
We have automated a lot of things for server startup via cloud-config, and I want confirmation about whether there is any security concern in the following.

```yaml
users:
  - name: myuser
    groups: sudo
    shell: /bin/zsh
...

runcmd:
    # change myuser password
  - PASSWORD=$(openssl rand -base64 12)
  - PASS_CRYPT=$(perl -e 'print crypt($ARGV[0], "password")' $PASSWORD)
  - usermod -p $PASS_CRYPT myuser
  - echo "# SAVE IN 1PASSWORD THEN DELETE THIS FILE\n$PASSWORD" > /home/myuser/password.txt
  - chown myuser:myuser /home/myuser/password.txt
  - chmod 600 /home/myuser/password.txt
```

In English, this

  • Creates user myuser
  • Generates and encrypts a random strong password
  • Leaves a text file in that user's home directory with instructions to save in a password manager, then delete.

I've seen some warnings about generating a password through cloud init, because certain logs are left in plaintext which are readable by all users. However, I think I've worked around that by using environment variables which will disappear when the session is over.

Is this assumption correct? Or will those variables be expanded and stored at any point in a place where any user could see them?

  • I would most likely also `chown` the file to the user/group it is being created for and `chmod` it to 600 for security reasons (these are the same permissions used to secure ssh's priv keys) – CaffeineAddiction Jan 23 '22 at 03:35
  • ah thanks, that would make sense, even if the file is not meant to stick around...still curious about whether cloud-init might leave anything around.. – Augustine Calvino Jan 23 '22 at 05:10
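
A hardened variant of the `runcmd` steps in the question, as an added example that is not part of the original post: it keeps the password and its hash off every command line (process arguments are readable by other local users, which the `usermod` man page warns about for `-p`), uses SHA-512 crypt instead of the DES fallback that `crypt()` with the salt `"password"` selects, and creates the file already restricted. The function names and the `--apply` wrapper are assumptions; cloud-init could ship the script with `write_files` and call it from `runcmd`.

```shell
#!/bin/sh
# Added example, not the asker's code. Function names are hypothetical.
set -eu

# 16 base64 characters from 12 random bytes, as in the question.
gen_password() { openssl rand -base64 12; }

# Plaintext on stdin -> SHA-512 crypt ($6$, random salt) on stdout.
# -stdin keeps the plaintext out of openssl's argument list; perl
# crypt() with the salt "password" falls back to DES crypt, which
# uses only the first 8 characters of the password.
hash_password() { openssl passwd -6 -stdin; }

# Copy stdin to a new file "$1"; umask 077 makes it 0600 from creation,
# so there is no window before a later chmod.
write_secret_file() { ( umask 077; cat > "$1" ); }

# Hand "user:hash" to chpasswd on stdin instead of `usermod -p HASH`,
# whose arguments other local users can read in the process list.
set_user_hash() { printf '%s:%s\n' "$1" "$2" | chpasswd -e; }

# $1 = user, $2 = hand-off file. Needs root, like runcmd itself.
provision() {
    pw=$(gen_password)
    hash=$(printf '%s\n' "$pw" | hash_password)
    set_user_hash "$1" "$hash"
    printf '# SAVE IN 1PASSWORD THEN DELETE THIS FILE\n%s\n' "$pw" |
        write_secret_file "$2"
    chown "$1:$1" "$2"
    unset pw hash
}

# Only act when asked to, e.g.:
#   sh set-password.sh --apply myuser /home/myuser/password.txt
if [ "${1:-}" = "--apply" ]; then
    provision "$2" "$3"
fi
```

`printf` is a shell builtin, so the values it is given here travel through a pipe and never appear as the arguments of a separate process.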

0 Answers