[Users] Scientific Linux 5.7 OS Templates in contrib
Kelvin Raywood
kray at triumf.ca
Wed Sep 14 16:55:17 EDT 2011
Scott Dowdle wrote:
> ...
> The final products are an i386 and an x86_64 contributed SL 5.7 OS Template.
Thanks very much for these Scott. This is much appreciated.
I just wanted to mention one thing that I got bitten by recently with a
template from contrib.
In the official templates, /etc/shadow has * in the encrypted-password
field for root so that you can't log in as root using a password.
In April, an early SL-6.0 template was contributed
(scientificlinux-6.0-x86.tar.gz Apr-11-2011) which has an encrypted
password string for root.
We normally disable password access to root in /etc/ssh/sshd_config via
"PermitRootLogin without-password" and use ssh keys or "vzctl enter" to
get root access so didn't notice that the machine had a root password
enabled. Also, since it was our first SL-6 container, we didn't have
our deployment procedure sorted out properly and this was the
sshd_config part.
It didn't take long for some spider to find the machine and guess the
password. An IRC robot was installed and /root/.ssh/authorized_keys was
overwritten. We noticed fairly quickly and then cracked the password
string.
Anyway, we learned our lesson but I think it would also be good practice
for contributors to check that their template does not have a root password.
Oh yeah - the cracked password ... password
--
Kel Raywood
TRIUMF
Vancouver BC
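
Added example, not part of the original message: one way to run the check suggested above, reading etc/shadow from a template tarball and reporting any account whose password field is not locked. The function names and the sample shadow entries are constructed for illustration, and the hash string is a placeholder.

```python
import io
import tarfile

def password_state(field):
    """Classify the second field of an /etc/shadow entry."""
    if field == "":
        return "empty"      # account can be used with no password at all
    if field[0] in "*!":
        return "locked"     # no password can match, as in the official templates
    return "hash"           # a usable encrypted password is set

def audit_template(fileobj):
    """Return {account: state} for etc/shadow accounts that are not locked."""
    findings = {}
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            # Archives may store the path as etc/shadow or ./etc/shadow.
            name = member.name[2:] if member.name.startswith("./") else member.name
            if name != "etc/shadow" or not member.isfile():
                continue
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            for line in text.splitlines():
                parts = line.split(":")
                if line.startswith("#") or len(parts) < 2:
                    continue
                state = password_state(parts[1])
                if state != "locked":
                    findings[parts[0]] = state
    return findings

def build_sample_template(shadow_text):
    """Constructed in-memory .tar.gz holding only etc/shadow (sample input)."""
    buf = io.BytesIO()
    data = shadow_text.encode()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("./etc/shadow")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

# Constructed sample entries; the hash below is a placeholder, not a real hash.
SAMPLE_BAD = "root:$1$CONSTRUCTED$placeholderhash000:15000:0:99999:7:::\nbin:*:15000:0:99999:7:::\n"
SAMPLE_GOOD = "root:*:15000:0:99999:7:::\nbin:*:15000:0:99999:7:::\nsshd:!!:15000::::::\n"

if __name__ == "__main__":
    for label, text in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(label, audit_template(build_sample_template(text)))
```

For a real template, pass an open file instead of the sample buffer, for example audit_template(open(path, "rb")); an empty result means every account in the template is locked for password login.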