LXD Password and Token Security
LXD has many ways of handling authentication. You can use passwords or you can use tokens, you can even use something called Candid for handling authentication with advanced RBAC capabilities. In this post we will cover some best practices for setting up LXD and how to make sure your cluster is secure.
When you initialize your LXD cluster there is one option where it asks you if you want to setup a password for your cluster. For the most part I would recommend choosing ‘no’ for this. What this option does is it sets up password authentication for the cluster.
When you need to add trusted clients to the cluster you are able to use this password. For simple setups this should be ok. What the official LXD documentation recommends is once you’ve added all the clients you
unset the trust password.
You can unset the password by running the following command:
lxc config unset core.trust_password
If you want to set the password to something else you can also do:
lxc config set core.trust_password someSecret
However LXD offers a much better authentication option which is simple and secure.
Token Based Authentication
My recommendation is if you’re using LXD version > 4.23 you have the option of dropping password authentication altogether. You can switch to completely using token based authentication.
Generating a Trust Token
If you wish to add a trusted client to LXD using tokens you can do so by using the following command:
lxc config trust add Please provide client name: example
If you want to add a token and specify the name without waiting for the prompt you can do so in this way:
lxc config trust add --name example
This will spit out the token right away without a prompt asking for a name.
Once you type the name in LXD will generate a token. You can then give this token to the client who is trying to access your cluster. When they’re asked for the password they can use the token in place of the password.
At this point you may ask, how is this different from passwords. The main difference is the following:
- Tokens are 1 time use which means once they’re consumed they can’t be used again
- This inherently means they cannot be shared
- Because tokens are not persistent the cluster is not suseptible to brute-force attack
Viewing a List of Tokens
If you wish to see a list of issued tokens you can use the following command:
lxc config trust list-tokens
This will spit out all the tokens you’ve issued. If you name your tokens correctly you can easily see who they’re issued to. You can also revoke the token by using the following:
lxc config trust revoke-token example
As you can see tokens offer much better control over how your LXD cluster is accessed.
Once a client is authenticated to access your cluster you can view a list of clients using the following:
lxc config trust list
This should spit out a list of clients that your LXD cluster trusts. You can also remove clients by using the following:
lxc config trust remove [name]
This post is designed to give you a quick understanding of how authentication works in LXD and how you can have control over who accesses your cluster. We hope you enjoyed it!