Jigsaw-Code / outline-apps

Outline Client and Manager, developed by Jigsaw. Outline Manager makes it easy to create your own VPN server. Outline Client lets you share access to your VPN with anyone in your network, giving them access to the free and open internet.
https://getoutline.org/
Apache License 2.0

How do I know the password of my server? #1035

Open alexlii1971 opened 3 years ago

alexlii1971 commented 3 years ago

Hello,

Maybe I missed something, but I did not find the answer after reading the documents.

I used Outline Manager to deploy a VPN server on DigitalOcean, but I did not receive a password by email.

Would you please let me know how to get the password?

Also, I am quite confused why there is no step to set a password for a new fresh server, but Outline Manager could still install the VPN on the server. This question is also related to the server security concern; would you please clarify?

warengonzaga commented 3 years ago

Hi @alexlii1971,

Outline Manager uses DigitalOcean APIs to automagically communicate with your droplets; the same goes for creating and assigning keys on your clients. Hope it helps.

kasisnu commented 3 years ago

Hi, it seems like there isn't a password set for the root account on the instance that's created, so there is nothing that can be recalled by Outline Manager or recovered without a password reset.

I was able to request a new password with doctl if you don't wish to use the console.


```
doctl compute droplet list
#...
#...
#...

# Use the ID/Name for the outline server below
doctl compute droplet-action get password-reset <droplet-id>
ID            Status         Type              Started At                       Completed At    Resource ID    Resource Type    Region
<droplet-action-id>    in-progress    password_reset    2021-06-23 10:59:28 +0000 UTC    <nil>           <droplet-id>      droplet         XXX
```

If you check your email (~30s later), you'll receive a password. On login, it'll force you to reset the temporary password.

```
doctl compute ssh <droplet-id>
root@X.X.X.X's password:
You are required to change your password immediately (root enforced)
...
```

Feel free to skip the following. I put it down because it seemed relevant to server security concerns.

As @WarenGonzaga mentioned, the DigitalOcean API is used to first set up the SSH key and a few other things like a server startup script as part of the droplet launch. The root password isn't set explicitly, and by using an SSH key to launch, DigitalOcean itself disables issuing a password for the root user; this is a feature. Once the Outline API is up, the token that Outline Manager receives is what gets used for further updates like adding a new key or modifying configuration. This is different from the login (authorization) tokens you can issue for users and yourself. It seems intentional to not request/persist the root password (probably to avoid user errors in configuration that could defeat any security measures, but I'm not sure). Nonetheless, security updates from DigitalOcean are enabled, so those get applied and might occasionally reboot the droplet but keep it up to date with security patches.

This is clearer if you look at the "launch on bare metal" steps from Outline Manager.

[Image: outline-manager-screenshot]

There are two different ports that are in play. The security that we get is a function of a lot of concepts. The following is what I've found looking around for a bit. It might be better to wait for a maintainer to confirm/correct.

References:

So this might not be super accurate, so best to wait for a comment or read the code if super keen. I'll keep updating this if my understanding changes.
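The password-reset flow shown in this comment, wrapped into a small POSIX sh script as an added example (this is not code from the issue thread or from the Outline project). It assumes `doctl` is installed and authenticated, and that the `password-reset` subcommand and the `--action-id` flag of `droplet-action get` behave as in doctl's documentation; the fake table output used in the comments is constructed to mirror the format pasted above, and `DOCTL` can be pointed at a wrapper so the parsing can be exercised without network access.

```shell
#!/bin/sh
# Added example, not part of the issue thread or the Outline project.
# Assumptions: doctl is installed and authenticated; the droplet-action
# subcommand syntax and the --action-id flag are taken from doctl's
# documentation. Check `doctl compute droplet-action --help` on your version.

DOCTL="${DOCTL:-doctl}"   # override to point at a wrapper, e.g. a fake in tests

# Extract the action ID (first column) from the table that
# `doctl compute droplet-action ...` prints: a header line, then one row.
action_id_from_table() {
    awk 'NR > 1 && NF > 0 { print $1; exit }'
}

# Extract the Status column (second column) from the same table.
action_status_from_table() {
    awk 'NR > 1 && NF > 0 { print $2; exit }'
}

# Request a root password reset for a droplet and print the resulting action ID.
# DigitalOcean then e-mails a temporary password that must be changed on login.
request_password_reset() {
    droplet_id="$1"
    "$DOCTL" compute droplet-action password-reset "$droplet_id" | action_id_from_table
}

# Poll the action until it leaves "in-progress". Returns 0 on "completed",
# 1 on any other terminal status or after max_tries polls.
wait_for_action() {
    droplet_id="$1"; action_id="$2"; max_tries="${3:-20}"; sleep_s="${4:-5}"
    tries=0
    while [ "$tries" -lt "$max_tries" ]; do
        status=$("$DOCTL" compute droplet-action get "$droplet_id" --action-id "$action_id" \
                 | action_status_from_table)
        case "$status" in
            completed) return 0 ;;
            in-progress) ;;
            *) echo "action $action_id ended with status '$status'" >&2; return 1 ;;
        esac
        tries=$((tries + 1))
        sleep "$sleep_s"
    done
    echo "timed out waiting for action $action_id" >&2
    return 1
}

# Usage (requires doctl; <droplet-id> is the ID from `doctl compute droplet list`):
#   DROPLET=<droplet-id>
#   ACTION=$(request_password_reset "$DROPLET")
#   wait_for_action "$DROPLET" "$ACTION" && echo "check your e-mail for the temporary password"
```

The polling loop treats any status other than `in-progress` or `completed` as a failure rather than looping forever, and the table parsers only look at the first two columns, so the space-containing `Started At` column does not disturb them.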

kasisnu commented 3 years ago

To add, I don't think (it doesn't seem like) Outline Manager ever SSHes in again. The private key is lost, but DigitalOcean remembers, which is why you can SSH in if you use doctl or the console, but it prompts for the root password, which wasn't set explicitly or stored anywhere, so you'll have to fall back to a password reset, which is more magic but not directly useful here.

If you really want persistent access, you could add your public key after the password reset and that should work okay I think (not tested).
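The follow-up step suggested in this comment, as an added example (not from the thread or the Outline project): once you are logged in after the password reset, install your own public key idempotently and then check the two `sshd_config` keywords that decide whether root can still log in with a password at all. File paths are parameters so the functions can be run against copies; the defaults are the usual locations, the public key in the usage note is a constructed placeholder, and `Match` blocks in `sshd_config` are not evaluated.

```shell
#!/bin/sh
# Added example, not part of the issue thread or the Outline project.
# Run on the droplet as root after the password-reset login described above.

# Append a public key to authorized_keys only if it is not already present.
# Keys are compared on "type blob" only, so a different trailing comment does
# not create a duplicate entry. Returns 0 if the key is present afterwards.
add_authorized_key() {
    pubkey="$1"; auth_file="${2:-$HOME/.ssh/authorized_keys}"
    auth_dir=$(dirname "$auth_file")
    mkdir -p "$auth_dir" && chmod 700 "$auth_dir"
    [ -f "$auth_file" ] || : > "$auth_file"
    chmod 600 "$auth_file"
    key_blob=$(printf '%s\n' "$pubkey" | awk '{ print $1 " " $2 }')
    if awk -v want="$key_blob" '($1 " " $2) == want { found = 1 } END { exit !found }' "$auth_file"; then
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$auth_file"
}

# Effective value of an sshd_config keyword. sshd uses the FIRST occurrence of
# a keyword, so that is what we read; the caller supplies the compiled-in
# default for the case where the keyword is absent. Match blocks are ignored.
sshd_setting() {
    keyword="$1"; config="${2:-/etc/ssh/sshd_config}"; default="$3"
    value=$(awk -v kw="$keyword" 'tolower($1) == tolower(kw) { print $2; exit }' "$config")
    printf '%s\n' "${value:-$default}"
}

# Root can log in with a password only when BOTH PasswordAuthentication is yes
# AND PermitRootLogin is yes. Prints "ok" when at least one of them rules that
# out, "password-login-possible" otherwise. OpenSSH defaults: yes / prohibit-password.
audit_root_password_login() {
    config="${1:-/etc/ssh/sshd_config}"
    pw=$(sshd_setting PasswordAuthentication "$config" yes)
    root=$(sshd_setting PermitRootLogin "$config" prohibit-password)
    case "$pw/$root" in
        no/*|*/no|*/prohibit-password|*/without-password) echo ok ;;
        *) echo password-login-possible ;;
    esac
}

# Usage on the droplet (constructed placeholder key; use your own):
#   add_authorized_key 'ssh-ed25519 AAAA...yourkey... you@laptop'
#   audit_root_password_login          # expect "ok" once password login is off
#   # then set PasswordAuthentication no in /etc/ssh/sshd_config, test a new
#   # key-based login in a second session, and reload sshd.
```

The audit is deliberately conservative: it reads the first occurrence of each keyword as sshd does, but it does not parse `Match` blocks or `Include` directives, so on a host that uses either, confirm the result with `sshd -T` before relying on it.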