[lxc-devel] [PATCH] CentOS and Fedora Templates: Harden root passwords and add static MAC network addresses.
Leonid Isaev
lisaev at umail.iu.edu
Tue Dec 31 18:43:02 UTC 2013
On Tue, 31 Dec 2013 12:17:46 -0500
"Michael H. Warfield" <mhw at WittsEnd.com> wrote:
> On Tue, 2013-12-31 at 10:59 -0500, S.Çağlar Onur wrote:
> > Hi Michael,
> >
> > On Thu, Dec 26, 2013 at 6:08 PM, Michael H. Warfield <mhw at wittsend.com>
> > wrote:
> > > CentOS and Fedora Templates: Harden root passwords and add static MAC
> > > network addresses.
> > >
> > > 1) Add logic to root password setting. Root password is now set to
> > > "Root-${name}-${RANDOM}" to defeat common brute force scans.
> > > 2) Enhance exit messages to explain root password and password changing.
>
> > Not an objection but a question. What about creating the container
> > using either the quiet parameter or via the API? In that case the user
> > is unlikely to see that output and hence won't be able to log in to
> > the box.
>
> That's a very good question. Certainly, the "chroot ${root_fs} passwd"
> trick is going to work in any case. I had considered adding the
> temporary root password in the config file in comments but then didn't.
One can probably add it to a special file, e.g. <container_name-passwd> with
permissions 600 root:root, alongside the config file. Clearly, this will not
compromise any security.
>
> [Snip]
>
> Regards,
> Mike
Happy holidays,
Leonid.
--
Leonid Isaev
GnuPG key: 0x164B5A6D
Fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
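
The suggestion in the reply above (a root-only password file beside the container's config), as an added example that is not part of the original message or of the LXC templates. The function names, the sample directory and the sample password are assumptions, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: keep a container's temporary root password in a
# mode-600 file next to its config. All names here are hypothetical.

# store_container_passwd <container_dir> <container_name> <password>
# Writes <container_dir>/<container_name>-passwd and prints its path.
store_container_passwd() {
    dir=$1 name=$2 pass=$3
    target="${dir}/${name}-passwd"

    # Subshell: the restrictive umask does not leak into the caller.
    (
        umask 077    # anything created here is owner-only from the start
        # Write to a temp file in the same directory, then rename it, so
        # the password is never visible in a partial or wider-mode file.
        tmp=$(mktemp "${dir}/.${name}-passwd.XXXXXX") || exit 1
        printf '%s\n' "$pass" > "$tmp" || { rm -f "$tmp"; exit 1; }
        chmod 600 "$tmp"               || { rm -f "$tmp"; exit 1; }
        mv -f "$tmp" "$target"         || { rm -f "$tmp"; exit 1; }
    ) || return 1
    printf '%s\n' "$target"
}

# check_passwd_file <file> [expected_uid]
# Succeeds only for a regular file (not a symlink) with mode 600 owned
# by expected_uid (default 0, i.e. root, as a template run would give).
check_passwd_file() {
    file=$1 want_uid=${2:-0}
    [ -f "$file" ] && [ ! -L "$file" ]            || return 1
    [ "$(stat -c '%a' "$file")" = "600" ]         || return 1
    [ "$(stat -c '%u' "$file")" = "$want_uid" ]   || return 1
}

# Usage with constructed values, run as root by the template:
#   f=$(store_container_passwd /var/lib/lxc/web1 web1 "Root-web1-12345")
#   check_passwd_file "$f" || echo "password file is not private" >&2
```

Creating the file under `umask 077` rather than writing it and running `chmod` afterwards avoids the interval in which the password would be readable under the default umask.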