F14 AMI passwords

Mike McGrath mmcgrath at redhat.com
Wed Dec 1 02:42:57 UTC 2010

On Fri, 19 Nov 2010, Jan Pazdziora wrote:

> On Thu, Nov 18, 2010 at 10:19:51PM -0700, Pete Zaitcev wrote:
> > Looking at the /etc/shadow in our official AMI ami-6e3a6a2b, I observed
> > that root and ec2-user have passwords. Why are they left in? I suppose
> > they do not hurt much, since sshd_config sets PasswordAuthentication
> > and PermitRootLogin to no. Still, I'm just curious what they are.
> >
> > Even better, let's think in reverse: if the creator accidentally
> > used a real root password, can I crack any interesting servers by
> > cracking the root password and then applying it to bits of Fedora
> > infrastructure (I know it's not 3-DES anymore, but still)?
>
> The passwords seem to be reset in /etc/rc.local by a random string.
> I was surprised to see the passwords change upon every reboot but
> then found the cause and thought that maybe the AMI authors had good
> reason to set it up this way.

Shouldn't !! lock the password without disabling the account? Or is that
behavior different for the root account?
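
An added example, not part of the original thread: a small audit of the password field in /etc/shadow, the kind of check that can be run over an image before it is published. It separates entries that hold a usable hash, entries locked with a leading "!" (with or without a hash behind the marker), entries with no valid hash such as "*", and empty fields. The function names and the sample entries are constructed for illustration.

```python
import re

# crypt(3) scheme ids; other ids are reported as "unknown".
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")  # traditional 13-character DES crypt

# Constructed /etc/shadow entries (salts and hashes are placeholders).
SAMPLE = """\
root:$6$constructedsalt$constructedhash:14932:0:99999:7:::
ec2-user:!!$1$constructed$constructedhash:14932:0:99999:7:::
bin:*:14789:0:99999:7:::
daemon:!!:14789::::::
guest::14932:0:99999:7:::
legacy:abCONSTRUCTED:14932:0:99999:7:::
"""

def hash_scheme(field):
    """Name the crypt scheme of a hash string, or None if it is not a hash."""
    m = re.match(r"^\$([0-9a-z]+)\$", field)
    if m:
        return SCHEMES.get(m.group(1), "unknown")
    return "descrypt" if DES_RE.match(field) else None

def classify(field):
    """Return (state, scheme) for one shadow password field."""
    if field == "":
        return ("empty", None)        # no password required to authenticate
    if field.startswith("!"):         # locked; a hash may sit behind the marker
        return ("locked", hash_scheme(field.lstrip("!")))
    scheme = hash_scheme(field)
    return ("usable", scheme) if scheme else ("invalid", None)  # "*" lands here

def audit(shadow_text):
    """Map each user name to the classification of its password field."""
    findings = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and not line.startswith("#"):
            findings[parts[0]] = classify(parts[1])
    return findings

def needs_attention(findings):
    """Users whose entry holds a hash (even if locked) or needs no password."""
    return sorted(u for u, (state, scheme) in findings.items()
                  if state in ("usable", "empty") or scheme)

if __name__ == "__main__":
    for user, result in audit(SAMPLE).items():
        print(user, *result)
```

A locked entry that still carries a hash is reported because the hash remains readable to anyone who obtains the image, even though it cannot be used to log in while the lock marker is in place.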


