View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000130 | Cloud | General | public | 2022-06-27 13:09 | 2022-08-30 21:19 |
Field | Value |
---|---|
Reporter | Tomas Leypold |
Assigned To | Louis Abel |
Priority | high |
Severity | minor |
Reproducibility | always |
Status | closed |
Resolution | fixed |

Summary: 0000130: Rocky 8 GenericCloud qcow2 image has a default root password set

Description:

Hi,

We just found some nasty security misconfiguration of Rocky 8 GenericCloud qcow2 images - https://download.rockylinux.org/pub/rocky/8/images/Rocky-8-GenericCloud.latest.x86_64.qcow2 which should be fixed:

1. Image has a default root password set - a cloud image should never have a default password, and if you create a new user in cloud-config as your default user then this misconfiguration can cause severe consequences:

```
/etc/shadow
root:$6$OeHuaqpiPVfIpPQR$oMpP/I0/Sw5y9FBTzz46cAy275SlPZ.x9Rvc25leMVAcWAljIlT6yGX3pf4CyEYC3QO/s/odM7h6Hc9P4MKns0:18700:0:99999:7:::
```

2. Cloud image should not have these options enabled by default in /etc/ssh/sshd_config:

```
PermitRootLogin yes
PasswordAuthentication yes
```

Steps To Reproduce:

1. Use cloud config like this:

```yaml
#cloud-config
package_update: true
package_upgrade: true
package_reboot_if_required: true
locale: en_US.UTF-8
timezone: Europe/Prague
users:
  - name: user01
    ssh-authorized-keys:
      - ssh-ed25519 AAAAxxx
```

2. Wait for someone to bruteforce the root password through ssh.

Tags: No tags attached.
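An added example of a defender-side audit for the two findings in this report; it is not code from the ticket or from the Rocky kickstarts. It parses /etc/shadow for accounts whose hash field is actually usable (not locked or disabled) and resolves the effective global sshd_config keywords the way sshd does (first occurrence wins, Match blocks are conditional). The function names, the sample shadow and sshd_config text, and the placeholder hash are constructed for this example and are not the values from the report.

```python
"""Audit an image filesystem tree for a usable root password hash and for
sshd settings that allow password-based root login. Example code added to
this page, not from the Rocky project. All sample data is constructed."""

from __future__ import annotations

import re
from pathlib import Path

# Hash fields that mean "no usable password": locked (!, !!), disabled (*),
# or empty. Anything else (e.g. a $6$ SHA-512 crypt) can be logged in with.
_UNUSABLE = {"", "*", "!", "!!", "*LK*"}


def accounts_with_usable_password(shadow_text: str) -> list[str]:
    """Return account names whose /etc/shadow hash field is a real hash."""
    found = []
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        name, pw_hash = fields[0], fields[1]
        # A hash prefixed with '!' is locked even when a hash follows it.
        if pw_hash in _UNUSABLE or pw_hash.startswith("!"):
            continue
        found.append(name)
    return found


def effective_sshd_settings(config_text: str) -> dict[str, str]:
    """Resolve global sshd_config keywords (case-insensitive). sshd applies
    the first occurrence of a keyword; everything after the first Match
    block is conditional and is ignored here."""
    settings: dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) != 2:
            continue
        settings.setdefault(key, parts[1].strip())
    return settings


def sshd_findings(settings: dict[str, str]) -> list[str]:
    """Flag settings that permit password-based root login over SSH.
    Defaults follow upstream sshd_config(5): PermitRootLogin
    prohibit-password, PasswordAuthentication yes."""
    findings = []
    root_login = settings.get("permitrootlogin", "prohibit-password").lower()
    pw_auth = settings.get("passwordauthentication", "yes").lower()
    if root_login == "yes":
        findings.append("PermitRootLogin yes: root may log in with a password")
    if pw_auth == "yes":
        findings.append("PasswordAuthentication yes: password guessing over SSH is possible")
    return findings


def audit_image_root(root: Path) -> dict:
    """Audit a mounted or extracted image tree (hypothetical helper name)."""
    shadow = (root / "etc/shadow").read_text()
    sshd = (root / "etc/ssh/sshd_config").read_text()
    return {
        "password_accounts": accounts_with_usable_password(shadow),
        "sshd": sshd_findings(effective_sshd_settings(sshd)),
    }


# Constructed sample resembling the report: root carries a SHA-512 crypt hash
# (placeholder string, not the ticket's), bin is disabled, rocky is locked.
SAMPLE_SHADOW = """\
root:$6$examplesalt$PLACEHOLDERHASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:18700:0:99999:7:::
bin:*:18700:0:99999:7:::
rocky:!!:18700:0:99999:7:::
"""

# Constructed sshd_config excerpt: the later "no" does not override the first
# "yes", and the Match block does not change the global setting.
SAMPLE_SSHD = """\
# constructed sshd_config excerpt
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no   # ignored: first occurrence wins
Match User deploy
    PasswordAuthentication no
"""

if __name__ == "__main__":
    print(accounts_with_usable_password(SAMPLE_SHADOW))  # ['root']
    print(sshd_findings(effective_sshd_settings(SAMPLE_SSHD)))
```

Run it against a mounted image tree with `audit_image_root(Path("/mnt/image"))`. On the consumer side, the cloud-init keys `disable_root: true` and `ssh_pwauth: false` neutralise both findings for a deployed instance, but the image-level fix is to ship no root hash at all.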
Hello. Thank you for the report and apologies for us not getting back quickly enough. Can you try out these updated images and see if it helps?

https://dl.rockylinux.org/stg/rocky/8/images/Rocky-8-GenericCloud-8.6.20220702.0.x86_64.qcow2
https://dl.rockylinux.org/stg/rocky/8/images/Rocky-8-GenericCloud-8.6.20220702.0.aarch64.qcow2

Hi. It seems like the link https://dl.rockylinux.org/stg/rocky/8/images/Rocky-8-GenericCloud-8.6.20220702.0.x86_64.qcow2 doesn't work. It just returns 200 but not a file.

Hi Thomas,

Thanks for the report. We dropped our cache last night for the downloads in our CDN due to some issues and it looks like it revealed a problem with our config. I've pushed a change to the CDN config, and downloads appear to be working for that now. Please let me know if you have any other issues!

Best,
Neil

Hi, Just wondering why the size of Rocky-8-GenericCloud-8.6-20220515.x86_64.qcow2 is 857MB but the Rocky-8-GenericCloud-8.6.20220702.0.x86_64.qcow2 is 2.6G?

Hi Hsi-En,

The images are larger mostly because they were not compressed/sparsified. The new images for 9.0 and 8.6 that will be released soon are closer to the original size of ~1.5Gb.

--Neil

Hi, Great, the stg image works fine, the root password is not set anymore. Are the build scripts publicly available somewhere, in case we have some future improvements, so that we could test them and directly create pull requests?

As this appears to be fixed, we will be closing this ticket. If you wish to provide input or PRs, you may do so at https://github.com/rocky-linux/kickstarts or https://git.resf.org/sig_core/kickstarts

Date Modified | Username | Field | Change |
---|---|---|---|
2022-06-27 13:09 | Tomas Leypold | New Issue | |
2022-07-03 04:33 | Louis Abel | Note Added: 0000245 | |
2022-07-11 13:29 | Tomas Leypold | Note Added: 0000256 | |
2022-07-11 13:42 | Neil Hanlon | Note Added: 0000257 | |
2022-07-13 09:44 | Hsi-En Yu | Note Added: 0000263 | |
2022-07-13 13:50 | Neil Hanlon | Note Added: 0000264 | |
2022-07-15 10:38 | | Note Added: 0000269 | |
2022-08-30 21:19 | Louis Abel | Assigned To | => Louis Abel |
2022-08-30 21:19 | Louis Abel | Status | new => closed |
2022-08-30 21:19 | Louis Abel | Resolution | open => fixed |
2022-08-30 21:19 | Louis Abel | Note Added: 0000485 |