** Description changed: === Begin SRU Template === [Impact] The only way to assign a hashed password to a user is to use passwd within a users entry like this: users: - name: root passwd: $6$Cl....Hy$IEJciQZLxQLzkST......g.bzqf3lUl. But, if that user is already present on the system, cloud-init would skip setting the password. The change was to add support for providing encrypted passwords to 'chpasswd' as: chpasswd: list: | user:$5$eriogqzq$Dg7PxHsKGzziuEGkZgkLvacjuEFeljJ.rLf.hZqKQLA [Test Case] There is an integration test in cloud-init that runs though this code. To run that: $ git clone https://git.launchpad.net/cloud-init $ cd cloud-init # download the appropriate deb for cloud-init from -proposed - # to $ rel=xenial - $ http://archive.ubuntu.com/ubuntu/pool/main/c/cloud-init/cloud-init_0.7.9-48-g1c795b9-0ubuntu1~16.04.1_all.deb - $ pver=$(rmadison --url=ubuntu --suite=$rel-proposed cloud-init | - awk '{print $3}') + $ pver=$(rmadison --url=ubuntu --suite=$rel-proposed cloud-init | awk '{print $3}') $ fname="cloud-init_${pver}_all.deb" $ wget "http://archive.ubuntu.com/ubuntu/pool/main/c/cloud-init/$fname" $ ln -sf $fname cloud-init_all.$rel.deb $ tox -e citest -- run -v -n $rel --deb=cloud-init_all.$rel.deb \ - -t tests/cloud_tests/testcases/modules/set_password_list_string.py \ - -t tests/cloud_tests/testcases/modules/set_password_list.py - + -t tests/cloud_tests/testcases/modules/set_password_list_string.py \ + -t tests/cloud_tests/testcases/modules/set_password_list.py That will install the new cloud-init into a container and run with user data to excercise this new feature. [Regression Potential] Some user passwords provided via chpasswd and starting with '$' may be interpreted as hashed passwords. 
Specifically, those matching: r'\$[1,2a,2y,5,6](\$.+){2}' In english, that regex is: - - starts with a '$' - - followed by '1', '2a', '2y', '5', '6' - - followed by a $ - - followed by 1 or more characters - - followed by another $ - - followed by 1 or more characters + - starts with a '$' + - followed by '1', '2a', '2y', '5', '6' + - followed by a $ + - followed by 1 or more characters + - followed by another $ + - followed by 1 or more characters So a total of 3 '$' and starting with one of those specific 3 or 4 character strings. That could definitely happen, but it is low odds, and also fairly low risk. If a user hits this, they'd be unable to reach a new instance. [Other Info] + Upstream commit: + https://git.launchpad.net/cloud-init/commit/?id=21632972df034 + === End SRU Template === The only way to assign a hashed password to a user is to use passwd within a users entry like this: users: - name: root passwd: $6$Cl....Hy$IEJciQZLxQLzkST......g.bzqf3lUl. But, if that user is already present on the system, cloud-init will skip setting the password: journal: [CLOUDINIT] __init__.py[INFO]: User root already exists, skipping. You can change password with chpasswd, but that only supports clear-text password. Requesting that chpasswd get support for setting a hashed password to users.
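Review bot: In [Regression Potential], the quoted pattern r'\$[1,2a,2y,5,6](\$.+){2}' does not say what the English bullet list under it says. The square brackets form a character class, so after the leading '$' the pattern accepts exactly one character out of 1, 2, a, y, 5, 6 or a comma. It therefore cannot match '2a' or '2y' as the id of a value that begins '$2a$' or '$2y$', and it does accept values such as '$a$x$y' or '$,$x$y' that the bullets do not describe. Either write the pattern as an alternation, for example r'\$(1|2a|2y|5|6)(\$.+){2}', or reword the bullets to describe what the character class accepts, so that the regression risk stated in the template matches the behaviour under test.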
https://bugs.launchpad.net/bugs/1570325

Title: RFE: chpasswd in cloud-init should support hashed passwords
