RFE: chpasswd in cloud-init should support hashed passwords #2649

Closed
ubuntu-server-builder opened this issue May 10, 2023 · 10 comments

@ubuntu-server-builder
Collaborator

This bug was originally filed in Launchpad as LP: #1570325

Launchpad details
affected_projects = ['cloud-init (Ubuntu)', 'cloud-init (Ubuntu Xenial)', 'cloud-init (Ubuntu Yakkety)']
assignee = None
assignee_name = None
date_closed = 2017-09-23T02:13:33.394157+00:00
date_created = 2016-04-14T11:16:00.675314+00:00
date_fix_committed = 2017-04-21T19:28:14.861425+00:00
date_fix_released = 2017-09-23T02:13:33.394157+00:00
id = 1570325
importance = medium
is_complete = True
lp_url = https://bugs.launchpad.net/cloud-init/+bug/1570325
milestone = None
owner = tlonoy
owner_name = Tore
private = False
status = fix_released
submitter = tlonoy
submitter_name = Tore
tags = ['verification-done-xenial', 'verification-done-yakkety']
duplicates = []

Launchpad user Tore(tlonoy) wrote on 2016-04-14T11:16:00.675314+00:00

=== Begin SRU Template ===
[Impact]
The only way to assign a hashed password to a user is to use passwd within a
users entry like this:
 users:
   - name: root
     passwd: $6$Cl....Hy$IEJciQZLxQLzkST......g.bzqf3lUl.

But, if that user is already present on the system, cloud-init would skip
setting the password. The change was to add support for providing
encrypted passwords to 'chpasswd' as:

 chpasswd:
   list: |
     user:$5$eriogqzq$Dg7PxHsKGzziuEGkZgkLvacjuEFeljJ.rLf.hZqKQLA

[Test Case]
There is an integration test in cloud-init that runs through this code.
To run that:

$ git clone https://git.launchpad.net/cloud-init
$ cd cloud-init

download the appropriate deb for cloud-init from -proposed

$ rel=xenial
$ pver=$(rmadison --url=ubuntu --suite=$rel-proposed cloud-init | awk '{print $3}')
$ fname="cloud-init_${pver}_all.deb"
$ wget "http://archive.ubuntu.com/ubuntu/pool/main/c/cloud-init/$fname"
$ ln -sf $fname cloud-init_all.$rel.deb
$ tox -e citest -- run -v -n $rel --deb=cloud-init_all.$rel.deb \
    -t tests/cloud_tests/testcases/modules/set_password_list_string.py \
    -t tests/cloud_tests/testcases/modules/set_password_list.py

That will install the new cloud-init into a container and run
with user data to exercise this new feature.

[Regression Potential]
Some user passwords provided via chpasswd and starting with '$'
may be interpreted as hashed passwords.
Specifically, those matching: r'\$(1|2a|2y|5|6)(\$.+){2}'

In English, that regex is:
  - starts with a '$'
  - followed by '1', '2a', '2y', '5', '6'
  - followed by a $
  - followed by 1 or more characters
  - followed by another $
  - followed by 1 or more characters

So a total of 3 '$' and starting with one of those specific 3 or 4
character strings. That could definitely happen, but it is low odds, and also fairly low risk. If a user hits this, they'd be unable to reach a new instance.

[Other Info]
Upstream commit:
https://git.launchpad.net/cloud-init/commit/?id=21632972df034

=== End SRU Template ===

The only way to assign a hashed password to a user is to use passwd within a users entry like this:
users:
   - name: root
     passwd: $6$Cl....Hy$IEJciQZLxQLzkST......g.bzqf3lUl.

But, if that user is already present on the system, cloud-init will skip setting the password:
journal: [CLOUDINIT] init.py[INFO]: User root already exists, skipping.

You can change password with chpasswd, but that only supports clear-text password.

Requesting that chpasswd get support for setting a hashed password to users.

@ubuntu-server-builder ubuntu-server-builder added the launchpad Migrated from Launchpad label May 10, 2023
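
The hash-detection rule from the [Regression Potential] section above, as an added example (not cloud-init's own code and not part of the original report). It goes beyond the page's rule by also checking the length of the last `$` field, so that a plaintext password the rule would misread as a hash is reported as `ambiguous`. The function names, the length table and all sample entries except the first hash are constructed for illustration.

```python
import re

# Rule from the [Regression Potential] text: '$', a listed scheme id,
# then two '$'-introduced fields of one or more characters each.
HASH_RE = re.compile(r'\$(1|2a|2y|5|6)(\$.+){2}')

# Length of the final '$' field in well-formed crypt(3) strings
# (md5-crypt, bcrypt salt+digest, sha256-crypt, sha512-crypt).
# This check is an addition of this example, not part of the page's rule.
LAST_FIELD_LEN = {'1': 22, '2a': 53, '2y': 53, '5': 43, '6': 86}

def classify(secret):
    """Return 'plaintext', 'hashed', or 'ambiguous' for one password field.

    'ambiguous' means the rule would treat the value as a hash although
    its last field is not a plausible digest: the regression case above.
    """
    m = HASH_RE.match(secret)  # match() anchors at the start only
    if m is None:
        return 'plaintext'
    last = secret.rsplit('$', 1)[1]
    return 'hashed' if len(last) == LAST_FIELD_LEN[m.group(1)] else 'ambiguous'

def audit(list_text):
    """Classify every 'user:password' line of a chpasswd list string."""
    report = {}
    for line in list_text.splitlines():
        line = line.strip()
        if not line:
            continue
        user, sep, secret = line.partition(':')
        if not sep or not user:
            raise ValueError('expected user:password, got %r' % line)
        report[user] = classify(secret)
    return report

# Constructed sample input; only the first hash comes from the page.
SAMPLE = """\
user:$5$eriogqzq$Dg7PxHsKGzziuEGkZgkLvacjuEFeljJ.rLf.hZqKQLA
alice:correct horse battery staple
bob:$6$Spring$2017
carol:$3$abc$def
dave:$6$nosecondfield
"""

if __name__ == '__main__':
    for user, kind in audit(SAMPLE).items():
        print('%-6s %s' % (user, kind))
```

Running `audit()` over a user-data `chpasswd` list before deployment surfaces entries such as `bob` above, whose intended plaintext password would be written as a hash and leave the account unreachable.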
@ubuntu-server-builder
Collaborator Author

Launchpad user Brian Murray(brian-murray) wrote on 2017-04-10T22:22:08.771047+00:00

Hello Tore, or anyone else affected,

Accepted cloud-init into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/cloud-init/0.7.9-90-g61eb03fe-0ubuntu1~16.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

@ubuntu-server-builder
Collaborator Author

Launchpad user Brian Murray(brian-murray) wrote on 2017-04-10T22:45:34.667923+00:00

Hello Tore, or anyone else affected,

Accepted cloud-init into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/cloud-init/0.7.9-90-g61eb03fe-0ubuntu1~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

@ubuntu-server-builder
Collaborator Author

Launchpad user Andreas Hasenack(ahasenack) wrote on 2017-04-17T12:36:36.218732+00:00

Tests passed for xenial according to the instructions (see attached output).
Launchpad attachments: lp-1570325-xenial.txt

@ubuntu-server-builder
Collaborator Author

Launchpad user Andreas Hasenack(ahasenack) wrote on 2017-04-17T12:37:31.957566+00:00

Tests passed for yakkety according to the instructions (see attached output).

Launchpad attachments: lp-1570325-yakkety.txt

@ubuntu-server-builder
Collaborator Author

Launchpad user Andreas Hasenack(ahasenack) wrote on 2017-04-17T13:28:37.509174+00:00

Also launched a yakkety lxd with the attached user-data file, and it correctly changed the user's password to the provided hash.

lxc launch b03fe-yakkety-proposed y1-proposed "--config=user.user-data=$(cat cloud-init.yaml)"
Launchpad attachments: cloud-init.yaml

@ubuntu-server-builder
Collaborator Author

Launchpad user Andreas Hasenack(ahasenack) wrote on 2017-04-17T13:43:29.981403+00:00

Also launched a xenial lxd container with the same user-data file as in the previous comment and it correctly changed the "tom" user's password to the provided hash.

lxc launch b03fe-xenial-proposed x1-proposed "--config=user.user-data=$(cat cloud-init.yaml)"

@ubuntu-server-builder
Collaborator Author

Launchpad user Launchpad Janitor(janitor) wrote on 2017-04-20T19:33:34.017361+00:00

This bug was fixed in the package cloud-init - 0.7.9-90-g61eb03fe-0ubuntu1~16.10.1


cloud-init (0.7.9-90-g61eb03fe-0ubuntu1~16.10.1) yakkety; urgency=medium

  • debian/cloud-init.templates: add Bigstep to list of sources. (LP: #1676460)
  • New upstream snapshot.
    • OpenStack: add 'dvs' to the list of physical link types. (LP: #1674946)
    • Fix bug that resulted in an attempt to rename bonds or vlans.
      (LP: #1669860)
    • tests: update OpenNebula and Digital Ocean to not rely on host
      interfaces.
    • net: in netplan renderer delete known image-builtin content.
      (LP: #1675576)
    • doc: correct grammar in capabilities.rst [David Tagatac]
    • ds-identify: fix detecting of maas datasource. (LP: #1677710)
    • netplan: remove debugging prints, add debug logging [Ryan Harper]
    • ds-identify: do not write None twice to datasource_list.
    • support resizing partition and rootfs on system booted without
      initramfs. [Steve Langasek] (LP: #1677376)
    • apt_configure: run only when needed. (LP: #1675185)
    • OpenStack: identify OpenStack by product 'OpenStack Compute'.
      (LP: #1675349)
    • GCE: Search GCE in ds-identify, consider serial number in check.
      (LP: #1674861)
    • Add support for setting hashed passwords [Tore S. Lonoy] (LP: #1570325)
    • Fix filesystem creation when using "partition: auto"
      [Jonathan Ballet] (LP: #1634678)
    • ConfigDrive: support reading config drive data from /config-drive.
      (LP: #1673411)
    • ds-identify: fix detection of Bigstep datasource. (LP: #1674766)
    • test: add running of pylint [Joshua Powers]
    • ds-identify: fix bug where filename expansion was left on.
    • advertise network config v2 support (NETWORK_CONFIG_V2) in features.
    • Bigstep: fix bug when executing in python3. [root]
    • Fix unit test when running in a system deployed with cloud-init.
    • Bounce network interface for Azure when using the built-in path.
      [Brent Baude] (LP: #1674685)
    • cloudinit.net: add network config v2 parsing and rendering [Ryan Harper]
    • net: Fix incorrect call to isfile [Joshua Powers] (LP: #1674317)
    • net: add renderers for automatically selecting the renderer.
    • doc: fix config drive doc with regard to unpartitioned disks.
      (LP: #1673818)
    • test: Adding integratiron test for password as list [Joshua Powers]
    • render_network_state: switch arguments around, do not require target
    • support 'loopback' as a device type.
    • Integration Testing: improve testcase subclassing [Wesley Wiedenmeier]
    • gitignore: adding doc/rtd_html [Joshua Powers]
    • doc: add instructions for running integration tests via tox.
      [Joshua Powers]
    • test: avoid differences in 'date' output due to daylight savings.
    • Fix chef config module in omnibus install. [Jeremy Melvin] (LP: #1583837)
    • Add feature flags to cloudinit.version. [Wesley Wiedenmeier]
    • tox: add a citest environment
    • Support chpasswd/list being a list in addition to a string.
      [Sergio Lystopad] (LP: #1665694)
    • doc: Fix configuration example for cc_set_passwords module.
      [Sergio Lystopad] (LP: #1665773)
    • net: support both ipv4 and ipv6 gateways in sysconfig.
      [Lars Kellogg-Stedman] (LP: #1669504)
    • net: do not raise exception for > 3 nameservers
      [Lars Kellogg-Stedman] (LP: #1670052)

-- Scott Moser smoser@ubuntu.com Mon, 03 Apr 2017 12:03:30 -0400

@ubuntu-server-builder
Collaborator Author

Launchpad user Steve Langasek(vorlon) wrote on 2017-04-20T19:34:17.802987+00:00

The verification of the Stable Release Update for cloud-init has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

@ubuntu-server-builder
Collaborator Author

Launchpad user Launchpad Janitor(janitor) wrote on 2017-04-20T19:35:54.384643+00:00

This bug was fixed in the package cloud-init - 0.7.9-90-g61eb03fe-0ubuntu1~16.04.1


cloud-init (0.7.9-90-g61eb03fe-0ubuntu1~16.04.1) xenial-proposed; urgency=medium

  • debian/cloud-init.templates: add Bigstep to list of sources. (LP: #1676460)
  • New upstream snapshot.
    • OpenStack: add 'dvs' to the list of physical link types. (LP: #1674946)
    • Fix bug that resulted in an attempt to rename bonds or vlans.
      (LP: #1669860)
    • tests: update OpenNebula and Digital Ocean to not rely on host
      interfaces.
    • net: in netplan renderer delete known image-builtin content.
      (LP: #1675576)
    • doc: correct grammar in capabilities.rst [David Tagatac]
    • ds-identify: fix detecting of maas datasource. (LP: #1677710)
    • netplan: remove debugging prints, add debug logging [Ryan Harper]
    • ds-identify: do not write None twice to datasource_list.
    • support resizing partition and rootfs on system booted without
      initramfs. [Steve Langasek] (LP: #1677376)
    • apt_configure: run only when needed. (LP: #1675185)
    • OpenStack: identify OpenStack by product 'OpenStack Compute'.
      (LP: #1675349)
    • GCE: Search GCE in ds-identify, consider serial number in check.
      (LP: #1674861)
    • Add support for setting hashed passwords [Tore S. Lonoy] (LP: #1570325)
    • Fix filesystem creation when using "partition: auto"
      [Jonathan Ballet] (LP: #1634678)
    • ConfigDrive: support reading config drive data from /config-drive.
      (LP: #1673411)
    • ds-identify: fix detection of Bigstep datasource. (LP: #1674766)
    • test: add running of pylint [Joshua Powers]
    • ds-identify: fix bug where filename expansion was left on.
    • advertise network config v2 support (NETWORK_CONFIG_V2) in features.
    • Bigstep: fix bug when executing in python3. [root]
    • Fix unit test when running in a system deployed with cloud-init.
    • Bounce network interface for Azure when using the built-in path.
      [Brent Baude] (LP: #1674685)
    • cloudinit.net: add network config v2 parsing and rendering [Ryan Harper]
    • net: Fix incorrect call to isfile [Joshua Powers] (LP: #1674317)
    • net: add renderers for automatically selecting the renderer.
    • doc: fix config drive doc with regard to unpartitioned disks.
      (LP: #1673818)
    • test: Adding integratiron test for password as list [Joshua Powers]
    • render_network_state: switch arguments around, do not require target
    • support 'loopback' as a device type.
    • Integration Testing: improve testcase subclassing [Wesley Wiedenmeier]
    • gitignore: adding doc/rtd_html [Joshua Powers]
    • doc: add instructions for running integration tests via tox.
      [Joshua Powers]
    • test: avoid differences in 'date' output due to daylight savings.
    • Fix chef config module in omnibus install. [Jeremy Melvin] (LP: #1583837)
    • Add feature flags to cloudinit.version. [Wesley Wiedenmeier]
    • tox: add a citest environment
    • Support chpasswd/list being a list in addition to a string.
      [Sergio Lystopad] (LP: #1665694)
    • doc: Fix configuration example for cc_set_passwords module.
      [Sergio Lystopad] (LP: #1665773)
    • net: support both ipv4 and ipv6 gateways in sysconfig.
      [Lars Kellogg-Stedman] (LP: #1669504)
    • net: do not raise exception for > 3 nameservers
      [Lars Kellogg-Stedman] (LP: #1670052)

-- Scott Moser smoser@ubuntu.com Mon, 03 Apr 2017 11:52:56 -0400

@ubuntu-server-builder
Collaborator Author

Launchpad user Scott Moser(smoser) wrote on 2017-09-23T02:13:35.942006+00:00

This bug is believed to be fixed in cloud-init in 17.1. If this is still a problem for you, please make a comment and set the state back to New.

Thank you.
