LXC @QNAP Container Station - Users passwords in container


I started my adventure with LXC containers on the QNAP server, encouraged by passwords on the QNAP website (LXC vs Docker - https://www.qnap.com/solution/container_station/en/) such as:

  • Architecture: Supports a fully-virtualized Linux® OS including boot-up procedures
  • Purposes: Requires a fully-functional Linux® OS
  • Advantages: A lightweight alternative to virtual machines

So far, everything worked perfectly as I expected.

Most of the containers I have been using are based on Debian 10 - buster.

Unfortunately, I do not understand the problem of user management inside the container.

I created a new username to use authorization in applications based on Linux users, and I planned to use the user to connect to the container via ssh.
The first warning signal was the lack of a password for a new user.

The passwd command does not ask for any passwords but only returns information about the correct setting:

root@debian-buster-3:/# passwd
passwd: password updated successfully
root@debian-buster-3:/# passwd ruser
passwd: password updated successfully

After a few searches, the only method that allowed “setting of the password” turned out to be the use of “usermod --password [hash] [username]” - the hash correctly went to /etc/shadow.

Everything seemed to work correctly, but it turned out that I could use any random password to log in!

I also tested another container, based on Ubuntu 18.04 bionic.

The passwd command behaves a little differently, but the result is the same. The created user can log in with any random password.

An example from the commands below.

root@ubuntu-bionic-1:/home/ubuntu# cat /etc/shadow | grep testwtf
root@ubuntu-bionic-1:/home/ubuntu# passwd testwtf
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
root@ubuntu-bionic-1:/home/ubuntu# cat /etc/shadow | grep testwtf
root@ubuntu-bionic-1:/home/ubuntu# su testwtf
testwtf@ubuntu-bionic-1:/home/ubuntu$ passwd
Changing password for testwtf.
(current) UNIX password:

the correct password has been rejected

passwd: Authentication token manipulation error
passwd: password unchanged
testwtf@ubuntu-bionic-1:/home/ubuntu$ exit
root@ubuntu-bionic-1:/home/ubuntu# ssh testwtf@
testwtf@’s password:

random password typed

Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.2.8 x86_64)

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.


Is it possible, and if so how, to use users and passwords defined inside the container?

Sounds like PAM in the container may have a bit of a funny configuration; missing a passwd provider would explain the behavior you’re seeing on password change at least.

You’d want to look at /var/log/auth.log to see what’s being run, then modify the applicable configs in /etc/pam

Hi Stéphane,

You’re right, something is wrong with PAM configuration.
I quickly changed the configuration of the SSH server from “UsePAM yes” to “UsePAM no” and login proceeded as expected. This means login was only possible with the defined password.

I will check in more detail PAM settings and return with the results.

In the PAM configuration (pam-auth-update) “Unix authentication” was disabled.
Only “Register user sessions in the systemd control group hierarchy” and “Inheritable Capabilities Management” were enabled.

I enabled that option and everything so far works as expected.
I do not know why the previous settings were the way they were.

In /etc/pam.d/common-password “primary block” configuration was

password [default=1] pam_permit.so

where now is

password [success=1 default=ignore] pam_unix.so obscure sha512

Thanks for pointing me in the right direction.
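
The misconfiguration identified in this thread can be checked for mechanically. The following is an added example, not code from any poster in the thread: it parses the text of a pam.d file and reports a stack whose primary block is a pam_permit.so jump with no credential-checking module behind it. The function names, the module allowlist and the fallback lines in the samples are assumptions; only the two primary lines come from the thread.

```python
import re

# Assumption: modules treated as real credential checks; extend for your site.
CREDENTIAL_MODULES = {"pam_unix.so", "pam_sss.so", "pam_ldap.so"}
# type, control (simple keyword or [bracketed list]), module path
LINE_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_stack(text, mgmt_type):
    """Return (control, module) pairs for one management type, in file order."""
    entries = []
    for raw in text.splitlines():
        # Strip comments; @include lines do not match and are skipped.
        match = LINE_RE.match(raw.split("#", 1)[0].strip())
        if match and match.group(1) == mgmt_type:
            module = match.group(3).rsplit("/", 1)[-1]  # drop any directory part
            entries.append((match.group(2), module))
    return entries

def audit_stack(text, mgmt_type):
    """List the problems found in one pam.d stack; an empty list means none."""
    entries = parse_stack(text, mgmt_type)
    findings = []
    if not any(module in CREDENTIAL_MODULES for _, module in entries):
        findings.append("no credential-checking module in " + mgmt_type + " stack")
    if entries:
        control, module = entries[0]
        if module == "pam_permit.so" and re.search(r"default=\d+", control):
            findings.append("primary block is a pam_permit.so jump: " + control)
    return findings

# Constructed samples: the primary lines are the two quoted in the thread; the
# pam_deny.so / pam_permit.so fallback lines are assumed, not from the thread.
BEFORE = """\
password [default=1] pam_permit.so
password requisite pam_deny.so
password required pam_permit.so
"""
AFTER = """\
password [success=1 default=ignore] pam_unix.so obscure sha512
password requisite pam_deny.so
password required pam_permit.so
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_stack(text, "password") or "ok")
```

To audit a live container, pass the contents of /etc/pam.d/common-auth with type "auth" and /etc/pam.d/common-password with type "password".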