remote ssh login possible using well known password

Bug #1716651 reported by Piotr on 2017-09-12
This bug affects 1 person
Affects: CirrOS
Importance: Undecided
Assigned to: Unassigned

Bug Description

The CirrOS image is frequently used for testing in our OpenStack-based development datacenter. Unfortunately, users sometimes forget to remove instances in their projects. When the instance is attached to a public network and the security group allows remote SSH access, the instance becomes an open gateway for privilege escalation (in this case, gaining access to the datacenter network).

Perhaps it would be better if a random password were generated on boot and then printed on the console?

I've found another bug related to the default password: #1454144

So finally, the random password should consist of capitals, letters and digits.

Usually, such remote system access bugs are classified as critical security issues. On the other hand, CirrOS is intended for testing and such access is configured intentionally. Anyway, let's discuss to find a balance between security and usability.
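
A sketch of the boot-time random password proposed in the report above, added here as an example; it is not CirrOS code and not from the reporter. The function names, the `APPLY_PASSWORD` and `BOOT_USER` variables and the console path argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; not part of CirrOS. All names below are hypothetical.

# Print a random password of $1 characters (default 16) drawn uniformly
# from A-Z, a-z and 0-9. Bytes outside that set are discarded rather than
# mapped with a modulo, so no character is more likely than another.
gen_password() {
    len="${1:-16}"
    pw=""
    while [ "${#pw}" -lt "$len" ]; do
        # Read a bounded chunk so the pipeline ends without SIGPIPE.
        chunk=$(head -c 64 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')
        pw="${pw}${chunk}"
    done
    printf '%s\n' "$pw" | cut -c "1-${len}"
}

# Set the password for user $1 and announce it on console device $2.
# The password is written to the console only, never to a file on disk.
set_boot_password() {
    user="$1"
    console="${2:-/dev/console}"
    pw=$(gen_password 16)
    # chpasswd reads "user:password" lines on stdin.
    printf '%s:%s\n' "$user" "$pw" | chpasswd || return 1
    printf 'login as %s, generated password: %s\n' "$user" "$pw" > "$console"
}

# Runs only when explicitly requested, e.g. from an init script:
#   APPLY_PASSWORD=1 BOOT_USER=<account> sh this-script
if [ "${APPLY_PASSWORD:-0}" = "1" ]; then
    set_boot_password "${BOOT_USER:?BOOT_USER not set}"
fi
```

Anyone who can read the instance console log can read the password, so access to that log needs the same protection as the credential itself.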
