author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2013-11-01 14:45:56 +0100 |
---|---|---|
committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2013-11-01 15:04:21 +0100 |
commit | 4ba7dfde5b79ec835e8739922400b3f5f4f089f2 (patch) | |
tree | 77c0edf4df6472f48cefca5e0196dbe47b53dc76 /nixos/modules/virtualisation | |
parent | 8352df8d66a7fa3f5abc4ab890fbbfe34f335f79 (diff) | |
Don't set an initial null root password for Amazon / VirtualBox images
A null password allows logging into local PAM services such as "login" (agetty) and KDM. That's not actually a security problem for EC2 machines, since they do not have "local" logins; for VirtualBox machines, if you have local access, you can do anything anyway. But it's better to be on the safe side and disable password-based logins for root.
Diffstat (limited to 'nixos/modules/virtualisation')
-rw-r--r-- | nixos/modules/virtualisation/amazon-image.nix | 5 | ||||
-rw-r--r-- | nixos/modules/virtualisation/virtualbox-image.nix | 5 |
2 files changed, 10 insertions, 0 deletions
diff --git a/nixos/modules/virtualisation/amazon-image.nix b/nixos/modules/virtualisation/amazon-image.nix
index cfc582170e6c..abd2a1084bd9 100644
--- a/nixos/modules/virtualisation/amazon-image.nix
+++ b/nixos/modules/virtualisation/amazon-image.nix
@@ -160,4 +160,9 @@ with pkgs.lib;
 environment.systemPackages = [ pkgs.cryptsetup ];
 boot.initrd.supportedFilesystems = [ "unionfs-fuse" ];
+
+ # Prevent logging in as root without a password. This doesn't really matter,
+ # since the only PAM services that allow logging in with a null
+ # password are local ones that are inaccessible on EC2 machines.
+ security.initialRootPassword = "!";
 }
diff --git a/nixos/modules/virtualisation/virtualbox-image.nix b/nixos/modules/virtualisation/virtualbox-image.nix
index beed36b6a516..71bdf31a98d2 100644
--- a/nixos/modules/virtualisation/virtualbox-image.nix
+++ b/nixos/modules/virtualisation/virtualbox-image.nix
@@ -107,4 +107,9 @@ with pkgs.lib;
 boot.loader.grub.device = "/dev/sda";
 services.virtualbox.enable = true;
+
+ # Prevent logging in as root without a password. For NixOps, we
+ # don't need this because the user can login via SSH, and for the
+ # demo images, there is a demo user account that can sudo to root.
+ security.initialRootPassword = "!";
 } |
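Review bot: The comment above `security.initialRootPassword = "!";` in amazon-image.nix does not say what `"!"` means, so a reader can take it for a literal one-character password. I would state it, e.g. `# "!" is not a valid password hash, so root has no usable password.` (this assumes the value ends up in the shadow password field, which the hunk does not show). The definition is also unconditional; `security.initialRootPassword = mkDefault "!";` would let a configuration that imports this module set its own value without a conflict, and the same applies to the virtualbox-image.nix hunk. Since the option is named "initial", instances already created from older images presumably keep the empty root password, which is worth stating in the commit message or release notes.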
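Review bot: In the virtualbox-image.nix comment, "we don't need this" reads as if the new setting were unnecessary, while it appears to mean that a root password is unnecessary. A clearer wording would be `# Lock password login for root. NixOps logs in via SSH, and the demo` / `# images have a demo user account that can sudo to root.` That demo account is then the remaining local path to root, so the comment could also point to where its password is defined; that definition is outside this hunk.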