cloud init prefixes password hash with exclamation mark #4072
Comments
Launchpad user Alberto Contreras(aciba) wrote on 2023-02-08T09:39:59.469081+00:00

Hello windowsguy.

Firstly, your command to generate the hashed password is wrong, as you are specifying the salt and not the password. See [1]. To hash 1234asdf execute:

$ mkpasswd --method=SHA-512 --rounds=4096 1234asdf

or

$ mkpasswd --method=SHA-512 --rounds=4096 -S mycoolsalt 1234asdf

Secondly, a password field which starts with an exclamation mark in /etc/shadow means that the password is locked, see [2]. This probably happened because you tried to log in using 1234asdf as the password a lot of times.

I am going to mark this bug as invalid. Please, try with one of those hashed passwords and comment here if you find any additional problem.

[1] https://manpages.ubuntu.com/manpages/jammy/en/man1/mkpasswd.1.html
Launchpad user windowsguy(something-f) wrote on 2023-02-09T07:34:09.653767+00:00

The password command was a typo. What I used was mkpasswd --method=SHA-512 --rounds=4096 -S "1234asdf" and then provided my "standard" lab password which was the same as root. I couldn't log in as ubuntu after removing ! from it as root if I didn't correctly produce the hash.

Last week I had to deploy a search-and-replace service as part of cloud-init, to remove that ! on OS restart, but I just tried 10 times and saw it only once (no idea why, I see zero failed login SSH attempts in auth.log and the system is my desktop with me as the only user, so I still think there's something wrong, but can no longer reproduce it at will).

I agree with your decision to close it.
Launchpad user Alberto Contreras(aciba) wrote on 2023-02-09T09:04:17.876285+00:00

I tried to reproduce it assuming a valid hashed password, but I was not able to get an exclamation mark in the password. If you find a reproducer, please update this bug and we will be happy to have a look.
Launchpad user Scott Moser(smoser) wrote on 2023-02-09T13:13:50.068588+00:00

windowsguy, this sounds to me like a problem where the "instance-id" is changing. On reboot, cloud-init thinks this is a new instance-id and a.) does not see the user-data you provided b.) locks the default user account.
Launchpad user Chad Smith(chad.smith) wrote on 2023-02-10T22:41:01.767570+00:00

Hiya windowsguy,

One thing we hope to see here with your attached tar/zipped logs from I'll mark this bug as 'Incomplete' status. Please set it back to 'New' when you have had a chance to attach the full cloud-init.log (or tgz from cloud-init collect-logs).

NOTE: when using cloud-init collect-logs it'll capture your user-data in /run/cloud-init/instance-data-sensitive.json which does contain your password in this case, so make sure you redact any specific password or hash listed if attaching that tarfile.
Launchpad user Launchpad Janitor(janitor) wrote on 2023-04-12T04:17:18.890808+00:00

[Expired for cloud-init because there has been no activity for 60 days.]
This bug was originally filed in Launchpad as LP: #2006052
Launchpad details
Launchpad user windowsguy(something-f) wrote on 2023-02-05T12:52:47.257056+00:00
Host OS is Ubuntu 22.04 LTS.
Guest info:
I use this to configure password for the Ubuntu user:
users:
gecos: Ubuntu User
sudo: ALL=(ALL) NOPASSWD:ALL
shell: /bin/bash
groups: sudo
lock_passwd: false
mkpasswd --method=SHA-512 --rounds=4096 -S "1234asdf"
passwd: $6$rounds=4096$1234asdf$3Ym7weobJp/ORkJML66e54IyCEOGKM8C1zfQj4NRngDgJJGdEJn3O9rocWy0uVc84PbEvSnzji3a54X5FOb230

While provisioning is still running, I can log in as root (configured separately) and observe the hash in /etc/shadow is identical to this (as expected). Also 'ubuntu' can login.
After provisioning is complete and the VM reboots, I cannot login as 'ubuntu'.
I log in as root and find that now a '!' was prefixed to password hash in /etc/shadow:
ubuntu:!$6$rounds=4096$1....
If I remove that '!', I can login as the ubuntu user.
I tried surrounding the password with single and double quotes, no difference. Initially it's provisioned correctly, so it's something that injects that '!' after that.
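
The check this thread keeps doing by hand, as an added example (not part of the original report and not cloud-init code): it splits an /etc/shadow password field into the lock marker and the crypt fields, then compares the stored hash with the one configured in user-data. The function names are hypothetical, and the sample line is constructed from the hash quoted in the report, with made-up aging fields.

```python
import re

# Modular crypt layout stored in /etc/shadow: $id$[rounds=N$]salt$hash
CRYPT_RE = re.compile(
    r"^\$(?P<id>[0-9a-z]+)\$(?:rounds=(?P<rounds>\d+)\$)?"
    r"(?P<salt>[./A-Za-z0-9]{1,16})\$(?P<hash>[./A-Za-z0-9]+)$")
SCHEMES = {"5": ("SHA-256", 43), "6": ("SHA-512", 86)}  # id -> (name, hash chars)

# Hash quoted in the report; the aging fields after it are constructed.
REPORTED_HASH = ("$6$rounds=4096$1234asdf$3Ym7weobJp/ORkJML66e54IyCEOGKM8C1zfQj4NRng"
                 "DgJJGdEJn3O9rocWy0uVc84PbEvSnzji3a54X5FOb230")
SAMPLE_LINE = "ubuntu:!" + REPORTED_HASH + ":19393:0:99999:7:::"


def inspect_shadow_line(line, configured_hash=None):
    """Classify the password field (second field) of one /etc/shadow line."""
    user, _, rest = line.rstrip("\n").partition(":")
    field = rest.split(":", 1)[0]
    body = field.lstrip("!")  # a leading '!' marks the password as locked
    info = {"user": user, "locked": field.startswith("!"), "scheme": None,
            "rounds": None, "salt": None, "well_formed": False,
            "matches_config": None}
    m = CRYPT_RE.match(body)
    if m and m["id"] in SCHEMES:
        name, length = SCHEMES[m["id"]]
        info.update(scheme=name, salt=m["salt"],
                    rounds=int(m["rounds"]) if m["rounds"] else None,
                    well_formed=len(m["hash"]) == length)
    if configured_hash is not None:
        # Same hash behind the '!' means provisioning wrote it correctly
        # and something locked the account afterwards.
        info["matches_config"] = body == configured_hash
    return info


def diagnose(info):
    if not info["locked"]:
        return "not locked"
    if info["matches_config"]:
        return "locked after provisioning; configured hash is intact"
    if info["well_formed"]:
        return "locked; a well-formed hash is stored behind the '!'"
    return "locked; no usable hash stored"


if __name__ == "__main__":
    result = inspect_shadow_line(SAMPLE_LINE, REPORTED_HASH)
    print(result, diagnose(result), sep="\n")
```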