View Issue Details

ID: 0000130
Project: Cloud
Category: General
View Status: public
Last Update: 2022-08-30 21:19
Reporter: Tomas Leypold
Assigned To: Louis Abel
Priority: high
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Summary: 0000130: Rocky 8 GenericCloud qcow2 image has a default root password set
Description

Hi,

We just found some nasty security misconfiguration of Rocky 8 GenericCloud qcow2 images - https://download.rockylinux.org/pub/rocky/8/images/Rocky-8-GenericCloud.latest.x86_64.qcow2 which should be fixed:

1. The image has a default root password set. A cloud image should never have a default password, and if you create a new user in cloud-config as your default user, then this misconfiguration can cause severe consequences:
/etc/shadow
root:$6$OeHuaqpiPVfIpPQR$oMpP/I0/Sw5y9FBTzz46cAy275SlPZ.x9Rvc25leMVAcWAljIlT6yGX3pf4CyEYC3QO/s/odM7h6Hc9P4MKns0:18700:0:99999:7:::

2. Cloud image should not have these options enabled by default in /etc/ssh/sshd_config:
PermitRootLogin yes
PasswordAuthentication yes
Steps To Reproduce

1. Use a cloud config like this:

#cloud-config
package_update: true
package_upgrade: true
package_reboot_if_required: true
locale: en_US.UTF-8
timezone: Europe/Prague
users:
  - name: user01
    ssh-authorized-keys:
      - ssh-ed25519 AAAAxxx

2. Wait for someone to brute-force the root password through SSH.

Tags: No tags attached.
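An added defender-side check for the two findings above (not code from the Rocky Linux project or this tracker). It assumes the image has been mounted or extracted so that its /etc/shadow and /etc/ssh/sshd_config are readable under one root directory, and the sample trees it builds are constructed, with a placeholder hash rather than the one from the report:

```shell
#!/bin/sh
# Added audit helper, not code from the Rocky Linux tracker or kickstart repos.
# Audits an extracted/mounted image root (assumed layout: $ROOT/etc/shadow and
# $ROOT/etc/ssh/sshd_config) for the two findings in the report.

# Prints one FAIL line per finding; returns 1 if any was found, 0 when clean.
audit_image_root() {
    root="$1"; rc=0
    # Finding 1: root must have no usable password. Locked/empty markers in
    # field 2 of /etc/shadow are fine; a crypt hash such as $6$... is not.
    pwhash=$(awk -F: '$1=="root"{print $2; exit}' "$root/etc/shadow")
    case "$pwhash" in
        ''|'*'|'!'|'!!'|'!*'|'*LK*') ;;
        *) echo "FAIL: root has a password hash in etc/shadow"; rc=1 ;;
    esac
    # Finding 2: sshd honours the first non-comment occurrence of a keyword.
    # Absent keywords fall back to the OpenSSH defaults: PermitRootLogin
    # prohibit-password and PasswordAuthentication yes.
    cfg="$root/etc/ssh/sshd_config"
    prl=$(awk 'tolower($1)=="permitrootlogin"{print tolower($2); exit}' "$cfg")
    pwa=$(awk 'tolower($1)=="passwordauthentication"{print tolower($2); exit}' "$cfg")
    [ "${prl:-prohibit-password}" = "yes" ] && { echo "FAIL: PermitRootLogin yes"; rc=1; }
    [ "${pwa:-yes}" = "yes" ] && { echo "FAIL: PasswordAuthentication yes (or unset)"; rc=1; }
    return $rc
}

# Builds a constructed sample root in a temp dir and prints its path.
# "bad" mirrors the reported state, "good" the expected hardened state.
make_sample_root() {
    d=$(mktemp -d); mkdir -p "$d/etc/ssh"
    if [ "$1" = "bad" ]; then
        # constructed placeholder hash, not the hash quoted in the report
        printf 'root:$6$constructed$PLACEHOLDERHASH:18700:0:99999:7:::\n' > "$d/etc/shadow"
        printf '#PermitRootLogin no\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$d/etc/ssh/sshd_config"
    else
        printf 'root:!!:18700:0:99999:7:::\n' > "$d/etc/shadow"
        printf 'PermitRootLogin prohibit-password\nPasswordAuthentication no\n' > "$d/etc/ssh/sshd_config"
    fi
    echo "$d"
}

# Stand-alone use against a mounted image: audit_image_root /mnt/img
```

The commented-out `#PermitRootLogin no` in the bad sample shows why the check must skip comment lines rather than grep for the keyword.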

Activities

Louis Abel (administrator), 2022-07-03 04:33, ~0000245

Hello. Thank you for the report and apologies for us not getting back quickly enough.

Can you try out these updated images and see if it helps?

https://dl.rockylinux.org/stg/rocky/8/images/Rocky-8-GenericCloud-8.6.20220702.0.x86_64.qcow2
https://dl.rockylinux.org/stg/rocky/8/images/Rocky-8-GenericCloud-8.6.20220702.0.aarch64.qcow2
Tomas Leypold (reporter), 2022-07-11 13:29, ~0000256

Hi. It seems like the link https://dl.rockylinux.org/stg/rocky/8/images/Rocky-8-GenericCloud-8.6.20220702.0.x86_64.qcow2 doesn't work. It just returns 200 but not a file.
Neil Hanlon (administrator), 2022-07-11 13:42, ~0000257

Hi Thomas,

Thanks for the report. We dropped our cache last night for the downloads in our CDN due to some issues and it looks like it revealed a problem with our config. I've pushed a change to the CDN config, and downloads appear to be working for that now.

Please let me know if you have any other issues!

Best,
Neil
Hsi-En Yu (reporter), 2022-07-13 09:44, ~0000263

Hi,

Just wondering why the size of Rocky-8-GenericCloud-8.6-20220515.x86_64.qcow2 is 857MB but the Rocky-8-GenericCloud-8.6.20220702.0.x86_64.qcow2 is 2.6G?
Neil Hanlon (administrator), 2022-07-13 13:50, ~0000264

Hi Hsi-En,

The images are larger mostly because they were not compressed/sparsified. The new images for 9.0 and 8.6 that will be released soon are closer to the original size of ~1.5Gb.

--Neil
Tomas Leypold (reporter), 2022-07-15 10:38, ~0000269

Hi,

Great, stg image works fine, the root password is not set anymore.

Are build scripts publicly available somewhere, in case we have some future improvements so that we could test them and directly create pull requests?
Louis Abel (administrator), 2022-08-30 21:19, ~0000485

As this appears to be fixed, we will be closing this ticket.

If you wish to provide input or PR's, you may do so at https://github.com/rocky-linux/kickstarts or https://git.resf.org/sig_core/kickstarts

Issue History

Date Modified | Username | Field | Change
2022-06-27 13:09 Tomas Leypold New Issue
2022-07-03 04:33 Louis Abel Note Added: 0000245
2022-07-11 13:29 Tomas Leypold Note Added: 0000256
2022-07-11 13:42 Neil Hanlon Note Added: 0000257
2022-07-13 09:44 Hsi-En Yu Note Added: 0000263
2022-07-13 13:50 Neil Hanlon Note Added: 0000264
2022-07-15 10:38 Tomas Leypold Note Added: 0000269
2022-08-30 21:19 Louis Abel Assigned To => Louis Abel
2022-08-30 21:19 Louis Abel Status new => closed
2022-08-30 21:19 Louis Abel Resolution open => fixed
2022-08-30 21:19 Louis Abel Note Added: 0000485