Cover image for LXD password and token Security

LXD Password and Token Security

LXD has many ways of handling authentication. You can use passwords or you can use tokens, you can even use something called Candid for handling authentication with advanced RBAC capabilities. In this post we will cover some best practices for setting up LXD and how to make sure your cluster is secure.

Password Authentication

When you initialize your LXD cluster there is one option where it asks you if you want to setup a password for your cluster. For the most part I would recommend choosing ‘no’ for this. What this option does is it sets up password authentication for the cluster.

When you need to add trusted clients to the cluster you are able to use this password. For simple setups this should be ok. What the official LXD documentation recommends is once you’ve added all the clients you unset the trust password.

You can unset the password by running the following command:

lxc config unset core.trust_password

If you want to set the password to something else you can also do:

lxc config set core.trust_password someSecret

However LXD offers a much better authentication option which is simple and secure.

Token Based Authentication

My recommendation is if you’re using LXD version > 4.23 you have the option of dropping password authentication altogether. You can switch to completely using token based authentication.

Generating a Trust Token

If you wish to add a trusted client to LXD using tokens you can do so by using the following command:

lxc config trust add

Please provide client name: example

If you want to add a token and specify the name without waiting for the prompt you can do so in this way:

lxc config trust add --name example

This will spit out the token right away without a prompt asking for a name.

Once you type the name in LXD will generate a token. You can then give this token to the client who is trying to access your cluster. When they’re asked for the password they can use the token in place of the password.

At this point you may ask, how is this different from passwords. The main difference is the following:

  • Tokens are 1 time use which means once they’re consumed they can’t be used again
  • This inherently means they cannot be shared
  • Because tokens are not persistent the cluster is not suseptible to brute-force attack

Viewing a List of Tokens

If you wish to see a list of issued tokens you can use the following command:

lxc config trust list-tokens

This will spit out all the tokens you’ve issued. If you name your tokens correctly you can easily see who they’re issued to. You can also revoke the token by using the following:

lxc config trust revoke-token example

As you can see tokens offer much better control over how your LXD cluster is accessed.

Managing Clients

Once a client is authenticated to access your cluster you can view a list of clients using the following:

lxc config trust list

This should spit out a list of clients that your LXD cluster trusts. You can also remove clients by using the following:

lxc config trust remove [name]

This post is designed to give you a quick understanding of how authentication works in LXD and how you can have control over who accesses your cluster. We hope you enjoyed it!

Instellar Updates

If you wish to stay informed about instellar.app sign up to our mailing list.