On Fri, 19 Nov 2010, Jan Pazdziora wrote:

> On Thu, Nov 18, 2010 at 10:19:51PM -0700, Pete Zaitcev wrote:
> > Looking at the /etc/shadow in our official AMI ami-6e3a6a2b, I observed
> > that root and ec2-user have passwords. Why are they left in? I suppose
> > they do not hurt much, since sshd_config sets PasswordAuthentication
> > and PermitRootLogin to no. Still, I'm just curious what they are.
> >
> > Even better, let's think in reverse: if the creator accidentally
> > used a real root password, can I crack any interesting servers by
> > cracking the root password and then applying it to bits of Fedora
> > infrastructure (I know it's not 3-DES anymore, but still)?
>
> The passwords seem to be reset in /etc/rc.local by a random string.
> I was surprised to see the passwords change upon every reboot but
> then found the cause and thought that maybe the AMI authors had good
> reason to set it up this way.
>

Shouldn't !! lock the password without disabling the account? Or is that
behavior different for the root account?

-Mike
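An added example, not part of the thread and not Fedora's own code: a small audit that classifies each password field of a shadow(5) file, which is the check Pete describes doing by eye on the AMI. The function names and the sample entries are constructed for illustration; following shadow(5), a field starting with `!` is treated as a locked password and any other non-hash value such as `*` as one that no password can match.

```python
# Added example: classify /etc/shadow password fields following shadow(5).
# SAMPLE_SHADOW is constructed; its hash strings are placeholders, not real hashes.
import string

SAMPLE_SHADOW = """\
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:14932:0:99999:7:::
ec2-user:!!:14932:0:99999:7:::
bin:*:14932:0:99999:7:::
olduser:!$1$CONSTRUCTEDSALT$CONSTRUCTEDHASH:14932:0:99999:7:::
nopass::14932:0:99999:7:::
"""

SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt"}
DES_ALPHABET = set(string.ascii_letters + string.digits + "./")

def scheme_of(value):
    """Name the crypt(3) scheme of a hash string, or None if it is not a hash."""
    if value.startswith("$"):
        parts = value.split("$")
        if len(parts) >= 4 and parts[-1]:
            return SCHEMES.get(parts[1], "unknown-" + parts[1])
        return None
    # Traditional DES crypt: exactly 13 characters from [./0-9A-Za-z].
    if len(value) == 13 and set(value) <= DES_ALPHABET:
        return "descrypt"
    return None

def classify_field(field):
    """Return (state, scheme) for one shadow password field."""
    if field == "":
        return ("empty", None)            # no password is required to authenticate
    if field.startswith("!"):
        # Locked; a hash kept after the "!" becomes usable again on unlock.
        return ("locked", scheme_of(field.lstrip("!")))
    scheme = scheme_of(field)
    # A non-hash value such as "*" can never match a password.
    return ("usable", scheme) if scheme else ("invalid", None)

def audit_shadow(text):
    """Map each user name to the (state, scheme) of its password field."""
    report = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0]:
            report[fields[0]] = classify_field(fields[1])
    return report

if __name__ == "__main__":
    for user, (state, scheme) in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user:10} {state:8} {scheme or '-'}")
```

Entries reported as `usable` or `empty` are the ones to review before an image is published; a `locked` entry that still names a scheme carries a hash that unlocking would restore.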