[Bug 2034759] [NEW] riscv64 and generic preinstalled images use default ubuntu:ubuntu user where no other images do
Steve Langasek
2034759 at bugs.launchpad.net
Thu Sep 7 20:56:08 UTC 2023
Public bug reported:

livecd-rootfs has code that sets a pre-defined username and password on
preinstalled images for riscv64 and "generic" (amd64, arm64) images.

In *theory* the code that was added in 2021 for this was supposed to
also apply to the raspi images, except the wrong subarch is used
(raspi2 vs raspi).

We don't want to have hard-coded username/password in any Ubuntu image.
And the raspi images are by far the most commonly used of any of the
preinstalled images. So if we don't have to (insecurely) hardcode an
initial username and password for the raspi images, we shouldn't
hardcode it for the riscv64 and generic images either! We should figure
out what raspi is managing to do right, and replicate that to the other
images.

We should never have an Ubuntu image that, deployed on a
network-connected machine, is immediately vulnerable.

** Affects: livecd-rootfs (Ubuntu)
Importance: Undecided
Status: New
** Tags: rls-mm-incoming
** Tags added: rls-mm-incoming
https://bugs.launchpad.net/bugs/2034759