Comment 5 for bug 2075968

I dug into this a bit more, and it seems this issue occurs specifically for the user `ubuntu`. Before the upgrade, I copied the contents of /etc/shadow, and compared them to /etc/shadow after the first reboot after the upgrade.

$ diff -u <(/etc/shadow) /home/ubuntu/before/shadow
--- /dev/fd/63 2024-08-08 14:57:08.366981261 -0400
+++ /home/ubuntu/before/shadow 2024-08-08 14:20:17.158139781 -0400
@@ -1,4 +1,4 @@
-root:$y$j9T$NXJHsSu.l5iqspt5f8zzu/$CaDVSozRbChrGCSerFmv3Ck8lxPAQlj9D7MdG4Wrbm6:19943:0:99999:7:::
+root:!:19934:0:99999:7:::
 daemon:*:19769:0:99999:7:::
 bin:*:19769:0:99999:7:::
 sys:*:19769:0:99999:7:::
@@ -25,6 +25,7 @@
 tss:*:19769:0:99999:7:::
 uuidd:*:19769:0:99999:7:::
 tcpdump:*:19769:0:99999:7:::
+avahi-autoipd:*:19769:0:99999:7:::
 usbmux:*:19769:0:99999:7:::
 dnsmasq:*:19769:0:99999:7:::
 kernoops:*:19769:0:99999:7:::
@@ -39,10 +40,5 @@
 colord:*:19769:0:99999:7:::
 pulse:*:19769:0:99999:7:::
 hplip:*:19769:0:99999:7:::
-ubuntu:!$y$j9T$LreISCn8cWENVi4Mw1/cv.$Kkn9WO6CGCd/QUW8CUJoCHRZE8./VZmCfqDixXr8TU6:19934:0:99999:7:::
+ubuntu:$y$j9T$LreISCn8cWENVi4Mw1/cv.$Kkn9WO6CGCd/QUW8CUJoCHRZE8./VZmCfqDixXr8TU6:19934:0:99999:7:::
 sshd:*:19943:0:99999:7:::
-snapd-range-524288-root:!:19943::::::
-snap_daemon:!:19943::::::
-dhcpcd:!:19943::::::
-cups-browsed:!:19943::::::
-polkitd:!*:19943::::::

We can see that the entry for `ubuntu` changed. Looking at the journal, from that boot, it seems that cloud-init changed the passwd:

$ journalctl -b -1 --grep ubuntu
Aug 08 14:50:33 xubuntu kernel: Linux version 6.8.0-40-generic (buildd@lcy02-amd64-075) (x86_64-linux-gnu-gcc-13 (Ubuntu 13.2.0-23ubuntu4) 13.2.0, GNU ld (GNU Binutils for Ubuntu) 2.42) #40-Ubuntu SMP PREEMPT_DYNAMIC Fri Jul 5 10:34:03 UTC 2024 (Ubuntu 6.8.0-40.40-generic 6.8.12)
Aug 08 14:50:33 xubuntu kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (Ubuntu Core 2019): c1d57b8f6b743f23ee41f4f7ee292f06eecadfb9'
Aug 08 14:50:33 xubuntu systemd[1]: systemd 255.4-1ubuntu8.2 running in system mode (+PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT -GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
Aug 08 14:50:33 xubuntu systemd[1]: Hostname set to <xubuntu>.
Aug 08 14:50:34 xubuntu cloud-init[564]: Cloud-init v. 24.1.3-0ubuntu3.3 running 'init-local' at Thu, 08 Aug 2024 18:50:34 +0000. Up 4.19 seconds.
Aug 08 14:50:34 xubuntu systemd-resolved[632]: Using system hostname 'xubuntu'.
Aug 08 14:50:35 xubuntu cloud-init[760]: Cloud-init v. 24.1.3-0ubuntu3.3 running 'init' at Thu, 08 Aug 2024 18:50:35 +0000. Up 5.51 seconds.
Aug 08 14:50:36 xubuntu passwd[869]: password for 'ubuntu' changed by 'root'
Aug 08 14:50:37 xubuntu cloud-init[760]: SHA256:GGMsp52cN8EAJYlqOdJArAxzOEhwfitNlPBgGQCVOTE root@xubuntu
Aug 08 14:50:37 xubuntu cloud-init[760]: SHA256:TcJuGTUBYjDMo+GVodNfGgE5P5FeszDy/8QddKQanJE root@xubuntu
Aug 08 14:50:37 xubuntu cloud-init[760]: SHA256:hjnsPHfUrAQbIkiRETrAszNsqZppRrI3dhTU4BGKy5s root@xubuntu

Looking at /etc/cloud/cloud.cfg, I see the lock_passwd[1] option set for `ubuntu`:

# System and/or distro specific settings
# (not accessible to handlers/transforms)
system_info:
  # This will affect which distro class gets used
  distro: ubuntu
  # Default user name + that default users groups (if added/used)
  default_user:
    name: ubuntu
    lock_passwd: True
    gecos: Ubuntu
    groups: [adm, cdrom, dip, lxd, sudo]
    sudo: ["ALL=(ALL) NOPASSWD:ALL"]
    shell: /bin/bash

The docs even say that cloud-init will apply lock_passwd for existing users. This seems wrong.

[1] https://cloudinit.readthedocs.io/en/latest/reference/modules.html#users-and-groups