Impact
Using gluon-authorized-keys without gluon-setup-mode lacked a dependency on gluon-lock-password, which led to passwordless SSH access to nodes. This is especially problematic, as setting up authorized SSH keys would lead people to believe that it would securely configure the node to be only accessed this way.
This is a very uncommon setup, as gluon-setup-mode is the basis for config mode, which is commonly used.
Patches
Workarounds
Execute passwd -l root on affected nodes.
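To confirm whether a node needs the workaround, or that it took effect, the root entry in the shadow file can be inspected. The following check is an added example, not code from the Gluon project; the function name root_password_state and the sample shadow lines are constructed for illustration, and it assumes the standard shadow format in which the second colon-separated field holds the password hash.

```sh
#!/bin/sh
# Classify the root entry of a shadow file (default: /etc/shadow).
# Prints one of:
#   empty   - password field is empty, so login needs no password
#   locked  - password field starts with '!' or '*' (password login disabled)
#   set     - a password hash is present
#   missing - no root entry found (or file unreadable)
# root_password_state is a hypothetical helper name, not part of Gluon.
root_password_state() {
    shadow_file="${1:-/etc/shadow}"
    line=$(grep '^root:' "$shadow_file" 2>/dev/null | head -n 1)
    if [ -z "$line" ]; then
        echo missing
        return 0
    fi
    # Field 2 of the shadow line is the password hash.
    field=$(printf '%s\n' "$line" | cut -d: -f2)
    case "$field" in
        '')        echo empty ;;
        '!'*|'*'*) echo locked ;;
        *)         echo set ;;
    esac
}

# Constructed sample input: a root entry with an empty password field,
# then the same entry after the password has been locked.
tmp=$(mktemp)
printf 'root:::0:99999:7:::\n' > "$tmp"
echo "before workaround: $(root_password_state "$tmp")"
printf 'root:!:0:99999:7:::\n' > "$tmp"
echo "after workaround:  $(root_password_state "$tmp")"
rm -f "$tmp"
```

On a node, calling root_password_state with no argument reads /etc/shadow; a result of empty means the workaround above still has to be applied.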
References
#1777
For more information
If you have any questions or comments about this advisory:
- Use the existing issue at #1777