Improve password posture #165

Merged
Alphasite merged 1 commit into cloudfoundry:windows-2019 from ay901246:improve-password-posture
Apr 17, 2026
@ay901246 ay901246 commented Apr 16, 2026

Rev 2

Realized there might be backwards compatibility issues if we remove password auth entirely; going to remove that change since the new password should be very secure anyway.

Password Generation Enhancements (AutomationHelpers.psm1)

  • Transitioned from the legacy Get-Random method to [System.Security.Cryptography.RandomNumberGenerator]::Create() for a more robust and modern source of entropy.
  • Optimized performance and memory management by instantiating the generator and byte array outside of the while loop, reducing unnecessary garbage collector pressure.

SSH Configuration Updates (BOSH.SSH.psm1)

  • Updated Edit-DefaultOpenSSHConfig with a regex replacement to ensure PasswordAuthentication is explicitly set to no.
  • This standardizes the authentication flow by enforcing key-based access for the Administrator account over SSH.

Test Suite Improvements (AutomationHelpers.Tests.ps1 & BOSH.SSH.Tests.ps1)

  • Replaced static hardcoded mocks (e.g., 'changeMe123!') with dynamic evaluations of the actual generated output.
  • Added test coverage to verify that the generated passwords meet the required length (24 characters) and are unique on subsequent calls.
  • Preserved and updated the 200-attempt loop failure test to ensure it accurately triggers based on the Valid-Password helper.
  • Added a dedicated test case to verify the OpenSSH config regex correctly updates the password authentication setting.

Note: Rewrote the Pester tests to evaluate actual string length, validate output uniqueness across subsequent calls, and properly test the 200-attempt loop failure state. SSH config tests have been updated to prove the new regex behaves exactly as intended.


Verification

  • Executed Pester tests against the modified modules.
  • All targeted password generation and SSH validation tests pass successfully.

Made-with: Cursor
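
The generation approach described in the comment above, as an added example that is not the PR's code: one reusable crypto RNG and byte buffer, a bounded retry loop, and a complexity check. The function names, the alphabet and the complexity rule (a stand-in for the project's Valid-Password helper) are assumptions; the rejection of bytes above `$limit` goes beyond what the description states and is there to avoid modulo bias.

```powershell
# Added example; all names here are hypothetical, not the module's own.
$Alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#%^*-_=+'

function Test-PasswordComplexityExample {
    param([string]$Password)
    # Assumed policy: at least one upper, one lower, one digit, one symbol.
    return ($Password -cmatch '[A-Z]') -and ($Password -cmatch '[a-z]') -and
           ($Password -cmatch '[0-9]') -and ($Password -cmatch '[^A-Za-z0-9]')
}

function New-RandomPasswordExample {
    param([int]$Length = 24, [int]$MaxAttempts = 200)

    # Created once and reused by every attempt in the loop.
    $rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buffer = New-Object byte[] 64
    # Largest multiple of the alphabet size that fits in one byte. Bytes at or
    # above it are discarded so that every character stays equally likely.
    $limit  = 256 - (256 % $Alphabet.Length)
    try {
        for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
            $sb = New-Object System.Text.StringBuilder
            while ($sb.Length -lt $Length) {
                $rng.GetBytes($buffer)
                foreach ($b in $buffer) {
                    if ($b -lt $limit -and $sb.Length -lt $Length) {
                        [void]$sb.Append($Alphabet[$b % $Alphabet.Length])
                    }
                }
            }
            $candidate = $sb.ToString()
            if (Test-PasswordComplexityExample -Password $candidate) {
                return $candidate
            }
        }
        # Constructed message; the module's real failure text is not shown on this page.
        throw "Unable to generate a valid password after $MaxAttempts attempts"
    }
    finally {
        $rng.Dispose()
    }
}
```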

aramprice previously approved these changes Apr 16, 2026
Comment thread stembuild/stemcell-automation/AutomationHelpers.Tests.ps1
Comment thread modules/BOSH.SSH/BOSH.SSH.psm1 Outdated
| ForEach-Object{ $_ -replace ".*AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys.*", "#$&" } `
| ForEach-Object{ $_ -replace "#RekeyLimit default none", "$&`r`n# Disable cipher to mitigate CVE-2023-48795`r`nCiphers -chacha20-poly1305@openssh.com`r`n" }
| ForEach-Object{ $_ -replace "#RekeyLimit default none", "$&`r`n# Disable cipher to mitigate CVE-2023-48795`r`nCiphers -chacha20-poly1305@openssh.com`r`n" } `
| ForEach-Object{ $_ -replace "^#?PasswordAuthentication.*", "PasswordAuthentication no" }
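Review bot: the final `-replace "^#?PasswordAuthentication.*"` only rewrites a line that already exists and begins at column one with an optional `#`, so it does not guarantee the setting. An indented directive or `# PasswordAuthentication` with a space after the hash is left untouched, and if the input has no such line nothing is written. If the pipeline carries the whole file as a single string rather than line by line, `^` matches only at the start of the file unless `(?m)` is added. Consider checking after the replace that a `PasswordAuthentication no` line is present and appending it when it is not. Because the pattern also matches an active `PasswordAuthentication yes`, it overrides a value set deliberately; the comment above the change should say that this is intended.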
I don't believe this would be considered a breaking change since users should use bosh ssh for SSH rather than direct password auth.

I think this does break using extensions which enable password auth for ssh like os-conf/windows-utilities which has an enable_ssh job

Contributor Author

Removed this.

@ay901246 ay901246 force-pushed the improve-password-posture branch from e76091c to 6e9d979 Compare April 16, 2026 21:31
@ay901246 ay901246 changed the title Improve password posture and SSH defaults Improve password posture Apr 16, 2026
Alphasite previously approved these changes Apr 16, 2026
@Alphasite Alphasite left a comment

I think that looks ok

@Alphasite Alphasite requested a review from Copilot April 16, 2026 21:42
Copilot AI left a comment

Pull request overview

Improves the password-generation implementation in the stemcell automation PowerShell module by switching to a cryptographically secure RNG and updates Pester tests accordingly.

Changes:

  • Replaced Get-Random-based password generation with System.Security.Cryptography.RandomNumberGenerator and reused the byte buffer across attempts.
  • Updated Pester tests to stop mocking the generated password and to add basic length/uniqueness assertions.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| stembuild/stemcell-automation/AutomationHelpers.psm1 | Uses a crypto RNG + byte buffer to generate 24-char passwords in the retry loop. |
| stembuild/stemcell-automation/AutomationHelpers.Tests.ps1 | Adjusts tests for the new generation approach; adds length and uniqueness checks. |

Comment thread stembuild/stemcell-automation/AutomationHelpers.psm1 Outdated
Comment thread stembuild/stemcell-automation/AutomationHelpers.psm1 Outdated
Comment thread stembuild/stemcell-automation/AutomationHelpers.Tests.ps1
@Alphasite Alphasite merged commit a54da4f into cloudfoundry:windows-2019 Apr 17, 2026
5 checks passed
@github-project-automation github-project-automation Bot moved this from Pending Merge | Prioritized to Done in Foundational Infrastructure Working Group Apr 17, 2026