coordination #157537

Updated by okurz about 1 month ago

## Motivation 
 In https://sd.suse.com/servicedesk/customer/portal/1/SD-150437 we are asked to handle "compromised root passwords in QA segments" including s390zl11…16. We should secure our network and password handling better.

 ## Acceptance criteria 
 * **AC1:** No openQA test machines directly accessible by SUSE users use ssh root with publicly known passwords

 ## Ideas 
 1. Be able to set a different password valid for tests, in particular s390kvm…, e.g. be able to set password by test variable and follow through in the complete test platform -> #157555 
 2. Key based authentication -> #157744 
 3. Rotating, automatic passwords saved as test variables connected to images, e.g. to be able to use a pre-installed image 
 4. Better secure the networks to have s390kvm… (and others) less accessible -> We have stated the requirement in https://confluence.suse.com/pages/viewpage.action?pageId=1006108843 that ssh 22/tcp needs to be reachable. We could try to replicate the setup we know from o3 to give OSD a second network interface which allows ssh 22/tcp and block ssh 22/tcp on .oqa.prg2.suse.org as usually we don't need ssh to workers, just from within the oqa network as well as for administrative purposes for which we could go over OSD which we also already normally do for salt. -> #157750 
 5. If there is a need to secure the VNC server itself, take a look at https://github.com/search?q=repo%3Aos-autoinst%2Fos-autoinst-distri-opensuse%20vncpasswd&type=code as in some cases a VNC password is already used.
