On 2024-12-10 14:50:39 +0100 (+0100), Thomas Goirand wrote:
I didn't feel it would be controversial, though it seems removing md5 password injection is still up to debate:
https://review.opendev.org/c/openstack/nova/+/935512
Of course, I'd like the TC to agree with me that injecting md5-hashed passwords is, in 2024, to be considered a security problem that should be fixed (and backported) ASAP.
BTW, IMO this patch could be using the new feature from oslo_utils.secretutils that Takashi managed to get in: https://review.opendev.org/c/openstack/oslo.utils/+/931899 https://review.opendev.org/c/openstack/oslo.utils/+/935525
While I agree, this will need extensive manual testing with a wide variety of guest operating systems. See the PORTABILITY NOTES section of the crypt(3) manpage, but basically POSIX doesn't guarantee support for any particular hashes and options, so just because the host where libcrypt is being called supports a particular combination, that doesn't mean the guest it's injected into will be able to parse it. I also agree with comments on the nova change that this mechanism ought to be at least strongly discouraged for use on any platforms where local agents are able to set passwords from metadata (sounds like it already is?), since is neatly sidesteps the portability problem. Deprecation/removal would be great, but it sounds like Windows doesn't have a functional guest agent capable of this?
These, IMO, should also be backported to earlier oslo.utils releases, so we can fix earlier OpenStack releases in a nicer way.
I doubt we'll get consensus on this. As you say, it will explicitly drop support for some older guest platforms, which doesn't seem consistent with our usual policy for bug fixes on stable branches. That said, if it's a long-time deprecated feature anyway, maybe loss of some functionality in it is less risky (just in this specific case)? -- Jeremy Stanley