[lxc-devel] Predictable root passwords in LXC templates

Stéphane Graber stgraber at ubuntu.com
Thu Jun 18 18:20:32 UTC 2015

On Tue, Jun 16, 2015 at 07:37:17AM -0500, Major Hayden wrote:
> Hello there,
> I've been a user of LXC for quite some time but this is my first time digging into things a bit deeper.
> I'm working with the Fedora Security Team to go through some security issues in various projects and I stumbled upon a bug[1] about predictable root passwords in LXC templates.  I opened an issue on GitHub[2] about it and Stéphane Graber was kind enough to redirect me to this list.
> I'm certainly not here to complain -- I'd like to try to improve the templates a bit and see if some of the randomized root password functionality from the CentOS and Fedora templates could be implemented in the remaining templates.  There are other options as well, such as making the password empty and refusing logins with empty passwords (as suggested by Stéphane).
> Would these contributions be welcomed by the LXC community or should I go in another direction?  Thanks in advance for your help.
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1132004
> [2] https://github.com/lxc/lxc/issues/565#issuecomment-112094910


So responding here too as not everyone is closely watching GitHub.

== Comment from https://github.com/lxc/lxc/pull/574 ==

So while we certainly should have something like that, I don't think I
agree with the implementation.

I'd much rather see a single pull request which introduces a shared
shell file that can be sourced by all templates and provides generic
functions to deal with passwords.

That should ideally be based on something like what the fedora/centos
templates are doing so that the user can alter the behavior based on
environment variables.

The main issue with your implementation, besides deviating the behavior
of the templates even more from each other than they are today, is that
if somebody is scripting LXC, there's no easy way for them to get to
that password.

I think ideally, I'd like for:

 - All templates to default to no password at all (not an empty password)
 - All templates to support a common set of environment variables and/or
   arguments to have passwords generated for them or to use passwords
   provided by the user
 - Have a way (possibly optional) for those credentials to be written
   down into a text file in the container's directory (for use by scripts).
 - Print a generic message to the user, advising them of any credential
   that was generated and that they can use lxc-attach to interact with the
   container without them.

I'd also strongly recommend that this happens at the same time as we
remove sshd by default from all templates, so our containers don't have
any remote exposure by default (outside of the dhcp client).

Stéphane Graber
Ubuntu developer
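
The shared, sourceable password helper proposed in the message above could look like the following sketch. This is an added example, not code from the LXC project or from either poster; the function names, the LXC_ROOT_PASSWORD_MODE, LXC_ROOT_PASSWORD and LXC_WRITE_CREDENTIALS variables, and the credentials file name are all hypothetical.

```shell
# Added example, not LXC code. Hypothetical variable names (assumptions):
#   LXC_ROOT_PASSWORD_MODE = none (default) | random | provided
#   LXC_ROOT_PASSWORD      = password used when mode is "provided"
#   LXC_WRITE_CREDENTIALS  = 1 to save credentials in the container directory

lxc_gen_password() {
    # 16 bytes from the kernel CSPRNG, hex-encoded: 32 characters, 128 bits
    od -An -tx1 -N16 /dev/urandom | tr -d ' \n'
}

lxc_lock_root() {   # $1 = rootfs. "*" is no usable password, not an empty one
    tmp=$(mktemp) || return 1
    awk -F: -v OFS=: '$1 == "root" { $2 = "*" } { print }' "$1/etc/shadow" > "$tmp" &&
        cat "$tmp" > "$1/etc/shadow"   # cat keeps the file's owner and mode
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

lxc_apply_password() {   # $1 = rootfs, $2 = password; chroot requires root
    printf 'root:%s\n' "$2" | chroot "$1" chpasswd
}

lxc_setup_root_password() {   # $1 = container dir holding rootfs/, $2 = name
    case "${LXC_ROOT_PASSWORD_MODE:-none}" in
        none)
            lxc_lock_root "$1/rootfs" || return 1
            echo "No root password set. Use: lxc-attach -n $2"
            return 0 ;;
        random)
            pw=$(lxc_gen_password) ;;
        provided)
            pw=${LXC_ROOT_PASSWORD:-}
            [ -n "$pw" ] || { echo "LXC_ROOT_PASSWORD is empty" >&2; return 1; } ;;
        *)
            echo "unknown LXC_ROOT_PASSWORD_MODE" >&2; return 1 ;;
    esac
    lxc_apply_password "$1/rootfs" "$pw" || return 1
    if [ "${LXC_WRITE_CREDENTIALS:-0}" = 1 ]; then
        ( umask 077; rm -f "$1/credentials"
          printf 'root:%s\n' "$pw" > "$1/credentials" ) || return 1
        echo "Root credentials for $2 written to $1/credentials (mode 0600)"
    else
        echo "Root password for $2: $pw"
    fi
    echo "lxc-attach -n $2 works without these credentials."
}
```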