How to Override Default Configuration Passwords and Verify Exposed Services

Owned by Edward Zarecor (Do Not Use) (Deactivated)
Last updated: Feb 03, 2017
3 min read

To run a secure system, it's important that you change the default passwords.  This page gives a way to randomize passwords.

The configuration repository supplies well known default passwords for services, typically defined in the defaults/main.yml file for any particular role.  By convention all such passwords have a name that clearly indicates they are passwords, typically ROLE_PURPOSE_PASSWORD.

You should ensure that these values are overridden if you are deploying a non-development environment.  There are real world examples of folks losing their data because they had neither updated default password, nor ensured that access to services was blocked at the network.

Please do both and if you have questions about how to do so, ask on Slack.

Randomly Generated Passwords for New Deployments

One way to ensure that your passwords are overridden is to pass in overrides when you are installing Open edX using Ansible.  Ansible lets you pass in a file of overrides using the -e@/path/to/file.yml convention.

As of February 2, 2017, we recommend that you override at least the following values https://raw.githubusercontent.com/edx/configuration/master/playbooks/sample_vars/passwords.yml

That file's contents look like so:

passwords.yml
ANALYTICS_API_EMAIL_HOST_PASSWORD: !!null
ANALYTICS_PIPELINE_OUTPUT_DATABASE_PASSWORD: !!null
ANALYTICS_SCHEDULE_MASTER_SSH_CREDENTIAL_PASSPHRASE: !!null
COMMON_HTPASSWD_PASS: !!null
COMMON_HTPASSWD_USER: !!null
COMMON_MONGO_READ_ONLY_PASS: !!null
COMMON_MYSQL_ADMIN_PASS: !!null
COMMON_MYSQL_MIGRATE_PASS: !!null
COMMON_MYSQL_READ_ONLY_PASS: !!null
...

This can be done easily from the bash command line.  Add the content above to a file named passwords.yml and run the following command from the same directory in which you have created the file.

while IFS= read line; do REPLACE=$(LC_ALL=C < /dev/urandom tr -dc 'A-Za-z0-9' | head -c35) && echo "$line" | sed "s/\!\!null/\'$REPLACE\'/"; done < ./passwords.yml > ./my-passwords.yml

This creates a new file named my-passwords.yml, and its content should look something like the following:

ANALYTICS_API_EMAIL_HOST_PASSWORD: '58Ld0verTyG2M7ht64SzVvMb4rylWXHHzII'
ANALYTICS_PIPELINE_OUTPUT_DATABASE_PASSWORD: 'tjX28dM0QhjXgySJ9JLU9io9nckodjxjJmo'
ANALYTICS_SCHEDULE_MASTER_SSH_CREDENTIAL_PASSPHRASE: 'kBMlvEUqsaGFDSSzasownyDiXK9tTIcGTdZ'
COMMON_HTPASSWD_PASS: 'JKhFjY8SA2LI2GdK8nK0SLM1HgzzFR4cuEb'
COMMON_HTPASSWD_USER: '4xLx6FPc8Bni5MUjRbVLzvThERmSO2AIJBZ'
COMMON_MONGO_READ_ONLY_PASS: 'UXfWWuXnfSb962jQ1yB4gbPaGRQ0dOZCCYh'
COMMON_MYSQL_ADMIN_PASS: 'yxaLDLsZXb4FDAOpj9HD42Sr4UYBLNmLJP2'
COMMON_MYSQL_MIGRATE_PASS: 'CXwSNlQ7QtK6al6MXxsrrt12PfQxfs8ydZf'
COMMON_MYSQL_READ_ONLY_PASS: 'CBnZ0bxVmGGc7HEQQXWlTUc8C0MbVev6mYU'
...

Keep the my-passwords.yml file in a safe location, ideally encrypted.  If you don't have another solution for this, we recommend that you use ansible-vault, which comes with your ansible installation

Starting from a bare Ubuntu Xenial installation, you can follow these steps:

# Ensure your instance is upgraded to the latest Xenial
sudo apt-get update -y
sudo apt-get upgrade -y
reboot

# Installed the edx_ansible role
wget https://raw.githubusercontent.com/edx/configuration/master/util/install/ansible-bootstrap.sh -O - | sudo bash

# Create passwords specific to your installation. Please consider that you'll need to share these across application nodes if you have multiple
# The password files will be owned by root.
cd /edx/app/edx_ansible/
sudo wget https://raw.githubusercontent.com/edx/configuration/master/playbooks/sample_vars/passwords.yml
while IFS= read line; do REPLACE=$(LC_ALL=C < /dev/urandom tr -dc 'A-Za-z0-9' | head -c35) && echo "$line" | sed "s/\!\!null/\'$REPLACE\'/"; done < ./passwords.yml | sudo tee ./my-passwords.yml

# Encrypt your environment specific secrets with Ansible vault.  This step will prompt you to create a password 
# for accessing your encrypted data.  It is IMPERATIVE that you do not lose or forget this password 
sudo /edx/app/edx_ansible/venvs/edx_ansible/bin/ansible-vault encrypt ./my-passwords.yml

# Install the native installation using your encrypted passwords
cd /edx/app/edx_ansible/edx_ansible/playbooks/
sudo /edx/app/edx_ansible/venvs/edx_ansible/bin/ansible-playbook -c local ./edx_sandbox.yml -i 'localhost,' -e@/edx/app/edx_ansible/my-passwords.yml --ask-vault-pass




When you build you deployment environment, ensure that you add `-e@/path/to/my-passwords.yml` to your call to ansible-playbook.

Doing this on an already running system is another matter entirely.  It's possible, but will require more specific expertise around managing MySQL, MongoDB, RabbitMQ and ElasticSearch

Network Access

We strongly recommend that you review the ports that are exposed on your hosts regularly. 

Running the following command from a host that is public from the point of view of your Open edX instance is useful

nmap -Pn -p- edx.mydomain.info

The fewer ports that are open the better.  You should be concerned if more than 80 (http), 443 (https) and 22 (ssh) are open.  Ideally 22, ssh, would also be limited to networks that you control.