Description
The NixOS OpenStack configuration module used a hardcoded value for the `users.users.root.initialPassword` setting. If the password is not modified, local users can access the root account. Accessing the root account remotely over SSH is not possible by default, as the default configuration prevents the use of passwords to log in.
Am I Affected?
You are affected if:
- You loaded `modules/virtualisation/openstack-config.nix` in your configuration or built an image using `openstack-image.nix`, `openstack-image-zfs.nix`, or `nixos-generators` with the openstack format.
- You did not set the root password by another means in your configuration, nor changed it manually or during the initialization of the machine (e.g. with `cloud-init`).
All releases of NixOS since NixOS 22.05 are impacted.
You can test if you are affected by trying to log in as root from a non-privileged account using the password `foobar`.
Recommended Action
On all impacted servers, you should replace or remove the default root password.
If the `users.mutableUsers` option is `true` (the default), you can do this using the `passwd` command.
If you have set the `users.mutableUsers` option to `false`, you should update to a fixed version or set the root account password using the options provided by `users.users.root`.
Images built from an impacted version should be rebuilt using a fixed version, or you should ensure the root account password is set using the options provided by `users.users.root`.
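As an added illustration of the declarative remediation above (this is example configuration, not code from the advisory or from nixpkgs), the following NixOS module sets the root password through `users.users.root` so that the module's hardcoded `initialPassword` is never the effective credential. The secret path and the commented hash are placeholders; generate a real hash with `mkpasswd -m sha-512` and keep it outside the Nix store.

```nix
# Added example, not part of the advisory: pin the root password declaratively.
{ config, lib, pkgs, ... }:

{
  # With mutableUsers = false, the password declared here is authoritative on
  # every activation; the OpenStack module's initialPassword cannot win.
  users.mutableUsers = false;

  users.users.root = {
    # Preferred: hash lives outside the world-readable Nix store.
    # "/run/secrets/root-password-hash" is a placeholder path.
    hashedPasswordFile = "/run/secrets/root-password-hash";

    # Alternative (inline hash, placeholder value, ends up in the Nix store):
    # hashedPassword = "$6$PLACEHOLDER_SALT$PLACEHOLDER_HASH";

    # Belt and braces: drop the module's default so no initial password exists
    # even on a fresh image where the account is created for the first time.
    initialPassword = lib.mkForce null;
  };

  # Keep the SSH posture the advisory describes as the default: no password
  # logins, and root only with keys.
  services.openssh.settings.PasswordAuthentication = false;
  services.openssh.settings.PermitRootLogin = "prohibit-password";
}
```

Images built with this module in place (or with an equivalent `hashedPassword`/`hashedPasswordFile` setting) do not need the fixed nixpkgs version to be safe, although upgrading remains the simplest route for systems that leave `users.mutableUsers` at its default.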
Fix Availability
A fix removing the hardcoded default password for the root account has been merged for NixOS unstable and NixOS 24.05.
- NixOS unstable: openstack-config: remove hardcoded default password for the root account by LeSuisse · Pull Request #328532 · NixOS/nixpkgs · GitHub (PR progress tracker)
- NixOS 24.05: [Backport release-24.05] openstack-config: remove hardcoded default password for the root account by github-actions[bot] · Pull Request #335179 · NixOS/nixpkgs · GitHub (PR progress tracker)