If two people pull the same Docker image (let's say debian:10.4), they will obtain the same "files" (layers) from the Docker repo.
So, from what I understand, launching a Docker image is not exactly like a fresh install; it is more like a preinstalled OS. So I guess two debian:10.4 images launched on two separate hosts should be as equivalent as possible to avoid differences in behaviour from one host to another.
Considering this, I am asking myself whether the root password is always the same in every debian:10.4 image.
I don't know whether we know the root password of this image or only its hash. But if someone could find a preimage of this hash, would he be able to log in to every SSH server based on debian:10.4?
Or is there some minimal randomness applied at the start of a Docker instance to ensure the dispersion of some security constants (root password, id_rsa key, …)?
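An added check, not part of the question above, that answers it for any image you have locally: it parses the root entry of an /etc/shadow file and reports whether root has no password, is locked, or carries a real crypt(3) hash that would be identical in every container started from that image. The sample shadow lines are constructed; feed a real image's file with `root_status "$(docker run --rm debian:10.4 cat /etc/shadow)"`.

```shell
#!/bin/sh
# Classify one shadow password field.
# Prints: empty (no password, logs in without one), locked (no usable hash),
# hash (fixed crypt(3) hash shared by every container from this image), or unknown.
classify_field() {
  case "$1" in
    "")        echo "empty" ;;
    '*'|'!'|'!!') echo "locked" ;;
    '!'*)      echo "locked" ;;   # '!' prefix: a hash is present but the account is locked
    '$'*)      echo "hash" ;;     # $id$salt$hash: a real password hash
    *)         echo "unknown" ;;
  esac
}

# Take shadow-file contents as $1, find the root line and classify its password field.
# Prints "missing" if there is no root entry at all.
root_status() {
  while IFS=: read -r user pw _rest; do
    if [ "$user" = "root" ]; then
      classify_field "$pw"
      return 0
    fi
  done <<EOF
$1
EOF
  echo "missing"
}

# Constructed sample shadow contents (not taken from any real image).
SAMPLE_LOCKED='root:*:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::'
SAMPLE_HASH='root:$6$constructedsalt$constructedhash:18000:0:99999:7:::'
SAMPLE_EMPTY='root::18000:0:99999:7:::'

# Stand-alone demo on the constructed samples.
for s in "$SAMPLE_LOCKED" "$SAMPLE_HASH" "$SAMPLE_EMPTY"; do
  printf 'root password field: %s\n' "$(root_status "$s")"
done
```

Only the "hash" result means the image ships a fixed secret worth worrying about; "locked" means no password login is possible regardless of what SSH is installed later.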