Security Advisory: Hardcoded default password for the root user in NixOS OpenStack configuration module

Description

The NixOS OpenStack configuration module used a hardcoded value for the users.users.root.initialPassword setting.
If the password is not modified, local users can access the root account.
Accessing the root account remotely over SSH is not possible by default, as the default configuration prevents the use of passwords to log in.

Am I Affected?

You are affected if you use the NixOS OpenStack configuration module: all releases of NixOS since NixOS 22.05 are impacted.

You can test if you are affected by trying to log in as root from a non-privileged account using the password foobar.

Recommended Action

On all impacted servers, you should replace or remove the default root password.
If the users.mutableUsers option is true (the default), you can do this using the passwd command.
If you have set the users.mutableUsers option to false, you should update to a fixed version or set the root account password using the options provided by users.users.root.

Images built from an impacted version should be rebuilt using a fixed version, or their configuration should explicitly set the root account password using the options provided by users.users.root.
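One way to apply the recommended action declaratively for the users.mutableUsers = false case, as an added example that is not configuration from the advisory or from nixpkgs; the hash file path /etc/nixos/secrets/root-password-hash is a placeholder, and the remaining option names are standard NixOS options.

```nix
{ config, pkgs, ... }:

{
  # Keep user accounts declarative: with mutableUsers = false, the
  # password settings below are authoritative on every rebuild.
  users.mutableUsers = false;

  # Set the root password from a hash that is kept out of the Nix store.
  # Generate the hash with:  mkpasswd -m sha-512   (prompts for the password)
  # and write only the resulting "$6$..." line to the file named here.
  users.users.root.hashedPasswordFile = "/etc/nixos/secrets/root-password-hash"; # placeholder path

  # Alternative: disable password logins for root entirely (sudo from a
  # wheel user still works) by replacing the line above with:
  #   users.users.root.hashedPassword = "!";

  # The pattern this advisory removes. initialPassword is applied when the
  # account is first created, so a fixed value like this lands in /etc/shadow
  # of every image built from the module and is known to anyone who reads it.
  # users.users.root.initialPassword = "foobar";

  # Keep the SSH defaults the advisory relies on explicit, so a later change
  # elsewhere in the configuration cannot silently reopen remote password login.
  services.openssh.settings.PermitRootLogin = "prohibit-password";
  services.openssh.settings.PasswordAuthentication = false;
}
```

After switching to this configuration, repeating the advisory's own check (logging in as root from a non-privileged account with the password foobar) should fail.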

Fix Availability

A fix removing the hardcoded default password for the root account has been merged for NixOS unstable and NixOS 24.05.
