-
-
Notifications
You must be signed in to change notification settings - Fork 48
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
'sudo xl console', login asks for password for user 'user' #1130
'sudo xl console', login asks for password for user 'user' #1130
Comments
@adrelanos |
Just now tested
Exactly in that use case. But also in exactly these problematic cases it's very good to avoid further confusion and not to add more hurdles [or riddles] for the one trying to provide debug information. Can someone advice please, where the code is that allows passwordless login for the |
If you look in /etc/shadow you'll see root has no password set. |
We could get away with this by modifying https://github.com/marmarek/qubes-core-agent-linux/blob/master/debian/qubes-core-agent.preinst.
|
I'm ok with this change. Are you going to commit this? Best Regards, |
Yes, pull request attached above. I was wondering if this should be fixed in existing images during upgrade as well by running |
Theoretically we could check for:
But I think we could also simply ignore this. Best Regards, |
Done in above pull request. |
Please reopen. Can someone confirm, that newly created Debian templates that never upgraded qubes-core-agent before, can login Looking at qubes-core-agent-linux preinst it creates user But qubes-builder-debian prepare-chroot-debian uses Below.
We should add.
|
@andrewdavidwong Confirmed this issue still arises in 3.2 milestone for Fedora template |
In current release (Qubes 4.0) the usage of But to get control |
use long option names by default. QubesOS/qubes-issues#1130
QubesOS/qubes-core-agent-linux#169 QubesOS/qubes-core-agent-linux#170 After/if these are merged, I will suggest to move user/root password manipulation from qubes-core-agent to qubes-core-agent-passwordless-root instead. That would simplify https://github.com/tasket/Qubes-VM-hardening since then removal of qubes-core-agent-passwordless-root package would result in what is expected and also nicely encapsulate that functionality into the correct package. But that's a separate ticket. My idea was to first document / make obvious what we are doing to everyone and myself, and then be well prepared to suggest the fixes for the things I actually care about. This is related to https://github.com/tasket/Qubes-VM-hardening and the recently implemented root/su/sudoers/pam/securetty hardening in https://github.com/Whonix/security-misc. //cc @tasket |
Comment from QubesOS/qubes-core-agent-linux#171 (comment):
|
QubesOS/qubes-issues#1130 (cherry picked from commit f1add4c)
From QubesOS/qubes-core-agent-linux#168 (comment):
I like this idea very much, much better than the current empty password. |
QubesOS/qubes-core-agent-linux@fb28a48 and preceding commits fixed this for R4.1. Needs backporting to R4.0. Closing, but marking as “backport needed” so that R4.0 will get the fix. |
Works passwordless for user 'root' but not for user 'user. Both, Fedora and Debian templates are affected.
The text was updated successfully, but these errors were encountered: