Skip to content

Root user is locked by default, can't login via SSH

Hi, I'm preparing cloud images with alpine and main option to have access is when ssh public key is set automatically by cloud-init or by OpenNebula contextualization scripts.

The problem is that after solving CVE-2019-5021, the password in /etc/passwd file looks like:

# head -n 1 /etc/shadow
root:!::0:::::

This record does not allows ssh-server to authenticate user even using public key authentication. (! prevents this, but * and other values allows)

The other distros are using different values here, eg.:

centos and opensuse uses locked word:

# head -n 1 /etc/shadow
root:locked::0:99999:7:::
# passwd -S root
root PS 1969-12-31 0 99999 7 -1 (Alternate authentication scheme in use.)

debian and ubuntu uses * symbol:

# head -n 1 /etc/shadow
root:*:18115:0:99999:7:::
# passwd -S root
root L 08/07/2019 0 99999 7 -1

archlinux coninues using empty password:

# head -n 1 /etc/shadow
root::14871::::::
# passwd -S root
root NP 09/19/2010 -1 -1 -1 -1

Shouldn't we use * instead of !? - It allows using ssh with private keys authentication but refuses using password

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information