Juju deployments allow remote SSH access with hard-coded password
Bug #1016428 reported by Thomas Leonard
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| pyjuju | Fix Released | Medium | Kapil Thangavelu | |
| juju (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Oneiric | Won't Fix | Undecided | Unassigned | |
| Precise | Fix Released | High | Clint Byrum | |
| Quantal | Fix Released | Undecided | Unassigned | |
Bug Description
After deploying mysql (following the examples), I had a look at the generated machine. I was surprised to discover it had a user named "ubuntu" with password "ubuntu" and full admin access. I was able to ssh in using this account (from an account which didn't have access to the SSH private key).
This is using Juju from Ubuntu 12.04.
- description: updated
- Changed in juju:
  - status: In Progress → Fix Released
- Changed in juju (Ubuntu Precise):
  - status: Triaged → In Progress
  - assignee: nobody → Clint Byrum (clint-fewbar)
  - importance: Undecided → High
- Changed in juju (Ubuntu Oneiric):
  - status: Triaged → Won't Fix
- Changed in juju (Ubuntu Quantal):
  - status: Triaged → Fix Released
- visibility: private → public
Just confirmed this behavior with the local provider.
For public and private clouds we utilize the official Ubuntu cloud images, which have password auth disabled.
In the LXC case we do set up a user ubuntu with a disabled password, and I see code to disable password auth against the SSH server, but clearly there's an issue preventing that in practice.
This is somewhat mitigated by the lack of remote network access afforded by the local provider.
However, it's still a rather serious issue. Thank you for bringing it to our attention.
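The comment above names the two controls a local-provider machine is meant to have: an `ubuntu` account whose password is disabled, and an sshd that refuses password authentication. The POSIX shell script below is an added example, not code from the bug report or from Juju; it audits copies of a shadow file and an `sshd_config` for exactly those two controls so a machine can be checked after deployment. The `ubuntu` user name comes from the report; the function names, the file layout and the sample file contents are this example's own constructed assumptions. The sshd check applies the rule that sshd keeps the first value it reads for a keyword, and it reports any `Match` block that turns password authentication back on rather than trusting the global setting alone.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Juju. Audits two
# controls the comment above says the local provider intends to apply:
#   1. the "ubuntu" account has no usable password (locked hash in shadow)
#   2. sshd has PasswordAuthentication disabled
# Paths are parameters so the checks run offline against copied-out files.
# Function names and the sample data below are assumptions of this example.

# Print the effective PasswordAuthentication value from an sshd_config.
# sshd keeps the FIRST value it reads for a keyword, and global settings
# must come before any Match block. Any Match block that turns password
# auth back on is reported as "match-yes" so the audit stays conservative.
# Assumes the "keyword value" form (not "keyword=value"). Default is "yes".
sshd_password_auth() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match" { inblock = 1; next }
        tolower($1) == "passwordauthentication" {
            v = tolower($2)
            if (inblock) { if (v == "yes") blockyes = 1 }
            else if (!seen) { global = v; seen = 1 }
        }
        END {
            if (!seen) global = "yes"
            if (blockyes) print "match-yes"; else print global
        }
    ' "$1"
}

# Classify the password field of USER in a shadow-format file:
#   absent  - no such account
#   empty   - no password at all (login without a password is possible)
#   locked  - field starts with "!" or "*", so no password can match
#   usable  - a real hash is present, so a password (possibly a default
#             one such as the "ubuntu" reported above) can log in
account_password_state() {
    awk -F: -v u="$2" '
        $1 == u { hash = $2; found = 1; exit }
        END {
            if (!found)               print "absent"
            else if (hash == "")      print "empty"
            else if (hash ~ /^[!*]/)  print "locked"
            else                      print "usable"
        }
    ' "$1"
}

# Run both checks. Returns 0 when both controls hold, 1 if either fails.
audit_machine() {
    shadow="$1"; sshd_conf="$2"; user="${3:-ubuntu}"
    rc=0
    state=$(account_password_state "$shadow" "$user")
    case "$state" in
        locked|absent) echo "ok: $user has no usable password ($state)" ;;
        *) echo "FINDING: $user password state is '$state'"; rc=1 ;;
    esac
    pa=$(sshd_password_auth "$sshd_conf")
    if [ "$pa" = "no" ]; then
        echo "ok: sshd PasswordAuthentication is no"
    else
        echo "FINDING: sshd PasswordAuthentication resolves to '$pa'"; rc=1
    fi
    return $rc
}

# Constructed sample files (not real data): "bad" matches what the report
# describes, "good" matches what the comment says is intended.
write_samples() {
    mkdir -p "$1/bad" "$1/good"
    cat > "$1/bad/shadow" <<'EOF'
root:*:15000:0:99999:7:::
ubuntu:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:15000:0:99999:7:::
EOF
    cat > "$1/bad/sshd_config" <<'EOF'
# Directive left commented out, so sshd's built-in default (yes) applies.
#PasswordAuthentication no
UsePAM yes
EOF
    cat > "$1/good/shadow" <<'EOF'
root:*:15000:0:99999:7:::
ubuntu:!:15000:0:99999:7:::
EOF
    cat > "$1/good/sshd_config" <<'EOF'
PasswordAuthentication no
UsePAM yes
EOF
}

# Stand-alone demo: audit both sample machines.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for m in bad good; do
    echo "== $m =="
    audit_machine "$demo_dir/$m/shadow" "$demo_dir/$m/sshd_config" || true
done
rm -rf "$demo_dir"
```

Run it as `sh audit.sh` for the demo, or source it and call `audit_machine /path/to/shadow /path/to/sshd_config` against files copied out of a container. The "empty" password state is reported as a finding on purpose: an empty shadow field is weaker than a default password, not stronger, and the locked-or-absent test is the only state the audit accepts.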