Live ISO: set the root password from boot command line or interactively #1288
Merged
This handles several boot command line options for setting the root password:

- "agama.password=<password>" - set password (plain text)
- "agama.password_hash=<password_hash>" - set hashed password (generated by "mkpasswd" or "openssl passwd")
- "agama.password_systemd" - interactively ask for the password during boot using the "systemd-ask-password" tool
- "agama.password_dialog" - interactively ask for the password during boot using an interactive dialog
imobachgs approved these changes Jun 5, 2024
# before starting the SSH and Agama server so they use the new password | ||
Before=sshd.service | ||
Before=agama-web-server.service |
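Review bot: the two `Before=` lines only order this unit ahead of `sshd.service` and `agama-web-server.service`; ordering alone does not stop systemd from starting both services when the password unit fails or is not part of the boot transaction, so SSH and the web server would then come up with whatever root password the image already carries. Consider adding a requirement dependency next to the ordering, or note in the unit's comment that a failure here is non-fatal for the two services.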
np: I would try to be consistent with the style in agama-password-cmdline.service
and use:
Before=sshd.service agama-web-server.service
or
Before=sshd.service
Before=agama-web-server.service
Whatever you prefer, but the same.
lslezak added a commit that referenced this pull request Jun 6, 2024
## Problem

Avoid using the well known default root password in the Live medium.

## Solution

Allow modifying the default root password in the ISO medium by users.

A new default root password can be embedded into the ISO file metadata using this command:

```
tagmedia --add-tag "agama_password=$((openssl passwd -6) | base64 -w 0)" <agama.iso>
```

This will embed a SHA512 hashed password into the ISO application area. This area is already used for storing the medium checksum, if you run the `checkmedia` command to verify the medium integrity then the expected checksum is read from this metadata. You can check its content by running `tagmedia <agama.iso>`.

The ISO application area is pretty small (512 bytes), but there is still enough space to embed a hashed root password. Unfortunately it needs to be Base64 encoded otherwise `tagmedia` then reports an error about unsupported format.

If the root password is set by other options on the boot command line (see #1288) then they will override this ISO file default.

The advantage of this solution is that it does not need any special tweaks and you do not need root permissions to modify the ISO image.

This solution is suitable for mass deployment using the same physical medium. You can modify the ISO, dump it on a USB stick and then install several machines using your specific root password.

## Testing

- Tested manually, the embedded password is correctly used by Agama and SSH.
- If the password is set by the other boot options from #1288 then they will take precedence.

## TODO

Later:

- [ ] Create documentation
- [ ] Update changes
imobachgs added a commit that referenced this pull request Jun 27, 2024
Prepare for releasing Agama 9. It includes the following pull requests: - #1101 - #1202 - #1228 - #1231 - #1236 - #1238 - #1239 - #1240 - #1242 - #1243 - #1244 - #1245 - #1246 - #1247 - #1248 - #1249 - #1250 - #1251 - #1252 - #1253 - #1254 - #1255 - #1256 - #1257 - #1258 - #1259 - #1260 - #1261 - #1264 - #1265 - #1267 - #1268 - #1269 - #1270 - #1271 - #1272 - #1273 - #1274 - #1279 - #1280 - #1284 - #1285 - #1286 - #1287 - #1288 - #1289 - #1290 - #1291 - #1292 - #1293 - #1294 - #1295 - #1296 - #1298 - #1299 - #1300 - #1301 - #1302 - #1303 - #1304 - #1305 - #1306 - #1307 - #1308 - #1309 - #1310 - #1311 - #1312 - #1313 - #1314 - #1315 - #1316 - #1317 - #1318 - #1319 - #1320 - #1321 - #1322 - #1323 - #1324 - #1325 - #1326 - #1328 - #1329 - #1331 - #1332 - #1334 - #1338 - #1340 - #1341 - #1342 - #1343 - #1344 - #1345 - #1348 - #1349 - #1351 - #1352 - #1353 - #1354 - #1355 - #1356 - #1357 - #1358 - #1359 - #1360 - #1361 - #1362 - #1363 - #1365 - #1366 - #1367 - #1368 - #1371 - #1372 - #1374 - #1375 - #1376 - #1379 - #1380 - #1381 - #1383 - #1384 - #1385 - #1386 - #1387 - #1388 - #1389 - #1391 - #1392 - #1394 - #1395 - #1397 - #1398 - #1399 - #1400 - #1403
## Problem

## Solution

This adds several boot command line options for setting the root password:

- `agama.password=<password>` - set a plain text password, not really secure as every process can read it from `/proc/cmdline` but it is still far better than a predefined known password
- `agama.password_hash=<password_hash>` - set a hashed password (generated by `mkpasswd` or `openssl passwd`), this is more secure but difficult to type manually as the hashed password is usually quite long, suitable for environments where you can prepare the boot command line before booting (like in PXE boot)
- `agama.password_systemd` - interactively ask for the password during boot using the `systemd-ask-password` tool (simple prompt but should work also over a serial console)
- `agama.password_dialog` - interactively ask for the password during boot using an interactive dialog (more fancy, but might not work well over a serial console)

## Testing

## Additional Fixes

- `set -e` in `config.sh`, there was a hidden problem with activating the `spicevdagend` service, it was failing unnoticed for quite some time... 😱
- `chown` workarounds, not needed anymore as we build the tarball using the `--owner=0 --group=0` options so the owner is properly set already in the archive.

(But that gave me an idea about using the YaST Firstboot package for the Agama setup. We have almost full YaST in the Live ISO already. Using `dialog` is fine for simple things but if we ever need to do some more complicated setup then using YaST Firstboot might be a possible solution...)

## Notes

- `After=` option. If the screen later gets broken by another service the solution should be to add it into the `After=` list.
- `systemd-ask-password` tool has the same problem so the same workaround is applied there as well. (I hoped it is better integrated into the systemd boot process, but there is nothing special about it regarding the terminal handling.)

## TODO

## Screenshots

Entering a password using dialog

Entering a password using systemd
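
One way a boot-time script could pick up the `agama.password` and `agama.password_hash` options described above and vet the hash before it is handed to `chpasswd -e`. This is an added example, not code from this pull request; the function names, the last-one-wins and hash-over-plain rules, and the sample command line are assumptions.

```sh
#!/bin/sh
# Added example: hypothetical helpers, not the scripts from this pull request.

# Print the value of option $1 found in kernel command line $2 (last one wins).
# Plain whitespace splitting: quoted values containing spaces are not handled.
cmdline_value() (
    set -f    # no globbing while the command line is word-split
    found=1
    for word in $2; do
        case $word in
            "$1"=*) value=${word#"$1"=}; found=0 ;;
        esac
    done
    [ "$found" -eq 0 ] && printf '%s\n' "$value"
)

# Accept only modular crypt strings ($id$...$...). Anything with ':' or
# whitespace is refused so it can never add fields to a passwd/shadow entry.
is_crypt_hash() {
    [ "$(printf '%s' "$1" | LC_ALL=C tr -d 'A-Za-z0-9./=,$'; echo x)" = x ] || return 1
    case $1 in
        \$?*\$?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "<mode> root:<secret>" without changing anything. "encrypted" input is
# meant for `chpasswd -e`, "plain" for `chpasswd`. Preferring the hash when
# both options are present is this example's assumption.
# Returns 1 when neither option is given, 2 when the value is unusable.
plan_root_password() {
    if h=$(cmdline_value agama.password_hash "$1"); then
        is_crypt_hash "$h" || { echo "agama.password_hash: not a crypt hash" >&2; return 2; }
        printf 'encrypted root:%s\n' "$h"
    elif p=$(cmdline_value agama.password "$1"); then
        [ -n "$p" ] || return 2
        # The plain value stays readable in /proc/cmdline for every process.
        printf 'plain root:%s\n' "$p"
    else
        return 1
    fi
}

# Constructed command line; the hash is a made-up string, not a real digest.
sample='BOOT_IMAGE=/boot/vmlinuz agama.password_hash=$6$saltsalt$abcDEF./0123 quiet'
plan_root_password "$sample"
```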