Juju deployments allow remote SSH access with hard-coded password

Bug #1016428 reported by Thomas Leonard
Affects          Status        Importance  Assigned to       Milestone
pyjuju           Fix Released  Medium      Kapil Thangavelu
juju (Ubuntu)    Fix Released  Undecided   Unassigned
  Oneiric        Won't Fix     Undecided   Unassigned
  Precise        Fix Released  High        Clint Byrum
  Quantal        Fix Released  Undecided   Unassigned

Bug Description

After deploying mysql (following the examples), I had a look at the generated machine. I was surprised to discover it had a user named "ubuntu" with password "ubuntu" and full admin access. I was able to ssh in using this account (from an account which didn't have access to the SSH private key).

This is using Juju from Ubuntu 12.04.

description: updated
Revision history for this message
Kapil Thangavelu (hazmat) wrote :

Just confirmed this behavior with local provider.

For public and private clouds we utilize the official ubuntu cloud images which have password auth disabled.

In the LXC case we do set up a user ubuntu with a disabled password, and I see code to disable password auth against the SSH server, but clearly there's an issue preventing that in practice.

This is somewhat mitigated by the lack of remote network access afforded by the local provider.

However, it's still a rather serious issue. Thank you for bringing it to our attention.

Kapil Thangavelu (hazmat) wrote:

Confirmed specific to the local provider and not remotely accessible. The LXC container customization was disabling root logins but not password auth.

Changed in juju:
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Kapil Thangavelu (hazmat)
status: Confirmed → In Progress
Kapil Thangavelu (hazmat) wrote:

Also, FWIW, I tracked down the origin of that user/password combo to the default lxc package ubuntu template. Juju creates the user with a disabled password if it doesn't exist.

Kapil Thangavelu (hazmat) wrote:

Fix is on trunk; the daily PPA will rebuild. This will get rolled into precise-proposed and the security pockets for oneiric and precise.

This issue should probably also be fixed in the lxc package ubuntu template, since it's setting up the default/known username passwords. The fix for juju is to just disable password auth for SSH.

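The two conditions the thread pins down (an "ubuntu" account that the LXC template left with a usable password, and an sshd in the container that only had root login disabled, not password auth) can be checked and corrected from the host against the container's root filesystem. The script below is an added example, not code from juju, the lxc package or anyone in this thread; the rootfs layout, the file contents and every function name in it are constructed for the demonstration, and it applies the same remedy juju shipped (PasswordAuthentication no) plus the account lock the template-side fix would amount to:

```shell
#!/bin/sh
# Added example, not juju's or LXC's own code. Audits a container rootfs for
# the combination this bug describes (usable "ubuntu" password + sshd that
# accepts passwords), applies juju's fix, then locks the account as well.
# All paths and file contents below are constructed; nothing real is read.

# Print the effective global PasswordAuthentication value of an sshd_config.
# sshd takes the FIRST directive it sees, keywords are case-insensitive,
# "key = value" is allowed, '#' starts a comment, directives inside a Match
# block are conditional (so parsing stops there), and the default is yes.
sshd_password_auth() {
    val=$(sed -e 's/#.*//' -e 's/=/ /' "$1" | awk '
        tolower($1) == "match"                  { exit }
        tolower($1) == "passwordauthentication" { print tolower($2); exit }')
    printf '%s\n' "${val:-yes}"
}

# Return 0 if the user's shadow hash is locked ("!" or "*" prefix, as a
# disabled password or "passwd -l" leaves it), 1 if a usable hash (or an
# empty field, i.e. no password at all) is present, 2 if the user is absent.
account_password_locked() {
    entry=$(awk -F: -v u="$2" '$1 == u { print; exit }' "$1")
    [ -n "$entry" ] || return 2
    case "$(printf '%s\n' "$entry" | cut -d: -f2)" in
        '!'*|'*'*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Verdict for one rootfs: 0 = not reachable over SSH with a password,
# 1 = the combination the bug report describes is present.
audit_container() {
    pa=$(sshd_password_auth "$1/etc/ssh/sshd_config")
    rc=0
    account_password_locked "$1/etc/shadow" ubuntu || rc=$?
    case $rc in 0) state=locked ;; 1) state=usable ;; *) state=absent ;; esac
    if [ "$pa" != no ] && [ "$state" = usable ]; then
        echo "VULNERABLE: ubuntu has a usable password and sshd accepts passwords"
        return 1
    fi
    echo "OK: PasswordAuthentication=$pa, ubuntu password=$state"
    return 0
}

# The fix juju applied: make "PasswordAuthentication no" the first directive
# and drop any other copies so a later "yes" cannot win. Idempotent.
disable_password_auth() {
    { printf 'PasswordAuthentication no\n'
      grep -iv '^[[:space:]]*PasswordAuthentication' "$1" || true
    } > "$1.tmp" && mv "$1.tmp" "$1"
}

# Template-side hardening: lock the account's password (what "passwd -l"
# does), which leaves key-based login untouched.
lock_account() {
    awk -F: -v OFS=: -v u="$2" '$1 == u && $2 !~ /^[!*]/ { $2 = "!" $2 } { print }' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Throwaway rootfs mirroring the bug: a constructed shadow file with a fake
# hash for ubuntu, and an sshd_config that only disables root login.
make_rootfs() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/ssh"
    printf 'root:*:15000:0:99999:7:::\nubuntu:$6$constructed$notarealhash:15000:0:99999:7:::\n' \
        > "$root/etc/shadow"
    printf '# root login off, password auth untouched\nPermitRootLogin no\nUsePAM yes\n' \
        > "$root/etc/ssh/sshd_config"
    printf '%s\n' "$root"
}

ROOTFS=$(make_rootfs)
audit_container "$ROOTFS" || true                    # VULNERABLE
disable_password_auth "$ROOTFS/etc/ssh/sshd_config"
audit_container "$ROOTFS"                            # OK, password still usable locally
lock_account "$ROOTFS/etc/shadow" ubuntu
audit_container "$ROOTFS"                            # OK, password=locked
rm -rf "$ROOTFS"
```

On a real host one would point `audit_container` at the container's root filesystem (typically /var/lib/lxc/NAME/rootfs for LXC containers of that era, which is an assumption about the deployment, not something the report states). The hardening step prepends the directive rather than appending it because sshd honours the first `PasswordAuthentication` it reads, so an existing `yes` lower in the file would otherwise silently win.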
Changed in juju:
status: In Progress → Fix Released
Jamie Strandboge (jdstrand) wrote:

Sounds like this bug can be made public then, since the commits are public.

Changed in juju (Ubuntu Oneiric):
status: New → Triaged
Changed in juju (Ubuntu Precise):
status: New → Triaged
Changed in juju (Ubuntu Quantal):
status: New → Triaged
Clint Byrum (clint-fewbar) wrote: Re: [Bug 1016428] Re: Juju deployments allow remote SSH access with hard-coded password

Excerpts from Jamie Strandboge's message of 2012-06-22 19:55:20 UTC:
> Sounds like this bug can be made public then, since the commits are
> public.

I think so. It's a really low-risk vulnerability. You have to try really
hard to make it remote-exploitable, and juju is basically just not safe
on multi-user systems at all anyway.

Thomas Leonard (tal-it-innovation) wrote:

"juju is basically just not safe on multi user systems at all anyway"

Information like this really needs to go in the docs... what are the issues?

Clint Byrum (clint-fewbar) wrote:

Excerpts from Thomas Leonard's message of 2012-06-25 08:06:17 UTC:
> "juju is basically just not safe on multi user systems at all anyway"
>
> Information like this really needs to go in the docs... what are the
> issues?
>

First line of https://juju.ubuntu.com/docs

"Note juju is still in a stage of fast development, and is not yet ready
for prime time. The current software is being made available as an early
technology preview, and while it can be experimented with, it should
not be used in real deployments just yet."

Changed in juju (Ubuntu Precise):
status: Triaged → In Progress
assignee: nobody → Clint Byrum (clint-fewbar)
importance: Undecided → High
Changed in juju (Ubuntu Oneiric):
status: Triaged → Won't Fix
Changed in juju (Ubuntu Quantal):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package juju - 0.5+bzr531-0ubuntu1.3

---------------
juju (0.5+bzr531-0ubuntu1.3) precise-security; urgency=low

  * SECURITY UPDATE: d/p/upstream-543.patch: Disable password authentication
    on LXC containers created in the local provider. (LP: #1016428)
  * SECURITY UPDATE: d/p/upstream-564.patch: Fix example mysql charm to
    not expose root mysql password to all users. (LP: #1040165)
  * SECURITY UPDATE: d/p/upstream-565.patch: Verify charm store hostname
    matches hostname on SSL certificate. (LP: #992447)
 -- Clint Byrum <email address hidden> Thu, 23 Aug 2012 17:12:26 -0700

Changed in juju (Ubuntu Precise):
status: In Progress → Fix Released
visibility: private → public