[Bug 503467] [NEW] vmbuilder default account not well-documented

J. Bruce Fields bfields at fieldses.org
Tue Jan 5 17:59:56 UTC 2010


*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: python-vm-builder

I created a new kvm guest using vmbuilder (following, if I remember
correctly, https://help.ubuntu.com/community/KVM/CreateGuests and/or
https://help.ubuntu.com/community/JeOSVMBuilder), put it on the net
without noticing that it had created a default account (with user and
password both "ubuntu") and promptly got hacked by somebody running an
ssh scanner.  (I never needed a default account myself since I depended
on the --ssh-key option to log me in to the new guest.)

OK, my mistake: something as simple as "ls /home" would probably have
been enough to alert me to the problem; and
https://help.ubuntu.com/community/JeOSVMBuilder does mention the default
at some point (though not very prominently).

In my defense: vmbuilder appeared to be the preferred way to create kvm
guests from the command line, and it's somewhat surprising that it would
by default create guests that were unsafe to put on the network.

Since this appears to be a property of one of the included templates,
not of vmbuilder itself, I'm not sure where this is best documented.

The ideal might be if vmbuilder could warn the user about the default
and require positive confirmation before proceeding ("are you sure you
want this (y/n)?").

** Affects: vm-builder (Ubuntu)
     Importance: Undecided
         Status: New

** Visibility changed to: Public

-- 
vmbuilder default account not well-documented
https://bugs.launchpad.net/bugs/503467
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
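
A pre-deployment check for the situation this report describes, as an added example that is not part of the original report or of vmbuilder: it lists every account in a mounted guest image that has a login shell and a usable (or empty) password, which would surface a template-created account such as "ubuntu". The function name and the /mnt/guest mount point are assumptions.

```shell
#!/bin/sh
# Audit a mounted guest root filesystem for accounts that accept password
# logins before the guest is attached to a network.
# Example call (mount point is an assumption): audit_guest_accounts /mnt/guest

# Prints "user<TAB>reason" for each account that has a login shell and a
# shadow entry that is not locked.
# Return status: 0 = no such account, 1 = at least one found, 2 = unreadable.
audit_guest_accounts() {
    root=$1
    passwd_file="$root/etc/passwd"
    shadow_file="$root/etc/shadow"
    [ -r "$passwd_file" ] && [ -r "$shadow_file" ] || {
        echo "cannot read passwd/shadow under $root" >&2
        return 2
    }
    awk -F: '
        # First file (shadow): remember the password field of each account.
        FILENAME == ARGV[1] { hash[$1] = $2; next }

        # Second file (passwd): accounts without a login shell cannot log in.
        $7 ~ /\/(nologin|false)$/ { next }

        {
            # No shadow entry means no usable password for this account.
            if (!($1 in hash)) next
            h = hash[$1]
            if (h == "")
                reason = "empty password"
            else if (h ~ /^[!*]/)
                next                     # locked, or password login disabled
            else
                reason = "password set"
            printf "%s\t%s\n", $1, reason
            found = 1
        }
        END { exit (found ? 1 : 0) }
    ' "$shadow_file" "$passwd_file"
}
```

Any account it reports should be locked (for example with `passwd -l`) or given a strong password if key-based login is the only access intended.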
