View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0000130||Cloud||General||public||2022-06-27 13:09||2022-07-15 10:38|
|Reporter||Tomas Leypold||Assigned To|
|Summary||0000130: Rocky 8 GenericCloud qcow2 image has a default root password set|
We just found a nasty security misconfiguration in the Rocky 8 GenericCloud qcow2 images - https://download.rockylinux.org/pub/rocky/8/images/Rocky-8-GenericCloud.latest.x86_64.qcow2 - which should be fixed:
1. The image has a default root password set - a cloud image should never have a default password, and if you create a new user in cloud-config as your default user, then this misconfiguration can cause severe consequences:
2. A cloud image should not have these options enabled by default in /etc/ssh/sshd_config:
|Steps To Reproduce||1. Use a cloud config like this:|
#cloud-config
users:
  - name: user01
    ssh_authorized_keys:
      - ssh-ed25519 AAAAxxx
2. Wait for someone to brute-force the root password through ssh.
|Tags||No tags attached.|
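An added audit script, written for this page and not taken from the Rocky issue or from Rocky's image build tooling, that checks an unpacked cloud-image root filesystem for the two conditions the report raises: a usable root password hash in /etc/shadow, and sshd_config directives that let password logins reach root. It assumes the image has already been mounted read-only at a path you pass in (for example with guestmount or qemu-nbd, not shown), it treats PermitRootLogin and PasswordAuthentication as the directives of interest (the report itself does not name them), and it builds a constructed fake root filesystem in a temp directory so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example: offline audit of a mounted cloud-image root filesystem.
# Not Rocky's build tooling. Assumes the image root fs is mounted at the
# given path. Caveats: sshd_config "Include" and "Match" blocks are not
# handled (RHEL 8 ships a sshd_config without an Include by default).

# 0 if the root entry in etc/shadow has no usable hash: an empty field, or
# one starting with "!" or "*" (how passwd -l / usermod -L mark a lock).
root_password_locked() {
    hash=$(awk -F: '$1 == "root" { print $2; exit }' "$1/etc/shadow")
    case "$hash" in
        ""|"!"*|"*"*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Effective value of a top-level sshd_config keyword: sshd takes the first
# match and keywords are case-insensitive. Prints "unset" if absent.
sshd_effective() {
    val=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' \
          "$1/etc/ssh/sshd_config" 2>/dev/null)
    echo "${val:-unset}"
}

# Full audit: one line per check, returns 0 only if every check passes.
audit_image_root() {
    rc=0
    if root_password_locked "$1"; then echo "OK    root password locked"
    else echo "FAIL  root has a usable password hash"; rc=1; fi
    prl=$(sshd_effective "$1" PermitRootLogin)
    case "$prl" in
        # OpenSSH's built-in default (unset) is prohibit-password
        no|prohibit-password|without-password|unset)
            echo "OK    PermitRootLogin $prl" ;;
        *)  echo "FAIL  PermitRootLogin $prl"; rc=1 ;;
    esac
    pa=$(sshd_effective "$1" PasswordAuthentication)
    case "$pa" in
        no) echo "OK    PasswordAuthentication no" ;;
        *)  echo "FAIL  PasswordAuthentication $pa (sshd default is yes)"; rc=1 ;;
    esac
    return $rc
}

# Constructed fixture: a fake root fs in a temp dir, so the audit runs offline.
# $1 = root's shadow hash field, $2 = sshd_config contents.
make_fixture() {
    d=$(mktemp -d); mkdir -p "$d/etc/ssh"
    printf 'root:%s:19000:0:99999:7:::\n' "$1" > "$d/etc/shadow"
    printf '%s\n' "$2" > "$d/etc/ssh/sshd_config"
    echo "$d"
}

# The hash below is a constructed placeholder, not a real password hash.
bad_fs=$(make_fixture '$6$constructed$notarealhash' 'PermitRootLogin yes
PasswordAuthentication yes')
good_fs=$(make_fixture '!!' 'PermitRootLogin prohibit-password
PasswordAuthentication no')

if [ $# -gt 0 ]; then
    audit_image_root "$1"          # audit a real mounted root fs
else
    audit_image_root "$bad_fs"  || echo "  -> bad_fs rejected"
    audit_image_root "$good_fs" && echo "  -> good_fs accepted"
fi
```

Run it with the mount point of the image as the only argument; with no argument it audits the two constructed fixtures and shows one failing and one passing result. The shadow check is deliberately strict: any hash that is not explicitly locked counts as a usable password, which is the condition the report describes.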
Hello. Thank you for the report, and apologies for not getting back to you quickly enough.
Can you try out these updated images and see if it helps?
Hi. It seems like the link https://dl.rockylinux.org/stg/rocky/8/images/Rocky-8-GenericCloud-8.6.20220702.0.x86_64.qcow2 doesn't work. It just returns 200 but not a file.
Thanks for the report. We dropped our cache last night for the downloads in our CDN due to some issues and it looks like it revealed a problem with our config. I've pushed a change to the CDN config, and downloads appear to be working for that now.
Please let me know if you have any other issues!
Just wondering why the size of Rocky-8-GenericCloud-8.6-20220515.x86_64.qcow2 is 857MB but the Rocky-8-GenericCloud-8.6.20220702.0.x86_64.qcow2 is 2.6G?
The images are larger mostly because they were not compressed/sparsified. The new images for 9.0 and 8.6 that will be released soon are closer to the original size of ~1.5Gb.
Great, stg image works fine, the root password is not set anymore.
Are the build scripts publicly available somewhere, in case we have future improvements, so that we could test them and directly create pull requests?
|2022-06-27 13:09||Tomas Leypold||New Issue|
|2022-07-03 04:33||Louis Abel||Note Added: 0000245|
|2022-07-11 13:29||Tomas Leypold||Note Added: 0000256|
|2022-07-11 13:42||Neil Hanlon||Note Added: 0000257|
|2022-07-13 09:44||Hsi-En Yu||Note Added: 0000263|
|2022-07-13 13:50||Neil Hanlon||Note Added: 0000264|
|2022-07-15 10:38||Tomas Leypold||Note Added: 0000269|