Closed strawgate closed 3 years ago
Hello,
thanks for the feedback, this is documented in https://docs.flatcar-linux.org/os/booting-on-vmware/#logging-in and the release notes (section Changes) https://www.flatcar-linux.org/releases/#release-2512.2.0
Do you see any security issues with this? If it helps, I can gather some instructions on how to disable this via Ignition (but it may involve a reboot).
Hi!
I guess I misunderstood when reading the release notes.
Use flatcar.autologin kernel command line parameter on Azure and VMware for auto login on the serial console
And didn't realize serial console = vga console
The security issue would be that someone who has properly provisioned their instances with Ignition will now have them sitting logged in on the VGA console. As long as it's documented that this occurred I guess it's not a big deal.
Yes, for Azure it's a serial console but for VMware a VGA console, but actually the parameter doesn't restrict it to one in its current setting. It's possible to assign a single TTY name to it to restrict where the autologin happens (see https://docs.flatcar-linux.org/os/other-settings/#enable-flatcar-container-linux-autologin). However, this can still be circumvented by waiting for a reboot, pressing e during the GRUB menu and changing the setting again. This is why I don't see a big security issue, because a knowledgeable attacker with console access can use this path.
You can change the default in /usr/share/oem/grub.cfg and I will leave this ticket open until we document how to change the default (not only for VMware but for all where it applies).
For better or worse, most compliance/regulatory schemes require authentication to use/modify the system with no requirements for how hard it must be to bypass authentication.
Most systems have fairly simple ways to reset local accounts or bypass authentication while still requiring it.
I am struggling to deactivate autologin by using ignition config. Has anyone successfully deactivated it this way? Thank you and regards.
If you overwrite the file with Ignition the setting will only take effect after the next boot.
Here is the CLC you can use (convert it to Ignition JSON with ct):
storage:
  filesystems:
    - name: oem
      mount:
        device: /dev/disk/by-label/OEM
        format: ext4
        label: OEM
  files:
    - path: /grub.cfg
      filesystem: oem
      mode: 0644
      contents:
        inline: |
          set oem_id="vmware"
          set linux_append=""
Can you confirm this works after an additional reboot? Then I will create a PR to have this covered in the docs.
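An added audit helper (not from the thread or from the Flatcar project) that checks whether a grub.cfg's linux_append still carries flatcar.autologin, and distinguishes the bare form (serial and VGA alike) from the single-TTY form mentioned above. It assumes the `set linux_append="..."` layout shown in the snippet and constructs its sample grub.cfg contents inline.

```shell
#!/bin/sh
# Added audit helper (not from the issue thread or the Flatcar project).
# Assumes the OEM grub.cfg uses `set linux_append="..."` as in the thread and that
# the kernel parameter is `flatcar.autologin` or `flatcar.autologin=<tty>`.

# Constructed sample contents; on a real host read /usr/share/oem/grub.cfg and /proc/cmdline.
AUTOLOGIN_GRUB_CFG='set oem_id="vmware"
set linux_append="flatcar.autologin console=ttyS0"'
FIXED_GRUB_CFG='set oem_id="vmware"
set linux_append=""'

# Print the quoted value of `set NAME="..."` from grub.cfg text (last definition wins).
grub_var() {  # $1 = grub.cfg text, $2 = variable name
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*set ${2}=\"\(.*\)\"[[:space:]]*$/\1/p" | tail -n 1
}

# Classify a kernel command line: "disabled", "all-consoles" (bare flatcar.autologin,
# i.e. serial and VGA alike) or "tty:<name>" when restricted to one TTY.
autologin_state() {  # $1 = kernel command line string
  state=disabled
  for tok in $1; do
    case "$tok" in
      flatcar.autologin)   state=all-consoles ;;
      flatcar.autologin=*) state="tty:${tok#flatcar.autologin=}" ;;
    esac
  done
  printf '%s\n' "$state"
}

# Audit grub.cfg text; succeeds (exit 0) only when no autologin is configured.
audit_grub_cfg() {  # $1 = grub.cfg text
  append=$(grub_var "$1" linux_append)
  state=$(autologin_state "$append")
  printf 'linux_append="%s" -> autologin: %s\n' "$append" "$state"
  [ "$state" = disabled ]
}

if audit_grub_cfg "$AUTOLOGIN_GRUB_CFG"; then echo "OK"; else echo "WARN: autologin active"; fi
audit_grub_cfg "$FIXED_GRUB_CFG" && echo "OK"
```

Because the setting is read at boot, run the same check against /proc/cmdline after the reboot to confirm the Ignition-written grub.cfg actually took effect.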
@pothos Thank you, the snippet you sent works perfectly fine, just replacing some tabs by spaces :)
I used the following command to convert to ignition, in case it helps someone else:
docker run --rm -i quay.io/coreos/ct:latest-dev --platform=custom -strict -pretty - < t.yaml > t.json
Ok, docs PR here: https://github.com/kinvolk/flatcar-docs/pull/156
Description
Due to: https://github.com/flatcar-linux/coreos-overlay/pull/308 flatcar now always does an autologin with the core user.
Impact
This was not the behavior previously and there is no documentation covering that this is the case. This seems like a pretty important breaking change to not be documented.
Expected behavior
The decision to auto-login on console should be handled via the ignition file per the documentation