Passwordless SSH access when gluon-authorized-keys was used without gluon-setup-mode

Moderate
mweinelt published GHSA-96wm-xfjr-2qx3 Jul 6, 2019 · 1 comment

Package

gluon-authorized-keys (Gluon)

Affected versions

v2015.1 - v2018.2.2

Patched versions

v2018.2.3, v2019.1

Description

Impact

Builds that used gluon-authorized-keys without gluon-setup-mode were missing a dependency on gluon-lock-password, which led to passwordless SSH access to nodes. This is especially problematic because setting up authorized SSH keys leads people to believe that the node is securely configured to be accessible only this way.

This is a very uncommon setup, as gluon-setup-mode is the basis for config mode, which is commonly used.

Patches

Workarounds

Execute passwd -l root on affected nodes.
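
An added example (not part of the advisory or of Gluon's code) for checking a node before and after the workaround: it classifies the root entry of a shadow(5)-format file, assuming the affected state shows up as an empty password field for root in /etc/shadow. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Gluon code. Field 2 of "root:<field2>:..." in a
# shadow(5)-format file decides whether password login can succeed:
#   empty              -> no password required
#   starts with ! or * -> locked (what `passwd -l root` leaves behind)
#   anything else      -> a password hash is set

root_pw_state() {
    # $1: shadow-format file; /etc/shadow is the assumed location on a node
    shadow_file=${1:-/etc/shadow}
    [ -r "$shadow_file" ] || { echo "unreadable"; return 2; }
    awk -F: '
        $1 == "root" {
            found = 1
            if ($2 == "")           print "passwordless"
            else if ($2 ~ /^[!*]/)  print "locked"
            else                    print "password-set"
            exit
        }
        END { if (!found) print "no-root-entry" }
    ' "$shadow_file"
}

check_node() {
    # Exit status: 0 = not passwordless, 1 = passwordless, 2 = cannot tell
    state=$(root_pw_state "$1") || true
    case "$state" in
        passwordless) echo "VULNERABLE: root has no password; run: passwd -l root"; return 1 ;;
        locked)       echo "OK: root password is locked"; return 0 ;;
        password-set) echo "NOTE: root has a password hash set"; return 0 ;;
        *)            echo "UNKNOWN: $state"; return 2 ;;
    esac
}

demo() {
    # Constructed sample entries, not taken from a real node
    tmp=$(mktemp) || return 2
    for entry in 'root:::0:99999:7:::' 'root:!:0:0:99999:7:::'; do
        printf '%s\n' "$entry" > "$tmp"
        printf '%-24s -> %s\n' "$entry" "$(root_pw_state "$tmp")"
    done
    rm -f "$tmp"
}
demo
```

Run `check_node` with no argument on the node itself (as root, so /etc/shadow is readable); its exit status makes it usable from a fleet-wide audit loop.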

References

#1777

For more information

If you have any questions or comments about this advisory:

  • Use the existing issue at #1777

Severity

Moderate

CVE ID

No known CVE

Weaknesses

No CWEs
