Hardening the vcap user’s password on BOSH VMs

Locking down your BOSH VMs? Here’s a handy guide to the options at your disposal for overriding the default password of BOSH’s vcap user:

Customize it in your manifest

In each resource pool (or VM type) configuration in your BOSH manifest (or cloud config manifest), you can specify env.bosh.password. This overrides the password for the vcap user. The value to put in your manifest is a HASH of the password, not the password itself, and should be generated using mkpasswd -s -m sha-512 (you’ll need a Linux VM with the whois package installed). The downside to this approach is that it must be repeated for each resource pool/VM type you deploy. Cloud Config makes this a little easier, since you are able to re-use VM types across deployments, but it still requires remembering.

Here’s a quick example on BOSH-Lite:

$ mkpasswd -s -m sha-512
Password: REDACTED
$6$KhPGar7zCLLtPU$afuBqZMg5PRLM/3opVltVOA7Tm3IZJr14mr6QmECAIioGw5HaJdG2HhhOczDQ2UubHPcZYXHTK6jB6OKyBWBv/
$ cat manifest.yml
...
resource_pools:
  - name: my-job
    cloud_properties: {}
    network: default
    env:
      bosh:
        password: $6$KhPGar7zCLLtPU$afuBqZMg5PRLM/3opVltVOA7Tm3IZJr14mr6QmECAIioGw5HaJdG2HhhOczDQ2UubHPcZYXHTK6jB6OKyBWBv/
    stemcell:
      name: bosh-warden-boshlite-ubuntu-trusty-go_agent
      sha1: 7c1c34df689772c7b14ce85322c4c044fafe7dbe
      url: https://bosh.io/d/stemcells/bosh-warden-boshlite-ubuntu-trusty-go_agent?v=3262.2
      version: 3262.2
...
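Two things tend to go wrong with the approach above: the hash is produced on a machine you do not control, or one resource pool is simply forgotten. As an added example (not code from the original post, from BOSH, or from mkpasswd), here is a pure-Python implementation of the SHA-512 crypt scheme that mkpasswd -s -m sha-512 emits, a verifier for the resulting $6$ string, and a small audit that walks the resource_pools/vm_types of a manifest and flags entries with no env.bosh.password or with a value that is not a SHA-512 crypt hash. The manifest fragment, the pool names other than my-job, and the function names are constructed for illustration; the first hash reuses the one generated above.

```python
import hashlib
import hmac
import re
import secrets

# crypt(3) uses its own 64-character alphabet, not RFC 4648 base64.
_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# The final digest is written out in this permuted byte order (21 triples, then byte 63 alone).
_ORDER = [(0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4), (47, 5, 26),
          (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51), (31, 52, 10), (53, 11, 32),
          (12, 33, 54), (34, 55, 13), (56, 14, 35), (15, 36, 57), (37, 58, 16), (59, 17, 38),
          (18, 39, 60), (40, 61, 19), (62, 20, 41)]
# Shape of a $6$ hash: optional rounds field, 1-16 char salt, 86 char encoded digest.
_SHA512_CRYPT = re.compile(r"^\$6\$(rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$")


def _b64_from_24bit(b2, b1, b0, n):
    w = (b2 << 16) | (b1 << 8) | b0
    chars = []
    for _ in range(n):
        chars.append(_B64[w & 0x3F])
        w >>= 6
    return "".join(chars)


def sha512_crypt(password, salt, rounds=5000):
    """SHA-512 crypt, the $6$ scheme that `mkpasswd -s -m sha-512` produces."""
    pw, sb = password.encode(), salt[:16].encode()
    h = hashlib.sha512
    B = h(pw + sb + pw).digest()                       # digest B: password, salt, password
    a = pw + sb + B * (len(pw) // 64) + B[: len(pw) % 64]
    i = len(pw)
    while i > 0:                                       # one B or password per bit of the length
        a += B if i & 1 else pw
        i >>= 1
    A = h(a).digest()
    DP = h(pw * len(pw)).digest()                      # P: password-derived bytes, S: salt-derived bytes
    P = DP * (len(pw) // 64) + DP[: len(pw) % 64]
    DS = h(sb * (16 + A[0])).digest()
    S = DS * (len(sb) // 64) + DS[: len(sb) % 64]
    C = A
    for r in range(rounds):                            # the cost loop, 5000 rounds by default
        c = P if r & 1 else C
        if r % 3:
            c += S
        if r % 7:
            c += P
        c += C if r & 1 else P
        C = h(c).digest()
    encoded = "".join(_b64_from_24bit(C[x], C[y], C[z], 4) for x, y, z in _ORDER)
    encoded += _b64_from_24bit(0, 0, C[63], 2)
    prefix = "$6$" if rounds == 5000 else f"$6$rounds={rounds}$"
    return f"{prefix}{sb.decode()}${encoded}"


def generate_hash(password):
    """Equivalent of `mkpasswd -s -m sha-512`: fresh random 16-character salt, default rounds."""
    salt = "".join(secrets.choice(_B64) for _ in range(16))
    return sha512_crypt(password, salt)


def verify(password, hashed):
    """Recompute the hash with the stored salt and rounds and compare in constant time."""
    if not _SHA512_CRYPT.match(hashed):
        return False
    parts = hashed.split("$")  # ['', '6', ('rounds=N',) salt, digest]
    rounds = int(parts[2][7:]) if parts[2].startswith("rounds=") else 5000
    expected = sha512_crypt(password, parts[-2], rounds).rsplit("$", 1)[1]
    return hmac.compare_digest(expected, parts[-1])


def audit_vcap_passwords(manifest):
    """One finding per resource pool / VM type whose env.bosh.password is missing or not a $6$ hash."""
    findings = []
    for section in ("resource_pools", "vm_types"):
        for entry in manifest.get(section, []):
            name = entry.get("name", "?")
            value = entry.get("env", {}).get("bosh", {}).get("password")
            if value is None:
                findings.append(f"{section}/{name}: no env.bosh.password, so the stemcell default vcap password stays")
            elif not _SHA512_CRYPT.match(str(value)):
                findings.append(f"{section}/{name}: env.bosh.password is not a SHA-512 crypt hash (plaintext?)")
    return findings


# Constructed manifest fragment (hypothetical, not a real deployment): the pool from the post, then two mistakes.
SAMPLE_MANIFEST = {"resource_pools": [
    {"name": "my-job", "env": {"bosh": {"password": "$6$KhPGar7zCLLtPU$afuBqZMg5PRLM/3opVltVOA7Tm3IZJr14mr6QmECAIioGw5HaJdG2HhhOczDQ2UubHPcZYXHTK6jB6OKyBWBv/"}}},
    {"name": "forgotten", "cloud_properties": {}},
    {"name": "plaintext", "env": {"bosh": {"password": "not-a-hash-at-all"}}},
]}
```

generate_hash("...") gives you a value to paste under env.bosh.password without leaving your workstation, and verify() lets you confirm the value you pasted still matches before you deploy. The audit only accepts strings of the exact $6$ shape, so it also catches a hash that was cut short when a long line wrapped in an editor: anything other than 86 encoded digest characters fails the check.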

Have BOSH create a random password for each VM

Newer versions of BOSH (v255.4 and above) have a feature that randomizes the password set for the vcap user on each VM created. This setting works at the director level and applies to every new VM. On the positive side, you no longer need to remember to specify a new password for each resource pool/VM type. Any time your VMs are recreated, they get new passwords automatically. Additionally, no VM should end up with the same vcap password as any other instance. This also means that no one (including you) will ever know the password BOSH generated for that VM’s vcap user.

To make use of this feature, ensure the following property is set in your BOSH director’s manifest, and redeploy:

properties:
  director:
    generate_vm_passwords: true

This feature will eventually be turned on by default in BOSH directors.

Recommendations

We recommend you use the first method to harden the password of the vcap user to a specific password when deploying your BOSH director with bosh-init. At the same time, configure the director to randomly generate passwords for all other VMs’ vcap users. You can see this in action in our bosh templates for Genesis.
