[SRU] ssh root login broken

Bug #234062 reported by Soren Hansen on 2008-05-22
Affects Status Importance Assigned to Milestone
ubuntu-vm-builder (Ubuntu)

Bug Description

Binary package hint: ubuntu-vm-builder

Due to the way the security update locked the root account, ssh root logins are now not working. It uses "chpasswd -l", but the way the installer does it is using chpasswd to just set root's password to an invalid one, but without actually locking the account.

To test:
1. Create a vm adding "--ssh-key ~/.ssh/id_rsa.pub" to the command line.
2. Start the vm.
3. ssh root@virtualmachine

If it works, it works.

Soren Hansen (soren) wrote :
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-vm-builder - 0.6

ubuntu-vm-builder (0.6) intrepid; urgency=low

  * Release into Ubuntu proper.

ubuntu-vm-builder (0.5ubuntu1~ppa4) intrepid; urgency=low

  [Loic Minier]
  * Call sh -c "$EXEC_SCRIPT" instead of "$EXEC_SCRIPT"; allows to pass
    arguments to the script; also remove check that EXEC_SCRIPT exists.

  [Nick Barcet]
  * Adding an error handler to fix LP: #217950
  * Lots of sanitization to allow for error handler
  * Add an interrupt handler to cleanup if user interrupts script
  * Stop on error in user script to fix LP: #228675
  * --ssh-key adds key to root and --ssh-user-key adds key to user
  * Added --raw option to install on raw devices/files.
    WARNING: the variables used in template files for disk definition have been
    modified. Please insure that locally created templates are updated to
    reflect this change.
  * Add --firstboot and --firstlogin options
  * First login always execute "sudo dpkg-reconfigure console-setup" so
    that the local keyboard setting is taken into account.
  * Adding the --iso parameter to create image from an iso. This requires
    suite and kernel-flavour parameters to match what is available on the iso,
  * Include hostname in default destination directory if defined
  * Do not use a tmpfs by default anymore
  * Place the working directory in the same directory as dest if using --tmp -
  * Added --tmpfs option to specify usage of a tmpfs for the working directory
  * VM specific parameters do not need to be the last ones anymore
  * Unknown parameters now return an error and prints usage
  * Added --overwrite for overwriting of destination directory and libvirt
  * Added ~/.ubuntu-vm-builder config handling
  * Man page improvements and reorganization

  [Soren Hansen]
  * Fix for LP: #234062 ssh root login broken

ubuntu-vm-builder (0.4ubuntu2~ppa7) hardy; urgency=low

  [ Michael Vogt ]
  * patch the way do_avoid_starting_daemons() to write a policy-rc.d file in
    the same way as pbuilder does (LP: #228372)

  [ Nick Barcet ]
  * Lock the root account by default (LP: #230291)
  * Add ssh keys to the user account and not to root (LP: #230291)
  * Added function do_copy_settings to fix bug LP: #221231
  * Fix missing ipv6 entries in host file (LP: #230299)
  * Fix issue with template arguments fetching (LP: #228268)
  * Create the /etc/apt/sources.list properly (LP: #218195)
  * Use a tmpfs for $WORKINGDIR to avoid case when file system is mounted
    with no suid (LP: #228744)
  * Unproper letters variable initialization (LP: #230312)
  * Option --net failed other than for Class C (LP: #232361)

  [ Loic Minier ]
  * Fix v / --verbose getopt parsing. (LP: #230319)
  * Compute the default ARCH with dpkg --print-architecture. (LP: #230323)
  * Add support for lpia.
    - Allow lpia arch, lpia and lpiacompat kernel flavours.
    - Use http://ports.ubuntu.com/ubuntu-ports as default mirror for lpia.
    - Update help/documentation.
  * Check Release files against the archive keyring; depend on ubuntu-keyring.
    (LP: #230334)

 -- Soren Hansen <email address hidden> Wed, 28 May 2008 11:36:02 +0200

Changed in ubuntu-vm-builder:
status: New → Fix Released
Martin Pitt (pitti) wrote :

Accepted into -proposed, please test and give feedback here

Changed in ubuntu-vm-builder:
status: New → Fix Committed
Michael Vogt (mvo) wrote :

The following change is part of the update from 0.1 to 0.2:

 --ssh-key Add the given ssh public key file (absolute path)
- to root's authorized keys and install openssh-server
+ to user's authorized keys and install openssh-server
                    (WARNING: this has strong security implications)
        # we have a key, add it
        chroot root apt-get install --force-yes -y openssh-server
- mkdir root/root/.ssh
- cp "$SSHKEY" root/root/.ssh/authorized_keys
+ mkdir root/home/$VMUSER/.ssh
+ cp "$SSHKEY" root/home/$VMUSER/.ssh/authorized_keys
+ chroot root chown -R $VMUSER:$VMUSER /home/$VMUSER/.ssh

I don't think it is part of this bugfix in particular, but this breaks the behavior between the version of ubuntu-vm-builder in hardy and the behavior of the version in hardy-proposed and is IMHO unsuitable for a SRU.

I also couldn't find a entry in the changelog of 0.1 to 0.2 that indicates this change. The upload breaks ssh login for me.


Martin Pitt (pitti) wrote :

Copied to hardy-updates.

Changed in ubuntu-vm-builder (Ubuntu Hardy):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers