
cloud init prefixes password hash with exclamation mark #4072

Closed
ubuntu-server-builder opened this issue May 12, 2023 · 6 comments
Labels
launchpad Migrated from Launchpad

Comments


This bug was originally filed in Launchpad as LP: #2006052

Launchpad details
affected_projects = []
assignee = None
assignee_name = None
date_closed = 2023-04-12T04:17:19.140146+00:00
date_created = 2023-02-05T12:52:47.257056+00:00
date_fix_committed = None
date_fix_released = None
id = 2006052
importance = undecided
is_complete = True
lp_url = https://bugs.launchpad.net/cloud-init/+bug/2006052
milestone = None
owner = something-f
owner_name = windowsguy
private = False
status = expired
submitter = something-f
submitter_name = windowsguy
tags = ['exclamation', 'password']
duplicates = []

Launchpad user windowsguy(something-f) wrote on 2023-02-05T12:52:47.257056+00:00

Host OS is Ubuntu 22.04 LTS.

Guest info:

I use this to configure password for the Ubuntu user:

users:
  - name: ubuntu
    gecos: Ubuntu User
    sudo: ALL=(ALL) NOPASSWD:ALL
    shell: /bin/bash
    groups: sudo
    lock_passwd: false
    # mkpasswd --method=SHA-512 --rounds=4096 -S "1234asdf"
    passwd: $6$rounds=4096$1234asdf$3Ym7weobJp/ORkJML66e54IyCEOGKM8C1zfQj4NRngDgJJGdEJn3O9rocWy0uVc84PbEvSnzji3a54X5FOb230

While provisioning is still running, I can log in as root (configured separately) and observe that the hash in /etc/shadow is identical to this (as expected). Also 'ubuntu' can log in.

After provisioning is complete and the VM reboots, I cannot log in as 'ubuntu'.

I log in as root and find that now a '!' was prefixed to password hash in /etc/shadow:

ubuntu:!$6$rounds=4096$1....

If I remove that '!', I can log in as the ubuntu user.

I tried surrounding the password with single and double quotes, no difference. Initially it's provisioned correctly, so it's something that injects that '!' after that.


Launchpad user Alberto Contreras(aciba) wrote on 2023-02-08T09:39:59.469081+00:00

Hello windowsguy.

Firstly, your command to generate the hashed password is wrong, as you are specifying the salt and not the password. See [1].

To hash 1234asdf execute:

$ mkpasswd --method=SHA-512 --rounds=4096 1234asdf
$6$rounds=4096$MJ9ozPaNS2HWVZcg$rwThVdxIm33BegbW2f2gNLq3JXzej5URpdOxPKna5uSI6K/opwxdZ317vgM1btgcys89ZDu520aglKOSvjT3Z0

or

$ mkpasswd --method=SHA-512 --rounds=4096 -S mycoolsalt 1234asdf
$6$rounds=4096$mycoolsalt$hNRWY61tyEOF.15a9a2q8PZ5Z/vFmBcRTDJrPzrl5ZK/iVPLQjCvEKWUmjSkqE1EyIRLgaYLYY1Y6BomzTIV./

Secondly, a password field which starts with an exclamation mark in /etc/shadow means that the password is locked, see [2]. This probably happened because you tried to log in using 1234asdf as the password a lot of times.

I am going to mark this bug as invalid. Please, try with one of those hashed passwords and comment here if you find any additional problem.

[1] https://manpages.ubuntu.com/manpages/jammy/en/man1/mkpasswd.1.html
[2] https://manpages.ubuntu.com/manpages/jammy/en/man5/shadow.5.html
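The two points above (a `$6$` string carries its own `rounds=` and salt fields, so the salt-vs-password mix-up is visible in the hash itself, and a leading `!` in the shadow field is a lock marker rather than part of the hash) can be checked without shelling out to mkpasswd or crypt(3). The following is an added example written for this thread, not cloud-init's, mkpasswd's or glibc's code: `sha512_crypt()` re-implements the SHA-crypt algorithm from Drepper's specification, which is what `mkpasswd --method=SHA-512` produces, and the shadow lines are constructed (root's hash is the specification's published test vector for "Hello world!" with salt "saltstring"; ubuntu's is the field the reporter pasted, with the `!` prefix). Note that `verify()` deliberately fails on a locked field: stripping the `!`, as the reporter did by hand and as `passwd -u` does, is what makes the hash usable again.

```python
"""Inspect /etc/shadow password fields and verify SHA-512 crypt ($6$) hashes.

Added example, not cloud-init/mkpasswd/glibc code.  sha512_crypt() follows
Drepper's SHA-crypt specification (the algorithm behind crypt(3) $6$ hashes).
The sample shadow lines are constructed for this example.
"""
import hashlib
import hmac
import re
from typing import Optional

_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ROUNDS_DEFAULT, ROUNDS_MIN, ROUNDS_MAX = 5000, 1000, 999_999_999
# $6$[rounds=N$]<salt, up to 16 chars>$<86 chars of crypt base64>
_CRYPT_RE = re.compile(r"^\$6\$(?:rounds=(\d+)\$)?([^$]{0,16})\$([./0-9A-Za-z]{86})$")


def sha512_crypt(password: bytes, salt: bytes, rounds: Optional[int] = None) -> str:
    """Return the $6$ crypt string; salt is cut to 16 bytes, rounds clamped."""
    salt = salt[:16]
    custom = rounds is not None
    rounds = min(max(rounds if custom else ROUNDS_DEFAULT, ROUNDS_MIN), ROUNDS_MAX)
    n, H = len(password), hashlib.sha512

    b = H(password + salt + password).digest()       # digest B
    a = H(password + salt)                            # digest A (spec steps 1-12)
    k = n
    while k > 64:
        a.update(b)
        k -= 64
    a.update(b[:k])
    k = n
    while k:                                          # walk the bits of len(password)
        a.update(b if k & 1 else password)
        k >>= 1
    a = a.digest()

    dp = H(password * n).digest()                     # P: DP stretched to len(password)
    p = (dp * (n // 64 + 1))[:n]
    ds = H(salt * (16 + a[0])).digest()               # S: DS stretched to len(salt)
    s = (ds * (len(salt) // 64 + 1))[:len(salt)]

    c = a
    for i in range(rounds):                           # the work-factor loop (step 21)
        h = H(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()

    out = []                                          # crypt's byte shuffle + base64
    for i in range(21):
        t = (i, i + 21, i + 42)
        t = t[i % 3:] + t[:i % 3]
        w = (c[t[0]] << 16) | (c[t[1]] << 8) | c[t[2]]
        for _ in range(4):
            out.append(_B64[w & 0x3F])
            w >>= 6
    out.append(_B64[c[63] & 0x3F])
    out.append(_B64[c[63] >> 6])
    spec = f"$6$rounds={rounds}$" if custom else "$6$"
    return spec + salt.decode() + "$" + "".join(out)


def parse_shadow_line(line: str) -> dict:
    """Split one shadow line into user, lock state and the hash's structure."""
    user, field = line.rstrip("\n").split(":")[:2]
    locked = field.startswith("!")                    # what passwd -l / usermod --lock write
    m = _CRYPT_RE.match(field.lstrip("!"))
    return {
        "user": user,
        "locked": locked,
        "sha512_crypt": bool(m),
        "rounds": (int(m.group(1)) if m.group(1) else ROUNDS_DEFAULT) if m else None,
        "salt": m.group(2) if m else None,
    }


def locked_accounts(shadow_text: str) -> list:
    """Users whose password field carries the '!' lock prefix."""
    return [parse_shadow_line(l)["user"] for l in shadow_text.splitlines()
            if l and parse_shadow_line(l)["locked"]]


def verify(password: str, field: str) -> bool:
    """True only if field is an UNLOCKED $6$ hash of password."""
    m = _CRYPT_RE.match(field)                        # a '!' prefix never matches
    if not m:
        return False
    rounds = int(m.group(1)) if m.group(1) else None
    computed = sha512_crypt(password.encode(), m.group(2).encode(), rounds)
    return hmac.compare_digest(computed, field)


# Constructed sample in /etc/shadow layout (see module docstring).
SAMPLE_SHADOW = (
    "root:$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJuesI68u4OTLiBFdcbYEdFCoEOfaS35inz1:19393:0:99999:7:::\n"
    "ubuntu:!$6$rounds=4096$1234asdf$3Ym7weobJp/ORkJML66e54IyCEOGKM8C1zfQj4NRngDgJJGdEJn3O9rocWy0uVc84PbEvSnzji3a54X5FOb230:19393:0:99999:7:::\n"
    "sshd:*:19393:0:99999:7:::\n"
)

if __name__ == "__main__":
    for line in SAMPLE_SHADOW.splitlines():
        print(parse_shadow_line(line))
    print("locked:", locked_accounts(SAMPLE_SHADOW))
```

Running the script prints the ubuntu entry with `locked: True`, `rounds: 4096` and `salt: '1234asdf'`, which is exactly the salt-instead-of-password symptom described above; the hash is otherwise well-formed, so whether it matches the intended password can only be settled by `verify()` with that password.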


Launchpad user windowsguy(something-f) wrote on 2023-02-09T07:34:09.653767+00:00

The password command was a typo. What I used was mkpasswd --method=SHA-512 --rounds=4096 -S "1234asdf" and then provided my "standard" lab password, which was the same as root's. I couldn't have logged in as ubuntu after removing the ! from it as root if I hadn't produced the hash correctly.

Last week I had to deploy a search-and-replace service as part of cloud-init to remove that ! on OS restart, but I just tried 10 times and saw it only once (no idea why; I see zero failed SSH login attempts in auth.log and the system is my desktop with me as the only user, so I still think there's something wrong, but I can no longer reproduce it at will).

I agree with your decision to close it.


Launchpad user Alberto Contreras(aciba) wrote on 2023-02-09T09:04:17.876285+00:00

I tried to reproduce it assuming a valid hashed password, but I was not able to get an exclamation mark in the password. If you find a reproducer, please update this bug and we will be happy to have a look.


Launchpad user Scott Moser(smoser) wrote on 2023-02-09T13:13:50.068588+00:00

windowsguy,
It might be helpful for you to collect log information with 'cloud-init collect-logs'.

This sounds to me like a problem where the "instance-id" is changing. On reboot, cloud-init thinks this is a new instance-id and (a) does not see the user-data you provided and (b) locks the default user account.


Launchpad user Chad Smith(chad.smith) wrote on 2023-02-10T22:41:01.767570+00:00

Hiya windowsguy,

One thing we hope to see here with your attached tar/zipped logs from cloud-init collect-logs is whether cloud-init is actually making a call to passwd -l or usermod --lock in logs.

I'll mark this bug as 'Incomplete' status. Please set it back to 'New' when you have had a chance to attach the full cloud-init.log (or tgz from cloud-init collect-logs).

NOTE: when using cloud-init collect-logs it'll capture your user-data in /run/cloud-init/instance-data-sensitive.json which does contain your password in this case, so make sure you redact any specific password or hash listed if attaching that tarfile.
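The two previous comments describe the triage that settles this kind of report: compare the instance-id cloud-init saw on this boot with the previous one, look in cloud-init.log for an actual `passwd -l` / `usermod --lock` call, and redact hashes before attaching the bundle. The script below is an added example written for this thread, not cloud-init's own tooling. It assumes the instance-id files are `/var/lib/cloud/data/instance-id` and `previous-instance-id` (with cloud-init's first-boot sentinel `NO_PREVIOUS_INSTANCE_ID`) and that cloud-init.log records subprocesses as "Running command [...]" lines; every input it runs on here is constructed to resemble those artifacts, not captured from a real system.

```python
"""Triage a default user found locked after reboot, from the artifacts that
`cloud-init collect-logs` gathers.  Added example, not cloud-init's own code.

Assumptions (not confirmed by the thread): /var/lib/cloud/data/instance-id and
previous-instance-id hold the ids (first boot writes NO_PREVIOUS_INSTANCE_ID),
and cloud-init.log logs subprocesses as "Running command [...]".  The inputs
at the bottom are constructed for this example.
"""
import re

_RUN_RE = re.compile(r"Running command \[(.*?)\]")
# crypt-style hashes ($1$, $5$, $6$, $y$, $2b$...) that must not leave the host
_HASH_RE = re.compile(r"\$(?:1|5|6|y|2[abxy]?)\$[^\s\"',:]+")
NO_PREVIOUS = "NO_PREVIOUS_INSTANCE_ID"


def lock_calls(log_text: str) -> list:
    """Users cloud-init locked via `passwd -l` or `usermod --lock` / `-L`."""
    users = []
    for line in log_text.splitlines():
        m = _RUN_RE.search(line)
        if not m:
            continue
        argv = [a.strip().strip("'\"") for a in m.group(1).split(",")]
        if argv[:2] == ["passwd", "-l"] or (
            argv[0] == "usermod" and ("--lock" in argv or "-L" in argv)
        ):
            users.append(argv[-1])
    return users


def instance_changed(instance_id: str, previous_instance_id: str) -> bool:
    """True when this boot looks like a brand-new instance to cloud-init."""
    cur, prev = instance_id.strip(), previous_instance_id.strip()
    return prev != NO_PREVIOUS and cur != prev


def redact_hashes(text: str) -> str:
    """Blank password hashes before a log bundle is attached to a public bug."""
    return _HASH_RE.sub("$<redacted>", text)


def triage(instance_id: str, previous_instance_id: str, log_text: str) -> dict:
    """Combine both signals into one verdict a bug report can quote."""
    locked = lock_calls(log_text)
    changed = instance_changed(instance_id, previous_instance_id)
    if changed and locked:
        verdict = ("instance-id changed; cloud-init re-ran per-instance user setup "
                   "without your user-data and locked: " + ", ".join(locked))
    elif locked:
        verdict = ("cloud-init locked " + ", ".join(locked) +
                   " on the same instance-id; check lock_passwd in the applied user-data")
    elif changed:
        verdict = "instance-id changed but no lock call logged; user-data may not have been applied"
    else:
        verdict = "no cloud-init lock call and stable instance-id; the '!' came from outside cloud-init"
    return {"instance_changed": changed, "locked_users": locked, "verdict": verdict}


# Constructed inputs modelled on the shape of cloud-init's files and log lines.
INSTANCE_ID = "iid-local02\n"
PREVIOUS_INSTANCE_ID = "iid-local01\n"
CLOUD_INIT_LOG = """\
2023-02-09 07:30:11,902 - stages.py[DEBUG]: previous iid found to be iid-local01
2023-02-09 07:30:12,117 - subp.py[DEBUG]: Running command ['passwd', '-l', 'ubuntu'] with allowed return codes [0] (shell=False, capture=True)
2023-02-09 07:30:12,250 - subp.py[DEBUG]: Running command ['chpasswd'] with allowed return codes [0] (shell=False, capture=True)
"""

if __name__ == "__main__":
    print(triage(INSTANCE_ID, PREVIOUS_INSTANCE_ID, CLOUD_INIT_LOG))
    print(redact_hashes('"passwd": "$6$rounds=4096$1234asdf$3Ym7weobJp/ORkJ"'))
```

On a real host, read the three inputs from the collect-logs tarball (or straight from `/var/lib/cloud/data/` and `/var/log/cloud-init.log`) and pass `redact_hashes()` over anything, including `instance-data-sensitive.json`, before it leaves the machine.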


Launchpad user Launchpad Janitor(janitor) wrote on 2023-04-12T04:17:18.890808+00:00

[Expired for cloud-init because there has been no activity for 60 days.]

ubuntu-server-builder closed this as not planned (won't fix, can't repro, duplicate, stale) on May 12, 2023.