Ubuntu

root account has ! as default password

Reported by Nick Barcet on 2008-11-11
270
Affects Status Importance Assigned to Milestone
VMBuilder
Undecided
Unassigned
base-passwd (Ubuntu)
Medium
Colin Watson
Dapper
Undecided
Unassigned
Gutsy
Undecided
Unassigned
Hardy
Undecided
Unassigned
Intrepid
Undecided
Unassigned
Jaunty
Medium
Colin Watson
shadow (Ubuntu)
High
Jamie Strandboge
Dapper
High
Jamie Strandboge
Gutsy
High
Jamie Strandboge
Hardy
High
Jamie Strandboge
Intrepid
High
Jamie Strandboge
Jaunty
High
Jamie Strandboge
vm-builder (Ubuntu)
Critical
Jamie Strandboge
Dapper
Undecided
Unassigned
Gutsy
Undecided
Unassigned
Hardy
Undecided
Unassigned
Intrepid
Critical
Jamie Strandboge
Jaunty
Critical
Jamie Strandboge

Bug Description

Mathiaz reported that vm created for ec2 could be logged on to the root account using ! as a password

It was later verified that this problem could be reproduced on any vm generated by python-vm-builder and some version of ubuntu-vm-builder.

Security fix for uvb in hardy fixed this but was later on reverted in the version in -proposed

Test:
 Create a vm using "sudo vmbuilder kvm ubuntu --addpkg openssh-server"
 Start the VM
 Log in using ssh root@vm with password !

Changed in vm-builder:
status: New → Invalid
status: New → Invalid
Changed in vm-builder:
status: New → Invalid
Changed in shadow:
assignee: nobody → jdstrand
importance: Undecided → High
status: New → In Progress
assignee: nobody → jdstrand
importance: Undecided → High
status: New → In Progress
assignee: nobody → jdstrand
importance: Undecided → High
status: New → In Progress
assignee: nobody → jdstrand
importance: Undecided → High
status: New → In Progress
Jamie Strandboge (jdstrand) wrote :

Will disable affected root passwords on vm-builder created systems via shadow.

Changed in vm-builder:
assignee: nobody → jdstrand
importance: Undecided → Critical
status: New → In Progress
assignee: nobody → jdstrand
importance: Undecided → Critical
status: New → In Progress
Changed in shadow:
assignee: nobody → jdstrand
importance: Undecided → High
status: New → In Progress
Jamie Strandboge (jdstrand) wrote :

Here is the vm-builder patch I plan to upload. Works well here. Server team, can you test it?

Jamie Strandboge (jdstrand) wrote :

Here is the debdiff for intrepid. dapper-hardy also need the update, but don't require the libtool change.

Nick Barcet (nijaba) wrote :

vm-builder_0.9-0ubuntu3.1.debdiff works for me. Cannot use root/! to log into a vmbuilder generated vm.

Nick Barcet (nijaba) wrote :

shadow patch works as well in an intrepid vm displaying the issue:

ubuntu@ubuntu:~$ su
Password:
root@ubuntu:/home/ubuntu# exit
exit
ubuntu@ubuntu:~$ sudo dpkg -i passwd_4.1.1-1ubuntu1.1_amd64.deb
(Reading database ... 11868 files and directories currently installed.)
Preparing to replace passwd 1:4.1.1-1ubuntu1 (using passwd_4.1.1-1ubuntu1.1_amd64.deb) ...
Unpacking replacement passwd ...
Setting up passwd (1:4.1.1-1ubuntu1.1) ...

ubuntu@ubuntu:~$ su
Password:
su: Authentication failure
ubuntu@ubuntu:~$

Changed in shadow:
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Committed
Changed in vm-builder:
status: In Progress → Fix Committed
Changed in shadow:
status: In Progress → Fix Committed
status: Fix Committed → In Progress
Changed in vm-builder:
status: In Progress → Fix Committed
status: Fix Committed → In Progress
Changed in shadow:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
status: In Progress → Fix Released
Changed in vm-builder:
status: In Progress → Fix Released
Changed in shadow:
status: Fix Released → Fix Committed
status: Fix Committed → Fix Released
Changed in vm-builder:
status: Fix Committed → Fix Released
status: Fix Released → In Progress
Changed in vmbuilder:
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shadow - 1:4.1.1-5ubuntu3

---------------
shadow (1:4.1.1-5ubuntu3) jaunty; urgency=low

  * disable the root password for virtual machines created with vm-builder
    on Ubuntu 8.10. (LP: #296841)

 -- Jamie Strandboge <email address hidden> Thu, 13 Nov 2008 20:32:42 -0600

Changed in shadow:
status: Fix Committed → Fix Released
Changed in vm-builder:
status: In Progress → Fix Released
Jan Kokoska (jkokoska) wrote :

This fix breaks logging into our OpenVZ and Linux-VServer virtual machines created from debootstrapped templates. The routine by which you check whether the root login should be disabled is wrong:

if printf '!\0' | unix_chkpwd root nullok ; then
  echo 'root:!' | chpasswd -e
fi

This should become:

if printf '!\0' | unix_chkpwd root nonull ; then
  echo 'root:!' | chpasswd -e
fi

This bug will affect everybody who has "*" as their root password, hence not using password, hence probably exclusively using SSH keys or something such. This should have been tested better before releasing a package that will lock many people out of their template-created machines (virtual or not).

Jamie Strandboge (jdstrand) wrote :

A disabled empty root password (ie '*' in /etc/shadow) works fine. Eg, using the below 'test.sh' script:

#!/bin/sh -e
for i in nullok nonull ; do
    echo -n "$i: "
    if printf '!\0' | unix_chkpwd root $i ; then
        echo "matched"
    else
        echo "did not match"
    fi
done

$ sudo head -1 /etc/shadow
root:*:14215:0:99999:7:::
$ sudo ./test.sh
nullok: did not match
nonull: did not match

What will match with nullok but not nonull is an enabled empty root password:
$ sudo head -1 /etc/shadow
root::14215:0:99999:7:::

Of course, an enabled empty root password allows passwordless root login via ssh and the console which is not at all needed for ssh keys logins.

Jan Kokoska (jkokoska) wrote :

Hi Jamie,

Firstly, I'm curious with what sshd_config settings does sshd allow you to connect having such root line in /etc/shadow without supplying password.

Because even if I supply this config (neither of which I use in practice):

PermitRootLogin yes
PasswordAuthentication yes

I still can't login as root with empty password via SSH.

Secondly, while my original suggestion was wrong and nonull or nullok is not the main problem (it's just a coincidence that using nonull helps in my case), when you're disabling root login like this (exclamation mark in the password field, which has a special meaning of locking the account), do you realize you disable root login by SSH keys as well? It would have been much better to replace with an asterisk which achieves what you need to do and does not lock other people out.

/etc/shadow
root:!:14210:0:99999:7:::

/var/log/auth.log
Dec 5 18:12:37 root sshd[3387]: User root not allowed because account is locked

Jan

Jamie Strandboge (jdstrand) wrote :

1. I should have said "an enabled empty root password makes possible passwordless root login via ssh and the console". In other words, /etc/securetty and /etc/pam.d/common-auth need to be (mis)configured.

2. ssh public key logins are not disabled by the use of '!'. Eg:
/etc/shadow
root:!:14196:0:99999:7:::

/var/log/auth.log
Dec 15 18:17:59 sec-intrepid-amd64 sshd[5654]: Accepted publickey for root from 192.168.122.1 port 43391 ssh2
Dec 15 18:17:59 sec-intrepid-amd64 sshd[5654]: pam_unix(sshd:session): session opened for user root by (uid=0)

sshd_config has:
PermitRootLogin yes
RSAAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
#PasswordAuthentication yes

Jan Kokoska (jkokoska) wrote :

1. OK

2. I may not know enough detail here, but why would it then be that root password '!' prevents me from logging with SSH key, but root password of '*' allows me to do so? I was under impression that '!' in /etc/shadow password field is used to disable logins for that account entirely.

Kees Cook (kees) on 2009-01-10
Changed in vmbuilder:
status: Fix Committed → Fix Released
Colin Watson (cjwatson) wrote :

Part of the reason there's been a problem here is that the root user is initially set up by base-passwd as follows:

  root::0:0:root:/root:/bin/bash

I don't think the blank password is defensible in this day and age, and will change this. I wouldn't like to backport this to Intrepid immediately, though - I think it could bear a bit of shaking out just in case there are unexpected consequences.

Changed in base-passwd (Ubuntu Dapper):
status: New → Invalid
Changed in base-passwd (Ubuntu Gutsy):
status: New → Invalid
Changed in base-passwd (Ubuntu Hardy):
status: New → Invalid
Changed in base-passwd (Ubuntu Jaunty):
importance: Undecided → Medium
status: New → Triaged
assignee: nobody → cjwatson
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package base-passwd - 3.5.21

---------------
base-passwd (3.5.21) unstable; urgency=low

  * Set up the root user without a password by default, rather than giving
    it an empty password. In this day and age the latter is not really a
    defensible default (LP: #296841).
  * Update description of dip group, based on a suggestion by Osamu Aoki
    (closes: #512938).

base-passwd (3.5.20) unstable; urgency=medium

  * Document that the staff group is typically root-equivalent (thanks, Guy
    Hulbert).

 -- Colin Watson <email address hidden> Tue, 17 Mar 2009 13:43:34 +0000

Changed in base-passwd:
status: Triaged → Fix Released
Alex Valavanis (valavanisalex) wrote :

Intrepid Ibex reached end-of-life on 30 April 2010 so I am closing the
report. The bug has been fixed in newer releases of Ubuntu.

Changed in base-passwd (Ubuntu Intrepid):
status: New → Invalid
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers