root account has ! as default password

Will disable affected root passwords on vm-builder created systems via shadow.

Here is the vm-builder patch I plan to upload. Works well here. Server team, can you test it?

Here is the debdiff for intrepid. dapper-hardy also need the update, but don't require the libtool change.

vm-builder_0.9-0ubuntu3.1.debdiff works for me. Cannot use root/! to log into a vmbuilder generated vm.

shadow patch works as well in an intrepid vm displaying the issue:

ubuntu@ubuntu:~$ su
Password:
root@ubuntu:/home/ubuntu# exit
exit
ubuntu@ubuntu:~$ sudo dpkg -i passwd_4.1.1-1ubuntu1.1_amd64.deb
(Reading database ... 11868 files and directories currently installed.)
Preparing to replace passwd 1:4.1.1-1ubuntu1 (using passwd_4.1.1-1ubuntu1.1_amd64.deb) ...
Unpacking replacement passwd ...
Setting up passwd (1:4.1.1-1ubuntu1.1) ...

ubuntu@ubuntu:~$ su
Password:
su: Authentication failure
ubuntu@ubuntu:~$

This bug was fixed in the package shadow - 1:4.1.1-5ubuntu3

---------------
shadow (1:4.1.1-5ubuntu3) jaunty; urgency=low

  * disable the root password for virtual machines created with vm-builder
    on Ubuntu 8.10. (LP: #296841)

 -- Jamie Strandboge <email address hidden> Thu, 13 Nov 2008 20:32:42 -0600

This fix breaks logging into our OpenVZ and Linux-VServer virtual machines created from debootstrapped templates. The routine by which you check whether the root login should be disabled is wrong:

if printf '!\0' | unix_chkpwd root nullok ; then
  echo 'root:!' | chpasswd -e
fi

This should become:

if printf '!\0' | unix_chkpwd root nonull ; then
  echo 'root:!' | chpasswd -e
fi

This bug will affect everybody who has "*" as their root password, hence not using password, hence probably exclusively using SSH keys or something such. This should have been tested better before releasing a package that will lock many people out of their template-created machines (virtual or not).

A disabled empty root password (ie '*' in /etc/shadow) works fine. Eg, using the below 'test.sh' script:

#!/bin/sh -e
for i in nullok nonull ; do
    echo -n "$i: "
    if printf '!\0' | unix_chkpwd root $i ; then
        echo "matched"
    else
        echo "did not match"
    fi
done

$ sudo head -1 /etc/shadow
root:*:14215:0:99999:7:::
$ sudo ./test.sh
nullok: did not match
nonull: did not match

What will match with nullok but not nonull is an enabled empty root password:
$ sudo head -1 /etc/shadow
root::14215:0:99999:7:::

Of course, an enabled empty root password allows passwordless root login via ssh and the console which is not at all needed for ssh keys logins.

Hi Jamie,

Firstly, I'm curious with what sshd_config settings does sshd allow you to connect having such root line in /etc/shadow without supplying password.

Because even if I supply this config (neither of which I use in practice):

PermitRootLogin yes
PasswordAuthentication yes

I still can't login as root with empty password via SSH.

Secondly, while my original suggestion was wrong and nonull or nullok is not the main problem (it's just a coincidence that using nonull helps in my case), when you're disabling root login like this (exclamation mark in the password field, which has a special meaning of locking the account), do you realize you disable root login by SSH keys as well? It would have been much better to replace with an asterisk which achieves what you need to do and does not lock other people out.

/etc/shadow
root:!:14210:0:99999:7:::

/var/log/auth.log
Dec 5 18:12:37 root sshd[3387]: User root not allowed because account is locked

Jan

1. I should have said "an enabled empty root password makes possible passwordless root login via ssh and the console". In other words, /etc/securetty and /etc/pam.d/common-auth need to be (mis)configured.

2. ssh public key logins are not disabled by the use of '!'. Eg:
/etc/shadow
root:!:14196:0:99999:7:::

/var/log/auth.log
Dec 15 18:17:59 sec-intrepid-amd64 sshd[5654]: Accepted publickey for root from 192.168.122.1 port 43391 ssh2
Dec 15 18:17:59 sec-intrepid-amd64 sshd[5654]: pam_unix(sshd:session): session opened for user root by (uid=0)

sshd_config has:
PermitRootLogin yes
RSAAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
#PasswordAuthentication yes

1. OK

2. I may not know enough detail here, but why would it then be that root password '!' prevents me from logging with SSH key, but root password of '*' allows me to do so? I was under impression that '!' in /etc/shadow password field is used to disable logins for that account entirely.

Part of the reason there's been a problem here is that the root user is initially set up by base-passwd as follows:

  root::0:0:root:/root:/bin/bash

I don't think the blank password is defensible in this day and age, and will change this. I wouldn't like to backport this to Intrepid immediately, though - I think it could bear a bit of shaking out just in case there are unexpected consequences.

This bug was fixed in the package base-passwd - 3.5.21

---------------
base-passwd (3.5.21) unstable; urgency=low

  * Set up the root user without a password by default, rather than giving
    it an empty password. In this day and age the latter is not really a
    defensible default (LP: #296841).
  * Update description of dip group, based on a suggestion by Osamu Aoki
    (closes: #512938).

base-passwd (3.5.20) unstable; urgency=medium

  * Document that the staff group is typically root-equivalent (thanks, Guy
    Hulbert).

 -- Colin Watson <email address hidden> Tue, 17 Mar 2009 13:43:34 +0000

Intrepid Ibex reached end-of-life on 30 April 2010 so I am closing the
report. The bug has been fixed in newer releases of Ubuntu.

I respectfully disagree with Jamie Strandboge regarding his statement: "ssh public key logins are not disabled by the use of '!'."

OpenSSH, when *not* relying on PAM for account checking (ie "UsePAM no"), will itself consider an account "locked" if the user's password field in the shadow file is prefixed with "!". See http://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/auth.c?id=ce470e3bc0e39e71be0dbb809e29621466ac2bac#n139 and http://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/configure.ac?id=ce470e3bc0e39e71be0dbb809e29621466ac2bac#n770 .

You can clearly see in your example that you were using PAM (though the log file explicitly shows that sshd was using PAM for session processing, that implicitly reveals that sshd was using PAM also for account processing as both are used when "UsePAM yes"). When sshd uses PAM for account processing, PAM does not regard the exclamation mark or asterisks (ie "!" or "*") as locking the account and PAM does not prevent the SSH session from proceeding as OpenSSH does when performing accounting checking itself.

I found this bug report when searching the internet for 'ssh "User root not allowed because account is locked"' and through the tip that "!" and "*" are sometimes treatly differently in regard to OpenSSH, I was able to figure out the difference in detail.