The m23 discussion forum
Virtualbox appliance with /root/.ssh/authorized_keys file

 
Post new topic   Reply to topic    READ ONLY FORUM: m23 :: makes software distribution easy Forum Index -> Bugs
View previous topic :: View next topic  
Author Message
jaywalker



Joined: 18 Dec 2013
Posts: 6

Posted: Wed Dec 18, 2013 18:06    Post subject: Virtualbox appliance with /root/.ssh/authorized_keys file

Hello,

the VirtualBox appliance of m23 comes with a /root/.ssh/authorized_keys file that is not empty.
As far as I understand, this means that someone with the matching key is able to log in as root on all machines based on the virtual appliance, no matter whether the root password has been changed or not.

Regards
jaywalker
Author: Hauke
Joined: 02 Mar 2003
Posts: 1072

Posted: Thu Dec 19, 2013 16:42

Hi jaywalker,

you are right, the public SSH key should not be included in the appliance. The public SSH key shipped with the VM appliance (and likely in the ISO) comes from tests done before release.

You can simply delete /root/.ssh/authorized_keys, if you haven't added your own SSH keys. We will add a hint to the m23 website to inform about it.

I've added a remove command for /root/.ssh/authorized_keys to the ISO installer, so there should be no keys included in the ISO and the derived VM appliance in the future.
_________________
Hauke Goos-Habermann
- project leader m23 (http://m23.sf.net) -
Jabber: dodgerm23@jabber.org

Training, development and support for m23 and other open-source products: www.goos-habermann.de

YOU too can do something against software patents! www.patentfrei.de
Author: Hauke
Joined: 02 Mar 2003
Posts: 1072

Posted: Thu Dec 19, 2013 18:05

Some further investigations. We have three different cases:

  1. Installing with the Debian packages: The SSH public/private key pair of root won't be changed by the packages. The public key will be appended to /root/.ssh/authorized_keys. Not critical.
  2. Using the ISO: A new SSH public/private key pair for root will be created during the installation, BUT existing keys in /root/.ssh/authorized_keys will remain and only the new public SSH key of root will be ADDED. The upcoming installer will delete /root/.ssh/authorized_keys.
  3. Importing the VM appliance:
    Code:
    dpkg-reconfigure m23
    will only create a public/private key pair for root when /root/.ssh/id_dsa.pub is missing. This should be very unlikely and /root/.ssh/authorized_keys won't be changed by reconfiguring. So key pair and authorized_keys are UNCHANGED.

Author: Hauke
Joined: 02 Mar 2003
Posts: 1072

Posted: Thu Dec 19, 2013 19:31

Here are the solutions:

We added a hint in the installation guide to remove the SSH key pair and the authorized_keys files with
Code:
rm /root/.ssh/id_dsa* /root/.ssh/authorized_keys

before calling
Code:
dpkg-reconfigure m23
for users of the VM appliance and Raspberry Pi image. Users of the ISO only need to remove /root/.ssh/authorized_keys. This will generate a fresh key pair and an authorized_keys file that only contains the public key of the root account.

Updates for the stable package release that remove the SSH key pair and the entry from /root/.ssh/authorized_keys and generate a new SSH key pair will be uploaded soon.

For the next release, cleaning routines are included that will delete the key pair and authorized_keys before generating the compressed OS archive of the m23 server ISO and preparing the VM and Raspberry Pi images for compression. In addition, the ISO installer will delete the key pair and authorized_keys.

An article on the m23 page will follow.
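The problem jaywalker reports (a vendor test key left in root's authorized_keys, valid regardless of the root password) and the clean-up Hauke describes both come down to one check an administrator can run on any imported appliance: does authorized_keys contain anything other than the keys I installed myself? The following POSIX shell script is an added example, not m23 project code and not posted by anyone in the thread. It assumes an allow-list file in the same "type blob [comment]" format as authorized_keys, and the key blobs in the sample data are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example for this thread (not m23 project code): flag keys in an
# authorized_keys file that are not on an allow-list of known key material.
# Assumed layout: the allow-list uses the same "type blob [comment]" line format.

# Constructed sample data with placeholder key blobs (not real keys).
WORKDIR="${TMPDIR:-/tmp}/authkeys-audit.$$"
mkdir -p "$WORKDIR"
trap 'rm -rf "$WORKDIR"' EXIT

# What an appliance might ship: a leftover test key plus the admin's own key.
cat > "$WORKDIR/authorized_keys" <<'EOF'
# keys for root
ssh-dss AAAAB3NzaC1kc3MAAACBPLACEHOLDERVENDORTESTKEY test@build-host
command="/usr/bin/backup" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERADMINKEY admin@example.org
EOF

# What the administrator knows they installed themselves.
cat > "$WORKDIR/allowed_keys" <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERADMINKEY admin@example.org
EOF

# unexpected_keys AUTHORIZED_KEYS ALLOWED_KEYS
# Prints each line of AUTHORIZED_KEYS whose (type, blob) pair is absent from
# ALLOWED_KEYS. Comments and blank lines are skipped. A simple options prefix
# such as command="..." is tolerated because the key type is found by scanning
# the fields rather than assuming it is the first one.
unexpected_keys() {
    awk '
        function keyid(   i) {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+)$/)
                    return $i " " $(i + 1)
            return ""
        }
        function skip() { return $0 ~ /^[ \t]*#/ || $0 ~ /^[ \t]*$/ }
        FNR == NR { if (!skip()) { k = keyid(); if (k != "") allowed[k] = 1 }; next }
        !skip()   { k = keyid(); if (k == "" || !(k in allowed)) print FILENAME ":" FNR ": " $0 }
    ' "$2" "$1"
}

# audit_authorized_keys AUTHORIZED_KEYS ALLOWED_KEYS
# Returns 0 when every key is on the allow-list, 1 otherwise (listing offenders).
audit_authorized_keys() {
    found=$(unexpected_keys "$1" "$2")
    if [ -z "$found" ]; then
        return 0
    fi
    printf 'Unexpected keys in %s:\n%s\n' "$1" "$found" >&2
    return 1
}

if audit_authorized_keys "$WORKDIR/authorized_keys" "$WORKDIR/allowed_keys"; then
    echo "authorized_keys is clean"
else
    # The clean-up Hauke describes for a fresh m23 appliance, quoted here as a
    # comment only so this example never touches the real /root/.ssh:
    #   rm /root/.ssh/id_dsa* /root/.ssh/authorized_keys
    #   dpkg-reconfigure m23
    echo "remove the unexpected entries, then regenerate root's key pair as described in the thread"
fi
```

On a real system you would point the first argument at /root/.ssh/authorized_keys and the second at a file holding only the public keys you deliberately installed; any line the script prints is a key that can log in as root without the root password, which is exactly the exposure the thread is about. Matching on the (type, blob) pair rather than on the comment field matters because the comment is free text and says nothing about who actually holds the private key.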