cc_set_passwords does not expire users if password given as hash #3990

Closed
ubuntu-server-builder opened this issue May 12, 2023 · 5 comments
Labels
launchpad Migrated from Launchpad priority Fix soon

Comments

@ubuntu-server-builder
Collaborator

This bug was originally filed in Launchpad as LP: #1979065

Launchpad details
affected_projects = []
assignee = None
assignee_name = None
date_closed = 2022-08-19T16:37:25.234423+00:00
date_created = 2022-06-17T13:27:31.879015+00:00
date_fix_committed = 2022-07-12T18:47:47.493882+00:00
date_fix_released = 2022-08-19T16:37:25.234423+00:00
id = 1979065
importance = high
is_complete = True
lp_url = https://bugs.launchpad.net/cloud-init/+bug/1979065
milestone = None
owner = dome-livepatch
owner_name = Roni Väyrynen
private = False
status = fix_released
submitter = dome-livepatch
submitter_name = Roni Väyrynen
tags = []
duplicates = []

Launchpad user Roni Väyrynen(dome-livepatch) wrote on 2022-06-17T13:27:31.879015+00:00

https://cloudinit.readthedocs.io/en/latest/topics/modules.html#set-passwords

Documentation explains three different ways of setting user password using chpasswd but doesn't mention that they would otherwise work any differently from one another. Passwords should by default be expired if not specifically set otherwise in chpasswd. Although if one sets the password as hash either in password or chpasswd list, cc_set_passwords.py skips passwd --expire completely which doesn't match documented behaviour.

This part only applies to users which had either plain text password or random password set.

@ubuntu-server-builder ubuntu-server-builder added launchpad Migrated from Launchpad priority Fix soon labels May 12, 2023
@ubuntu-server-builder
Collaborator Author

Launchpad user James Falcon(falcojr) wrote on 2022-06-20T17:06:18.548589+00:00

Thanks for reporting this. I can reproduce the behavior described.

@ubuntu-server-builder
Collaborator Author

Launchpad user Chad Smith(chad.smith) wrote on 2022-06-22T15:59:25.797260+00:00

Expectation here is to fix hashed passwords to also expire.

Validated that hashed password is not expired by default:

```
# Quote the heredoc delimiter so the shell does not expand the $6$... hash.
cat > hash_pw_not_expired.yaml <<'EOF'
#cloud-config
ssh_pwauth: true
users:
  - default
  - gecos: User One
    name: u1
    groups: [adm, cdrom, dip, lxd, sudo]
    lock_passwd: False
  - gecos: User Two
    name: u2
    groups: [adm, cdrom, dip, lxd, sudo]
    lock-passwd: False
chpasswd:
  list:
    - u1:$6$rounds=4096$4Bbw0KI52G71TqOT$a.mEik19QEe9Lfot2gt6Ff5rUwYkLm49SAIDJoNrxd4V/PL21e83FqK/aDVV6CGFM/GNH6CtvR0Sk52i9jhNK1
    - u2:RANDOM
EOF
lxc launch ubuntu-daily:jammy test-pw-expiry -c user.user-data="$(cat hash_pw_not_expired.yaml)"
lxc exec test-pw-expiry -- cloud-init status --wait --long
# Capture the instance's IPv4 address.
IP=$(lxc ls -c 4 test-pw-expiry | awk '/eth/{print $2}')
ssh u1@$IP # hashed password this4now
```

Note no expiry notice

```
lxc console test-pw-expiry --show-log | grep u2
# copy password and login
ssh u2@$IP # Use random password printed to console from above
```

Note expiry notice
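
An added check, not part of the original thread or of cloud-init's code: `passwd --expire` sets the last-change field (third field) of the user's shadow(5) entry to 0, so an instance provisioned with hashed passwords can be audited for accounts that were never forced to change their password. The function names and the sample entries (with placeholder hashes) are constructed for illustration.

```python
"""Report login-capable accounts whose password was not expired at provisioning."""
import sys

# Constructed shadow(5) sample; salts and hashes are placeholders, not real values.
SAMPLE_SHADOW = """\
root:*:19150:0:99999:7:::
ubuntu:!:19150:0:99999:7:::
u1:$6$rounds=4096$PLACEHOLDERSALT$PLACEHOLDERHASH:19165:0:99999:7:::
u2:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:0:0:99999:7:::
u3:!$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19165:0:99999:7:::
"""


def parse_shadow(text):
    """Yield (user, password_field, last_change_field) for each entry."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: not a shadow(5) entry")
        yield fields[0], fields[1], fields[2]


def unexpired_password_accounts(shadow_text, only=None):
    """Return users that can log in with a password and are not forced to change it.

    only: optional set of user names to check, e.g. the users named in the
    cloud-config chpasswd list; None checks every entry.
    """
    findings = []
    for user, pw_field, last_change in parse_shadow(shadow_text):
        if only is not None and user not in only:
            continue
        # A leading '!' or '*' means password login is locked or disabled.
        if pw_field.startswith(("!", "*")):
            continue
        # "0" means the password must be changed at next login (passwd --expire).
        if last_change != "0":
            findings.append(user)
    return findings


if __name__ == "__main__":
    # With a path argument (e.g. /etc/shadow, read as root) audit that file;
    # without one, run against the constructed sample above.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHADOW
    for name in unexpired_password_accounts(text):
        print(f"{name}: password set but not expired")
```

On the sample, only `u1` is reported, matching the observation above that the hashed-password user gets no expiry notice while the `RANDOM` user does.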

@ubuntu-server-builder
Collaborator Author

Launchpad user Chad Smith(chad.smith) wrote on 2022-06-23T15:29:48.616235+00:00

After further review and discussion on this item, we determined it's best not to change existing behavior, but fix the docs to align with current behavior. Introducing a change in behavior for hashed password expiry may break automation expecting to rely on this feature.

Since the introduction of hashed password support in cloud-init released in 2017[1], the hashed passwords are not expired. Let's retain and more clearly document that behavior.

[1] hashed pw support 2163297

@ubuntu-server-builder
Collaborator Author

Launchpad user James Falcon(falcojr) wrote on 2022-07-12T18:49:08.471409+00:00

After further further review, we decided to fix the behavior after all. See #1577

A follow-on PR will ensure the original behavior is preserved for existing releases.

@ubuntu-server-builder
Collaborator Author

Launchpad user Brett Holman(holmanb) wrote on 2022-08-19T16:37:26.377759+00:00

This bug is believed to be fixed in cloud-init in version 22.3. If this is still a problem for you, please make a comment and set the state back to New

Thank you.
