Bug 718226

Summary: Guests built for VMware allow ssh as root with default password
Product: [Retired] CloudForms Cloud Engine Reporter: Matt Wagner <matt.wagner>
Component: imagefactoryAssignee: Ian McLeod <imcleod>
Status: CLOSED ERRATA QA Contact: wes hayutin <whayutin>
Severity: high Docs Contact:
Priority: medium    
Version: 1.0.0CC: akarol, athomas, clalance, dajohnso, deltacloud-maint, jrd, ssachdev
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 719377 (view as bug list) Environment:
Last Closed: 2012-05-15 20:08:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
ss - blank passwd none

Description Matt Wagner 2011-07-01 13:57:25 UTC 
Description of problem:
I've just coerced a guest to build and launch on vSphere. No ssh keypair is present, and I was able to ssh in as root with the default 'ozrootpw' password. In theory the user can override this in the template, but if they don't, minting VM images with a predictable root password will be a security risk.


Version-Release number of selected component (if applicable):
imagefactory-0.2.2-1.el6.noarch

How reproducible:
100%

Expected results:
Guests are not launched with a publicly-known root password.
Comment 1 Chris Lalancette 2011-07-01 15:46:48 UTC 
So the thing is that Oz already has the ability to set the root password at build time, via the <rootpw> tag (see the RelaxNG schema for the right placement).  I'm thinking that we should "enforce" this tag at the imagefactory level by not accepting builds unless they have this tag set.  That will at least make sure that builds coming from the factory aren't insecure by default.

Chris Lalancette
Comment 2 wes hayutin 2011-07-06 16:02:46 UTC 
sounds like a doc issue for beta release notes
Comment 3 wes hayutin 2011-09-28 16:38:18 UTC 
making sure all the bugs are at the right version for future queries
Comment 5 jrd 2011-10-03 17:22:31 UTC 
https://www.aeolusproject.org/redmine/issues/2447
Comment 6 wes hayutin 2011-11-07 18:11:45 UTC 
Created attachment 532113 [details]
ss - blank passwd

screen shot of blank passwd in template description.
I'm assuming that is ok

[root@qeblade30 ~]# rpm -qa | grep imagefactory
rubygem-imagefactory-console-0.5.0-4.20110824113238gitd9debef.el6.noarch
imagefactory-jeosconf-ec2-rhel-0.8.0-1.el6.noarch
imagefactory-jeosconf-ec2-fedora-0.8.0-1.el6.noarch
imagefactory-0.8.0-1.el6.noarch
[root@qeblade30 ~]#
Comment 8 errata-xmlrpc 2012-05-15 20:08:05 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2012-0588.html