Don't set an initial null root password for Amazon / VirtualBox images

A null password allows logging into local PAM services such as "login" (agetty) and KDM. That's not actually a security problem for EC2 machines, since they do not have "local" logins; for VirtualBox machines, if you local access, you can do anything anyway. But it's better to be on the safe side and disable password-based logins for root.
author: Eelco Dolstra <eelco.dolstra@logicblox.com> 2013-11-01 14:45:56 +0100
committer: Eelco Dolstra <eelco.dolstra@logicblox.com> 2013-11-01 15:04:21 +0100
commit: 4ba7dfde5b79ec835e8739922400b3f5f4f089f2 (patch)
tree: 77c0edf4df6472f48cefca5e0196dbe47b53dc76 /nixos/modules/virtualisation
parent: 8352df8d66a7fa3f5abc4ab890fbbfe34f335f79 (diff)
download: nixlib-4ba7dfde5b79ec835e8739922400b3f5f4f089f2.tar
nixlib-4ba7dfde5b79ec835e8739922400b3f5f4f089f2.tar.gz
nixlib-4ba7dfde5b79ec835e8739922400b3f5f4f089f2.tar.bz2
nixlib-4ba7dfde5b79ec835e8739922400b3f5f4f089f2.tar.lz
nixlib-4ba7dfde5b79ec835e8739922400b3f5f4f089f2.tar.xz
nixlib-4ba7dfde5b79ec835e8739922400b3f5f4f089f2.tar.zst
nixlib-4ba7dfde5b79ec835e8739922400b3f5f4f089f2.zip
2 files changed, 10 insertions, 0 deletions
diff --git a/nixos/modules/virtualisation/amazon-image.nix b/nixos/modules/virtualisation/amazon-image.nix
index cfc582170e6c..abd2a1084bd9 100644
--- a/nixos/modules/virtualisation/amazon-image.nix
+++ b/nixos/modules/virtualisation/amazon-image.nix
@@ -160,4 +160,9 @@ with pkgs.lib;
   environment.systemPackages = [ pkgs.cryptsetup ];
 
   boot.initrd.supportedFilesystems = [ "unionfs-fuse" ];
+
+  # Prevent logging in as root without a password.  This doesn't really matter,
+  # since the only PAM services that allow logging in with a null
+  # password are local ones that are inaccessible on EC2 machines.
+  security.initialRootPassword = "!";
 }
diff --git a/nixos/modules/virtualisation/virtualbox-image.nix b/nixos/modules/virtualisation/virtualbox-image.nix
index beed36b6a516..71bdf31a98d2 100644
--- a/nixos/modules/virtualisation/virtualbox-image.nix
+++ b/nixos/modules/virtualisation/virtualbox-image.nix
@@ -107,4 +107,9 @@ with pkgs.lib;
   boot.loader.grub.device = "/dev/sda";
 
   services.virtualbox.enable = true;
+
+  # Prevent logging in as root without a password.  For NixOps, we
+  # don't need this because the user can login via SSH, and for the
+  # demo images, there is a demo user account that can sudo to root.
+  security.initialRootPassword = "!";
 }
author	Eelco Dolstra <eelco.dolstra@logicblox.com>	2013-11-01 14:45:56 +0100
committer	Eelco Dolstra <eelco.dolstra@logicblox.com>	2013-11-01 15:04:21 +0100
commit	4ba7dfde5b79ec835e8739922400b3f5f4f089f2 (patch)
tree	77c0edf4df6472f48cefca5e0196dbe47b53dc76 /nixos/modules/virtualisation
parent	8352df8d66a7fa3f5abc4ab890fbbfe34f335f79 (diff)
download	nixlib-4ba7dfde5b79ec835e8739922400b3f5f4f089f2.tar nixlib-4ba7dfde5b79ec835e8739922400b3f5f4f089f2.tar.gz nixlib-4ba7dfde5b79ec835e8739922400b3f5f4f089f2.tar.bz2 nixlib-4ba7dfde5b79ec835e8739922400b3f5f4f089f2.tar.lz nixlib-4ba7dfde5b79ec835e8739922400b3f5f4f089f2.tar.xz nixlib-4ba7dfde5b79ec835e8739922400b3f5f4f089f2.tar.zst nixlib-4ba7dfde5b79ec835e8739922400b3f5f4f089f2.zip