Undocumented credentials part of the code in repository (D@rj33l1ng)

[dragetd]

There are default-credentals in the code with the password 'D@rj33l1ng' configured here:

windows/floppy/_packer_config.cmd

Line 47 in 72c70ff

:: Default: D@rj33l1ng

windows/floppy/_packer_config.cmd

Line 48 in 72c70ff

:: set SSHD_PASSWORD=D@rj33l1ng

here:

windows/floppy/cygwin.bat

Line 22 in 72c70ff

if not defined SSHD_PASSWORD set SSHD_PASSWORD=D@rj33l1ng

and here:

windows/floppy/openssh.bat

Line 8 in 72c70ff

if not defined SSHD_PASSWORD set SSHD_PASSWORD=D@rj33l1ng

First of all, the README could have a warning in the next update that states this fact and reminds people who are running these boxes to check if they have these default credentials enabled, since this password should be declared 'insecure' now.

The long-term solution might be a configuration variable to set all credentials across spots, where this is needed.

For now, the password could be set to a less surprising value like 'boxcutter' and be clearly documented in the README, so poeple are at least aware of this.

Replacing these and adding a bit to the README is a #goodfirstissue :-)

[daxgames]

The long-term solution might be a configuration variable to set all credentials across spots, where this is needed.

FWIW Thats what this is, just remove the :: and set a different password:

windows/floppy/_packer_config.cmd

Line 48 in 72c70ff

:: set SSHD_PASSWORD=D@rj33l1ng

[dragetd]

Well, the issue that this is not very well documented still stands.

[daxgames]

True

[arizvisa]

Thanks for this report. I don't personally use the ssh+cygwin builders, so this is a great catch. I'll see what I can do once I make some progress on the other things.

If you want to update the docs or anything in the meantime, a PR would be very welcomed.