Flatcar always logins in automatically on VMWare

[strawgate]

Description

Due to: https://github.com/flatcar-linux/coreos-overlay/pull/308 flatcar now always does an autologin with the core user.

Impact

This was not the behavior previously and there is no documentation covering that this is the case. This seems like a pretty important breaking change to not be documented.

Expected behavior

The decision to auto-login on console should be handled via the ignition file per the documentation

[pothos]

Hello,

thanks for the feedback, this is documented in https://docs.flatcar-linux.org/os/booting-on-vmware/#logging-in and the release notes (section Changes) https://www.flatcar-linux.org/releases/#release-2512.2.0

Do you see any security issues with this? If it helps, I can gather some instructions on how to disable this via Ignition (but it may involve a reboot).

[strawgate]

Hi!

I guess I misunderstood when reading the release notes.

Use flatcar.autologin kernel command line parameter on Azure and VMware for auto login on the serial console

And didn't realize serial console = vga console

The security issue would be that someone who has properly provisioned their instances with Ignition will now have them sitting logged in on the VGA console. As long as its documented that this occurred i guess it's not a big deal.

[pothos]

Yes, for Azure it's a serial console but for VMware a VGA console but actually the parameter doesn't restrict it to one in its current setting. It's possible to assign a single TTY name to it to restrict where the autologin happens (see https://docs.flatcar-linux.org/os/other-settings/#enable-flatcar-container-linux-autologin). However, This still can be circumvented by waiting for a reboot and pressing e during the GRUB menu and change the setting again. This is why I don't see a big security issue because a knowledgeable attacker with console access can use this path.

You can change the default in /usr/share/oem/grub.cfg and I will leave this ticket open until we document how to change the default (not only for VMware but for all where it applies).

[strawgate]

For better or worse, most compliance/regulatory schemes require authentication to use/modify the system with no requirements for how hard it must be to bypass authentication.

Most systems have fairly simple ways to reset local accounts or bypass authentication while still requiring it.

[dgsardina]

I am struggling to deactivate autologin by using ignition config. Has anyone successfully deactivated it this way? Thank you and regards.

[pothos]

If you overwrite the file with Ignition the setting will only take effect after the next boot. Here the CLC you can use (convert it to Ignition JSON with ct):

storage:
  filesystems:
    - name: oem
      mount:
    device: /dev/disk/by-label/OEM
        format: ext4
        label: OEM
  files:
    - path: /grub.cfg
      filesystem: oem
      mode: 0644
      contents:
        inline: |
          set oem_id="vmware"
          set linux_append=""

[pothos]

Can you confirm this works after an additional reboot? Then I will create a PR to have this covered in the docs.

[dgsardina]

@pothos Thank you, the snippet you sent works perfectly fine, just replacing some tabs by spaces :)

I used the following command to convert to ignition, in case it helps someone else: docker run --rm -i quay.io/coreos/ct:latest-dev --platform=custom -strict -pretty - < t.yaml > t.json

[pothos]

Ok, docs PR here: https://github.com/kinvolk/flatcar-docs/pull/156