cc_set_passwords does not expire users if password given as hash

Bug #1979065 reported by Roni Väyrynen
Affects: cloud-init
Status: Fix Released
Importance: High
Assigned to: Unassigned
Milestone: (not set)

Bug Description

https://cloudinit.readthedocs.io/en/latest/topics/modules.html#set-passwords

Documentation explains three different ways of setting a user password using chpasswd but doesn't mention that they would otherwise work any differently from one another. Passwords should by default be expired if not specifically set otherwise in chpasswd. However, if one sets the password as a hash either in password or in the chpasswd list, cc_set_passwords.py skips passwd --expire <username> completely, which doesn't match the documented behaviour.

https://github.com/canonical/cloud-init/blob/728098325657cb2fec559cf321ccd5235e786381/cloudinit/config/cc_set_passwords.py#L260

This part only applies to users who had either a plain-text password or a random password set.
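A small model of the expiry decision this report describes, added here as an example and not taken from cloud-init's code: it classifies a chpasswd list into hashed, random and plain entries and returns which users would receive passwd --expire under the reported behaviour versus the documented one. The hash-detection regex is a simplification assumed for the example, and the sample entries (including the placeholder hash) are constructed.

```python
import re

# Constructed sample chpasswd list covering the three documented forms.
# The hash is a placeholder shaped like a SHA-512 crypt string, not a real one.
CHPASSWD_LIST = [
    "u1:$6$rounds=4096$saltsaltsaltsalt$placeholderhashplaceholderhash",
    "u2:RANDOM",
    "u3:demo-plaintext",
]

# Assumption: a value counts as "hashed" when it carries a crypt(3)-style
# "$id$" prefix. This approximates cloud-init's check for this example only.
HASH_RE = re.compile(r"^\$(1|2a|2b|2y|5|6)\$")


def classify(entries):
    """Return (user, secret, kind) tuples, kind in {'hashed', 'random', 'plain'}."""
    out = []
    for entry in entries:
        user, sep, secret = entry.partition(":")
        if not sep or not user:
            raise ValueError(f"malformed chpasswd entry: {entry!r}")
        if secret == "RANDOM":
            kind = "random"
        elif HASH_RE.match(secret):
            kind = "hashed"
        else:
            kind = "plain"
        out.append((user, secret, kind))
    return out


def users_to_expire(entries, expire=True, fixed=True):
    """Users that get `passwd --expire` after their password is set.

    fixed=False reproduces the reported bug: hashed entries are skipped.
    fixed=True applies the documented rule: every user unless expire is False.
    """
    if not expire:
        return []
    return [u for u, _, kind in classify(entries) if fixed or kind != "hashed"]


def planned_commands(entries, expire=True, fixed=True):
    """Dry-run list of commands (nothing is executed): hashed values are fed to
    `chpasswd -e`, plain and random ones to `chpasswd`, then the expiries run."""
    rows = classify(entries)
    cmds = []
    if any(k == "hashed" for _, _, k in rows):
        cmds.append(["chpasswd", "-e"])
    if any(k != "hashed" for _, _, k in rows):
        cmds.append(["chpasswd"])
    cmds += [["passwd", "--expire", u] for u in users_to_expire(entries, expire, fixed)]
    return cmds
```

Comparing planned_commands(CHPASSWD_LIST, fixed=False) with the default shows exactly the missing passwd --expire u1 the report is about.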

Revision history for this message
James Falcon (falcojr) wrote :

Thanks for reporting this. I can reproduce the behavior described.

Changed in cloud-init:
status: New → Triaged
importance: Undecided → High
Chad Smith (chad.smith) wrote :

Expectation here is to fix hashed passwords to also expire.

Validated that hashed password is not expired by default:

# Quote the heredoc delimiter so the shell does not expand the $6$... hash fields.
cat > hash_pw_not_expired.yaml <<'EOF'
#cloud-config
ssh_pwauth: true
users:
 - default
 - gecos: User One
   name: u1
   groups: [adm, cdrom, dip, lxd, sudo]
   lock_passwd: False
 - gecos: User Two
   name: u2
   groups: [adm, cdrom, dip, lxd, sudo]
   lock_passwd: False
chpasswd:
   list:
   - u1:$6$rounds=4096$4Bbw0KI52G71TqOT$a.mEik19QEe9Lfot2gt6Ff5rUwYkLm49SAIDJoNrxd4V/PL21e83FqK/aDVV6CGFM/GNH6CtvR0Sk52i9jhNK1
   - u2:RANDOM
EOF
lxc launch ubuntu-daily:jammy test-pw-expiry -c user.user-data="$(cat hash_pw_not_expired.yaml)"
lxc exec test-pw-expiry -- cloud-init status --wait --long
IP=$(lxc ls -c 4 test-pw-expiry | awk '/eth/{print $2}')
ssh u1@$IP # hashed password this4now
# Note no expiry notice
lxc console test-pw-expiry --show-log | grep u2
# Copy the random password printed to the console and log in
ssh u2@$IP # Use random password printed to console from above
# Note expiry notice

Chad Smith (chad.smith) wrote :

After further review and discussion on this item, we determined it's best not to change existing behavior, but fix the docs to align with current behavior. Introducing a change in behavior for hashed password expiry may break automation expecting to rely on this feature.

Since the introduction of hashed password support in cloud-init, released in 2017 [1], hashed passwords have not been expired. Let's retain and more clearly document that behavior.

[1] hashed pw support https://github.com/canonical/cloud-init/commit/21632972df034c200578e1fbc121a07f20bb8774

James Falcon (falcojr) wrote :

After further further review, we decided to fix the behavior after all. See https://github.com/canonical/cloud-init/pull/1577

A follow-on PR will ensure the original behavior is preserved for existing releases.

Changed in cloud-init:
status: Triaged → Fix Committed
Brett Holman (holmanb) wrote : Fixed in cloud-init version 22.3.

This bug is believed to be fixed in cloud-init in version 22.3. If this is still a problem for you, please make a comment and set the state back to New.

Thank you.

Changed in cloud-init:
status: Fix Committed → Fix Released