
orchestra team mailing list archive

[Bug 912809] Re: Orchestra installs nodes with default password accessible via ssh

 

** Visibility changed to: Public

https://bugs.launchpad.net/bugs/912809

Title:
  Orchestra installs nodes with default password accessible via ssh

Status in “orchestra” package in Ubuntu:
  Triaged

Bug description:
  I noticed that machines installed using orchestra by default when
  following instructions like
  http://cloud.ubuntu.com/2011/09/oneiric-server-deploy-server-fleets-p1/
  get installed with password based ssh allowed and a default
  username/password of ubuntu/ubuntu and the ubuntu user has sudo
  privileges.

  Now the nodes created in this manner are not publicly visible to the
  internet, being on a separate network connected by the controlling
  orchestra node. However, all the nodes can ssh to each other and log
  in using the ubuntu/ubuntu combination and have sudo.

  This means that if any node in a cloud controlled by orchestra is
  compromised then the whole cloud is compromised (unless the
  administrator has changed the defaults on all the nodes - which is
  not suggested in any of the documentation I have come across).
  I hope that I am wrong here but when I tested on my local orchestra
  installation the nodes could log in to each other with ubuntu/ubuntu
  and have sudo.

  The behaviour I expected was that orchestra would install nodes with
  password-based ssh disabled and propagate a public ssh key from the
  controlling node to all the installed nodes during installation. The
  ssh key propagation does happen but the disabling of password-based
  ssh does not.
  It would be nice if the documentation encouraged the setting of a
  custom default username/password combination to seed new nodes with
  (preferably in a way which only stores the hash in the seed file) but
  that might not be easy to do. There is a separate bug:
  https://bugs.launchpad.net/ubuntu/+source/orchestra/+bug/912067 for
  this.

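
An added example, not part of the original bug report or of orchestra's own code: a small Python audit for the two conditions the report describes, password logins left enabled in sshd_config and an account password stored in cleartext in the installer seed file. The sample inputs are constructed and the function names are hypothetical; the preseed question names are the standard debian-installer ones, assumed here to be what the seed file uses.

```python
import re

# Constructed samples, not taken from a real orchestra node or seed file.
SSHD_CONFIG = """\
#PasswordAuthentication no
PubkeyAuthentication yes
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""
PRESEED = """\
d-i passwd/username string ubuntu
d-i passwd/user-password password ubuntu
d-i passwd/user-password-again password ubuntu
"""

def password_auth_findings(config_text):
    """Report where sshd_config text leaves password logins enabled.
    sshd keeps the first value it reads for a keyword, and the built-in
    default for PasswordAuthentication is "yes".
    """
    findings, global_value, in_match = [], None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out setting leaves the default in force
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True  # later keywords apply only to matching clients
        elif key == "passwordauthentication":
            if in_match and value == "yes":
                findings.append("Match block re-enables password logins")
            elif not in_match and global_value is None:
                global_value = value
    if global_value != "no":
        findings.insert(0, "password logins enabled globally")
    return findings

def preseed_findings(preseed_text):
    """Flag account passwords stored in cleartext rather than as a hash."""
    cleartext = ("passwd/user-password", "passwd/root-password")
    rows = (row.split(None, 3) for row in preseed_text.splitlines())
    return [f"cleartext password in seed: {f[1]}" for f in rows
            if len(f) == 4 and not f[0].startswith("#") and f[1] in cleartext]

if __name__ == "__main__":
    for finding in password_auth_findings(SSHD_CONFIG) + preseed_findings(PRESEED):
        print(finding)
```

On a live node, `sshd -T` prints the effective configuration, which is a more reliable input than the file alone.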