LXC @QNAP Container Station - Users passwords in container

Hi,

I started my adventure with LXC containers on the QNAP server, encouraged by slogans on the QNAP website (LXC vs Docker - Container Station | Supports LXD, Docker, and Kata Containers | QNAP) such as:

  • Architecture: Supports a fully-virtualized Linux® OS including boot-up procedures
  • Purposes: Requires a fully-functional Linux® OS
  • Advantages: A lightweight alternative to virtual machines

So far, everything worked perfectly as I expected.

Most of the containers I have been using are based on Debian 10 - buster.

Unfortunately, I do not understand the problem of user management inside the container.

I created a new username to use authorization in applications based on Linux users, and I planned to use the user to connect to the container via ssh.
The first warning signal was the lack of a password for a new user.

The passwd command does not ask for any passwords but only returns information about the correct setting:

root@debian-buster-3:/# passwd
passwd: password updated successfully
root@debian-buster-3:/# passwd ruser
passwd: password updated successfully
root@debian-buster-3:/#

After a few searches, the only method that allowed “setting of the password” turned out to be the use of “usermod -password [hash] [username]” - hash correctly went to /etc/shadow.

Everything seemed to work correctly, but it turned out that I could use any random password to log in!

I also tested another container, based on Ubuntu 18.04 bionic.

The passwd command behaves a little differently, but the result is the same. The created user can log in with any random password.

An example from the commands below.

root@ubuntu-bionic-1:/home/ubuntu# cat /etc/shadow | grep testwtf
testwtf:$6$UMPWvtpl$r7gWZtLYE0JAlcwQ/uLmHMlfVHnNt1OkX/vp5pzJuEhxZDCt6Q0reNbiz1bBbP4yuJ.bR8uwOEHHB8d9ytETY0:18084:0:99999:7:::
root@ubuntu-bionic-1:/home/ubuntu# passwd testwtf
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
root@ubuntu-bionic-1:/home/ubuntu# cat /etc/shadow | grep testwtf
testwtf:$6$h0CxGCWU$9kekCVAhk4KERfIhoOHetPjIU/AhaGr6pKssImlhjxrV6vjcHcvByy6EiLeILxwnElKtR9V./CZkOl85QdCdf1:18084:0:99999:7:::
root@ubuntu-bionic-1:/home/ubuntu# su testwtf
testwtf@ubuntu-bionic-1:/home/ubuntu$ passwd
Changing password for testwtf.
(current) UNIX password:

the correct password has been rejected

passwd: Authentication token manipulation error
passwd: password unchanged
testwtf@ubuntu-bionic-1:/home/ubuntu$ exit
exit
root@ubuntu-bionic-1:/home/ubuntu# ssh testwtf@127.0.0.1
testwtf@127.0.0.1’s password:

random password typed

Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.2.8 x86_64)

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

testwtf@ubuntu-bionic-1:~$

Is it possible, and if yes then how, to use users and passwords defined inside the container?

Sounds like PAM in the container may have a bit of a funny configuration, missing a passwd provider would explain the behavior you’re seeing on password change at least.

You’d want to look at /var/log/auth.log to see what’s being run, then modify the applicable configs in /etc/pam.

Hi Stéphane,

You’re right, something is wrong with PAM configuration.
I quickly changed the configuration of the SSH server from “UsePAM yes” to “UsePAM no” and login proceeded as expected. This means login was only possible with the defined password.

I will check the PAM settings in more detail and return with the results.

In the PAM configuration (pam-auth-update) “Unix authentication” was disabled.
Only “Register user sessions in the systemd control group hierarchy” and “Inheritable Capabilities Management” were enabled.

I enabled that option and everything so far works as expected :)
I do not know why the previous settings were like that.

In /etc/pam.d/common-password “primary block” configuration was

password [default=1] pam_permit.so

where now is

password [success=1 default=ignore] pam_unix.so obscure sha512

Thanks for pointing me in the right direction.
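The root cause in this thread is a PAM stack in which the "primary block" is a pam_permit.so line with a jump control instead of pam_unix.so, so the typed password is never compared with /etc/shadow. The following script is an added example (not code from the thread, from QNAP or from the LXD project) that audits common-auth/common-password style stacks for exactly that shape: it parses the type/control/module/args columns, flags an auth or password stack that contains no credential-checking module at all, and flags a pam_permit.so whose control short-circuits the rest of the stack. The two embedded configurations are constructed samples; the broken one reproduces the `password [default=1] pam_permit.so` line quoted above and assumes a matching auth stack, the fixed one is the pam_unix.so line the poster ended up with. `audit_path` is a hypothetical helper name for running the same check against a real file.

```python
import re

# Constructed sample stacks (not copied from any real system): the first reproduces
# the broken common-password primary block quoted in the thread plus an assumed
# matching auth stack, the second is the pam_unix-based stack that pam-auth-update
# writes when "Unix authentication" is enabled.
BROKEN_CONF = """\
auth     [default=1]                    pam_permit.so
auth     requisite                      pam_deny.so
auth     required                       pam_permit.so
password [default=1]                    pam_permit.so
password requisite                      pam_deny.so
password required                       pam_permit.so
"""

FIXED_CONF = """\
auth     [success=1 default=ignore]     pam_unix.so nullok_secure
auth     requisite                      pam_deny.so
auth     required                       pam_permit.so
password [success=1 default=ignore]     pam_unix.so obscure sha512
password requisite                      pam_deny.so
password required                       pam_permit.so
"""

# type  control  module-path  [args...]; control is a keyword or a [action=value ...] list
LINE_RE = re.compile(
    r"^(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$"
)

# Modules that actually verify or set a credential. A stack without any of these
# never compares the typed password against anything.
CREDENTIAL_MODULES = {"pam_unix.so", "pam_sss.so", "pam_ldap.so", "pam_krb5.so", "pam_winbind.so"}

# A bracket control that ends the stack early: a numeric jump or 'done' for
# success/default (pam_permit.so always returns success, so 'default=' applies too).
SHORT_CIRCUIT_RE = re.compile(r"(success|default)=(\d+|done)")


def parse_pam(text):
    """Return (type, control, module, args) tuples for each non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        match = LINE_RE.match(line) if line else None
        if match:
            entries.append((match["type"], match["control"],
                            match["module"].rsplit("/", 1)[-1],  # strip any path prefix
                            match["args"].strip()))
    return entries


def audit(text):
    """Flag auth/password stacks that accept any password, as (stack, reason) pairs."""
    findings = []
    entries = parse_pam(text)
    for stack in ("auth", "password"):
        rules = [e for e in entries if e[0] == stack]
        if not rules:
            continue
        if not any(module in CREDENTIAL_MODULES for _, _, module, _ in rules):
            findings.append((stack, "no credential module (e.g. pam_unix.so) in stack"))
        for _, control, module, _ in rules:
            # pam_permit.so always succeeds; if its control then skips the rest of
            # the stack (past pam_deny.so), every password is accepted.
            if module == "pam_permit.so" and (control == "sufficient" or SHORT_CIRCUIT_RE.search(control)):
                findings.append((stack, f"pam_permit.so with short-circuit control {control}"))
    return findings


def audit_path(path):
    """Hypothetical helper: audit a real file such as /etc/pam.d/common-auth."""
    with open(path, encoding="utf-8") as fh:
        return audit(fh.read())


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, audit(conf) or "OK")
```

Run inside the container against /etc/pam.d/common-auth and /etc/pam.d/common-password (via `audit_path`) before relying on container-local users for ssh or application logins; a stack that reports either finding will behave as the session transcript above shows, regardless of what hash /etc/shadow holds. The trailing `required pam_permit.so` after `requisite pam_deny.so` is deliberately not flagged, because by then pam_deny.so has already rejected a failed attempt.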