curtin already accepts either plaintext or a keyfile, so only changes in
subiquity are needed to start using a keyfile.
** Changed in: curtin (Ubuntu)
Status: Confirmed => Invalid
** Description changed:
+
+ Fix published in
+ latest amd64 stable 20.05.2 1874 -
+ arm64 stable 20.05.2 1875 -
+ ppc64el stable 20.05.2 1876 -
+ s390x stable 20.05.2 1873 -
+
+ Images respin pending
+
+ --
+
The server installer, perhaps other installers, will log LUKS passwords
used on the system via:
- installer/subiquity-curtin-install.conf
- - {volume: disk-sda, key: ...
+ - {volume: disk-sda, key: ...
- curtin/install.log
get_path_to_storage_volume for volume dm_crypt-0({'volume': 'disk-sda',
'key': ...
- get_path_to_storage_volume for volume dm_crypt-0({'volume':
'disk-sda', 'key': ...
+ get_path_to_storage_volume for volume dm_crypt-0({'volume':
'disk-sda', 'key': ...
- syslog
+ May 11 22:27:25 ubuntu-server curtin_log.2310[2592]: merged config:
+ {'sources': {'ubuntu00': 'cp:///media/filesystem'}, 'stages': ['early',
+ 'partitioning', 'extract', 'curthooks', 'hook', 'late'],
+ 'extract_commands': {'builtin': ['curtin', 'extract']}, 'hook_commands':
+ {'builtin': ['curtin', 'hook']}, 'partitioning_commands': {'builtin':
+ ['curtin', 'block-meta', 'simple']}, 'curthooks_commands': {'builtin':
+ ['curtin', 'curthooks'], '000-configure-run': ['/snap/bin/subiquity
+ .subiquity-configure-run'], '001-configure-apt': ['/snap/bin/subiquity
+ .subiquity-configure-apt', '/snap/subiquity/1866/usr/bin/python3',
+ 'true']}, 'late_commands': {'builtin': []}, 'network_commands':
+ {'builtin': ['curtin', 'net-meta', 'auto']}, 'apply_net_commands':
+ {'builtin': []}, 'install': {'log_file': '/var/log/curtin/install.log',
+ 'error_tarfile': '/var/log/curtin/curtin-error-logs.tar',
+ 'save_install_config': '/var/log/installer/curtin-install-cfg.yaml',
+ 'save_install_log': '/var/log/installer/curtin-install.log', 'target':
+ '/target', 'unmount': 'disabled'}, 'apt': {'preserve_sources_list':
+ False, 'primary': [{'arches': ['amd64', 'i386'], 'uri':
+ 'http://se.archive.ubuntu.com/ubuntu'}, {'arches': ['default'], 'uri':
+ 'http://ports.ubuntu.com/ubuntu-ports'}]}, 'debconf_selections':
+ {'subiquity': ''}, 'grub': {'probe_additional_os': True, 'terminal':
+ 'unmodified'}, 'kernel': {'package': 'linux-generic'}, 'pollinate':
+ {'user_agent': {'subiquity': '20.05.1_1866'}}, 'reporting':
+ {'subiquity': {'identifier': 'curtin_event.2310', 'type': 'journald'}},
+ 'storage': {'config': [{'ptable': 'gpt', 'serial': 'XXX', 'wwn': 'XXX',
+ 'path': '/dev/nvme0n1', 'wipe': 'superblock', 'preserve': False, 'name':
+ '', 'grub_device': False, 'type': 'disk', 'id': 'disk-nvme0n1'},
+ {'serial': 'XXX', 'wwn': 'XXX', 'path': '/dev/sda', 'wipe':
+ 'superblock', 'preserve': False, 'name': '', 'grub_device': False,
+ 'type': 'disk', 'id': 'disk-sda'}, {'device': 'disk-nvme0n1', 'size':
+ 536870912, 'wipe': 'superblock', 'flag': 'boot', 'number': 1,
+ 'preserve': False, 'grub_device': True, 'type': 'partition', 'id':
+ 'partition-0'}, {'fstype': 'fat32', 'volume': 'partition-0', 'preserve':
+ False, 'type': 'format', 'id': 'format-0'}, {'device': 'disk-nvme0n1',
+ 'size': 127496355840, 'wipe': 'superblock', 'flag': '', 'number': 2,
+ 'preserve': False, 'type': 'partition', 'id': 'partition-1'}, {'fstype':
+ 'btrfs', 'volume': 'partition-1', 'preserve': False, 'type': 'format',
+ 'id': 'format-1'}, {'device': 'format-1', 'path': '/', 'type': 'mount',
+ 'id': 'mount-1'}, {'volume': 'disk-sda', 'key': ...
- May 11 22:27:25 ubuntu-server curtin_log.2310[2592]: merged config:
{'sources': {'ubuntu00': 'cp:///media/filesystem'}, 'stages': ['early',
'partitioning', 'extract', 'curthooks', 'hook', 'late'], 'extract_commands':
{'builtin': ['curtin', 'extract']}, 'hook_commands': {'builtin': ['curtin',
'hook']}, 'partitioning_commands': {'builtin': ['curtin', 'block-meta',
'simple']}, 'curthooks_commands': {'builtin': ['curtin', 'curthooks'],
'000-configure-run': ['/snap/bin/subiquity.subiquity-configure-run'],
'001-configure-apt': ['/snap/bin/subiquity.subiquity-configure-apt',
'/snap/subiquity/1866/usr/bin/python3', 'true']}, 'late_commands': {'builtin':
[]}, 'network_commands': {'builtin': ['curtin', 'net-meta', 'auto']},
'apply_net_commands': {'builtin': []}, 'install': {'log_file':
'/var/log/curtin/install.log', 'error_tarfile':
'/var/log/curtin/curtin-error-logs.tar', 'save_install_config':
'/var/log/installer/curtin-install-cfg.yaml', 'save_install_log':
'/var/log/installer/curtin-install.log', 'target': '/target', 'unmount':
'disabled'}, 'apt': {'preserve_sources_list': False, 'primary': [{'arches':
['amd64', 'i386'], 'uri': 'http://se.archive.ubuntu.com/ubuntu'}, {'arches':
['default'], 'uri': 'http://ports.ubuntu.com/ubuntu-ports'}]},
'debconf_selections': {'subiquity': ''}, 'grub': {'probe_additional_os': True,
'terminal': 'unmodified'}, 'kernel': {'package': 'linux-generic'}, 'pollinate':
{'user_agent': {'subiquity': '20.05.1_1866'}}, 'reporting': {'subiquity':
{'identifier': 'curtin_event.2310', 'type': 'journald'}}, 'storage': {'config':
[{'ptable': 'gpt', 'serial': 'XXX', 'wwn': 'XXX', 'path': '/dev/nvme0n1',
'wipe': 'superblock', 'preserve': False, 'name': '', 'grub_device': False,
'type': 'disk', 'id': 'disk-nvme0n1'}, {'serial': 'XXX', 'wwn': 'XXX', 'path':
'/dev/sda', 'wipe': 'superblock', 'preserve': False, 'name': '', 'grub_device':
False, 'type': 'disk', 'id': 'disk-sda'}, {'device': 'disk-nvme0n1', 'size':
536870912, 'wipe': 'superblock', 'flag': 'boot', 'number': 1, 'preserve':
False, 'grub_device': True, 'type': 'partition', 'id': 'partition-0'},
{'fstype': 'fat32', 'volume': 'partition-0', 'preserve': False, 'type':
'format', 'id': 'format-0'}, {'device': 'disk-nvme0n1', 'size': 127496355840,
'wipe': 'superblock', 'flag': '', 'number': 2, 'preserve': False, 'type':
'partition', 'id': 'partition-1'}, {'fstype': 'btrfs', 'volume': 'partition-1',
'preserve': False, 'type': 'format', 'id': 'format-1'}, {'device': 'format-1',
'path': '/', 'type': 'mount', 'id': 'mount-1'}, {'volume': 'disk-sda', 'key':
...
-
-
- We shouldn't be logging this passphrase to disk, even inside the encrypted
portion, because it's too easy for the password to leak, as it has here.
+ We shouldn't be logging this passphrase to disk, even inside the
+ encrypted portion, because it's too easy for the password to leak, as it
+ has here.
Thanks
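Review bot: The new "Fix published in" block at the top of the description names the fixed revisions (20.05.2, 1873 to 1876) but gives no guidance for systems installed before them, where the three locations listed below it (installer/subiquity-curtin-install.conf, curtin/install.log and syslog) still hold the passphrase. Suggest adding a line under "Images respin pending" saying what to do with those existing log files and with the exposed passphrase.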
** Changed in: subiquity (Ubuntu)
Status: Triaged => Fix Committed
--
https://bugs.launchpad.net/bugs/1878115
Title:
logged luks passwords
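An added example, not code from curtin or subiquity: a sketch of the two mitigations this report points at, masking the `key` field before a merged config is logged and moving the plaintext `key` into a keyfile that the config references instead. The function names, the `keyfile` field name, the `dm_crypt` type label and the sample config are assumptions constructed for illustration.

```python
import copy
import os
import tempfile

# Constructed sample shaped like the storage entries quoted in the bug report.
SAMPLE = {
    "install": {"log_file": "/var/log/curtin/install.log"},
    "storage": {"config": [
        {"type": "disk", "id": "disk-sda", "path": "/dev/sda"},
        # 'type' value is an assumption; the passphrase is made up.
        {"type": "dm_crypt", "id": "dm_crypt-0", "volume": "disk-sda",
         "key": "constructed-passphrase"},
    ]},
}


def _entries(config):
    return config.get("storage", {}).get("config", [])


def redact_for_log(config):
    """Return a deep copy that is safe to log: every 'key' value is masked."""
    safe = copy.deepcopy(config)
    for entry in _entries(safe):
        if "key" in entry:
            entry["key"] = "<REDACTED>"
    return safe


def to_keyfile(config, directory):
    """Return a copy where each plaintext 'key' is moved into a 0600 file
    and the entry references it through 'keyfile' (assumed field name)."""
    out = copy.deepcopy(config)
    for entry in _entries(out):
        if "key" not in entry:
            continue
        # mkstemp creates the file readable and writable by the owner only.
        fd, path = tempfile.mkstemp(prefix="luks-", dir=directory)
        with os.fdopen(fd, "w") as fh:
            fh.write(entry.pop("key"))
        entry["keyfile"] = path
    return out


if __name__ == "__main__":
    print("merged config: %s" % redact_for_log(SAMPLE))
    with tempfile.TemporaryDirectory() as tmp:
        print("merged config: %s" % to_keyfile(SAMPLE, tmp))
```

With the keyfile form, a verbatim dump of the config exposes only a path, so the secret's exposure is governed by the file's permissions and lifetime rather than by every log sink the config passes through.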