** Description changed:

+ === Begin SRU Template ===
+ [Impact] 
+ The only way to assign a hashed password to a user is to use passwd within a
+ users entry like this:
+  users:
+    - name: root 
+      passwd: $6$Cl....Hy$IEJciQZLxQLzkST......g.bzqf3lUl.
+    
+ But, if that user is already present on the system, cloud-init would skip
+ setting the password.  The change was to add support for providing
+ encrypted passwords to 'chpasswd' as:
+    
+  chpasswd:
+    list: |
+      user:$5$eriogqzq$Dg7PxHsKGzziuEGkZgkLvacjuEFeljJ.rLf.hZqKQLA
+    
+ [Test Case]
+ There is an integration test in cloud-init that runs though this code.
+ To run that:
+ 
+ $ git clone https://git.launchpad.net/cloud-init
+ $ cd cloud-init
+ 
+ # download the appropriate deb for cloud-init from -proposed
+ # to
+ $ rel=xenial
+ $ 
http://archive.ubuntu.com/ubuntu/pool/main/c/cloud-init/cloud-init_0.7.9-48-g1c795b9-0ubuntu1~16.04.1_all.deb
+ $ pver=$(rmadison --url=ubuntu --suite=$rel-proposed cloud-init |
+        awk '{print $3}')
+ $ fname="cloud-init_${pver}_all.deb"
+ $ wget "http://archive.ubuntu.com/ubuntu/pool/main/c/cloud-init/$fname";
+ $ ln -sf $fname cloud-init_all.$rel.deb 
+ $ tox -e citest -- run -v -n $rel --deb=cloud-init_all.$rel.deb \
+    -t tests/cloud_tests/testcases/modules/set_password_list_string.py \
+    -t tests/cloud_tests/testcases/modules/set_password_list.py
+ 
+ That will install the new cloud-init into a container and run
+ with user data to excercise this new feature.
+    
+ [Regression Potential]
+ Some user passwords provided via chpasswd and starting with '$' 
+ may be interpreted as hashed passwords.
+ Specifically, those matching: r'\$[1,2a,2y,5,6](\$.+){2}'
+ 
+ If a user hits this, they'd be unable to reach a new instance.
+  
+ [Other Info]
+    
+ === End SRU Template ===
+ 
+ 
  The only way to assign a hashed password to a user is to use passwd within a 
users entry like this:
  users:
-    - name: root
-      passwd: $6$Cl....Hy$IEJciQZLxQLzkST......g.bzqf3lUl.
+    - name: root
+      passwd: $6$Cl....Hy$IEJciQZLxQLzkST......g.bzqf3lUl.
  
  But, if that user is already present on the system, cloud-init will skip 
setting the password:
  journal: [CLOUDINIT] __init__.py[INFO]: User root already exists, skipping.
  
  You can change password with chpasswd, but that only supports clear-text
  password.
  
  Requesting that chpasswd get support for setting a hashed password to
  users.
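
Review bot: In [Test Case], the line `+ $ ` is followed by a bare URL for cloud-init_0.7.9-48-g1c795b9-0ubuntu1~16.04.1_all.deb with no command in front of it, and the comment above it stops at `# to`. The next lines already derive the version with rmadison and wget the resulting `$fname`, so the hard-coded URL should either be dropped or turned into a complete command, and the comment finished. Minor: "runs though" and "excercise" are typos, and `$fname` is unquoted in the `ln -sf` line while it is quoted in the `wget` line.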

** Description changed:

  === Begin SRU Template ===
- [Impact] 
+ [Impact]
  The only way to assign a hashed password to a user is to use passwd within a
  users entry like this:
-  users:
-    - name: root 
-      passwd: $6$Cl....Hy$IEJciQZLxQLzkST......g.bzqf3lUl.
-    
+  users:
+    - name: root
+      passwd: $6$Cl....Hy$IEJciQZLxQLzkST......g.bzqf3lUl.
+ 
  But, if that user is already present on the system, cloud-init would skip
  setting the password.  The change was to add support for providing
  encrypted passwords to 'chpasswd' as:
-    
-  chpasswd:
-    list: |
-      user:$5$eriogqzq$Dg7PxHsKGzziuEGkZgkLvacjuEFeljJ.rLf.hZqKQLA
-    
+ 
+  chpasswd:
+    list: |
+      user:$5$eriogqzq$Dg7PxHsKGzziuEGkZgkLvacjuEFeljJ.rLf.hZqKQLA
+ 
  [Test Case]
  There is an integration test in cloud-init that runs though this code.
  To run that:
  
  $ git clone https://git.launchpad.net/cloud-init
  $ cd cloud-init
  
  # download the appropriate deb for cloud-init from -proposed
  # to
  $ rel=xenial
  $ 
http://archive.ubuntu.com/ubuntu/pool/main/c/cloud-init/cloud-init_0.7.9-48-g1c795b9-0ubuntu1~16.04.1_all.deb
  $ pver=$(rmadison --url=ubuntu --suite=$rel-proposed cloud-init |
-        awk '{print $3}')
+        awk '{print $3}')
  $ fname="cloud-init_${pver}_all.deb"
  $ wget "http://archive.ubuntu.com/ubuntu/pool/main/c/cloud-init/$fname";
- $ ln -sf $fname cloud-init_all.$rel.deb 
+ $ ln -sf $fname cloud-init_all.$rel.deb
  $ tox -e citest -- run -v -n $rel --deb=cloud-init_all.$rel.deb \
-    -t tests/cloud_tests/testcases/modules/set_password_list_string.py \
-    -t tests/cloud_tests/testcases/modules/set_password_list.py
+    -t tests/cloud_tests/testcases/modules/set_password_list_string.py \
+    -t tests/cloud_tests/testcases/modules/set_password_list.py
  
  That will install the new cloud-init into a container and run
  with user data to excercise this new feature.
-    
+ 
  [Regression Potential]
- Some user passwords provided via chpasswd and starting with '$' 
+ Some user passwords provided via chpasswd and starting with '$'
  may be interpreted as hashed passwords.
  Specifically, those matching: r'\$[1,2a,2y,5,6](\$.+){2}'
  
- If a user hits this, they'd be unable to reach a new instance.
-  
+ In english, that regex is:
+   - starts with a '$'
+   - followed by '1', '2a', '2y', '5', '6'
+   - followed by a $
+   - followed by 1 or more characters
+   - followed by another $
+   - followed by 1 or more characters
+ 
+ So a total of 3 '$' and starting with one of those specific 3 or 4
+ character strings.  That could definitely happen, but it is low odds, and 
also fairly low risk.  If a user hits this, they'd be unable to reach a new 
instance.
+ 
  [Other Info]
-    
+ 
  === End SRU Template ===
- 
  
  The only way to assign a hashed password to a user is to use passwd within a 
users entry like this:
  users:
     - name: root
       passwd: $6$Cl....Hy$IEJciQZLxQLzkST......g.bzqf3lUl.
  
  But, if that user is already present on the system, cloud-init will skip 
setting the password:
  journal: [CLOUDINIT] __init__.py[INFO]: User root already exists, skipping.
  
  You can change password with chpasswd, but that only supports clear-text
  password.
  
  Requesting that chpasswd get support for setting a hashed password to
  users.
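
Review bot: The English expansion added under [Regression Potential] does not describe the regex as written. In `r'\$[1,2a,2y,5,6](\$.+){2}'` the bracket expression is a character class, so it matches exactly one character from the set `1`, `,`, `2`, `a`, `y`, `5`, `6`, not the strings '2a' or '2y'. Read literally, a value starting `$2a$` or `$2y$` is not matched (the character after `2` must be `$`), while a plain-text password such as one starting `$,$` or `$a$` is. Also, `.+` can itself contain `$`, so "a total of 3 '$'" should read "at least 3". Either correct the bullets to say what the pattern really accepts, or state the intended pattern as an alternation, for example `\$(1|2a|2y|5|6)(\$.+){2}`, so the regression risk is assessed against the right set of passwords.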

https://bugs.launchpad.net/bugs/1570325

Title:
  RFE: chpasswd in cloud-init should support hashed passwords
