Hi,
I started my adventure with LXC containers on the QNAP server, encouraged by passwords on the QNAP website (LXC vs Docker - Container Station | Supports LXD, Docker, and Kata Containers | QNAP) such as:
- Architecture: Supports a fully-virtualized Linux® OS including boot-up procedures
- Purposes: Requires a fully-functional Linux® OS
- Advantages: A lightweight alternative to virtual machines
So far, everything worked perfectly as I expected.
Most of the containers I have been using are based on Debian 10 - buster.
Unfortunately, I do not understand the problem of user management inside the container.
I created a new username to use authorization in applications based on Linux users, and I planned to use the user to connect to the container via ssh.
The first warning signal was the lack of a password for a new user.
The passwd command does not ask for any passwords but only returns information about the correct setting:
root@debian-buster-3:/# passwd
passwd: password updated successfully
root@debian-buster-3:/# passwd ruser
passwd: password updated successfully
root@debian-buster-3:/#
After a few searches, the only method that allowed "setting of the password" turned out to be the use of "usermod --password [hash] [username]" - the hash correctly went to /etc/shadow.
Everything seemed to work correctly, but it turned out that I could use any random password to log in!
I also tested another container, based on Ubuntu 18.04 bionic.
The passwd command behaves a little differently, but the result is the same. The created user can log in with any random password.
An example from the commands below.
root@ubuntu-bionic-1:/home/ubuntu# cat /etc/shadow | grep testwtf
testwtf:$6$UMPWvtpl$r7gWZtLYE0JAlcwQ/uLmHMlfVHnNt1OkX/vp5pzJuEhxZDCt6Q0reNbiz1bBbP4yuJ.bR8uwOEHHB8d9ytETY0:18084:0:99999:7:::
root@ubuntu-bionic-1:/home/ubuntu# passwd testwtf
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
root@ubuntu-bionic-1:/home/ubuntu# cat /etc/shadow | grep testwtf
testwtf:$6$h0CxGCWU$9kekCVAhk4KERfIhoOHetPjIU/AhaGr6pKssImlhjxrV6vjcHcvByy6EiLeILxwnElKtR9V./CZkOl85QdCdf1:18084:0:99999:7:::
root@ubuntu-bionic-1:/home/ubuntu# su testwtf
testwtf@ubuntu-bionic-1:/home/ubuntu$ passwd
Changing password for testwtf.
(current) UNIX password:
the correct password has been rejected
passwd: Authentication token manipulation error
passwd: password unchanged
testwtf@ubuntu-bionic-1:/home/ubuntu$ exit
exit
root@ubuntu-bionic-1:/home/ubuntu# ssh testwtf@127.0.0.1
testwtf@127.0.0.1's password:
random password typed
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.2.8 x86_64)
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
testwtf@ubuntu-bionic-1:~$
Is it possible, and if so how, to use users and passwords defined inside the container?