
Live ISO: set the root password from boot command line or interactively #1288

Merged
merged 2 commits into from
Jun 5, 2024

@lslezak lslezak commented Jun 5, 2024

Problem

  • The Live ISO uses a static, well-known root password, which is insecure

Solution

This adds several boot command line options for setting the root password:

  • agama.password=<password> - set a plain text password, not really secure as every process can read it from /proc/cmdline but it is still far better than a predefined known password
  • agama.password_hash=<password_hash> - set a hashed password (generated by mkpasswd or openssl passwd), this is more secure but difficult to type manually as the hashed password is usually quite long, suitable for environments where you can prepare the boot command line before booting (like in PXE boot)
  • agama.password_systemd - interactively ask for the password during boot using the systemd-ask-password tool (simple prompt but should work also over a serial console)
  • agama.password_dialog - interactively ask for the password during boot using an interactive dialog (more fancy, but might not work well over a serial console)

Testing

  • Tested manually in VirtualBox and KVM virtual machines
  • The requested password is set properly and can be used in both Agama and SSH

Additional Fixes

  • Use set -e in config.sh, there was a hidden problem with activating the spicevdagend service, it was failing unnoticed for quite some time... 😱
  • Disable the snapper snapshot cleanup services, if you left the password dialog running for a long enough time then starting the timer services would mess up the screen. Moreover these are not needed and it is potentially dangerous to run such services from a Live ISO.
  • Removed the chown workarounds, not needed anymore as we build the tarball using the --owner=0 --group=0 options so the owner is properly set already in the archive.
  • Disabled the YaST units, not needed at all, that might make the boot process a tiny bit faster 😃

(But that gave me an idea about using the YaST Firstboot package for the Agama setup. We have almost full YaST in the Live ISO already. Using dialog is fine for simple things but if we ever need to do some more complicated setup then using YaST Firstboot might be a possible solution...)

Notes

  • In the interactive cases the SSH and Agama web server are blocked until you enter the password, that avoids (mis)using the default predefined password before a new one is set.
  • Starting an interactive session via systemd is quite tricky, the boot process normally continues and the systemd progress messages scroll over the console possibly destroying the displayed content. The workaround is to run the interactive service as late as possible, ideally after all unblocked services are finished. That is achieved by using the After= option. If the screen later gets broken by another service the solution should be to add it into the After= list.
  • Additionally printing the kernel messages to the console is disabled when the dialog is running
  • The dialog contains the "Press Ctrl+L to refresh the screen" hint at the top in case the output is messed up by some background process
  • The systemd-ask-password tool has the same problem so the same workaround is applied there as well. (I hoped it is better integrated into the systemd boot process, but there is nothing special about it regarding the terminal handling.)

TODO

  • Add documentation (will be added later in a separate PR)
  • Update changes (the same here)

Screenshots

Entering a password using dialog

agama_password_dialog

Entering a password using systemd

agama_password_systemd

This handles several boot command line options for setting the root password:

- "agama.password=<password>" - set password (plain text)
- "agama.password_hash=<password_hash>" - set hashed password
  (generated by "mkpasswd" or "openssl passwd")
- "agama.password_systemd" - interactively ask for the password during boot
  using the "systemd-ask-password" tool
- "agama.password_dialog" - interactively ask for the password during boot
  using an interactive dialog

# before starting the SSH and Agama server so they use the new password
Before=sshd.service
Before=agama-web-server.service
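
Review bot: Before= on these two lines only orders startup; it does not make sshd.service or agama-web-server.service depend on this unit succeeding, so if the password unit fails they can still start with the predefined password. Consider saying in the comment what is expected to happen on failure, or adding a requirement dependency on the dependent units if they must not start before a new password is set.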

np: I would try to be consistent with the style in agama-password-cmdline.service and use:

Before=sshd.service agama-web-server.service

or

Before=sshd.service
Before=agama-web-server.service

Whatever you prefer, but the same.

@lslezak lslezak merged commit 0514f32 into master Jun 5, 2024
@lslezak lslezak deleted the live_root_password branch June 5, 2024 14:52
lslezak added a commit that referenced this pull request Jun 6, 2024
## Problem

Avoid using the well known default root password in the Live medium.

## Solution

Allow modifying the default root password in the ISO medium by users. A
new default root password can be embedded into the ISO file metadata
using this command:
```
tagmedia --add-tag "agama_password=$(openssl passwd -6 | base64 -w 0)" <agama.iso>
```
This will embed a SHA512 hashed password into the ISO application area.
This area is already used for storing the medium checksum, if you run
the `checkmedia` command to verify the medium integrity then the
expected checksum is read from this metadata. You can check its content
by running `tagmedia <agama.iso>`.

The ISO application area is pretty small (512 bytes), but there is still
enough space to embed a hashed root password. Unfortunately it needs to
be Base64 encoded otherwise `tagmedia` then reports an error about
unsupported format.

If the root password is set by other options on the boot command line
(see #1288) then they will override this ISO file default.

The advantage of this solution is that it does not need any special
tweaks and you do not need root permissions to modify the ISO image. This
solution is suitable for mass deployment using the same physical medium.
You can modify the ISO, dump it on a USB stick and then install several
machines using your specific root password.

## Testing

- Tested manually, the embedded password is correctly used by Agama and
SSH.
- If the password is set by the other boot options from #1288 then they
will take precedence.

## TODO

Later:

- [ ] Create documentation
- [ ] Update changes
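
As an added example (not code from Agama or from these commits), the shell functions below audit a boot command line, such as a PXE append line, and report which root password source would apply, flagging the plain text form that is readable from /proc/cmdline. The function names, the result labels, the order among the boot options and the assumption that the ISO tag value has already been extracted are choices of this example; only the rule that boot options override the ISO tag comes from the text above.

```shell
# Added example, not Agama code. Sample values below are constructed.

# Print the value of option $2 (key=value form) from command line $1.
# Runs in a subshell so that "set -f" (no globbing) does not leak out.
cmdline_value() (
  set -f
  for arg in $1; do
    case "$arg" in
      "$2"=*) printf '%s\n' "${arg#*=}"; exit 0 ;;
    esac
  done
  exit 1
)

# Succeed if the bare flag $2 is present on command line $1.
cmdline_flag() (
  set -f
  for arg in $1; do
    [ "$arg" = "$2" ] && exit 0
  done
  exit 1
)

# Loose shape check for a crypt(3) string such as $6$salt$hash.
looks_like_crypt_hash() {
  case "$1" in
    '$'?*'$'?*'$'?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Name the password source for command line $1 and ISO tag value $2.
# Boot options beat the ISO tag (as the PR states); the order among the
# boot options themselves is an assumption of this example.
password_source() {
  if value=$(cmdline_value "$1" agama.password_hash); then
    if looks_like_crypt_hash "$value"; then echo cmdline-hash
    else echo invalid-hash; fi
  elif cmdline_value "$1" agama.password >/dev/null; then
    echo cmdline-plaintext   # readable by any process via /proc/cmdline
  elif cmdline_flag "$1" agama.password_systemd; then echo ask-systemd
  elif cmdline_flag "$1" agama.password_dialog; then echo ask-dialog
  elif [ -n "$2" ]; then echo iso-tag
  else echo static-default
  fi
}

# Constructed PXE-style command line: both forms given, the hash is reported.
password_source 'quiet agama.password=secret agama.password_hash=$6$salt$CONSTRUCTED' ''
```

The parser splits on whitespace only, so quoted values containing spaces are out of scope for this example.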
@imobachgs imobachgs mentioned this pull request Jun 27, 2024
imobachgs added a commit that referenced this pull request Jun 27, 2024
Prepare for releasing Agama 9. It includes the following pull requests:
