[lxc-devel] Strawman proposal... Default passwords in templates...

Michael H. Warfield mhw at WittsEnd.com
Thu Jan 2 15:09:59 UTC 2014


On Wed, 2014-01-01 at 23:50 -0600, Serge Hallyn wrote: 
> Quoting Michael H. Warfield (mhw at WittsEnd.com):
> > > Why not purely random?  I also liked the suggestion of putting the
> > > password in a file under $lxcpath/$lxcname - though chmod 600 owned
> > > by the calling user, not root.  I prefer not outputting it in
> > > stdout during create, but am not *strongly* against it.
> > 
> > I'm actually largely against "purely random" passwords, particularly
> 
> Well by purely random I of course meant using a reasonable char set.
> But I'm lazy and prefer to type (if I have to) 8 random chars to a bunch
> of boilerplate including mylongcontainername...  And realistically, if
> I'm not using ssh keys, and we have the pwd in a file, I'll be having a
> script fetch the pwd from the file for me on login.

Either way, you'd only need it once, since it's marked "expired" and you
have to change it to one of your choice.

> > when we're just trying to defeat a particular attack vector like this,
> > especially when combined with expiring the password.  I'm not sure
> > there's really anything significant left on the attack tree we need to
> > worry about (especially with the current state of affairs) and purely
> > random passwords are a significant PITA.  I think xkcd had it nailed
> > here:
> > 
> > https://xkcd.com/936/

> OTOH for most of the containers I create I'll log in at most once, so
> memorable passwords are not useful.  Also your proposal still had some
> random chars, so at least with my throwaway approach to containers 2 or
> 8 random chars makes no difference - I'll have to look it up.

> But it sounds like we may want to be able to pass a password template,
> i.e.  "lxc_${name}_XXX" (or if on private network then maybe "root")
> into the template.

Oooo...  Now there's a thought.  Feed a template like that into "mktemp
-u" and take the output.  Better character set distribution and more
versatile.

> > I'm open to storing it in a file and, yeah, adding a chown 600 is fine.
> > Raises an issue though that a number of these templates will only run
> > as root and have not been adapted for running under a non-priv user.
> > That's another discussion that I think you and I and others need to
> > engage in.
> 
> Sadly some will never work as non-priv user.  Including 'ubuntu'.  At
> least until we get an in-kernel workaround enabling user namespaces to
> create some devices, which debootstrap insists on doing.

I suspect the CentOS and Fedora templates will fare no better.

> -serge

Mike
-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
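
Added example, not part of the original message or of the LXC templates: the scheme discussed in this thread written in shell, expanding a password template with "mktemp -u", storing the result mode 600 under the container directory without printing it, and marking it expired. The function names, the initial_password file name and the 8-X template are assumptions.

```shell
#!/bin/sh
# Added example; helper names and the initial_password file name are hypothetical.

# write_initial_password TEMPLATE DIR
# TEMPLATE is e.g. "lxc_${name}_XXXXXXXX" with ${name} already expanded.
# Prints nothing on stdout; the password only ever lands in DIR/initial_password.
write_initial_password() {
    tmpl=$1 dir=$2
    # Allow only characters that are safe in a "user:password" line for
    # chpasswd (no ':' or whitespace) and that cannot form a path.
    case $tmpl in
        ''|*[!A-Za-z0-9._-]*) echo "unsafe password template" >&2; return 1 ;;
    esac
    # mktemp needs a run of trailing X's to replace; refuse fixed strings.
    case $tmpl in
        *XXX) ;;
        *) echo "template must end in XXX" >&2; return 1 ;;
    esac
    # -u only prints the expanded name and creates no file. mktemp is not
    # documented as a password generator, so treat the result strictly as
    # the one-time, expired initial password described in the thread.
    pw=$(mktemp -u "$tmpl") || return 1
    # Remove any stale file so the new one is created with mode 600 and
    # owned by the calling user, rather than inheriting looser permissions.
    rm -f "$dir/initial_password"
    ( umask 077 && printf '%s\n' "$pw" > "$dir/initial_password" )
}

# set_and_expire ROOTFS PWFILE
# Assumes the template runs as root with a populated ROOTFS containing
# chpasswd and chage. "chage -d 0" forces a change at the first login.
set_and_expire() {
    printf 'root:%s\n' "$(cat "$2")" | chroot "$1" chpasswd &&
    chroot "$1" chage -d 0 root
}
```
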
