Scott Dowdle wrote:
> ...
> The final products are an i386 and an x86_64 contributed SL 5.7 OS Template.

Thanks very much for these, Scott. This is much appreciated.

I just wanted to mention one thing that I got bitten by recently with a
template from contrib.

In the official templates, /etc/shadow has * in the encrypted-password
field for root so that you can't log in as root using a password.

In April, an early SL-6.0 template was contributed
(scientificlinux-6.0-x86.tar.gz Apr-11-2011) which has an encrypted
password string for root.

We normally disable password access to root in /etc/ssh/sshd_config via
"PermitRootLogin without-password" and use ssh keys or "vzctl enter" to
get root access so didn't notice that the machine had a root password
enabled. Also, since it was our first SL-6 container, we didn't have
our deployment procedure sorted out properly and this was the
sshd_config part.

It didn't take long for some spider to find the machine and guess the
password. An IRC robot was installed and /root/.ssh/authorized_keys was
overwritten. We noticed fairly quickly and then cracked the password
string.

Anyway, we learned our lesson but I think it would also be good practice
for contributors to check that their template does not have a root password.

Oh yeah - the cracked password ... password
--
Kel Raywood
TRIUMF
Vancouver BC
_______________________________________________
Users mailing list
[email protected]
https://openvz.org/mailman/listinfo/users
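
The check suggested in the message above can be automated before a template is published or deployed. The following is an added example, not part of the original post: it reads etc/shadow out of a template tarball and reports any account whose password field is not locked. The function names and the sample shadow contents are constructed for illustration.

```python
import io
import posixpath
import sys
import tarfile

def unlocked_accounts(tar_fileobj):
    """Return [(user, problem)] for etc/shadow entries that permit password login."""
    findings = []
    with tarfile.open(fileobj=tar_fileobj, mode="r:*") as tar:
        for member in tar:
            # Template tarballs usually store the path as ./etc/shadow
            name = posixpath.normpath(member.name).lstrip("/")
            if name != "etc/shadow" or not member.isfile():
                continue
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            for line in text.splitlines():
                fields = line.split(":")
                if len(fields) < 2:
                    continue
                user, pw = fields[0], fields[1]
                if pw == "":
                    findings.append((user, "empty password field"))
                elif pw[0] not in "*!":
                    # Conservative: anything not starting with * or ! is
                    # treated as a usable password hash.
                    findings.append((user, "password field is not locked"))
    return findings

def build_template(shadow_text):
    """Constructed sample: an in-memory .tar.gz holding only ./etc/shadow."""
    data = shadow_text.encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("./etc/shadow")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

# Constructed shadow contents; the hash string is a placeholder, not a real hash.
OFFICIAL_STYLE = "root:*:15000:0:99999:7:::\nbin:*:15000:0:99999:7:::\n"
WITH_ROOT_HASH = "root:$1$SALT$PLACEHOLDERHASH:15000:0:99999:7:::\nbin:*:15000:0:99999:7:::\n"

if __name__ == "__main__":
    for path in sys.argv[1:]:  # template tarballs to audit
        with open(path, "rb") as fh:
            for user, problem in unlocked_accounts(fh):
                print(f"{path}: {user}: {problem}")
```

Run against one or more template tarballs given as arguments; no output means every account in etc/shadow is locked for password login.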