stacksofplatesS
                        stacksofplates @DustinB3403
                        last edited by

                        @DustinB3403 said in XenServer Disable Root:

                        Also in XenCenter you can configure the username used to sign into the systems.

                        Yes and when you do that they have root access.

                        1 Reply Last reply Reply Quote 0
                        • stacksofplatesS
                          stacksofplates @travisdh1
                          last edited by gjacobse

                          @travisdh1 said in XenServer Disable Root:

                          @stacksofplates said in XenServer Disable Root:

                          @travisdh1 said in XenServer Disable Root:

                          Why is the management interface even on the standard network instead of on a VLAN or dedicated management network?

                          Well it's on our server VLAN, but as I don't control the network I can't see what has access to what. Plus even if that's considered local console access, users created on the system have root access through that console. So if I log in as jhooks through XenCenter, I'm given the root console. So I can't hand off any access to anyone else to just control the VMs.

                          So someone else HAS to be responsible for that portion. Inform the boss of the requirements, and that it's beyond your assigned duties. Not your problem.

                          I'm responsible for our systems meeting our security requirements. If I can't stop things like that from happening, I'll have to use something else.

                          travisdh1T 1 Reply Last reply Reply Quote 0
                          • travisdh1T
                            travisdh1 @stacksofplates
                            last edited by gjacobse

                            @stacksofplates said in XenServer Disable Root:

                            @travisdh1 said in XenServer Disable Root:

                            @stacksofplates said in XenServer Disable Root:

                            @travisdh1 said in XenServer Disable Root:

                            Why is the management interface even on the standard network instead of on a VLAN or dedicated management network?

                            Well it's on our server VLAN, but as I don't control the network I can't see what has access to what. Plus even if that's considered local console access, users created on the system have root access through that console. So if I log in as jhooks through XenCenter, I'm given the root console. So I can't hand off any access to anyone else to just control the VMs.

                            So someone else HAS to be responsible for that portion. Inform the boss of the requirements, and that it's beyond your assigned duties. Not your problem.

                            I'm responsible for our systems meeting our security requirements. If I can't stop things like that from happening, I'll have to use something else. We have

                            So you can't do you're job. You need to communicate this to management, and get that network information. You literally CAN NOT do even basic security without that very basic information!

                            stacksofplatesS 1 Reply Last reply Reply Quote 1
                            • stacksofplatesS
                              stacksofplates @travisdh1
                              last edited by stacksofplates

                              @travisdh1 said in XenServer Disable Root:

                              @stacksofplates said in XenServer Disable Root:

                              @travisdh1 said in XenServer Disable Root:

                              @stacksofplates said in XenServer Disable Root:

                              @travisdh1 said in XenServer Disable Root:

                              Why is the management interface even on the standard network instead of on a VLAN or dedicated management network?

                              Well it's on our server VLAN, but as I don't control the network I can't see what has access to what. Plus even if that's considered local console access, users created on the system have root access through that console. So if I log in as jhooks through XenCenter, I'm given the root console. So I can't hand off any access to anyone else to just control the VMs.

                              So someone else HAS to be responsible for that portion. Inform the boss of the requirements, and that it's beyond your assigned duties. Not your problem.

                              I'm responsible for our systems meeting our security requirements. If I can't stop things like that from happening, I'll have to use something else. We have

                              So you can't do you're job. You need to communicate this to management, and get that network information. You literally CAN NOT do even basic security without that very basic information!

                              Sorry I meant I if I can't stop other people running VMs from having root access on this system I'll need to use something else. That's kind of crazy that if I connect to a host with XenCenter as a non privileged user, I still get the root console. I don't understand that.

                              travisdh1T 1 Reply Last reply Reply Quote 0
                              • travisdh1T
                                travisdh1 @stacksofplates
                                last edited by gjacobse

                                @stacksofplates said in XenServer Disable Root:

                                @travisdh1 said in XenServer Disable Root:

                                @stacksofplates said in XenServer Disable Root:

                                @travisdh1 said in XenServer Disable Root:

                                @stacksofplates said in XenServer Disable Root:

                                @travisdh1 said in XenServer Disable Root:

                                Why is the management interface even on the standard network instead of on a VLAN or dedicated management network?

                                Well it's on our server VLAN, but as I don't control the network I can't see what has access to what. Plus even if that's considered local console access, users created on the system have root access through that console. So if I log in as jhooks through XenCenter, I'm given the root console. So I can't hand off any access to anyone else to just control the VMs.

                                So someone else HAS to be responsible for that portion. Inform the boss of the requirements, and that it's beyond your assigned duties. Not your problem.

                                I'm responsible for our systems meeting our security requirements. If I can't stop things like that from happening, I'll have to use something else. We have

                                So you can't do you're job. You need to communicate this to management, and get that network information. You literally CAN NOT do even basic security without that very basic information!

                                Sorry I meant I if I can't stop other people running VMs from having root access on this system I'll need to use something else. That's kind of crazy that if I connect to a host with XenCenter as a non privileged user, I still get the root console. I don't understand that.

                                I know what you mean. I'm sorry, I don't know how to state this another way so you could maybe understand. This is why you need to know how the network is configured. It's right in the configuration documentation for XenServer. The management interface goes on a private network, period, end of story.

                                stacksofplatesS 1 Reply Last reply Reply Quote -1
                                • stacksofplatesS
                                  stacksofplates @travisdh1
                                  last edited by stacksofplates

                                  @travisdh1 said in XenServer Disable Root:

                                  @stacksofplates said in XenServer Disable Root:

                                  @travisdh1 said in XenServer Disable Root:

                                  @stacksofplates said in XenServer Disable Root:

                                  @travisdh1 said in XenServer Disable Root:

                                  @stacksofplates said in XenServer Disable Root:

                                  @travisdh1 said in XenServer Disable Root:

                                  Why is the management interface even on the standard network instead of on a VLAN or dedicated management network?

                                  Well it's on our server VLAN, but as I don't control the network I can't see what has access to what. Plus even if that's considered local console access, users created on the system have root access through that console. So if I log in as jhooks through XenCenter, I'm given the root console. So I can't hand off any access to anyone else to just control the VMs.

                                  So someone else HAS to be responsible for that portion. Inform the boss of the requirements, and that it's beyond your assigned duties. Not your problem.

                                  I'm responsible for our systems meeting our security requirements. If I can't stop things like that from happening, I'll have to use something else. We have

                                  So you can't do you're job. You need to communicate this to management, and get that network information. You literally CAN NOT do even basic security without that very basic information!

                                  Sorry I meant I if I can't stop other people running VMs from having root access on this system I'll need to use something else. That's kind of crazy that if I connect to a host with XenCenter as a non privileged user, I still get the root console. I don't understand that.

                                  I know what you mean. I'm sorry, I don't know how to state this another way so you could maybe understand. This is why you need to know how the network is configured. It's right in the configuration documentation for XenServer. The management interface goes on a private network, period, end of story.

                                  Ah I see what you were saying. I guess what I was saying was we have people who we don't want to have root access to be able to control and change some VMs. So even on a management VLAN, if we give them a non-sudo account and they use that account in XenCenter they now have root access no matter what.

                                  I guess you could say only give it to people you trust, but that kind of undermines the whole point of role based permissions.

                                  DustinB3403D 1 Reply Last reply Reply Quote 0
                                  • DustinB3403D
                                    DustinB3403 @stacksofplates
                                    last edited by gjacobse

                                    @stacksofplates said in XenServer Disable Root:

                                    @travisdh1 said in XenServer Disable Root:

                                    @stacksofplates said in XenServer Disable Root:

                                    @travisdh1 said in XenServer Disable Root:

                                    @stacksofplates said in XenServer Disable Root:

                                    @travisdh1 said in XenServer Disable Root:

                                    @stacksofplates said in XenServer Disable Root:

                                    @travisdh1 said in XenServer Disable Root:

                                    Why is the management interface even on the standard network instead of on a VLAN or dedicated management network?

                                    Well it's on our server VLAN, but as I don't control the network I can't see what has access to what. Plus even if that's considered local console access, users created on the system have root access through that console. So if I log in as jhooks through XenCenter, I'm given the root console. So I can't hand off any access to anyone else to just control the VMs.

                                    So someone else HAS to be responsible for that portion. Inform the boss of the requirements, and that it's beyond your assigned duties. Not your problem.

                                    I'm responsible for our systems meeting our security requirements. If I can't stop things like that from happening, I'll have to use something else. We have

                                    So you can't do you're job. You need to communicate this to management, and get that network information. You literally CAN NOT do even basic security without that very basic information!

                                    Sorry I meant I if I can't stop other people running VMs from having root access on this system I'll need to use something else. That's kind of crazy that if I connect to a host with XenCenter as a non privileged user, I still get the root console. I don't understand that.

                                    I know what you mean. I'm sorry, I don't know how to state this another way so you could maybe understand. This is why you need to know how the network is configured. It's right in the configuration documentation for XenServer. The management interface goes on a private network, period, end of story.

                                    Ah I see what you were saying. I guess what I was saying was we have people who we don't want to have root access to be able to control and change some VMs. So even on a management VLAN, if we give them a non-sudo account and they use that account in XenCenter they now have root access no matter what.

                                    I guess you could say only give it to people you trust, but that kind of undermines the whole point of role based permissions.

                                    Or you don't install XenCenter for them and configure users to only be able to manage specific VM's on Xen Orchestra.

                                    coliverC 1 Reply Last reply Reply Quote 1
                                    • coliverC
                                      coliver @DustinB3403
                                      last edited by gjacobse

                                      @DustinB3403 said in XenServer Disable Root:

                                      @stacksofplates said in XenServer Disable Root:

                                      @travisdh1 said in XenServer Disable Root:

                                      @stacksofplates said in XenServer Disable Root:

                                      @travisdh1 said in XenServer Disable Root:

                                      @stacksofplates said in XenServer Disable Root:

                                      @travisdh1 said in XenServer Disable Root:

                                      @stacksofplates said in XenServer Disable Root:

                                      @travisdh1 said in XenServer Disable Root:

                                      Why is the management interface even on the standard network instead of on a VLAN or dedicated management network?

                                      Well it's on our server VLAN, but as I don't control the network I can't see what has access to what. Plus even if that's considered local console access, users created on the system have root access through that console. So if I log in as jhooks through XenCenter, I'm given the root console. So I can't hand off any access to anyone else to just control the VMs.

                                      So someone else HAS to be responsible for that portion. Inform the boss of the requirements, and that it's beyond your assigned duties. Not your problem.

                                      I'm responsible for our systems meeting our security requirements. If I can't stop things like that from happening, I'll have to use something else. We have

                                      So you can't do you're job. You need to communicate this to management, and get that network information. You literally CAN NOT do even basic security without that very basic information!

                                      Sorry I meant I if I can't stop other people running VMs from having root access on this system I'll need to use something else. That's kind of crazy that if I connect to a host with XenCenter as a non privileged user, I still get the root console. I don't understand that.

                                      I know what you mean. I'm sorry, I don't know how to state this another way so you could maybe understand. This is why you need to know how the network is configured. It's right in the configuration documentation for XenServer. The management interface goes on a private network, period, end of story.

                                      Ah I see what you were saying. I guess what I was saying was we have people who we don't want to have root access to be able to control and change some VMs. So even on a management VLAN, if we give them a non-sudo account and they use that account in XenCenter they now have root access no matter what.

                                      I guess you could say only give it to people you trust, but that kind of undermines the whole point of role based permissions.

                                      Or you don't install XenCenter for them and configure users to only be able to manage specific VM's on Xen Orchestra.

                                      This, who is going to have XenCenter access? If an errant user installs it they shouldn't be able to navigate to the VLAN that hosts it. XenCenter, at this point, should only be used to get Xen Orchestra setup.

                                      1 Reply Last reply Reply Quote 1
                                      • stacksofplatesS
                                        stacksofplates
                                        last edited by stacksofplates

                                        A big issue is this is all air gapped. So as much as I'd love to use XO, I would need updates by the time I got everything set up. Stuff has to be physically moved to this network. No outside access of any kind on the whole thing makes everything take much longer. So while yes, cloning the git repo is easy, I still have to hand it off to a dedicated person to scan the contents and make sure nothing is malicious and then it has to be moved from there into a repository. Then I go in and move it to where I need it.

                                        scottalanmillerS coliverC 2 Replies Last reply Reply Quote 0
                                        • scottalanmillerS
                                          scottalanmiller @stacksofplates
                                          last edited by gjacobse

                                          @stacksofplates said in XenServer Disable Root:

                                          A big issue is this is all air gapped. So as much as I'd love to use XO, I would need updates by the time I got everything set up.

                                          Is that not also true with XenCenter?

                                          stacksofplatesS 1 Reply Last reply Reply Quote 1
                                          • stacksofplatesS
                                            stacksofplates @scottalanmiller
                                            last edited by stacksofplates

                                            @scottalanmiller said in XenServer Disable Root:

                                            @stacksofplates said in XenServer Disable Root:

                                            A big issue is this is all air gapped. So as much as I'd love to use XO, I would need updates by the time I got everything set up.

                                            Is that not also true with XenCenter?

                                            Yes. Which is why I'm kind of leaning towards KVM because updates would all be done from Red Hat. Then everything would be on the same schedule.

                                            scottalanmillerS 1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 3
                                            • 4
                                            • 4 / 4
                                            • First post
                                              Last post