Support for default/root expired password in combo with password dictionary policy


Bart Van Bos

Jan 16, 2019, 10:38:10 PM
to Packer
Hi all,

I am trying to use packer to create Vagrant boxes for the F5 Networks BigIQ Virtual instances (ISO based). My configuration looks like this:

{
  "variables": {
    "F5_NAME": "BIGIP-14.0.0-0.0.2187"
  },
  "builders": [
    {
      "name": "{{ user `F5_NAME` }}",
      "type": "virtualbox-iso",
      "iso_url": "software/{{ user `F5_NAME` }}.iso",
      "iso_checksum": "4b503178ab6fb80a07a41940f507c681",
      "iso_checksum_type": "md5",
      "ssh_username": "root",
      "ssh_password": "default",
      "ssh_wait_timeout": "30000s",
      "headless": "false",
      "shutdown_command": "shutdown -h now",
      "guest_additions_mode": "disable",
      "guest_os_type": "Linux_64",
      "vm_name": "{{ user `F5_NAME` }}",
      "boot_wait": "60s",
      "boot_command": [
        "<enter><wait5>",
        "<enter><wait5>",
        "<enter>"
      ],
      "cpus":  "2",
      "disk_size": "160000",
      "format": "ovf",
      "memory": "4096",
      "vboxmanage": [
        ["modifyvm","{{.Name}}","--memory","4096"],
        ["modifyvm","{{.Name}}","--cpus","2"],
        ["modifyvm","{{.Name}}","--nic1","NAT"],
        ["modifyvm","{{.Name}}","--boot1","disk"]
      ]
    }
  ],
  "post-processors": [
    {
      "type": "vagrant",
      "compression_level": 9,
      "output": "{{ build_name }}.box"
    }
  ],
  "provisioners": [
    {
      "type": "shell",
      "inline": [
        "mkdir /shared/vagrant",
        "exit 0"
      ],
      "pause_before": "60s"
    },
    {
      "type": "file",
      "source": "files",
      "destination": "/shared/vagrant"
    }, ...
  ]
}


The default administrator password combination is root/default, but F5 has several measures to avoid insecure installations:
  1. The password is marked expired after initial installation, so you are forced to change the password.
  2. The new password has to comply with the password policy (should not be based on a dictionary word, like "default")

As a result, I am not able to log in with SSH, and the virtualbox-iso based packer build fails before the provisioners can kick off.

packer: -- Question 1: You are required to change your password immediately (root enforced)
packer: Changing password for root.
packer: (current) UNIX password:
packer: Keyboard interactive challenge:
packer: -- User:
packer: -- Instructions:
packer: -- Question 1: New BIG-IP password:
packer: Keyboard interactive challenge:
packer: -- User:
packer: -- Instructions:
packer: -- Question 1: BAD PASSWORD: it is based on a dictionary word
packer: New BIG-IP password:
packer: Keyboard interactive challenge:
packer: -- User:
packer: -- Instructions:
packer: -- Question 1: BAD PASSWORD: it is based on a dictionary word
packer: New BIG-IP password:
packer: Keyboard interactive challenge:
packer: -- User:
packer: -- Instructions: BAD PASSWORD: it is based on a dictionary word
packer: [DEBUG] SSH handshake err: ssh: handshake failed: ssh: unable to authenticate, attempted methods [keyboard-interactive none], no supported methods remain
packer: [DEBUG] Detected authentication error. Increasing handshake attempts.


In a normal interactive shell it would look like this:

login: root
Password:     (default)
You are required to change your password immediately (root enforced)
Changing password for root.
(current) UNIX password:      (default)
New BIG-IP password:
BAD PASSWORD: it is based on a dictionary word 
New BIG-IP password:
BAD PASSWORD: it is based on a dictionary word 


Is there support for this kind of scenario in packer or a way to hack this into it?

      "ssh_username": "root",
      "ssh_password": "default",
      "ssh_new_password": "somethingmoresafe",
      "ssh_wait_timeout": "30000s",

Best regards,
Bart

Rickard von Essen

Jan 17, 2019, 5:56:54 AM
to packe...@googlegroups.com
I would expect that you can change the password on the console, using `boot_command`? 
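
The console approach suggested in the reply above, as an added example that is not part of the thread or of Packer's documentation: the `boot_command` waits for the installed system's login prompt, answers the forced password change in the prompt order shown in the question's interactive session, and SSH then authenticates with the new password. The `F5_ROOT_PASSWORD` variable (read from the environment, and it must satisfy the BIG-IP password policy), the wait durations and the confirmation (retype) prompt are assumptions; `post-processors`, `provisioners` and `vboxmanage` are omitted.

```json
{
  "_comment": "Added example, not from the thread. Wait durations and the retype prompt are assumptions; tune them while watching the console.",
  "variables": {
    "F5_NAME": "BIGIP-14.0.0-0.0.2187",
    "F5_ROOT_PASSWORD": "{{ env `F5_ROOT_PASSWORD` }}"
  },
  "sensitive-variables": ["F5_ROOT_PASSWORD"],
  "builders": [
    {
      "name": "{{ user `F5_NAME` }}",
      "type": "virtualbox-iso",
      "iso_url": "software/{{ user `F5_NAME` }}.iso",
      "iso_checksum": "4b503178ab6fb80a07a41940f507c681",
      "iso_checksum_type": "md5",
      "guest_os_type": "Linux_64",
      "guest_additions_mode": "disable",
      "vm_name": "{{ user `F5_NAME` }}",
      "cpus": "2",
      "memory": "4096",
      "disk_size": "160000",
      "format": "ovf",
      "headless": "false",
      "boot_wait": "60s",
      "boot_command": [
        "<enter><wait5>",
        "<enter><wait5>",
        "<enter>",
        "<wait30m>",
        "root<enter><wait5>",
        "default<enter><wait5>",
        "default<enter><wait5>",
        "{{ user `F5_ROOT_PASSWORD` }}<enter><wait5>",
        "{{ user `F5_ROOT_PASSWORD` }}<enter><wait5>"
      ],
      "ssh_username": "root",
      "ssh_password": "{{ user `F5_ROOT_PASSWORD` }}",
      "ssh_wait_timeout": "30000s",
      "shutdown_command": "shutdown -h now"
    }
  ]
}
```

If a wait is too short the keystrokes land on the wrong prompt, and a password typed at `login:` can end up in the guest's authentication log as a username, so rotate it after a mistimed run.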
