orchestra team mailing list archive
[Bug 912809] Re: Orchestra installs nodes with default password accessible via ssh
** Visibility changed to: Public
Orchestra installs nodes with default password accessible via ssh
Status in “orchestra” package in Ubuntu:
I noticed that machines installed using orchestra by default when
following instructions like http://cloud.ubuntu.com/2011/09/oneiric-server-deploy-server-fleets-p1/
get installed with password-based ssh
allowed and a default username/password of ubuntu/ubuntu and the
ubuntu user has sudo privileges.
Now the nodes created in this manner are not publicly visible to the
internet, being on a separate network connected by the controlling
orchestra node. However all the nodes can ssh to each other and log in
using the ubuntu/ubuntu combination and have sudo.
This means that if any node in a cloud controlled by orchestra is compromised then the whole cloud is compromised (unless the administrator has changed the defaults on all the nodes - which is not suggested in any of the documentation I have come across).
I hope that I am wrong here but when I tested on my local orchestra installation the nodes could log in to each other with ubuntu/ubuntu and have sudo.
The behaviour I expected was that orchestra would install nodes with password-based ssh disabled and propagate a public ssh key from the controlling node to all the installed nodes during installation. The ssh key propagation does happen but the disabling of password-based ssh does not.
It would be nice if the documentation encouraged the setting of a custom default username/password combination to seed new nodes with (preferably in a way which only stores the hash in the seed file) but that might not be easy to do. There is a separate bug: https://bugs.launchpad.net/ubuntu/+source/orchestra/+bug/912067 for this.
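A check for the condition the report describes, as an added example that is not part of the original bug report or of Orchestra: it reads `sshd_config` text and reports whether password login is still accepted, including the case where a `Match` block re-enables it. The three sample configurations are constructed; the report does not show the nodes' actual `sshd_config`.

```python
import re

DEFAULT = "yes"                    # OpenSSH value when the keyword is unset
KEY = "passwordauthentication"     # sshd keywords are case-insensitive

def password_auth_audit(config_text):
    """Return (global_value, match_overrides) for PasswordAuthentication.

    sshd keeps the first value it reads for a keyword; keywords after a
    Match line apply only to connections that satisfy that Match.
    """
    global_value = None
    overrides = []                 # (match criteria, value) pairs
    match = None                   # None while still in the global section
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip().strip('"')
        if keyword == "match":
            match = value
        elif keyword == KEY and match is not None:
            overrides.append((match, value))
        elif keyword == KEY and global_value is None:
            global_value = value   # first occurrence wins
    return global_value or DEFAULT, overrides

def allows_password_login(config_text):
    """True if any section of the config accepts password logins."""
    value, overrides = password_auth_audit(config_text)
    return value == "yes" or any(v == "yes" for _, v in overrides)

# Constructed samples (assumptions, not captured from a real node).
AS_REPORTED = "# keys accepted, passwords never disabled\nPubkeyAuthentication yes\n"
HARDENED = "PasswordAuthentication no\nPasswordAuthentication yes\n"  # 2nd line ignored
MATCH_REENABLES = (
    "PasswordAuthentication no\n"
    "Match Address 10.0.0.0/8\n"
    "    PasswordAuthentication yes\n"
)

if __name__ == "__main__":
    for name, text in [("as reported", AS_REPORTED), ("hardened", HARDENED),
                       ("match re-enables", MATCH_REENABLES)]:
        print(name, password_auth_audit(text), allows_password_login(text))
```

On a live node, `sshd -T` prints the effective configuration the daemon would use and is the authoritative cross-check for a file-based audit like this one.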