Closed noaho closed 1 year ago
Bento boxes are meant to be used with tools like test-kitchen and others as temporary servers stood up to test configuration changes etc., and then torn down. Password auth is needed for those tools to log in with the known user vagrant. If using the boxes long term, in production, or exposed to the internet, it is highly encouraged to harden them by removing or changing the vagrant user password as well as applying other OS hardening steps. You can use the bento templates to create your own images and make modifications like creating a different user other than vagrant.
Version
bento/ubuntu-22.04 (virtualbox, 202303.13.0)
Scenario
On the latest Ubuntu 22.04 virtualbox image, there is a file /etc/ssh/sshd_config.d/50-cloud-init.conf that contains PasswordAuthentication yes
This overwrote the PasswordAuthentication No I had set in /etc/ssh/sshd_config as it takes precedence.
I found this out because I discovered a crypto-miner on the machine, that someone had installed after scanning the internet for vagrant:vagrant.
I'm very confused about this because I can't seem to see any changes in the chef/bento repo, and I can't see where ubuntu cloud-init is being used in this way.
Anyway I thought I should make a bug report because this seems unexpected.
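The precedence problem in the report comes from how sshd reads its configuration: the first value obtained for a keyword wins, an Include directive is expanded at the point where it appears, and glob matches are processed in sorted order. Ubuntu's sshd_config places its Include of /etc/ssh/sshd_config.d/*.conf near the top, so a drop-in there wins over anything set later in sshd_config itself. The script below is an added example, not code from the bento project, Ubuntu or cloud-init: it emulates those three sshd rules for a single keyword so the effective value can be resolved on any config tree, rebuilds the reported layout in a constructed temporary directory, and shows the usual fix, a drop-in whose name sorts before 50-cloud-init.conf. The file name 00-no-password-auth.conf and the helper names are assumptions; Match blocks, quoted arguments and the keyword=value form are not handled.

```shell
#!/bin/sh
# Added example (not from bento/Ubuntu/cloud-init): resolve the value sshd would use for one
# keyword by following its precedence rules: first value wins, Include expanded in place,
# glob matches in sorted order, keywords case-insensitive. Match blocks, quoted arguments
# and the keyword=value syntax are deliberately not handled.

# sshd resolves relative Include paths against /etc/ssh; overridable for tests.
SSH_CONF_ROOT=${SSH_CONF_ROOT:-/etc/ssh}

# effective_value <config file> <keyword>
# Prints the first value found (sshd semantics) and returns 0; returns 1 if none found.
# Recursion happens inside $(...) subshells, so the plain variables below are not clobbered.
effective_value() {
  _cfg=$1
  _key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  while IFS= read -r _line || [ -n "$_line" ]; do
    _line=${_line%%#*}          # drop comments
    set -- $_line               # split into keyword and arguments
    [ $# -ge 2 ] || continue
    _k=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    if [ "$_k" = include ]; then
      shift
      for _pat in "$@"; do
        case $_pat in /*) ;; *) _pat=$SSH_CONF_ROOT/$_pat ;; esac
        for _f in $_pat; do     # unquoted: glob expands in sorted order, like sshd
          [ -f "$_f" ] || continue
          if _v=$(effective_value "$_f" "$_key"); then
            printf '%s\n' "$_v"
            return 0
          fi
        done
      done
    elif [ "$_k" = "$_key" ]; then
      printf '%s\n' "$2"
      return 0
    fi
  done < "$_cfg"
  return 1
}

# build_demo_tree <dir>: constructed tree reproducing the report (Include first, then the
# admin's "no" in sshd_config, and a cloud-init drop-in saying "yes").
build_demo_tree() {
  mkdir -p "$1/sshd_config.d"
  printf 'Include %s/sshd_config.d/*.conf\nPasswordAuthentication no\n' "$1" > "$1/sshd_config"
  printf 'PasswordAuthentication yes\n' > "$1/sshd_config.d/50-cloud-init.conf"
}

# add_override <dir>: the fix; a drop-in that sorts before 50-cloud-init.conf is read first.
add_override() {
  printf 'PasswordAuthentication no\n' > "$1/sshd_config.d/00-no-password-auth.conf"
}

# Stand-alone demo on the constructed tree.
demo_dir=$(mktemp -d)
build_demo_tree "$demo_dir"
printf 'before fix: %s\n' "$(effective_value "$demo_dir/sshd_config" PasswordAuthentication)"
add_override "$demo_dir"
printf 'after fix:  %s\n' "$(effective_value "$demo_dir/sshd_config" PasswordAuthentication)"
rm -rf "$demo_dir"
```

On a real host the authoritative check is the daemon's own test mode, `sshd -T | grep -i passwordauthentication`, run after every change; the emulation above is only for reasoning about why a drop-in wins, and for catching a stray `PasswordAuthentication yes` in a config tree before the box is ever exposed.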