When provisioning a virtual machine on Azure, a user password may be provided. Cloud-init retrieves the password from ovf-env.xml (stored on a CDROM), which is then written to /var/lib/waagent/ovf-env.xml for later consumption by the WALinuxAgent. After first-boot provisioning, the user password is not needed by cloud-init.
While the password is stored in plain text on disk, the password is _NOT_ accessible to a non-privileged user. Both the directory and the file itself are accessible only by root (mode 0700 and 0600 respectively):
$ stat /var/lib/waagent/
  File: ‘/var/lib/waagent/’
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 801h/2049d      Inode: 2532        Links: 2
Access: (0700/drwx------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2015-04-13 11:44:08.021992200 +0000
Modify: 2015-04-13 11:44:11.341805500 +0000
Change: 2015-04-13 11:44:11.341805500 +0000
 Birth: -
$ sudo stat /var/lib/waagent/ovf-env.xml
  File: ‘/var/lib/waagent/ovf-env.xml’
  Size: 1633            Blocks: 8          IO Block: 4096   regular file
Device: 801h/2049d      Inode: 2556        Links: 1
Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2015-04-13 11:44:08.021992200 +0000
Modify: 2015-04-13 11:44:08.021992200 +0000
Change: 2015-04-13 11:44:08.021992200 +0000
 Birth: -
However, because the fabric keeps presenting /dev/sr0 (which contains ovf-env.xml) until the machine reboots, even if cloud-init masked the password in the on-disk copy, a non-privileged user may be able to read the password directly from /dev/sr0 (e.g. strings /dev/sr0 | grep UserPassword).
Canonical's guidance on this matter is that any password provided by a fabric is inherently insecure; users should leverage SSH keys.
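The following is an added illustration, not code from cloud-init or from this report. It redacts the UserPassword element from a constructed ovf-env.xml sample (the namespace and element names are the real ones, the values are made up) and then audits the two things the report separates: whether the on-disk copy still holds a plaintext password and who can read it, and whether the provisioning media is still readable by a non-owner. A plain file stands in for /dev/sr0.

```python
from pathlib import Path
import tempfile
import xml.etree.ElementTree as ET

WA_NS = "http://schemas.microsoft.com/windowsazure"
PASSWORD_TAG = f"{{{WA_NS}}}UserPassword"
ET.register_namespace("wa", WA_NS)

# Constructed sample, not a capture from a real VM.
SAMPLE_OVF_ENV = f"""<?xml version="1.0" encoding="utf-8"?>
<Environment xmlns="http://schemas.dmtf.org/ovf/environment/1" xmlns:wa="{WA_NS}">
  <wa:ProvisioningSection><wa:LinuxProvisioningConfigurationSet>
    <wa:UserName>azureuser</wa:UserName><wa:UserPassword>Example-Pass-123</wa:UserPassword>
  </wa:LinuxProvisioningConfigurationSet></wa:ProvisioningSection>
</Environment>
"""

def redact_password(ovf_xml: str, replacement: str = "REDACTED") -> str:
    # Replace every UserPassword value before the copy is written to disk.
    root = ET.fromstring(ovf_xml)
    for elem in root.iter(PASSWORD_TAG):
        elem.text = replacement
    return ET.tostring(root, encoding="unicode")

def has_plaintext_password(ovf_xml: str, replacement: str = "REDACTED") -> bool:
    root = ET.fromstring(ovf_xml)
    return any((e.text or "") not in ("", replacement) for e in root.iter(PASSWORD_TAG))

def readable_by_non_owner(path) -> bool:
    # Group or other read bit set; applies to a device node such as /dev/sr0 as well.
    return bool(Path(path).stat().st_mode & 0o044)

def audit(ovf_path, media_path) -> dict:
    # On-disk copy and provisioning media are checked separately: the second can leak even when the first is clean.
    on_disk = Path(ovf_path).read_text()
    return {
        "ovf_has_plaintext_password": has_plaintext_password(on_disk),
        "ovf_readable_by_non_owner": readable_by_non_owner(ovf_path),
        "media_readable_by_non_owner": readable_by_non_owner(media_path),
    }

def demo() -> dict:
    # Reported state on constructed files: redacted 0600 copy, but the media
    # (stand-in for /dev/sr0, typically root:cdrom 0660) still holds the original.
    tmp = Path(tempfile.mkdtemp())
    ovf, media = tmp / "ovf-env.xml", tmp / "sr0"
    ovf.write_text(redact_password(SAMPLE_OVF_ENV))
    ovf.chmod(0o600)
    media.write_text(SAMPLE_OVF_ENV)
    media.chmod(0o660)
    return audit(ovf, media)
```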