Lock the root account, except on live-iso

If we leave the root account w/o a password people will use it that way,
leading to insecure images. Also if we use a default password. So lock
the root account in the templates.

Users will need to do one of these things:
 1. Use [[customizations.user]] in their blueprint to configure root or
    another user.
 2. Use [[customizations.sshkey]] to set a key for root
 3. Install a package that configures a user at install time
 4. Install a package that sets up a user at boot time (e.g. cloud-init)

This also drops the auth line from the kickstart templates, allowing it
to use the default password algorithm instead of md5.

Resolves: rhbz#1626122
Brian C. Lane 2018-08-08 15:46:16 -07:00
parent 3ad5a5cccf
commit 8963c33e16
6 changed files with 22 additions and 27 deletions

View File

@ -13,6 +13,18 @@ Behind the scenes it uses `livemedia-creator <livemedia-creator.html>`_ and
`Anaconda <https://anaconda-installer.readthedocs.io/en/latest/>`_ to handle the `Anaconda <https://anaconda-installer.readthedocs.io/en/latest/>`_ to handle the
installation and configuration of the images. installation and configuration of the images.
Important Things To Note
------------------------
* SELinux must be in Permissive mode. Anaconda requires SELinux be in permissive mode
for image creation to work correctly. You can either edit the setting in the
``/etc/sysconfig/selinux`` file, or run ``setenforce 0`` before starting lorax-composer.
* All image types lock the root account, except for live-iso. You will need to either
use one of the `Customizations`_ methods for setting a ssh key/password, install a
package that creates a user, or use something like `cloud-init` to setup access at
boot time.
Installation Installation
------------ ------------
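Review bot: the SELinux bullet in this hunk is not mentioned in the commit message and tells users to run ``setenforce 0`` without saying to return to enforcing mode once lorax-composer is finished; either split it into its own commit or add that sentence. In the root-account bullet, `cloud-init` is in single backticks while the other literals in this hunk use double backticks, so it will not render as a literal in reStructuredText. The bullet could also name the two customizations from the commit message ([[customizations.user]] and [[customizations.sshkey]]) so readers know what to look for under Customizations.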

View File

@ -3,12 +3,9 @@
# Firewall configuration # Firewall configuration
firewall --enabled firewall --enabled
# Root password # NOTE: The root account is locked by default
rootpw --plaintext removethispw
# Network information # Network information
network --bootproto=dhcp --onboot=on --activate network --bootproto=dhcp --onboot=on --activate
# System authorization information
auth --useshadow --enablemd5
# System keyboard # System keyboard
keyboard --xlayouts=us --vckeymap=us keyboard --xlayouts=us --vckeymap=us
# System language # System language
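Review bot: the new comment on the root password line says the account is locked by default, but nothing in the template enforces it, so the result depends on what the installer does when no rootpw line is present. An explicit `rootpw --lock` in place of the removed `rootpw --plaintext removethispw` would make the template self-documenting and keep the image locked if that default ever changes.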
@ -34,4 +31,4 @@ rm /var/lib/systemd/random-seed
# Packages requires to support this output format go here # Packages requires to support this output format go here
policycoreutils policycoreutils
# NOTE lorax-composer will add the recipe packages below here, including the final %end # NOTE lorax-composer will add the blueprint packages below here, including the final %end

View File

@ -1,16 +1,14 @@
# Lorax Composer Live ISO output kickstart template # Lorax Composer Live ISO output kickstart template
# # Firewall configuration
firewall --enabled --service=mdns firewall --enabled --service=mdns
# X Window System configuration information # X Window System configuration information
xconfig --startxonboot xconfig --startxonboot
# Root password # Root password is removed for live-iso
rootpw --plaintext removethispw rootpw --plaintext removethispw
# Network information # Network information
network --bootproto=dhcp --device=link --activate network --bootproto=dhcp --device=link --activate
# System authorization information
auth --useshadow --passalgo=sha512
# System keyboard # System keyboard
keyboard --xlayouts=us --vckeymap=us keyboard --xlayouts=us --vckeymap=us
# System language # System language
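Review bot: the rewritten comment says "Root password is removed for live-iso", yet the next line still sets `rootpw --plaintext removethispw` and the step that removes it is not in this hunk. Please have the comment say where the removal happens so nobody reads this line as a shipped default password. This hunk also drops `auth --useshadow --passalgo=sha512`, which was not md5 to begin with, so the md5 rationale in the commit message does not cover this file; a word on why it goes would help.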
@ -370,4 +368,4 @@ grub2-efi-ia32
efibootmgr efibootmgr
# NOTE lorax-composer will add the recipe packages below here, including the final %end%packages # NOTE lorax-composer will add the blueprint packages below here, including the final %end%packages

View File

@ -3,12 +3,9 @@
# Firewall configuration # Firewall configuration
firewall --enabled firewall --enabled
# Root password # NOTE: The root account is locked by default
rootpw --plaintext removethispw
# Network information # Network information
network --bootproto=dhcp --onboot=on --activate network --bootproto=dhcp --onboot=on --activate
# System authorization information
auth --useshadow --enablemd5
# System keyboard # System keyboard
keyboard --xlayouts=us --vckeymap=us keyboard --xlayouts=us --vckeymap=us
# System language # System language
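Review bot: removing `auth --useshadow --enablemd5` leaves the template with no statement of which hashing algorithm a password set through a blueprint will get. The commit message says the default is used; a one-line comment where the auth line was would record that this is intentional and stop someone from re-adding an auth line later.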
@ -35,4 +32,4 @@ kernel
grub2 grub2
# NOTE lorax-composer will add the recipe packages below here, including the final %end # NOTE lorax-composer will add the blueprint packages below here, including the final %end

View File

@ -3,12 +3,9 @@
# Firewall configuration # Firewall configuration
firewall --enabled firewall --enabled
# Root password # NOTE: The root account is locked by default
rootpw --plaintext removethispw
# Network information # Network information
network --bootproto=dhcp --onboot=on --activate network --bootproto=dhcp --onboot=on --activate
# System authorization information
auth --useshadow --enablemd5
# System keyboard # System keyboard
keyboard --xlayouts=us --vckeymap=us keyboard --xlayouts=us --vckeymap=us
# System language # System language
@ -25,9 +22,6 @@ timezone US/Eastern
bootloader --location=mbr bootloader --location=mbr
%post %post
# Remove root password
passwd -d root > /dev/null
# Remove random-seed # Remove random-seed
rm /var/lib/systemd/random-seed rm /var/lib/systemd/random-seed
%end %end
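Review bot: dropping `passwd -d root` from %post is what stops this image type from shipping a passwordless root, and nothing in the change checks the outcome; the files shown are documentation and templates only. A test that builds from each template and asserts that root's shadow entry is locked, not empty, would catch a regression if a template regains a rootpw or `passwd -d` line.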

View File

@ -3,12 +3,9 @@
# Firewall configuration # Firewall configuration
firewall --enabled firewall --enabled
# Root password # NOTE: The root account is locked by default
rootpw --plaintext removethispw
# Network information # Network information
network --bootproto=dhcp --onboot=on --activate network --bootproto=dhcp --onboot=on --activate
# System authorization information
auth --useshadow --enablemd5
# System keyboard # System keyboard
keyboard --xlayouts=us --vckeymap=us keyboard --xlayouts=us --vckeymap=us
# System language # System language
@ -35,4 +32,4 @@ rm /var/lib/systemd/random-seed
policycoreutils policycoreutils
# NOTE lorax-composer will add the recipe packages below here, including the final %end # NOTE lorax-composer will add the blueprint packages below here, including the final %end