*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: python-vm-builder

I created a new kvm guest using vmbuilder (following, if I remember correctly, https://help.ubuntu.com/community/KVM/CreateGuests and/or https://help.ubuntu.com/community/JeOSVMBuilder), put it on the net without noticing that it had created a default account (with user and password both "ubuntu") and promptly got hacked by somebody running an ssh scanner. (I never needed a default account myself since I depended on the --ssh-key option to log me in to the new guest.)

OK, my mistake: something as simple as "ls /home" would probably have been enough to alert me to the problem; and https://help.ubuntu.com/community/JeOSVMBuilder does mention the default at some point (though not very prominently).

In my defense: vmbuilder appeared to be the preferred way to create kvm guests from the commandline, and it's somewhat surprising that it would by default create guests that were unsafe to put on the network.

Since this appears to be a property of one of the included templates, not of vmbuilder itself, I'm not sure where this is best documented. The ideal might be if vmbuilder could warn the user about the default and require positive confirmation before proceeding ("are you sure you want this (y/n)?").

** Affects: vm-builder (Ubuntu)
     Importance: Undecided
         Status: New

** Visibility changed to: Public

--
vmbuilder default account not well-documented
https://bugs.launchpad.net/bugs/503467