Open alexlii1971 opened 3 years ago
Hi @alexlii1971,
Outline Manager uses DigitalOcean APIs to automagically communicate with your droplets, and the same goes for creating and assigning keys on your clients. Hope it helps.
Hi, it seems like there isn't a password set for the root account on the instance that's created - that can be recalled either by Outline Manager or recovered without a password reset.
I was able to request a new password with doctl if you don't wish to use the console.

```
doctl compute droplet list
#...
#...
#...
# Use the ID/Name for the outline server below
doctl compute droplet-action password-reset <droplet-id>
ID Status Type Started At Completed At Resource ID Resource Type Region
<droplet-action-id> in-progress password_reset 2021-06-23 10:59:28 +0000 UTC <nil> <droplet-id> droplet XXX
```

If you check your email (~30s later), you'll receive a password. On login, it'll force you to reset the temporary password.

```
doctl compute ssh <droplet-id>
root@X.X.X.X's password:
You are required to change your password immediately (root enforced)
...
```
Feel free to skip the following. I put it down because it seemed relevant to server security concerns.
As @WarenGonzaga mentioned, the DigitalOcean API is used to first set up the SSH key and a few other things, like a server startup script, as part of the droplet launch. The root password isn't set explicitly, and by using an SSH key to launch, DigitalOcean itself disables issuing a password for the root user - this is a feature. Once the Outline API is up, the token that Outline Manager receives is what gets used for further updates like adding a new key or modifying configuration. This is different from the login (authorization) tokens you can issue for users and yourself. It seems intentional to not request/persist the root password (probably to avoid user errors in configuration that could defeat any security measures, but I'm not sure). Nonetheless, security updates from DigitalOcean are enabled, so those get applied and might occasionally reboot the droplet but keep it up to date with security patches.
This is clearer if you look at the launch bare metal steps from Outline Manager.
There are two different ports that are in play. The security that we get is a function of a lot of concepts. The following is what I've found looking around for a bit. It might be better to wait for a maintainer to confirm/correct.
So this might not be super accurate so best to wait for a comment or read the code if super keen. I'll keep updating this if my understanding changes.
To add, I don't think (it doesn't seem like) Outline Manager ever SSHes in again. The private key is lost, but DigitalOcean remembers, which is why you can SSH in if you use doctl or the console, but it prompts for the root password, which wasn't set explicitly or stored anywhere, so you'll have to fall back to a password reset, which is more magic but not directly useful here.
If you really want persistent access, you could add your public key after the password reset and that should work okay, I think (not tested).
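The suggestion above of adding your own public key after the password reset, sketched as an added example (not code from this thread or from the Outline project). It assumes you are logged in on the droplet as root; the function name `install_pubkey` is hypothetical and the key shown in the comment is a constructed placeholder.

```shell
#!/bin/sh
# install_pubkey <public-key-line> [home-dir]
# Appends one OpenSSH public key to <home-dir>/.ssh/authorized_keys.
# Safe to re-run: an identical line is never added twice.
install_pubkey() {
    key=$1
    home=${2:-$HOME}
    ssh_dir=$home/.ssh
    auth=$ssh_dir/authorized_keys

    # authorized_keys holds one key per line; reject embedded newlines.
    if [ "$(printf '%s' "$key" | wc -l)" -ne 0 ]; then
        echo "refusing multi-line input" >&2
        return 2
    fi

    # Accept only public-key lines. This also catches the common mistake
    # of pasting the private key file instead of the .pub file.
    case $key in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not an OpenSSH public key line" >&2; return 2 ;;
    esac

    # sshd (StrictModes, on by default) ignores authorized_keys when the
    # directory or file is writable by group or others.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Exact whole-line match keeps the operation idempotent.
    if grep -qxF -- "$key" "$auth"; then
        return 0
    fi
    printf '%s\n' "$key" >> "$auth"
}

# Usage (constructed key, replace with the contents of your own .pub file):
#   sh install_pubkey.sh 'ssh-ed25519 AAAAC3Nza...constructed admin@example'
if [ "$#" -gt 0 ]; then
    install_pubkey "$@"
fi
```

Confirm that key-based login works from a second terminal before closing the password session.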
Hello,
Maybe I missed something, but I did not find the answer after reading the documents.
I used Outline Manager to deploy a VPN server on DigitalOcean, but I did not receive a password by email.
Would you please let me know how to get the password?
Also, I am quite confused about why there is no step to set a password for the fresh new server, yet Outline Manager could still install the VPN on the server. This question is also related to the server security concern. Would you please clarify?