Philipp's picture

Hi,

just found this article:

Making TurnKey more turnkey - the end to default passwords | TurnKey GNU/Linux (turnkeylinux.org)

I want to create a userlogin during initial setup.

Where should I create the "useradd" command, so that password is not logged in logfiles like 'history'?
How can I encrypt the password which was entered within the inithook-script?

Regards

Philipp

Forum: 
Jeremy Davis's picture

Hi Philipp.

I assume that you are using TKLDev to build your appliance? If so, then create the user within your conf script(s). Then create a new firstboot script to (re)set the user password.


Conf script

An example of user creation can be found within the Ansible appliance build code, namely these lines within the Ansible conf script. If you don't need a special group, special home directory layout, and aren't planning to provide your appliance via AWS, then this could be simplified to this (user will have a random password at creation time):

ADMIN_USER="new_user"
ADMIN_PASS=$(mcookie)

# create new_user user
adduser --gecos 'my user' $ADMIN_USER
echo $ADMIN_USER:$ADMIN_PASS | chpasswd

Firstboot

Then to create an inithook to set the password of this user account on firstboot, then you can just leverage the default 'setpass.py' script by dropping a new file in overlay/usr/lib/inithooks/firstboot.d/ (essentially a stripped down version of the default root user setting inithook; /usr/lib/inithooks/firstboot.d/30rootpass), like this:

# make sure that you are in the root of your build code directory
cat > overlay/usr/lib/inithooks/firstboot.d/40new_userpass <<EOF
#!/bin/bash -e
# set new_user password

USERNAME=new_user

. /etc/default/inithooks

[ -e \$INITHOOKS_CONF ] && . \$INITHOOKS_CONF
/$INITHOOKS_PATH/bin/setpass.py /$USERNAME --pass="$USER_PASS"
EOF

That will still support pre-seeding (in the preseed file add a line like this: 'USER_PASS="Your pre-seeded password") but will ask interactively if not pre-seeded.

I hope that helps.

Add new comment