add support for setting passwords and managing PasswordAuthentication

Note: by default, nothing is done.  No users will have passwords
set, nor will sshd's configuration be changed unless cloud-config
is modified.  Additionally, by default, users whose passwords are
set have their password expired, forcing a change.

4 files changed, 164 insertions, 0 deletions

diff --git a/ChangeLog b/ChangeLog
index 897d7d16..caaedd2a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,8 @@
  - improve comment strings in rsyslog file tools/21-cloudinit.conf
  - add previous-instance-id and previous-datasource files to datadir
  - add 'datasource' file to instance dir
+ - add setting of passwords and enabling/disabling of PasswordAuthentication
+   for sshd.  By default no changes are done to sshd.
 0.6.0:
  - change permissions of /var/log/cloud-init.log to accomodate
    syslog writing to it (LP: #704509)
diff --git a/cloudinit/CloudConfig/cc_set_passwords.py b/cloudinit/CloudConfig/cc_set_passwords.py
new file mode 100644
index 00000000..92f0aac7
--- /dev/null
+++ b/cloudinit/CloudConfig/cc_set_passwords.py
@@ -0,0 +1,124 @@
+# vi: ts=4 expandtab
+#
+#    Copyright (C) 2009-2010 Canonical Ltd.
+#
+#    Author: Scott Moser <scott.moser@canonical.com>
+#
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License version 3, as
+#    published by the Free Software Foundation.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import cloudinit.util as util
+import subprocess
+import sys
+import random
+import string
+
+def handle(name,cfg,cloud,log,args):
+    if len(args) != 0:
+        # if run from command line, and give args, wipe the chpasswd['list']
+        password = args[0]
+        if 'chpasswd' in cfg and 'list' in cfg['chpasswd']:
+            del cfg['chpasswd']['list']
+    else:
+        password = util.get_cfg_option_str(cfg,"password",None)
+
+    expire = True
+    pw_auth = "no"
+    change_pwauth = False
+    plist = None
+
+    if 'chpasswd' in cfg:
+        chfg = cfg['chpasswd']
+        plist = util.get_cfg_option_str(chfg,'list',plist)
+        expire = util.get_cfg_option_bool(chfg,'expire', expire)
+
+    if not plist and password:
+        user = util.get_cfg_option_str(cfg,"user","ubuntu")
+        plist = "%s:%s" % (user, password)
+
+    errors = []
+    if plist:
+        plist_in = []
+        randlist = []
+        users = []
+        for line in plist.splitlines():
+            u,p = line.split(':',1)
+            if p == "R" or p == "RANDOM":
+                p = rand_user_password()
+                randlist.append("%s:%s" % (u,p))
+            plist_in.append("%s:%s" % (u,p))
+            users.append(u)
+        
+        ch_in = '\n'.join(plist_in)
+        try:
+            util.subp(['chpasswd'], ch_in)
+            log.debug("changed password for %s:" % users)
+        except Exception as e:
+            errors.append(e)
+            log.warn("failed to set passwords with chpasswd: %s" % e)
+
+        if len(randlist):
+            sys.stdout.write("%s\n%s\n" % ("Set the following passwords\n",
+                '\n'.join(randlist) ))
+
+        if expire:
+            enum=len(errors)
+            for u in users:
+                try:
+                    util.subp(['passwd', '--expire', u])
+                except Exception as e:
+                    errors.append(e)
+                    log.warn("failed to expire account for %s" % u )
+            if enum == len(errors):
+                log.debug("expired passwords for: %s" % u)
+
+    if 'ssh_pwauth' in cfg:
+        val = str(cfg['ssh_pwauth']).lower()
+        if val in ( "true", "1", "yes"):
+            pw_auth="yes"
+            change_pwauth=True
+        elif val in ( "false", "0", "no"):
+            pw_auth="no"
+            change_pwauth=True
+        else:
+            change_pwauth=False
+            
+    if change_pwauth:
+        pa_s = "\(#*\)\(PasswordAuthentication[[:space:]]\+\)\(yes\|no\)"
+        msg = "set PasswordAuthentication to '%s'" % pw_auth
+        try:
+            cmd = [ 'sed', '-i', 's,%s,\\2%s,' % (pa_s, pw_auth),
+                    '/etc/ssh/sshd_config' ]
+            util.subp(cmd)
+            log.debug(msg)
+        except Exception as e:
+            log.warn("failed %s" % msg)
+            errors.append(e)
+
+        try:
+            p = util.subp(['service', 'ssh', 'restart'])
+            log.debug("restarted sshd")
+        except:
+            log.warn("restart of ssh failed")
+
+    if len(errors):
+        raise(errors[0])
+
+    return
+
+def rand_str(strlen=32, select_from=string.letters+string.digits):
+    return("".join([random.choice(select_from) for x in range(0, strlen)]))
+
+def rand_user_password(pwlen=9):
+    selfrom=(string.letters.translate(None,'loLOI') +
+             string.digits.translate(None,'01'))
+    return(rand_str(pwlen,select_from=selfrom))
+
diff --git a/config/cloud.cfg b/config/cloud.cfg
index 90e7ae30..dcd61280 100644
--- a/config/cloud.cfg
+++ b/config/cloud.cfg
@@ -14,6 +14,7 @@ cloud_config_modules:
  - ssh-import-id
  - locale
  - ssh
+ - set-passwords
  - grub-dpkg
  - apt-update-upgrade
  - puppet
diff --git a/doc/examples/cloud-config.txt b/doc/examples/cloud-config.txt
index 443fee2e..0a1d4279 100644
--- a/doc/examples/cloud-config.txt
+++ b/doc/examples/cloud-config.txt
@@ -346,3 +346,40 @@ timezone: US/Eastern
 # if either is empty, then no change of ownership will be done
 def_log_file: /var/log/my-logging-file.log
 syslog_fix_perms: syslog:root
+
+# you can set passwords for a user or multiple users
+# this is off by default.
+# to set the default user's password, use the 'password' option.
+# if set, to 'R' or 'RANDOM', then a random password will be
+# generated and written to stdout (the console)
+# password: passw0rd
+#
+# also note, that this will expire the password, forcing a change
+# on first login. If you do not want to expire, see 'chpasswd' below.
+#
+# By default in the UEC images password authentication is disabled
+# Thus, simply setting 'password' as above will only allow you to login
+# via the console.
+#
+# in order to enable password login via ssh you must set
+# 'ssh_pwauth'.
+# If it is set, to 'True' or 'False', then sshd_config will be updated
+# to ensure the desired function.  If not set, or set to '' or 'unchanged'
+# then sshd_config will not be updated.
+# ssh_pwauth: True
+#
+# there is also an option to set multiple users passwords, using 'chpasswd'
+# That looks like the following, with 'expire' set to 'True' by default.
+# to not expire users passwords, set 'expire' to 'False':
+# chpasswd:
+#  list: |
+#    user1:password1
+#    user2:RANDOM
+#  expire: True
+# ssh_pwauth: [ True, False, "" or "unchanged" ]
+#
+# So, a simple working example to allow login via ssh, and not expire
+# for the default user would look like:
+password: passw0rd
+chpasswd: { expire: False }
+ssh_pwauth: True