I dug into this a bit more, and it seems this issue occurs specifically for the user `ubuntu`. Before the upgrade, I copied the contents of /etc/shadow, and compared them to /etc/shadow after the first reboot after the upgrade.
We can see that the entry for `ubuntu` changed. Looking at the journal, from that boot, it seems that cloud-init changed the passwd:
$ journalctl -b -1 --grep ubuntu
Aug 08 14:50:33 xubuntu kernel: Linux version 6.8.0-40-generic (buildd@lcy02-amd64-075) (x86_64-linux-gnu-gcc-13 (Ubuntu 13.2.0-23ubuntu4) 13.2.0, GNU ld (GNU Binutils for Ubuntu) 2.42) #40-Ubuntu SMP PREEMPT_DYNAMIC Fri Jul 5 10:34:03 UTC 2024 (Ubuntu 6.8.0-40.40-generic 6.8.12)
Aug 08 14:50:33 xubuntu kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (Ubuntu Core 2019): c1d57b8f6b743f23ee41f4f7ee292f06eecadfb9'
Aug 08 14:50:33 xubuntu systemd[1]: systemd 255.4-1ubuntu8.2 running in system mode (+PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT -GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
Aug 08 14:50:33 xubuntu systemd[1]: Hostname set to <xubuntu>.
Aug 08 14:50:34 xubuntu cloud-init[564]: Cloud-init v. 24.1.3-0ubuntu3.3 running 'init-local' at Thu, 08 Aug 2024 18:50:34 +0000. Up 4.19 seconds.
Aug 08 14:50:34 xubuntu systemd-resolved[632]: Using system hostname 'xubuntu'.
Aug 08 14:50:35 xubuntu cloud-init[760]: Cloud-init v. 24.1.3-0ubuntu3.3 running 'init' at Thu, 08 Aug 2024 18:50:35 +0000. Up 5.51 seconds.
Aug 08 14:50:36 xubuntu passwd[869]: password for 'ubuntu' changed by 'root'
Aug 08 14:50:37 xubuntu cloud-init[760]: SHA256:GGMsp52cN8EAJYlqOdJArAxzOEhwfitNlPBgGQCVOTE root@xubuntu
Aug 08 14:50:37 xubuntu cloud-init[760]: SHA256:TcJuGTUBYjDMo+GVodNfGgE5P5FeszDy/8QddKQanJE root@xubuntu
Aug 08 14:50:37 xubuntu cloud-init[760]: SHA256:hjnsPHfUrAQbIkiRETrAszNsqZppRrI3dhTU4BGKy5s root@xubuntu
Looking at /etc/cloud/cloud.cfg, I see the lock_passwd[1] option set for `ubuntu`:
# System and/or distro specific settings
# (not accessible to handlers/transforms)
system_info:
# This will affect which distro class gets used
distro: ubuntu
# Default user name + that default users groups (if added/used)
default_user:
name: ubuntu
lock_passwd: True
gecos: Ubuntu
groups: [adm, cdrom, dip, lxd, sudo]
sudo: ["ALL=(ALL) NOPASSWD:ALL"]
shell: /bin/bash
The docs even say that cloud-init will apply lock_passwd for existing users. This seems wrong.
I dug into this a bit more, and it seems this issue occurs specifically for the user `ubuntu`. Before the upgrade, I copied the contents of /etc/shadow, and compared them to /etc/shadow after the first reboot after the upgrade.
$ diff -u <(/etc/shadow) /home/ubuntu/ before/ shadow before/ shadow 2024-08-08 14:20:17.158139781 -0400 y$j9T$NXJHsSu. l5iqspt5f8zzu/ $CaDVSozRbChrGC SerFmv3Ck8lxPAQ lj9D7MdG4Wrbm6: 19943:0: 99999:7: :: :19934: 0:99999: 7::: *:19769: 0:99999: 7::: 19769:0: 99999:7: :: 19769:0: 99999:7: :: 19769:0: 99999:7: :: *:19769: 0:99999: 7::: *:19769: 0:99999: 7::: autoipd: *:19769: 0:99999: 7::: *:19769: 0:99999: 7::: *:19769: 0:99999: 7::: *:19769: 0:99999: 7::: *:19769: 0:99999: 7::: *:19769: 0:99999: 7::: *:19769: 0:99999: 7::: !$y$j9T$ LreISCn8cWENVi4 Mw1/cv. $Kkn9WO6CGCd/ QUW8CUJoCHRZE8. /VZmCfqDixXr8TU 6:19934: 0:99999: 7::: $y$j9T$ LreISCn8cWENVi4 Mw1/cv. $Kkn9WO6CGCd/ QUW8CUJoCHRZE8. /VZmCfqDixXr8TU 6:19934: 0:99999: 7::: :19943: 0:99999: 7::: range-524288- root:!: 19943:: :::: !:19943: ::::: !:19943: ::::: !:19943: ::::: !*:19943: :::::
--- /dev/fd/63 2024-08-08 14:57:08.366981261 -0400
+++ /home/ubuntu/
@@ -1,4 +1,4 @@
-root:$
+root:!
daemon:
bin:*:
sys:*:
@@ -25,6 +25,7 @@
tss:*:
uuidd:
tcpdump:
+avahi-
usbmux:
dnsmasq:
kernoops:
@@ -39,10 +40,5 @@
colord:
pulse:
hplip:
-ubuntu:
+ubuntu:
sshd:*
-snapd-
-snap_daemon:
-dhcpcd:
-cups-browsed:
-polkitd:
We can see that the entry for `ubuntu` changed. Looking at the journal, from that boot, it seems that cloud-init changed the passwd:
$ journalctl -b -1 --grep ubuntu lcy02-amd64- 075) (x86_64- linux-gnu- gcc-13 (Ubuntu 13.2.0-23ubuntu4) 13.2.0, GNU ld (GNU Binutils for Ubuntu) 2.42) #40-Ubuntu SMP PREEMPT_DYNAMIC Fri Jul 5 10:34:03 UTC 2024 (Ubuntu 6.8.0-40.40-generic 6.8.12) 3ee41f4f7ee292f 06eecadfb9' hierarchy= unified) resolved[ 632]: Using system hostname 'xubuntu'. GGMsp52cN8EAJYl qOdJArAxzOEhwfi tNlPBgGQCVOTE root@xubuntu TcJuGTUBYjDMo+ GVodNfGgE5P5Fes zDy/8QddKQanJE root@xubuntu hjnsPHfUrAQbIki RETrAszNsqZppRr I3dhTU4BGKy5s root@xubuntu
Aug 08 14:50:33 xubuntu kernel: Linux version 6.8.0-40-generic (buildd@
Aug 08 14:50:33 xubuntu kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (Ubuntu Core 2019): c1d57b8f6b743f2
Aug 08 14:50:33 xubuntu systemd[1]: systemd 255.4-1ubuntu8.2 running in system mode (+PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT -GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT default-
Aug 08 14:50:33 xubuntu systemd[1]: Hostname set to <xubuntu>.
Aug 08 14:50:34 xubuntu cloud-init[564]: Cloud-init v. 24.1.3-0ubuntu3.3 running 'init-local' at Thu, 08 Aug 2024 18:50:34 +0000. Up 4.19 seconds.
Aug 08 14:50:34 xubuntu systemd-
Aug 08 14:50:35 xubuntu cloud-init[760]: Cloud-init v. 24.1.3-0ubuntu3.3 running 'init' at Thu, 08 Aug 2024 18:50:35 +0000. Up 5.51 seconds.
Aug 08 14:50:36 xubuntu passwd[869]: password for 'ubuntu' changed by 'root'
Aug 08 14:50:37 xubuntu cloud-init[760]: SHA256:
Aug 08 14:50:37 xubuntu cloud-init[760]: SHA256:
Aug 08 14:50:37 xubuntu cloud-init[760]: SHA256:
Looking at /etc/cloud/ cloud.cfg, I see the lock_passwd[1] option set for `ubuntu`:
# System and/or distro specific settings transforms)
# (not accessible to handlers/
system_info:
# This will affect which distro class gets used
distro: ubuntu
# Default user name + that default users groups (if added/used)
default_user:
name: ubuntu
lock_passwd: True
gecos: Ubuntu
groups: [adm, cdrom, dip, lxd, sudo]
sudo: ["ALL=(ALL) NOPASSWD:ALL"]
shell: /bin/bash
The docs even say that cloud-init will apply lock_passwd for existing users. This seems wrong.
[1] https:/ /cloudinit. readthedocs. io/en/latest/ reference/ modules. html#users- and-groups