Easily visible password in plain-text of base64-encoded user-data

Solution In Progress - Updated -

Environment

  • Red Hat OpenStack Platform 16.1
  • Red Hat Enterprise Linux 8.2 KVM Guest Image
  • Cloud-init 19.4

Issue

  • When an instance is created with a plaintext password in user-data, the user-data is stored base64-encoded and can easily be read back with openstack server show.
  • Is there any way to prevent the password from being recovered this way?

Resolution

  • mkpasswd can generate a salted hash of the password; set that hash, rather than the plaintext password, as the passwd value in cloud-init.
$ mkpasswd --method=SHA-512 --rounds=4096
Password: 
$6$rounds=4096$r6zOu2vFqei0GfBq$XwyJ.Y4NFs/vw9kky8NurPQ67GwALTs68wn5JFrJF.h8uwr9ODuVBZYQUQRgbY1kScddRNHDidXV0WPtwLfwg/

For the default user, change as follows.

#cloud-config
system_info:
  default_user:
    name: cloud-user
    passwd: '$6$rounds=4096$r6zOu2vFqei0GfBq$XwyJ.Y4NFs/vw9kky8NurPQ67GwALTs68wn5JFrJF.h8uwr9ODuVBZYQUQRgbY1kScddRNHDidXV0WPtwLfwg/' <==(*)
    lock_passwd: false
ssh_pwauth: true

For a specific new user, change as follows.

#cloud-config
ssh_pwauth: true
users:
  - name: foobar
    lock_passwd: false
    passwd: '$6$rounds=4096$r6zOu2vFqei0GfBq$XwyJ.Y4NFs/vw9kky8NurPQ67GwALTs68wn5JFrJF.h8uwr9ODuVBZYQUQRgbY1kScddRNHDidXV0WPtwLfwg/' <==(*)

Root Cause

  • The cloud-init (version 19.4) included in the RHEL 8.2 KVM image sets user passwords from the contents of user-data. If the password is given in plain text, it is readable as soon as the base64-encoded user-data is decoded. Using a hash for the password means that decoding the user-data reveals only the hash, which makes recovering the password difficult.
  • cloud-init 19.4 documentation

Diagnostic Steps

Create a server as follows.

$ openstack server create --wait --image rhel8.2 --flavor normal --network internal0 --user-data /home/stack/user-data rhel-vm1

The following is the user-data of the password in plain text.

(overcloud) [stack@undercloud ~]$ cat user-data
#cloud-config
ssh_pwauth: true
users:
  - name: foobar
    lock_passwd: false
    passwd: mypassword

Looking at the details of the created instance, the user-data is displayed base64-encoded in the user_data field.

(overcloud) [stack@undercloud ~]$ openstack server show rhel-vm1 --max-width 80
+-------------------------------------+----------------------------------------+
| Field                               | Value                                  |
+-------------------------------------+----------------------------------------+
| OS-DCF:diskConfig                   | MANUAL                                 |
| OS-EXT-AZ:availability_zone         | nova                                   |
| OS-EXT-SRV-ATTR:host                | overcloud-novacompute-0.localdomain    |
| OS-EXT-SRV-ATTR:hostname            | rhel-vm1                               |
| OS-EXT-SRV-ATTR:hypervisor_hostname | overcloud-novacompute-0.localdomain    |
| OS-EXT-SRV-ATTR:instance_name       | instance-0000000b                      |
| OS-EXT-SRV-ATTR:kernel_id           |                                        |
| OS-EXT-SRV-ATTR:launch_index        | 0                                      |
| OS-EXT-SRV-ATTR:ramdisk_id          |                                        |
| OS-EXT-SRV-ATTR:reservation_id      | r-ckchd9w5                             |
| OS-EXT-SRV-ATTR:root_device_name    | /dev/vda                               |
| OS-EXT-SRV-ATTR:user_data           | I2Nsb3VkLWNvbmZpZwpzc2hfcHdhdXRoOiB0cn |  <==(*)
|                                     | VlCnVzZXJzOgogIC0gbmFtZTogZm9vYmFyCiAg |
|                                     | ICBsb2NrX3Bhc3N3ZDogZmFsc2UKICAgIHBhc3 |
|                                     | N3ZDogbXlwYXNzd29yZAo=                 |
| OS-EXT-STS:power_state              | Running                                |
| OS-EXT-STS:task_state               | None                                   |
| OS-EXT-STS:vm_state                 | active                                 |
...
+-------------------------------------+----------------------------------------+

Since it is base64, you can easily decode it and see the password.

(overcloud) [stack@undercloud ~]$ cat passwrd.txt 
I2Nsb3VkLWNvbmZpZwpzc2hfcHdhdXRoOiB0cnVlCnVzZXJzOgogIC0gbmFtZTogZm9vYmFyCiAgICBsb2NrX3Bhc3N3ZDogZmFsc2UKICAgIHBhc3N3ZDogbXlwYXNzd29yZAo=

(overcloud) [stack@undercloud ~]$ base64 -d passwrd.txt 
#cloud-config
ssh_pwauth: true
users:
  - name: foobar
    lock_passwd: false
    passwd: mypassword  <==(*)

If a hash is used for the password, decoding the base64 user_data reveals only the hash, not the password.

(overcloud) [stack@undercloud ~]$ openstack server show rhel-vm1 --max-width 80
+-------------------------------------+----------------------------------------+
| Field                               | Value                                  |
+-------------------------------------+----------------------------------------+
| OS-DCF:diskConfig                   | MANUAL                                 |
| OS-EXT-AZ:availability_zone         | nova                                   |
| OS-EXT-SRV-ATTR:host                | overcloud-novacompute-0.localdomain    |
| OS-EXT-SRV-ATTR:hostname            | rhel-vm1                               |
| OS-EXT-SRV-ATTR:hypervisor_hostname | overcloud-novacompute-0.localdomain    |
| OS-EXT-SRV-ATTR:instance_name       | instance-0000000e                      |
| OS-EXT-SRV-ATTR:kernel_id           |                                        |
| OS-EXT-SRV-ATTR:launch_index        | 0                                      |
| OS-EXT-SRV-ATTR:ramdisk_id          |                                        |
| OS-EXT-SRV-ATTR:reservation_id      | r-btqv37wt                             |
| OS-EXT-SRV-ATTR:root_device_name    | /dev/vda                               |
| OS-EXT-SRV-ATTR:user_data           | I2Nsb3VkLWNvbmZpZwpzc2hfcHdhdXRoOiB0cn | <==(*)
|                                     | VlCnVzZXJzOgogIC0gbmFtZTogZm9vYmFyCiAg |
|                                     | ICBsb2NrX3Bhc3N3ZDogZmFsc2UKICAgIHBhc3 |
|                                     | N3ZDogJyQ2JHJvdW5kcz00MDk2JHI2ek91MnZG |
|                                     | cWVpMEdmQnEkWHd5Si5ZNE5Gcy92dzlra3k4Tn |
|                                     | VyUFE2N0d3QUxUczY4d241SkZySkYuaDh1d3I5 |
|                                     | T0R1VkJaWVFVUVJnYlkxa1NjZGRSTkhEaWRYVj |
|                                     | BXUHR3TGZ3Zy8nCg==                     |
| OS-EXT-STS:power_state              | Running                                |
| OS-EXT-STS:task_state               | None                                   |
| OS-EXT-STS:vm_state                 | active                                 |
...
+-------------------------------------+----------------------------------------+

(overcloud) [stack@undercloud ~]$ cat passwrd.txt 
I2Nsb3VkLWNvbmZpZwpzc2hfcHdhdXRoOiB0cnVlCnVzZXJzOgogIC0gbmFtZTogZm9vYmFyCiAgICBsb2NrX3Bhc3N3ZDogZmFsc2UKICAgIHBhc3N3ZDogJyQ2JHJvdW5kcz00MDk2JHI2ek91MnZGcWVpMEdmQnEkWHd5Si5ZNE5Gcy92dzlra3k4TnVyUFE2N0d3QUxUczY4d241SkZySkYuaDh1d3I5T0R1VkJaWVFVUVJnYlkxa1NjZGRSTkhEaWRYVjBXUHR3TGZ3Zy8nCg==

(overcloud) [stack@undercloud ~]$ base64 -d passwrd.txt 
#cloud-config
ssh_pwauth: true
users:
  - name: foobar
    lock_passwd: false
    passwd: '$6$rounds=4096$r6zOu2vFqei0GfBq$XwyJ.Y4NFs/vw9kky8NurPQ67GwALTs68wn5JFrJF.h8uwr9ODuVBZYQUQRgbY1kScddRNHDidXV0WPtwLfwg/'  <==(*)
(overcloud) [stack@undercloud ~]$ 
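To check existing instances for the condition shown in the Diagnostic Steps, and to confirm that the Resolution has been applied, the following added example (not part of the Red Hat solution) decodes a user_data value as returned by openstack server show and reports any passwd value that is not a crypt-style hash. It is a line-based check so that it runs without PyYAML, and it assumes the layout shown above, where each user entry's name: line precedes its passwd: line.

```python
import base64
import re

# Added example, not from the Red Hat solution: audit decoded cloud-config user-data for
# passwords that would still be readable after 'base64 -d' of OS-EXT-SRV-ATTR:user_data.
# Line-based on purpose so it runs without PyYAML; assumes the layout the solution shows
# (a 'name:' line before the 'passwd:' line of each user entry).

# crypt(3)-style hashes cloud-init accepts in 'passwd': $1 md5, $5 sha256, $6 sha512,
# $2* bcrypt, $y yescrypt. Anything else is treated as plaintext.
HASH_RE = re.compile(r"^\$(?:1|5|6|2[abxy]?|y)\$\S+$")
KEY_RE = re.compile(r"^\s*(?:-\s+)?(passwd|password|plain_text_passwd):\s*(.*?)\s*$")
NAME_RE = re.compile(r"^\s*(?:-\s+)?name:\s*(\S+)\s*$")


def decode_userdata(b64: str) -> str:
    """Decode the base64 user_data value that 'openstack server show' prints."""
    return base64.b64decode(b64).decode("utf-8")


def classify_passwd_value(raw: str) -> str:
    """Return 'hash' if the value is a crypt-style hash, otherwise 'plaintext'."""
    value = raw.strip().strip("'\"")
    return "hash" if HASH_RE.match(value) else "plaintext"


def audit_cloud_config(text: str) -> list:
    """Return (user, key) pairs whose password is readable once the base64 is decoded."""
    findings = []
    user = "default_user"  # a top-level 'password:' applies to the default user
    for line in text.splitlines():
        name = NAME_RE.match(line)
        if name:
            user = name.group(1)
            continue
        m = KEY_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        # 'plain_text_passwd' and 'password' are plaintext by definition; 'passwd' is
        # only acceptable when it carries a hash, which is what the mkpasswd step gives.
        if key != "passwd" or classify_passwd_value(value) == "plaintext":
            findings.append((user, key))
    return findings


# Constructed sample: the plaintext user-data from the Diagnostic Steps.
SAMPLE_PLAINTEXT = (
    "#cloud-config\nssh_pwauth: true\nusers:\n"
    "  - name: foobar\n    lock_passwd: false\n    passwd: mypassword\n"
)

if __name__ == "__main__":
    for user, key in audit_cloud_config(SAMPLE_PLAINTEXT):
        print(f"user {user}: '{key}' is not a hash; replace it with a mkpasswd SHA-512 hash")
```

On a live deployment, feed it the output of openstack server show rhel-vm1 -f value -c OS-EXT-SRV-ATTR:user_data; an empty result means every passwd value in the user-data is already a hash.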

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
