From FedoraProject

Mission

This project's mission is to eliminate the use of predictable passwords in LXC templates. It all started with BZ 1132001 which attached bug reports to fedora-all, EPEL 7, and EPEL 6. The problem exists upstream and the upstream developers are welcoming fixes.

This is part of the Fedora Security Team's 90-day challenge.

Updates

Stéphane Graber would prefer to see two improvements happen in tandem (mentioned in this GitHub PR):

  1. Remove sshd from each template by default
  2. Use a shared shell script so that password handling is identical for all containers.

This presents a challenge as some containers have a normal user with sudo privileges (like Ubuntu).

It seems like a shell script could have logic resembling the following:

  • Did the user provide a password for root (or the regular user with sudo privileges)?
    • If password supplied, use that one for root or the regular user with sudo privileges
    • If password not supplied, generate a random password and present that to the user at the end of the build
  • Is sshd present in the container's rootfs?
    • If yes, remove it
    • If no, pass

Template Status

The upstream templates are on Github. Each template will be documented here as it's reviewed.

Warning.png
Work in progress
This section is being updated regularly. --Mhayden (talk) 17:31, 18 June 2015 (UTC)
Distribution Status Default root
password?
User can override
the default?
Notes
AltLinux Stop (medium size).png rooter No
Busybox Stop (medium size).png root No Passwordless ssh logins allowed
CentOS Checkmark.png randomized Yes
CirrOS Stop (medium size).png cirros/cubswin:)
(cirros user has sudo)
No
Debian Stop (medium size).png root No
Fedora Checkmark.png randomized Yes
Gentoo Stop (medium size).png toor Yes
OpenMandriva Stop (medium size).png root No
Oracle EL Stop (medium size).png root No oracle/oracle exists as well
Plamo Stop (medium size).png root No
Ubuntu Stop (medium size).png ubuntu/ubuntu
(has sudo)
Yes User can set password for ubuntu user during build
Ubuntu Cloud Checkmark.png (see notes) Yes root account is locked unless user passes cloud-init data to configure the account

Details

Alpine

The template can't download an APK that passes verification. It also doesn't seem to set a root password anywhere during the container creation.

AltLinux

The password for root is set to rooter for all builds.

ArchLinux

The user can specify a root password but root's account is left without a password if a password isn't provided.

Busybox

Password for root is set to 'root' by default. Default ssh configuration allows root logins without a password as well.

CentOS

No changes needed as randomized root passwords are already applied during build.

Cirros

The password for root isn't set, but a user called cirros has the password cubswin:).

Debian

The upstream Debian template current sets root's password to root. There's a proposed fix waiting on feedback from Debian's LXC package maintainer.

Fedora

No changes needed as randomized root passwords are already applied during build.

Gentoo

If a root password isn't specified, the root password is set to toor.

OpenMandriva

The root password is set to root by default.

OpenSuse

The root password is set to root by default.

Oracle

The root password is set to root by default. The oracle user has the password oracle.

Plamo

The root password is set to root by default.

Ubuntu

The Ubuntu template disables the root account but makes a regular user with sudo privileges that has ubuntu as a username and password (unless a user password is specified on the command line during build).

A fix has been proposed.

The Ubuntu Cloud template allows a user to specify cloud-init data to configure the container once it's booted. If the user doesn't specify any data, the root account is locked.