authorTore S. Lonoy <tore.lonoy@gmail.com>2016-11-04 11:38:31 +0100
committerScott Moser <smoser@brickies.net>2017-03-24 16:45:24 -0400
commit21632972df034c200578e1fbc121a07f20bb8774 (patch)
tree7e090adbe9bf31418e7f752e455342a0be5f9ed3 /doc
parent4a2b2f87ec48c227eb8fb2091dba604457cf8de8 (diff)
Add support for setting hashed passwords
This change adds support for hashed passwords in cc_set_passwords. It checks whether a password is a hash by checking that it matches in a fairly safe way, and also that the password does not have a ":" in it. chpasswd needs to know whether the password is hashed or not, so two lists are created so that chpasswd is fed the correct one. LP: #1570325
Diffstat (limited to 'doc')
-rw-r--r--doc/examples/cloud-config.txt9
1 files changed, 8 insertions, 1 deletions
diff --git a/doc/examples/cloud-config.txt b/doc/examples/cloud-config.txt
index c03f1026..bd84c641 100644
--- a/doc/examples/cloud-config.txt
+++ b/doc/examples/cloud-config.txt
@@ -426,14 +426,21 @@ syslog_fix_perms: syslog:root
#
# there is also an option to set multiple users passwords, using 'chpasswd'
# That looks like the following, with 'expire' set to 'True' by default.
-# to not expire users passwords, set 'expire' to 'False':
+# to not expire users passwords, set 'expire' to 'False'. Also possible
+# to set hashed password, here account 'user3' has a password it set to
+# 'cloud-init', hashed with SHA-256:
# chpasswd:
# list: |
# user1:password1
# user2:RANDOM
+# user3:$5$eriogqzq$Dg7PxHsKGzziuEGkZgkLvacjuEFeljJ.rLf.hZqKQLA
# expire: True
# ssh_pwauth: [ True, False, "" or "unchanged" ]
#
+# Hashed passwords can be generated in multiple ways, example with python3:
+# python3 -c 'import crypt,getpass; print(crypt.crypt(getpass.getpass(), crypt.mksalt(crypt.METHOD_SHA512)))'
+# Newer versions of 'mkpasswd' will also work: mkpasswd -m sha-512 password
+#
# So, a simple working example to allow login via ssh, and not expire
# for the default user would look like:
password: passw0rd
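Review bot: The added `mkpasswd -m sha-512 password` example puts the plaintext on the command line, where it lands in shell history and is visible in the process list while the command runs. I would change that comment line to `# Newer versions of 'mkpasswd' will also work: mkpasswd -m sha-512`, which prompts for the password the same way the getpass-based python3 example above it does. The intro comment also describes the user3 value as SHA-256 (`$5$`) while both generation commands produce SHA-512 (`$6$`); presumably both forms are accepted, but the text should either say so or use a matching example hash. A short extra comment such as `# the user3 hash is for a published password; generate your own` would keep readers from pasting the sample value unchanged.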