User passwd should be encrypted in cloud-config
Kairos version: 2.5.0
CPU architecture, OS, and Version: x64
Describe the bug
kairos has user passwords stored in plain text, e.g.
kairos@localhost:/oem$ cat 90_custom.yaml
#cloud-config
install:
  device: /dev/sda
k3s:
  enabled: true
name: Config generated by the installer
stages:
  network:
    - users:
        kairos:
          groups:
            - admin
          name: kairos
          passwd: liyimeng
          ssh_authorized_keys:
            - github:liyimeng
I think this is a bad idea. I suggest it be encrypted. As I remember, k3os does it encrypted; let's borrow the idea from there.
To Reproduce
- login node
- cat oem/90_custom.yaml
Expected behavior
password should be encrypted.
Logs
Additional context
Right now, I have limited knowledge of kairos and am not sure where its cloud-config is applied; otherwise, I could draft a PR based on the k3os idea.
@liyimeng you can actually put the password as it is stored in /etc/shadow as well. Both methods are supported (plaintext and not).
If you are looking for a stronger security posture, you might as well be interested in the upcoming release which brings Trusted Boot support: https://kairos.io/docs/installation/trustedboot/ the contents of /oem and /usr/local are both encrypted then.
@mudler Thanks a lot, that looks like a huge leap forward. Looking forward to seeing it real!
For now, /etc/shadow might be the way to go, right? So basically, I can do
echo "kairos:$6$XlUQxkbS$RQFrCfrHBqdgSpwfGJH3tdBRYi3uBT.1KPqI08ZwRWNCDKeI9dL8BCCDb1ZJ3DGKpUwNJHSwysXEa42c7M2Up0:19768::::::" >> /etc/shadow
right?
@liyimeng you can actually put the string in the cloud config like so:
#cloud-config
install:
  device: /dev/sda
k3s:
  enabled: true
name: Config generated by the installer
stages:
  network:
    - users:
        kairos:
          groups:
            - admin
          name: kairos
          passwd: $6$XlUQxkbS$RQFrCfrHBqdgSpwfGJH3tdBRYi3uBT.1KPqI08ZwRWNCDKeI9dL8BCCDb1ZJ3DGKpUwNJHSwysXEa42c7M2Up0
          ssh_authorized_keys:
            - github:liyimeng
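Since the passwd field accepts either a plaintext password or a /etc/shadow-style crypt hash, a config audit wants to tell the two apart before the file lands in /oem. The following check is an added example, not code from this issue or from the Kairos project: it walks a cloud-config, reports every passwd value as plaintext, a well-formed crypt string, or a malformed one (e.g. a truncated paste), and names the enclosing user key. The sha256crypt/sha512crypt shapes follow crypt(5); the sample config is constructed, with the hash taken from the comment above.

```python
import re

# crypt(3) forms /etc/shadow accepts (crypt(5): sha256crypt digest 43 chars, sha512crypt 86).
CRYPT_FORMATS = {
    "sha256crypt": re.compile(r"^\$5\$(?:rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{43}$"),
    "sha512crypt": re.compile(r"^\$6\$(?:rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$"),
}
PASSWD_LINE = re.compile(r"^(\s*)passwd:\s*(.*?)\s*$")
KEY_LINE = re.compile(r"^(\s*)(?:- )?([^\s:#][^:]*):\s*$")  # a key opening a nested mapping


def classify_passwd(value):
    # 'hash:<scheme>' for a well-formed crypt string, else 'malformed' or 'plaintext'.
    value = value.strip().strip("'\"")
    for scheme, pattern in CRYPT_FORMATS.items():
        if pattern.match(value):
            return "hash:" + scheme
    # Starts like a crypt string but fits no known shape: typically a truncated paste.
    return "malformed" if value.startswith("$") else "plaintext"


def audit_cloud_config(text):
    """Return (line, user, verdict) for every passwd: key; user is the enclosing map key."""
    findings, parents = [], []  # parents: stack of (indent, key) for open mappings
    for lineno, line in enumerate(text.splitlines(), 1):
        if m := PASSWD_LINE.match(line):
            indent = len(m.group(1))
            user = next((k for i, k in reversed(parents) if i < indent), "?")
            findings.append((lineno, user, classify_passwd(m.group(2))))
        elif k := KEY_LINE.match(line):
            indent = len(k.group(1))
            while parents and parents[-1][0] >= indent:
                parents.pop()
            parents.append((indent, k.group(2)))
    return findings


# Constructed sample: the users block from this issue, plus two extra users.
SAMPLE = """\
#cloud-config
stages:
  network:
    - users:
        kairos:
          passwd: liyimeng
        ops:
          passwd: $6$XlUQxkbS$RQFrCfrHBqdgSpwfGJH3tdBRYi3uBT.1KPqI08ZwRWNCDKeI9dL8BCCDb1ZJ3DGKpUwNJHSwysXEa42c7M2Up0
        backup:
          passwd: "$6$XlUQxkbS$RQFrCfrH"
"""

if __name__ == "__main__":
    print(audit_cloud_config(SAMPLE))
```

The walker only understands the mapping form of users: shown in this thread (users -> name -> passwd); a "?" user means the passwd key sat outside any such mapping.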
Thanks @mudler, it is a neat solution! In k3os, it does this translation automatically.
Seems that this is resolved. Thanks for opening @liyimeng .