T-Shoot: Suppressing the VM Maestro "secure storage" prompt in Linux

    Summary

     

    If you run VM Maestro on Linux, including running VM Maestro within the VIRL VM itself, you may be prompted for a "secure storage" password every time you start VM Maestro.  This document explains what that prompt means and what you can do to prevent that pop-up.

    [Screenshot: secure_storage_prompt.PNG]

     

    Background

     

    By default, VM Maestro stores the web service credentials in a platform-specific "secure storage."  For users running VM Maestro on Windows or OS X, VM Maestro integrates with the operating system's keyring.  You may get a prompt to permit VM Maestro to access the keyring, but after that, VM Maestro should not prompt you for your web service credentials.

     

    On Linux, the secure storage mechanism saves credentials in a symmetrically encrypted file.  The secure storage password is used to encrypt and decrypt the secure storage file.  Every time you restart VM Maestro, you will be prompted for the secure storage password once so that VM Maestro can access the secure storage file. The secure storage password has no default value.  The first time you run VM Maestro, it will create the secure storage file and set the password on that file.  Therefore, the secure storage password required to access the VM Maestro web services credentials on a particular VM Maestro installation is whatever the user set for the secure storage password the first time he ran VM Maestro.

     

    Solution

     

    If you do not want to be prompted for the secure storage password every time you start VM Maestro on Linux, there are two options.

     

    Option 1 - Do not use secure storage

     

    If you choose this option, VM Maestro will not store the web services credentials in secure storage.  Unfortunately that means that VM Maestro will only remember your web service credentials for the length of the session.  Once you stop and restart VM Maestro, you will need to re-enter your web service credentials when VM Maestro first accesses the web services.  Therefore, in this case, you have basically replaced the prompt for the secure storage password with a prompt for the web services password.

     

    To implement this option, simply uncheck the "Store encrypted passwords in system's secure storage" option at the end of the File > Preferences > Web Services dialog.

     

    Option 2 - Provide the secure storage password via a file

     

    If you choose this option, VM Maestro will read the secure storage password from a plain text file.  If the password in that file is correct, then VM Maestro will use it to decrypt the secure storage file.  It will read your web services credentials from the secure storage file, and it will not need to prompt you for any credentials when you start VM Maestro.  Unfortunately, with this option, your secure storage password is accessible on the Linux system in a plain text file.  If that file is compromised, an attacker could potentially use the secure storage password to decrypt your secure storage file and access any information stored in it.  The information in the secure storage file may include your VIRL web services credentials, your Git credentials (if you use Git from within VM Maestro), and your proxy or SOCKS credentials (if you configured authenticated proxies in VM Maestro's preferences).

     

    To implement this option, you'll need to reset your VM Maestro secure storage contents and master password file.  These instructions assume that your Linux user ID is virl with a home directory of /home/virl/ and a VM Maestro installation in /home/virl/VMMaestro-linux/.  If that is not the case, please adjust the instructions, as appropriate, to match your Linux installation.  In this example, we use the secure storage password mypass, but you should choose your own password to use instead.

     

    1. Shut down VM Maestro.
    2. Open a terminal on your Linux machine.  (In the VIRL VM, for example, you could double click the xterm icon on the desktop to open a terminal.)
    3. rm /home/virl/.eclipse/org.eclipse.equinox.security/secure_storage
    4. rm /home/virl/.master
    5. printf "mypass" > /home/virl/.master
    6. chmod 0600 /home/virl/.master
    7. Find and edit the /home/virl/VMMaestro-linux/VMMaestro.ini file so that the eclipse.password option is an absolute path, like the following two lines:

      -eclipse.password
      /home/virl/.master

    8. Restart VM Maestro.

     

    Steps 3 and 4 may fail if the files do not exist.  You're removing them just in case to ensure that you're starting from a known state.  This avoids possible complications with trying to reset a secure storage password on an existing secure_storage file.

     

    Step 5 creates the master password file.  We call it .master so that it does not show up in a standard directory listing.  You should use a password of your choice instead of mypass.  You may use any filename you want, and you may place this file anywhere on your file system as long as steps 6 and 7 use the same path.

     

    Step 6 sets the permission on the .master file so that only your user account can read it.

     

    Step 7 ensures that VM Maestro can find your file.  Note that it should be two separate lines, the -eclipse.password option on one line and the absolute path to your .master file on the following line.  These options should be placed before the -vmargs line in the VMMaestro.ini file.  The VMMaestro.ini file probably already has an -eclipse.password option.  If it does, just edit the line after it.  The value in the second line should be the full path to the file that you created in step 5.

     

    The first time you restart VM Maestro in step 8, VM Maestro will prompt you for your web services credentials again.  VM Maestro will read your secure storage password automatically, but since we deleted the existing secure storage file in step 3, VM Maestro no longer has access to your web services credentials.   Press the "Change Credentials" button and provide your web services credentials. When you provide the credentials, VM Maestro will store them in the encrypted secure storage file again.  After that, when you restart VM Maestro in the future, it should not prompt you for the web services credentials again.
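
A hardened variant of steps 5 to 7, as an added example that is not part of the original document: the password file is created with mode 0600 from the start (under a typical umask, step 5's redirect leaves it readable by other users until step 6's chmod runs), and the VMMaestro.ini edit is scripted. The function names are hypothetical, and `stat -c` assumes GNU coreutils.

```bash
# Added example (not from the original document): steps 5-7 without a window
# in which the password file is readable by other users.

# Read the password from stdin and write it to FILE ($1). The file is created
# under umask 077, so it is 0600 from the start instead of after a later chmod.
# printf '%s' keeps any '%' or '\' in the password literal.
write_master_password() (
    IFS= read -r pass || :
    [ -n "$pass" ] || exit 1     # refuse an empty password
    umask 077
    rm -f -- "$1"                # an existing file would keep its old mode
    printf '%s' "$pass" > "$1"
)

# Make INI ($1) point -eclipse.password at FILE ($2): rewrite the line after an
# existing option, else insert both lines before -vmargs, else append them.
set_eclipse_password() (
    tmp=$(mktemp) || exit 1
    trap 'rm -f -- "$tmp"' EXIT
    P=$2 awk '
        fix { print ENVIRON["P"]; fix = 0; next }
        $0 == "-eclipse.password" { print; fix = 1; done = 1; next }
        $0 == "-vmargs" && !done { print "-eclipse.password"; print ENVIRON["P"]; done = 1 }
        { print }
        END { if (fix) { print ENVIRON["P"] }
              else if (!done) { print "-eclipse.password"; print ENVIRON["P"] } }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"
)

# True only for a regular, non-symlink file owned by the caller with mode 600
# (stat -c is GNU coreutils, as found on the Linux hosts this page targets).
master_file_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] && [ "$(stat -c %a -- "$1")" = 600 ]
}

# Usage, with the paths assumed on this page (run after steps 1-4):
#   write_master_password /home/virl/.master    # type the password, press Enter
#   set_eclipse_password /home/virl/VMMaestro-linux/VMMaestro.ini /home/virl/.master
#   master_file_ok /home/virl/.master && echo "permissions OK"
```

Because the password is read from standard input, it does not appear in the shell history or in the process list the way it does as a printf argument.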