[lxc-devel] Predictable root passwords in LXC templates

Serge Hallyn serge.hallyn at ubuntu.com
Thu Jun 18 19:30:59 UTC 2015


Quoting Stéphane Graber (stgraber at ubuntu.com):
> On Tue, Jun 16, 2015 at 07:37:17AM -0500, Major Hayden wrote:
> > Hello there,
> > 
> > I've been a user of LXC for quite some time but this is my first time digging into things a bit deeper.
> > 
> > I'm working with the Fedora Security Team to go through some security issues in various projects and I stumbled upon a bug[1] about predictable root passwords in LXC templates.  I opened an issue on GitHub[2] about it and Stéphane Graber was kind enough to redirect me to this list.
> > 
> > I'm certainly not here to complain -- I'd like to try to improve the templates a bit and see if some of the randomized root password functionality from the CentOS and Fedora templates could be implemented in the remaining templates.  There are other options as well, such as making the password empty and refusing logins with empty passwords (as suggested by Stéphane).
> > 
> > Would these contributions be welcomed by the LXC community or should I go in another direction?  Thanks in advance for your help.
> > 
> > [1] https://bugzilla.redhat.com/show_bug.cgi?id=1132004
> > [2] https://github.com/lxc/lxc/issues/565#issuecomment-112094910
> 
> Hello,
> 
> So responding here too as not everyone is closely watching GitHub.
> 
> == Comment from https://github.com/lxc/lxc/pull/574 ==
> 
> So while we certainly should have something like that, I don't think I
> agree with the implementation.
> 
> I'd much rather see a single pull request which introduces a shared
> shell file that can be sourced by all templates and provides generic
> functions to deal with passwords.
> 
> That should ideally be based on something like what the fedora/centos
> templates are doing so that the user can alter the behavior based on
> environment variables.
> 
> The main issue with your implementation, besides deviating the behavior
> of the templates even more from each other than they are today, is that
> if somebody is scripting LXC, there's no easy way for them to get to
> that password.
> 
> I think ideally, I'd like for:
> 
>  - All templates to default to no password at all (not an empty password)
>  - All templates to support a common set of environment variables or/and
>    arguments to have passwords generated for them or to use passwords
>    provided by the user
>  - Have a way (possibly optional) for those credentials to be written
>    down into a text file in the container's directory (for use by scripts).
>  - Print a generic message to the user, advising them of any credential
>    that was generated and that they can use lxc-attach to interact with the
>    container without them.

That all sounds perfect.

> I'd also strongly recommend that this happens at the same time as we
> remove sshd by default from all templates, so our containers don't have
> any remote exposure by default (outside of the dhcp client).
> 
> -- 
> Stéphane Graber
> Ubuntu developer
> http://www.ubuntu.com
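
The policy listed in the quoted comment above (no password by default, environment variables to request a generated or supplied password, a credentials file for scripts, a generic message), written as a shared shell helper that templates could source. This is an added example, not code from the LXC project or from anyone on the thread; the variable names LXC_ROOT_PW_MODE and LXC_ROOT_PW, the function names and the "credentials" file name are assumptions.

```shell
#!/bin/sh
# Added example: hypothetical helper a template would source. Assumed names:
#   LXC_ROOT_PW_MODE = none (default) | random | given
#   LXC_ROOT_PW      = password to use when the mode is "given"

# 128 bits from the kernel CSPRNG as 32 hex characters; never derived from
# the container name or any other guessable value.
gen_password() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# "No password at all": '*' in the hash field matches no password, while an
# empty field would be an empty password that some login paths accept.
lock_root() {  # $1 = rootfs
    new=$(sed 's/^root:[^:]*:/root:*:/' "$1/etc/shadow") || return 1
    printf '%s\n' "$new" > "$1/etc/shadow"
}

# Sets the password inside the rootfs (needs root, and chpasswd in the rootfs).
apply_root_password() {  # $1 = rootfs, $2 = password
    printf 'root:%s\n' "$2" | chroot "$1" chpasswd
}

setup_root_password() {  # $1 = rootfs, $2 = container directory
    case "${LXC_ROOT_PW_MODE:-none}" in
        none)
            lock_root "$1" || return 1
            echo "No root password set; use lxc-attach to get a shell."
            return 0 ;;
        random) pw=$(gen_password) ;;
        given)  pw=${LXC_ROOT_PW:-} ;;
        *)      echo "unknown LXC_ROOT_PW_MODE" >&2; return 1 ;;
    esac
    [ -n "$pw" ] || { echo "no password available" >&2; return 1; }
    apply_root_password "$1" "$pw" || return 1
    # Credentials file for scripts, recreated readable by its owner only.
    ( umask 077; rm -f "$2/credentials"
      printf 'root:%s\n' "$pw" > "$2/credentials" ) || return 1
    echo "Root password saved in $2/credentials; lxc-attach works without it."
}
```

A template would call setup_root_password with its rootfs path and the container directory after the rootfs has been populated.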


