From Fedora Project Wiki

No edit summary
Line 23: Line 23:
=== CentOS ===
=== CentOS ===
No changes needed as randomized root passwords are already applied during build.
No changes needed as randomized root passwords are already applied during build.
=== Cirros ===
The password for root isn't set, but a user called cirros has the password <code>cubswin:)</code>.


=== Debian ===
=== Debian ===

Revision as of 18:50, 18 June 2015

Mission

This project's mission is to eliminate the use of predictable passwords in LXC templates. It all started with BZ 1132001 which attached bug reports to fedora-all, EPEL 7, and EPEL 6. The problem exists upstream and the upstream developers are welcoming fixes.

This is part of the Fedora Security Team's 90-day challenge.

Templates

The upstream templates are on Github. Each template will be documented here as it's reviewed.

Work in progress
This section is being updated regularly. --Mhayden (talk) 17:31, 18 June 2015 (UTC)

Alpine

The template can't download an APK that passes verification. It also doesn't seem to set a root password anywhere during the container creation.

AltLinux

The password for root is set to rooter for all builds.

ArchLinux

The user can specify a root password but root's account is left without a password if a password isn't provided.

Busybox

Password for root is set to 'root' by default. Default ssh configuration allows root logins without a password as well.

CentOS

No changes needed as randomized root passwords are already applied during build.

Cirros

The password for root isn't set, but a user called cirros has the password cubswin:).

Debian

The upstream Debian template current sets root's password to root. There's a proposed fix waiting on feedback from Debian's LXC package maintainer.

Fedora

No changes needed as randomized root passwords are already applied during build.

Gentoo

If a root password isn't specified, the root password is set to toor.

Ubuntu

The UBuntu template disables the root account but makes a regular user with sudo privileges that has ubuntu as a username and password (unless a user password is specified on the command line during build).

A fix has been proposed.