-rw-r--r-- | ChangeLog | 3 | ||||
-rw-r--r-- | cloudinit/distros/__init__.py | 26 |
2 files changed, 17 insertions, 12 deletions
@@ -13,6 +13,9 @@ settings (LP: #1090482) - fix CloudStack DataSource to use Virtual Router as found in /var/lib/dhcpclient rather than default gateway (LP: #1089989) + - fix redaction of password field in log (LP: #1096417) + - fix to cloud-config user setup. Previously, lock_passwd was broken and + all accounts would be locked unless 'system' was given (LP: #1096423). 0.7.1: - sysvinit: fix missing dependency in cloud-init job for RHEL 5.6 - config-drive: map hostname to local-hostname (LP: #1061964) diff --git a/cloudinit/distros/__init__.py b/cloudinit/distros/__init__.py index be32757d..38b2f829 100644 --- a/cloudinit/distros/__init__.py +++ b/cloudinit/distros/__init__.py @@ -297,22 +297,26 @@ class Distro(object): "no_create_home": "-M", } + redact_fields = ['passwd'] + # Now check the value and create the command for option in kwargs: value = kwargs[option] if option in adduser_opts and value \ and isinstance(value, str): adduser_cmd.extend([adduser_opts[option], value]) - - # Redact the password field from the logs - if option != "password": - x_adduser_cmd.extend([adduser_opts[option], value]) - else: + # Redact certain fields from the logs + if option in redact_fields: x_adduser_cmd.extend([adduser_opts[option], 'REDACTED']) - + else: + x_adduser_cmd.extend([adduser_opts[option], value]) elif option in adduser_opts_flags and value: adduser_cmd.append(adduser_opts_flags[option]) - x_adduser_cmd.append(adduser_opts_flags[option]) + # Redact certain fields from the logs + if option in redact_fields: + x_adduser_cmd.append('REDACTED') + else: + x_adduser_cmd.append(adduser_opts_flags[option]) # Default to creating home directory unless otherwise directed # Also, we do not create home directories for system users. 
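Review bot: The redaction added in the `@@ -297,22 +297,26 @@` hunk only covers `x_adduser_cmd`. The real `adduser_cmd` still carries the `passwd` value as an argument, so a failure path that reports the executed command could still write it to the log; the call and its exception handling are outside this hunk, so that path needs checking. A comment next to the list would record the constraint, e.g. `# Values of these options must never be logged: log x_adduser_cmd, never adduser_cmd or the command from a subp error`. The second `if option in redact_fields:` in the `adduser_opts_flags` branch replaces a bare flag that has no value, so it hides nothing and could be dropped unless a flag name is meant to be listed. The enclosing method starts and ends outside the hunk.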
@@ -334,11 +338,9 @@ class Distro(object): if 'plain_text_passwd' in kwargs and kwargs['plain_text_passwd']: self.set_passwd(name, kwargs['plain_text_passwd']) - # Default locking down the account. - # - # Which means if lock_passwd is False (on non-existent its true) - # then lock or if system is True (on non-existent its false) then lock. - if (kwargs.get('lock_passwd', True) or kwargs.get('system', False)): + # Default locking down the account. 'lock_passwd' defaults to True. + # lock account unless lock_password is False. + if kwargs.get('lock_passwd', True): try: util.subp(['passwd', '--lock', name]) except Exception as e: |
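Review bot: `kwargs.get('lock_passwd', True)` falls back to True only when the key is absent, so a key that is present but empty (a bare `lock_passwd:` would presumably arrive as None) is falsy and leaves the account unlocked. If only an explicit false should skip the lock, `if kwargs.get('lock_passwd', True) is not False:` keeps the default fail-closed; how kwargs is built is not visible in this hunk, so confirm against the caller. The new comment also names `lock_password` where the key is `lock_passwd`; it could read `# Lock the account unless 'lock_passwd' is explicitly False.` The `try`/`except` body continues past the end of the hunk.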