vmbuilder default account not well-documented

Bug #503467 reported by J. Bruce Fields
Affects: vm-builder (Ubuntu)
Status: Confirmed
Importance: Wishlist
Assigned to: Unassigned
Milestone: (none)

Bug Description

Binary package hint: python-vm-builder

I created a new kvm guest using vmbuilder (following, if I remember correctly, https://help.ubuntu.com/community/KVM/CreateGuests and/or https://help.ubuntu.com/community/JeOSVMBuilder), put it on the net without noticing that it had created a default account (with user and password both "ubuntu") and promptly got hacked by somebody running an ssh scanner. (I never needed a default account myself since I depended on the --ssh-key option to log me in to the new guest.)

OK, my mistake: something as simple as "ls /home" would probably have been enough to alert me to the problem; and https://help.ubuntu.com/community/JeOSVMBuilder does mention the default at some point (though not very prominently).

In my defense: vmbuilder appeared to be the preferred way to create kvm guests from the command line, and it's somewhat surprising that it would by default create guests that were unsafe to put on the network.

Since this appears to be a property of one of the included templates, not of vmbuilder itself, I'm not sure where this is best documented.

The ideal might be if vmbuilder could warn the user about the default and require positive confirmation before proceeding ("are you sure you want this (y/n)?").

visibility: private → public
Thierry Carrez (ttx)
Changed in vm-builder (Ubuntu):
importance: Undecided → Wishlist
status: New → Confirmed
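As an added illustration of the check this report asks for, not code from vmbuilder or from anyone in this thread: a small POSIX sh audit that, run against a freshly built guest root (here a constructed temp directory with placeholder passwd, shadow and sshd_config files standing in for the image), lists accounts that can still log in with a password, checks whether sshd would accept such logins, and shows the edit `passwd -l` makes to lock them. The `ubuntu` account, the sample hash and the `GUEST_ROOT` path are all constructed for the demonstration.

```shell
#!/bin/sh
# Constructed guest root: stand-in for the mounted vmbuilder image.
GUEST_ROOT=$(mktemp -d)
mkdir -p "$GUEST_ROOT/etc/ssh"
cat > "$GUEST_ROOT/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
EOF
# The ubuntu hash below is a placeholder, not real crypt(3) output.
cat > "$GUEST_ROOT/etc/shadow" <<'EOF'
root:*:15000:0:99999:7:::
ubuntu:$6$saltsalt$PLACEHOLDERHASH:15000:0:99999:7:::
sshd:!:15000:0:99999:7:::
EOF
printf 'PasswordAuthentication yes\n' > "$GUEST_ROOT/etc/ssh/sshd_config"

# Users whose shadow entry allows password login: hash not locked
# ("!" or "*" prefix; an empty field is also reachable) and a real shell.
password_users() {
  awk -F: 'FNR==NR { if ($2 !~ /^[!*]/) ok[$1]=1; next }
           ($1 in ok) && $7 !~ /nologin$|false$/ { print $1 }' \
      "$1/etc/shadow" "$1/etc/passwd"
}

# Effective PasswordAuthentication value; sshd defaults to yes when unset.
ssh_password_auth() {
  awk 'tolower($1)=="passwordauthentication" { v=tolower($2) }
       END { print (v=="" ? "yes" : v) }' "$1/etc/ssh/sshd_config"
}

# Lock every password-capable hash by prefixing "!" (what passwd -l does);
# prints the rewritten shadow file to stdout instead of editing in place.
lock_shadow() {
  awk -F: 'BEGIN{OFS=":"} $2 !~ /^[!*]/ { $2 = "!" $2 } { print }' "$1"
}

# Non-zero exit when an account is reachable over ssh with a password.
audit_guest() {
  users=$(password_users "$1")
  if [ -n "$users" ] && [ "$(ssh_password_auth "$1")" = "yes" ]; then
    echo "RISK: password ssh login possible for: $users"
    return 1
  fi
  echo "OK: no password-reachable accounts over ssh"
}

audit_guest "$GUEST_ROOT" || true
```

Pointing `audit_guest` at the mount point of a new image before it is first networked gives the "are you sure" moment the reporter asks for; locking or replacing the template's password is the fix, not just documenting it.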
Simon Huerlimann (huerlisi) wrote:

Another possibility would be to use a random password (maybe using pwgen) and output it at the end of the installation.

Nils Toedtmann (m-launchpad-net-mail-nils-toedtmann-net) wrote:

I ran into the same issue and was only lucky because I disable password-based ssh login on my machines.

This is a security issue, not "wishlist"; please change the importance. Insecure defaults must be changed or at least very prominently warned about. Mentioning this behavior in the help page is not enough.

One should ssh scan the cloud for this account ;-)
