cc_set_passwords does not expire users if password given as hash

Bug #1979065 reported by Roni Väyrynen
Status: Fix Released

Bug Description

Documentation explains three different ways of setting a user password using chpasswd but doesn't mention that they would otherwise work any differently from one another. Passwords should by default be expired if not specifically set otherwise in chpasswd. However, if one sets the password as a hash, either in password or in the chpasswd list, cloud-init skips passwd --expire <username> completely, which doesn't match the documented behaviour.

This part only applies to users who had either a plain text password or a random password set.

James Falcon (falcojr) wrote :

Thanks for reporting this. I can reproduce the behavior described.

Changed in cloud-init:
status: New → Triaged
importance: Undecided → High
Chad Smith (chad.smith) wrote :

Expectation here is to fix hashed passwords to also expire.

Validated that hashed password is not expired by default:

# Write the cloud-config user data. The heredoc delimiter is quoted so the
# shell does not expand the $6$... fields of the password hash.
cat > hash_pw_not_expired.yaml <<'EOF'
#cloud-config
ssh_pwauth: true
users:
 - default
 - gecos: User One
   name: u1
   groups: [adm, cdrom, dip, lxd, sudo]
   lock_passwd: False
 - gecos: User Two
   name: u2
   groups: [adm, cdrom, dip, lxd, sudo]
   lock-passwd: False
chpasswd:
  list:
   - u1:$6$rounds=4096$4Bbw0KI52G71TqOT$a.mEik19QEe9Lfot2gt6Ff5rUwYkLm49SAIDJoNrxd4V/PL21e83FqK/aDVV6CGFM/GNH6CtvR0Sk52i9jhNK1
   - u2:RANDOM
EOF
# Launch a jammy container with that user data and wait for cloud-init to finish
lxc launch ubuntu-daily:jammy test-pw-expiry -c user.user-data="$(cat hash_pw_not_expired.yaml)"
lxc exec test-pw-expiry -- cloud-init status --wait --long
# Extract the container's IPv4 address
IP=`lxc ls -c 4 test-pw-expiry | awk '/eth/{print $2}'`
ssh u1@$IP # hashed password this4now
# Note no expiry notice
lxc console test-pw-expiry --show-log | grep u2
# Copy password and login
ssh u2@$IP # Use random password printed to console from above
# Note expiry notice

Chad Smith (chad.smith) wrote :

After further review and discussion on this item, we determined it's best not to change existing behavior, but fix the docs to align with current behavior. Introducing a change in behavior for hashed password expiry may break automation expecting to rely on this feature.

Since the introduction of hashed password support in cloud-init released in 2017[1], the hashed passwords are not expired. Let's retain and more clearly document that behavior.

[1] hashed pw support

James Falcon (falcojr) wrote :

After further further review, we decided to fix the behavior after all. See

A follow-on PR will ensure the original behavior is preserved for existing releases.

Changed in cloud-init:
status: Triaged → Fix Committed
Brett Holman (holmanb) wrote : Fixed in cloud-init version 22.3.

This bug is believed to be fixed in cloud-init in version 22.3. If this is still a problem for you, please make a comment and set the state back to New.

Thank you.

Changed in cloud-init:
status: Fix Committed → Fix Released
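
Added example, not part of the bug thread and not cloud-init's own code: a small audit of chpasswd list entries that flags users whose hashed password would stay unexpired under the behaviour reported in this bug (before the fix in 22.3). The hash-detection regex, the function names and the sample entries are assumptions constructed for illustration.

```python
import re

# Assumption: a crypt(3)-style "$id$salt$hash" value marks a pre-hashed password.
HASH_RE = re.compile(r"^\$(1|2a|2y|5|6)(\$.+){2}$")

# Constructed sample entries in "user:password" form (not real credentials).
SAMPLE_ENTRIES = [
    "u1:$6$rounds=4096$examplesalt$" + "A" * 86,  # hashed
    "u2:RANDOM",                                   # random password requested
    "u3:pl:ain",                                   # plain text containing ':'
]


def classify(password):
    """Return 'random', 'hash' or 'plain' for one chpasswd list value."""
    if password in ("R", "RANDOM"):
        return "random"
    if HASH_RE.match(password):
        return "hash"
    return "plain"


def audit_chpasswd(entries, expire=True, hashed_expire_fixed=False):
    """Map each user to (kind, will_expire).

    expire: the chpasswd 'expire' setting (on by default).
    hashed_expire_fixed: False models the behaviour reported in this bug,
    True models the behaviour after the fix.
    """
    report = {}
    for entry in entries:
        # Split on the first ':' only, so passwords may contain ':'.
        user, sep, password = entry.partition(":")
        if not sep or not user:
            raise ValueError(f"malformed chpasswd entry: {entry!r}")
        kind = classify(password)
        will_expire = expire and (kind != "hash" or hashed_expire_fixed)
        report[user] = (kind, will_expire)
    return report


def unexpired_hashed_users(entries, expire=True):
    """Users whose hashed password is left unexpired although expire is on."""
    if not expire:
        return []  # nothing is expected to expire, so nothing to flag
    report = audit_chpasswd(entries, expire, hashed_expire_fixed=False)
    return sorted(u for u, (kind, exp) in report.items()
                  if kind == "hash" and not exp)
```

Running `unexpired_hashed_users` over the entries of a deployment's user data lists the accounts that should be expired by hand with `passwd --expire <username>` on images that predate the fix.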
James Falcon (falcojr) wrote :