[Bug 2034759] Re: riscv64 and generic preinstalled images use default ubuntu:ubuntu user where no other images do

Steve Langasek 2034759 at bugs.launchpad.net
Thu Sep 14 15:46:11 UTC 2023


Turns out pi images do this also but elsewhere, and the riscv64 images
were actually the better ones by disabling ssh password auth by default
(now fixed on the pi side), so nothing to do here for now.

** Changed in: livecd-rootfs (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to livecd-rootfs in Ubuntu.
https://bugs.launchpad.net/bugs/2034759

Title:
  riscv64 and generic preinstalled images use default ubuntu:ubuntu user
  where no other images do

Status in livecd-rootfs package in Ubuntu:
  Invalid

Bug description:
  livecd-rootfs has code that sets a pre-defined username and password
  on preinstalled images for riscv64 and "generic" (amd64, arm64)
  images.

  In *theory* the code that was added in 2021 for this was supposed to
  also apply to the raspi images, except the wrong subarch is used
  (raspi2 vs raspi).

  We don't want to have hard-coded username/password in any Ubuntu
  image.  And the raspi images are by far the most commonly used of any
  of the preinstalled images.  So if we don't have to (insecurely)
  hardcode an initial username and password for the raspi images, we
  shouldn't hardcode it for the riscv64 and generic images either!  We
  should figure out what raspi is managing to do right, and replicate
  that to the other images.

  We should never have an Ubuntu image that, deployed on a network-
  connected machine, is immediately vulnerable.
