jaywalker
Joined: 18 Dec 2013 Posts: 6
Posted: Wed Dec 18, 2013 18:06 Post subject: Virtualbox appliance with /root/.ssh/authorized_keys file
Hello,
the virtualbox appliance of m23 comes with a /root/.ssh/authorized_keys file that is not empty.
As far as I understand, this means that someone with the matching key is able to log in as root on all machines based on the virtual appliance, no matter whether the root password has been changed or not.
Regards
jaywalker
Hauke
Joined: 02 Mar 2003 Posts: 1072
|
Posted: Thu Dec 19, 2013 16:42 Post subject:
Hi jaywalker,
you are right, the public SSH key should not be included in the appliance. The public SSH key shipped with the VM appliance (and likely in the ISO) comes from tests done before release.
You can simply delete /root/.ssh/authorized_keys, if you haven't added your own SSH keys. We will add a hint to the m23 website to inform about it.
I've added a remove command for /root/.ssh/authorized_keys to the ISO installer, so there should be no keys included in the ISO and the derived VM appliance in the future.
_________________
Hauke Goos-Habermann
- project leader m23 (http://m23.sf.net) -
Jabber: dodgerm23@jabber.org
Training, development and support for m23 and other open source products: www.goos-habermann.de
YOU too can do something against software patents! www.patentfrei.de
Hauke
Joined: 02 Mar 2003 Posts: 1072
|
Posted: Thu Dec 19, 2013 18:05 Post subject:
Some further investigations. We have three different cases:
- Installing with the Debian packages: The SSH public/private key pair of root won't be changed by the packages. The public key will be appended to /root/.ssh/authorized_keys. Not critical.
- Using the ISO: A new SSH public/private key pair for root will be created during the installation BUT in /root/.ssh/authorized_keys existing keys will remain and only the new public SSH key of root will be ADDED. The upcoming installer will delete /root/.ssh/authorized_keys.
- Importing the VM appliance:
Code: dpkg-reconfigure m23
will only create a public/private key pair for root when /root/.ssh/id_dsa.pub is missing. This should be very unlikely, and /root/.ssh/authorized_keys won't be changed by reconfiguring. So key pair and authorized_keys are UNCHANGED.
Hauke
Joined: 02 Mar 2003 Posts: 1072
|
Posted: Thu Dec 19, 2013 19:31 Post subject:
Here are the solutions:
We added a hint in the installation guide to remove the SSH key pair and the authorized_keys files with
Code: rm /root/.ssh/id_dsa* /root/.ssh/authorized_keys
before calling
Code: dpkg-reconfigure m23
for users of the VM appliance and Raspberry Pi image. Users of the ISO only need to remove /root/.ssh/authorized_keys. This will generate a fresh key pair and an authorized_keys file that only contains the public key of the root account.
Updates for the stable packages release will be uploaded soon that remove the SSH key pair and the entry from /root/.ssh/authorized_keys and generate a new SSH key pair.
For the next release, cleaning routines are included that will delete the key pair and authorized_keys before generating the compressed OS archive of the m23 server ISO and preparing the VM and Raspberry Pi for compression. In addition, the ISO installer will delete the key pair and authorized_keys.
An article on the m23 page will follow.
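An added example, not part of the thread and not m23 project code: before running the removal commands above, this shell function lists the entries of an authorized_keys file that match none of the *.pub keys in the same directory, which is how a leftover key in an imported appliance shows up. The function names and the sample keys (placeholder strings, not real keys) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not m23 code. Function names and sample data are assumptions.

# key_blobs [FILE...]: print "blob<TAB>comment" for each public key line.
# Looks for a key type followed by base64 data, so leading options are skipped.
key_blobs() {
    awk '
        /^[ \t]*#/ { next }
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-)/ && $(i+1) ~ /^AAAA/) {
                    print $(i+1) "\t" ((i+2 <= NF) ? $(i+2) : "(no-comment)")
                    next
                }
        }' "$@"
}

# foreign_keys DIR: print "comment blob" for every authorized_keys entry in DIR
# that matches none of the DIR/*.pub keys (all entries if there is no *.pub).
foreign_keys() {
    dir=$1
    [ -f "$dir/authorized_keys" ] || return 0
    local_blobs=$(cat "$dir"/*.pub 2>/dev/null | key_blobs | cut -f1)
    key_blobs "$dir/authorized_keys" |
    while IFS="$(printf '\t')" read -r blob comment; do
        printf '%s\n' "$local_blobs" | grep -Fqx -- "$blob" ||
            printf '%s %s\n' "$comment" "$blob"
    done
}

# make_sample DIR: constructed test data (placeholder strings, not real keys).
make_sample() {
    mkdir -p "$1"
    echo 'ssh-dss AAAAB3NzaC1kc3MLOCAL root@m23server' > "$1/id_dsa.pub"
    {
        echo '# constructed sample'
        echo 'ssh-dss AAAAB3NzaC1kc3MLOCAL root@m23server'
        echo 'from="10.0.0.5" ssh-rsa AAAAB3NzaC1yc2ELEFTOVER tester@build-host'
    } > "$1/authorized_keys"
}

# With an argument, audit that directory, e.g.: sh audit.sh /root/.ssh
if [ $# -gt 0 ]; then foreign_keys "$1"; fi
```

Any line it prints is a key that can log in to the account but does not belong to a key pair stored in that directory; an empty result means every entry matches a local public key.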