touch-packages team mailing list archive

[Bug 296841] Re: root account has ! as default password

 

I respectfully disagree with Jamie Strandboge regarding his statement:
"ssh public key logins are not disabled by the use of '!'."

OpenSSH, when *not* relying on PAM for account checking (i.e. "UsePAM
no"), will itself consider an account "locked" if the user's password
field in the shadow file is prefixed with "!".  See
http://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/auth.c?id=ce470e3bc0e39e71be0dbb809e29621466ac2bac#n139
and
http://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/configure.ac?id=ce470e3bc0e39e71be0dbb809e29621466ac2bac#n770
.

You can clearly see in your example that you were using PAM (though the
log file explicitly shows that sshd was using PAM for session
processing, that implicitly reveals that sshd was using PAM also for
account processing as both are used when "UsePAM yes").  When sshd uses
PAM for account processing, PAM does not regard the exclamation mark or
asterisks (i.e. "!" or "*") as locking the account and PAM does not
prevent the SSH session from proceeding as OpenSSH does when performing
account checking itself.

I found this bug report when searching the internet for 'ssh "User root
not allowed because account is locked"' and through the tip that "!" and
"*" are sometimes treated differently in regard to OpenSSH, I was able
to figure out the difference in detail.

-- 
https://bugs.launchpad.net/bugs/296841

Title:
  root account has ! as default password

Status in VMBuilder:
  Fix Released
Status in base-passwd package in Ubuntu:
  Fix Released
Status in shadow package in Ubuntu:
  Fix Released
Status in vm-builder package in Ubuntu:
  Fix Released
Status in base-passwd source package in Dapper:
  Invalid
Status in shadow source package in Dapper:
  Fix Released
Status in vm-builder source package in Dapper:
  Invalid
Status in base-passwd source package in Gutsy:
  Invalid
Status in shadow source package in Gutsy:
  Fix Released
Status in vm-builder source package in Gutsy:
  Invalid
Status in base-passwd source package in Hardy:
  Invalid
Status in shadow source package in Hardy:
  Fix Released
Status in vm-builder source package in Hardy:
  Invalid
Status in base-passwd source package in Intrepid:
  Invalid
Status in shadow source package in Intrepid:
  Fix Released
Status in vm-builder source package in Intrepid:
  Fix Released
Status in base-passwd source package in Jaunty:
  Fix Released
Status in shadow source package in Jaunty:
  Fix Released
Status in vm-builder source package in Jaunty:
  Fix Released

Bug description:
  Mathiaz reported that vm created for ec2 could be logged on to the
  root account using ! as a password

  It was later verified that this problem could be reproduced on any vm
  generated by python-vm-builder and some version of ubuntu-vm-builder.

  Security fix for uvb in hardy fixed this but was later on reverted in
  the version in -proposed

  Test:
   Create a vm using "sudo vmbuilder kvm ubuntu --addpkg openssh-server"
   Start the VM
   Log in using ssh root@vm with password !
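
Added example (not part of the original message or of OpenSSH): a small audit that models the check described in the comment above, reporting which accounts sshd's own account check would treat as locked given the effective UsePAM setting. The function names and the sample shadow and sshd_config content are constructed for illustration, and the "!" prefix rule is taken from the message.

```python
# Added example (not OpenSSH code): models the lock check the message describes.
# Sample sshd_config and shadow content below is constructed for illustration.
LOCKED_PREFIX = "!"  # prefix the message says sshd itself treats as "locked"

def use_pam(sshd_config_text):
    """Return the effective UsePAM setting; sshd uses the first value it reads."""
    for raw in sshd_config_text.splitlines():
        words = raw.split("#", 1)[0].replace("=", " ").split()
        if len(words) >= 2 and words[0].lower() == "usepam":
            return words[1].lower() == "yes"
    return False  # upstream OpenSSH default is "UsePAM no"

def classify(pw_field):
    """Name the kind of value found in the shadow password field."""
    if pw_field == "":
        return "empty"
    if pw_field.startswith(LOCKED_PREFIX):
        return "bang"
    if pw_field.startswith("*"):
        return "asterisk"
    return "hash"

def audit(shadow_text, sshd_config_text):
    """Map user -> (field kind, True if sshd's own check reports 'locked')."""
    pam = use_pam(sshd_config_text)
    result = {}
    for line in shadow_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 2 or line.lstrip().startswith("#"):
            continue
        kind = classify(parts[1])
        # Per the message: the "!" check applies only when sshd is not using PAM.
        result[parts[0]] = (kind, kind == "bang" and not pam)
    return result

SAMPLE_SHADOW = """\
root:!:14180:0:99999:7:::
daemon:*:14180:0:99999:7:::
alice:!$6$constructedsalt$constructedhash:14180:0:99999:7:::
bob:$6$constructedsalt$constructedhash:14180:0:99999:7:::
"""

if __name__ == "__main__":
    for cfg in ("UsePAM no\n", "UsePAM yes\n"):
        print(cfg.strip())
        for user, (kind, locked) in audit(SAMPLE_SHADOW, cfg).items():
            print(f"  {user:8} {kind:9} sshd-own-check-locked={locked}")
```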