cloud init prefixes password hash with exclamation mark

Bug #2006052 reported by windowsguy
Affects: cloud-init | Status: Expired | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

Host OS is Ubuntu 22.04 LTS.

Guest info:

- Ubuntu 22.04 LTS KVM guest: https://cloud-images.ubuntu.com/releases/22.04/release/ubuntu-22.04-server-cloudimg-amd64-disk-kvm.img (also tried with https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64-disk-kvm.img)
- cloud-init package: 22.4.2-0ubuntu0~22.04.1

I use this to configure password for the Ubuntu user:

users:
  - name: ubuntu
    gecos: Ubuntu User
    sudo: ALL=(ALL) NOPASSWD:ALL
    shell: /bin/bash
    groups: sudo
    lock_passwd: false
    # mkpasswd --method=SHA-512 --rounds=4096 -S "1234asdf"
    passwd: $6$rounds=4096$1234asdf$3Ym7weobJp/ORkJML66e54IyCEOGKM8C1zfQj4NRngDgJJGdEJn3O9rocWy0uVc84PbEvSnzji3a54X5FOb230

While provisioning is still running, I can log in as root (configured separately) and observe that the hash in /etc/shadow is identical to this (as expected). Also 'ubuntu' can log in.

After provisioning is complete and the VM reboots, I cannot log in as 'ubuntu'.

I log in as root and find that now a '!' was prefixed to password hash in /etc/shadow:

ubuntu:!$6$rounds=4096$1....

If I remove that '!', I can log in as the ubuntu user.

I tried surrounding the password with single and double quotes, no difference. Initially it's provisioned correctly, so it's something that injects that '!' after that.

windowsguy (something-f)
summary: - cloud init prefixes password hash adds exclamation mark
+ cloud init prefixes password hash with exclamation mark
Revision history for this message
Alberto Contreras (aciba) wrote :

Hello windowsguy.

Firstly, your command to generate the hashed password is wrong, as you are specifying the salt and not the password. See [1].

To hash 1234asdf execute:

$ mkpasswd --method=SHA-512 --rounds=4096 1234asdf
$6$rounds=4096$MJ9ozPaNS2HWVZcg$rwThVdxIm33BegbW2f2gNLq3JXzej5URpdOxPKna5uSI6K/opwxdZ317vgM1btgcys89ZDu520aglKOSvjT3Z0

or

$ mkpasswd --method=SHA-512 --rounds=4096 -S mycoolsalt 1234asdf
$6$rounds=4096$mycoolsalt$hNRWY61tyEOF.15a9a2q8PZ5Z/vFmBcRTDJrPzrl5ZK/iVPLQjCvEKWUmjSkqE1EyIRLgaYLYY1Y6BomzTIV./

Secondly, a password field which starts with an exclamation mark in /etc/shadow means that the password is locked, see [2]. This probably happened because you tried to log in using 1234asdf as the password a lot of times.

I am going to mark this bug as invalid. Please try with one of those hashed passwords and comment here if you find any additional problem.

[1] https://manpages.ubuntu.com/manpages/jammy/en/man1/mkpasswd.1.html
[2] https://manpages.ubuntu.com/manpages/jammy/en/man5/shadow.5.html

Changed in cloud-init:
status: New → Invalid
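The two points in Alberto's reply (the '!' prefix is the lock marker written by passwd -l / usermod --lock, and the reporter's hash has the literal "1234asdf" in its salt slot because mkpasswd -S takes the salt, not the password) can both be checked mechanically. The following is an added example, written for this page and not part of cloud-init or the bug report: it parses /etc/shadow password fields into lock state, hash method, rounds and salt. The shadow excerpt is constructed sample data that reuses the two hashes quoted above; the daemon and nopass lines are made up to exercise the other field states.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed /etc/shadow excerpt (sample data, not copied from any host). The
# ubuntu line is the reporter's hash with the '!' they observed after reboot; the
# root line is the salted hash from the reply above.
SAMPLE_SHADOW = """\
root:$6$rounds=4096$mycoolsalt$hNRWY61tyEOF.15a9a2q8PZ5Z/vFmBcRTDJrPzrl5ZK/iVPLQjCvEKWUmjSkqE1EyIRLgaYLYY1Y6BomzTIV./:19400:0:99999:7:::
ubuntu:!$6$rounds=4096$1234asdf$3Ym7weobJp/ORkJML66e54IyCEOGKM8C1zfQj4NRngDgJJGdEJn3O9rocWy0uVc84PbEvSnzji3a54X5FOb230:19400:0:99999:7:::
daemon:*:19400:0:99999:7:::
nopass::19400:0:99999:7:::
"""

METHOD_NAMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
DEFAULT_ROUNDS = {"5": 5000, "6": 5000}   # sha*crypt default when rounds= is absent


@dataclass
class PasswordField:
    user: str
    locked: bool            # field starts with '!': what passwd -l / usermod -L write
    disabled: bool          # '*' or other non-crypt text: no password login possible
    empty: bool             # empty field: login without any password
    method: Optional[str]
    rounds: Optional[int]
    salt: Optional[str]

    @property
    def password_login_possible(self) -> bool:
        return not self.locked and not self.disabled


def parse_crypt(body: str) -> Optional[List[str]]:
    """Split a crypt(3) field '$id$[rounds=N$|yescrypt-params$]salt$hash' into
    [id, rounds-or-None, salt, hash]; None if the text is not a crypt hash."""
    parts = body.split("$")
    if len(parts) < 4 or parts[0] != "":
        return None
    method_id, rest = parts[1], parts[2:]
    rounds = None
    if rest[0].startswith("rounds="):
        rounds = rest[0][len("rounds="):]
        rest = rest[1:]
    elif method_id == "y":          # yescrypt carries a parameter blob, not rounds=
        rest = rest[1:]
    if len(rest) != 2:
        return None
    return [method_id, rounds, rest[0], rest[1]]


def parse_password_field(user: str, field: str) -> PasswordField:
    locked = field.startswith("!")
    body = field.lstrip("!")        # everything after the lock marker(s)
    if body == "":
        return PasswordField(user, locked, False, True, None, None, None)
    parsed = parse_crypt(body)
    if parsed is None:
        return PasswordField(user, locked, True, False, None, None, None)
    method_id, rounds, salt, _digest = parsed
    return PasswordField(
        user, locked, False, False,
        METHOD_NAMES.get(method_id, f"crypt-id-{method_id}"),
        int(rounds) if rounds else DEFAULT_ROUNDS.get(method_id),
        salt,
    )


def parse_shadow(text: str) -> Dict[str, PasswordField]:
    """Parse shadow(5) lines; the password field is the second colon-separated field."""
    out: Dict[str, PasswordField] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        out[fields[0]] = parse_password_field(fields[0], fields[1])
    return out


def unlock_field(field: str) -> str:
    """The edit the reporter made by hand: drop the leading '!' (passwd -u does the same)."""
    return field.lstrip("!")


if __name__ == "__main__":
    for name, pf in parse_shadow(SAMPLE_SHADOW).items():
        state = "locked" if pf.locked else "disabled" if pf.disabled else "empty" if pf.empty else "active"
        print(f"{name:8s} {state:8s} method={pf.method} rounds={pf.rounds} salt={pf.salt!r}")
```

Run against a real /etc/shadow (as root) the salt column makes the mkpasswd mistake visible at a glance: a salt that reads like a password is one. The parser only understands the md5crypt/sha*crypt/yescrypt shapes; anything else is reported as disabled rather than guessed at.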
Revision history for this message
windowsguy (something-f) wrote :

The password command was a typo. What I used was mkpasswd --method=SHA-512 --rounds=4096 -S "1234asdf" and then provided my "standard" lab password, which was the same as root. I couldn't log in as ubuntu after removing ! from it as root if I didn't correctly produce the hash.

Last week I had to deploy a search-and-replace service as part of cloud-init, to remove that ! on OS restart, but I just tried 10 times and saw it only once (no idea why, I see zero failed login SSH attempts in auth.log and the system is my desktop with me as the only user, so I still think there's something wrong, but can no longer reproduce it at will).

I agree with your decision to close it.

Revision history for this message
Alberto Contreras (aciba) wrote :

I tried to reproduce it assuming a valid hashed password, but I was not able to get an exclamation mark in the password. If you find a reproducer, please update this bug and we will be happy to have a look.

Revision history for this message
Scott Moser (smoser) wrote :

windowsguy,
It might be helpful for you to collect log information with 'cloud-init collect-logs'.

This sounds to me like a problem where the "instance-id" is changing. On reboot, cloud-init thinks this is a new instance-id and a.) does not see the user-data you provided, b.) locks the default user account.

Revision history for this message
Chad Smith (chad.smith) wrote :

Hiya windowsguy,

One thing we hope to see here with your attached tar/zipped logs from `cloud-init collect-logs` is whether cloud-init is actually making a call to passwd -l or usermod --lock in logs.

I'll mark this bug as 'Incomplete' status. Please set it back to 'New' when you have had a chance to attach the full cloud-init.log (or tgz from cloud-init collect-logs).

NOTE: when using cloud-init collect-logs it'll capture your user-data in /run/cloud-init/instance-data-sensitive.json which does contain your password in this case, so make sure you redact any specific password or hash listed if attaching that tarfile.

Changed in cloud-init:
status: Invalid → Incomplete
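Scott's and Chad's comments describe one concrete check: compare the instance-id cloud-init recorded on the two boots, and look in cloud-init.log for the passwd -l / usermod --lock call that would have written the '!'. The following is an added example, written for this page and not cloud-init's own code or anything from the thread. It assumes the "Running command [...] with allowed return codes" line shape that cloud-init's subp module writes for every command it runs, and the /var/lib/cloud/data/instance-id and previous-instance-id files; the log excerpt, timestamps, user names and instance ids are constructed sample data.

```python
import ast
import re
from pathlib import Path
from typing import List, Optional, Tuple

# Constructed cloud-init.log excerpt (sample data, not the reporter's logs).
SAMPLE_LOG = """\
2023-02-01 10:00:02,250 - subp.py[DEBUG]: Running command ['useradd', 'ubuntu', '--comment', 'Ubuntu', '--groups', 'adm,sudo', '--shell', '/bin/bash', '-m'] with allowed return codes [0] (shell=False, capture=True)
2023-02-01 10:00:02,300 - subp.py[DEBUG]: Running command ['passwd', '-l', 'ubuntu'] with allowed return codes [0] (shell=False, capture=True)
2023-02-01 10:00:02,900 - subp.py[DEBUG]: Running command ['usermod', '--lock', 'deploy'] with allowed return codes [0] (shell=False, capture=True)
2023-02-01 10:00:03,000 - subp.py[DEBUG]: Running command ['passwd', '--expire', 'ubuntu'] with allowed return codes [0] (shell=False, capture=True)
"""

CMD_RE = re.compile(r"Running command (\[.*?\]) with allowed return codes")
# Flags that make the tool prefix '!' to the shadow password field.
LOCK_FLAGS = {"passwd": {"-l", "--lock"}, "usermod": {"-L", "--lock"}}


def find_lock_commands(log_text: str) -> List[Tuple[str, str]]:
    """Return (user, command) for every logged passwd/usermod call that locks an account."""
    found = []
    for line in log_text.splitlines():
        m = CMD_RE.search(line)
        if not m:
            continue
        try:
            argv = ast.literal_eval(m.group(1))   # the log prints the Python list repr
        except (ValueError, SyntaxError):
            continue
        if not isinstance(argv, list) or not argv:
            continue
        tool = Path(str(argv[0])).name            # tolerate a full path such as /usr/bin/passwd
        flags = LOCK_FLAGS.get(tool)
        if flags and flags.intersection(argv[1:]):
            found.append((str(argv[-1]), " ".join(map(str, argv))))
    return found


def instance_id_changed(current: Optional[str], previous: Optional[str]) -> bool:
    """True when cloud-init saw a different instance-id than on the previous boot,
    the condition under which it reruns per-instance config and relocks the default user."""
    if current is None or previous is None:
        return False                              # first boot or no record: nothing to compare
    return current.strip() != previous.strip()


def read_instance_ids(data_dir: Path = Path("/var/lib/cloud/data")) -> Tuple[Optional[str], Optional[str]]:
    """Read the current and previous instance-id as cloud-init recorded them."""
    def read(name: str) -> Optional[str]:
        p = data_dir / name
        return p.read_text().strip() if p.exists() else None
    return read("instance-id"), read("previous-instance-id")


def diagnose(log_text: str, current: Optional[str], previous: Optional[str], user: str) -> str:
    locked_by = [cmd for who, cmd in find_lock_commands(log_text) if who == user]
    if locked_by and instance_id_changed(current, previous):
        return f"new instance-id ({previous!r} -> {current!r}) and cloud-init ran: {locked_by[0]}"
    if locked_by:
        return f"cloud-init ran: {locked_by[0]} (instance-id unchanged)"
    if instance_id_changed(current, previous):
        return f"instance-id changed ({previous!r} -> {current!r}) but no lock command logged"
    return "no lock command logged and instance-id stable; look outside cloud-init"


if __name__ == "__main__":
    # On a real host replace the constructed values with read_instance_ids() and
    # the cloud-init.log from the collect-logs tarball.
    print(diagnose(SAMPLE_LOG, "iid-local02", "iid-local01", "ubuntu"))
```

The argv form is parsed with ast.literal_eval rather than a regex on the flag text so that a flag appearing inside another argument (a gecos comment, for instance) is not mistaken for a lock. Remember Chad's note when sharing the tarball: the captured instance data carries the user-data, hash included.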
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for cloud-init because there has been no activity for 60 days.]

Changed in cloud-init:
status: Incomplete → Expired