[lxc-devel] default root password has to be random in default debian template

Michael H. Warfield mhw at WittsEnd.com
Wed Aug 20 16:32:56 UTC 2014


On Tue, 2014-08-19 at 17:28 +0200, Ondřej Surý wrote:
> Hi,

> [probably also applies to more templates]

> The default security of the Debian template is horrible. Default sshd_config
> permits root login with password and sets the default password to
> 'root'.

> Please at least pull changes from:
> https://bugs.debian.org/758643
> https://bugs.debian.org/758647

> Note that this needs pwgen to generate new password, so you might
> want to generate random password using some common tool or method
> (openssl, etc...)

> And please do a similar security audit of all templates shipping with
> lxc, I have also seen ubuntu/ubuntu in the ubuntu template...

Yes, it does apply to more templates (but not all templates).

This has been discussed before.  Please look at the Fedora and CentOS
templates for how we handle them there.  In those cases, it's
configurable and supports templating.  It's up to the other template
maintainers if they want to pull that over and there are issues with the
download template and its defaults (if you use the download template to
pull a Fedora rootfs, you still get root:root).  I'm not familiar with
who the maintainer of the Debian template is.  I've only contributed to
the Fedora, CentOS, and OpenSUSE templates.

> Cheers,

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
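
The change requested in this thread, sketched as an added example (not code from the thread, the Debian bug reports, or any LXC template): a random root password generated with openssl instead of pwgen, plus an sshd_config that refuses root password logins. The function names are hypothetical; it assumes openssl or /dev/urandom on the host, root privileges for the chroot step, and OpenSSH 7.0 or later for `prohibit-password` (older releases spell it `without-password`).

```shell
#!/bin/sh
# Added example: hypothetical helpers for a template script; names are not from LXC.

# Print a 16-character random password (12 random bytes, base64-encoded).
gen_password() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 12
    else
        # Fallback when openssl is absent: read the kernel CSPRNG directly.
        head -c 12 /dev/urandom | base64
    fi
}

# Make <rootfs>/etc/ssh/sshd_config refuse password logins for root.
restrict_root_ssh() {
    cfg="$1/etc/ssh/sshd_config"
    [ -f "$cfg" ] || return 1
    tmp=$(mktemp) || return 1
    # sshd keeps the first value it reads, and a global setting must come
    # before any Match block, so the new line goes at the top of the file.
    echo 'PermitRootLogin prohibit-password' > "$tmp"
    # Drop every old PermitRootLogin line (active, commented, or indented).
    grep -viE '^[[:space:]]*#?[[:space:]]*PermitRootLogin([[:space:]]|$)' \
        "$cfg" >> "$tmp" || true
    # Overwrite in place so the file keeps its owner and mode.
    cat "$tmp" > "$cfg"
    rm -f "$tmp"
}

# Replace the fixed root password with a random one and show it once.
# Needs root privileges and a chpasswd binary inside the rootfs.
set_random_root_password() {
    rootfs="$1"
    pw=$(gen_password) || return 1
    [ -n "$pw" ] || return 1
    printf 'root:%s\n' "$pw" | chroot "$rootfs" chpasswd || return 1
    printf 'Temporary root password for %s: %s\n' "$rootfs" "$pw"
}
```
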
