Lock the root account, except on live-iso

If we leave the root account w/o a password people will use it that way,
leading to insecure images. Also if we use a default password. So lock
the root account in the templates.

Users will need to do one of these things:
 1. Use [[customizations.user]] in their blueprint to configure root or
    another user.
 2. Use [[customizations.sshkey]] to set a key for root
 2. Install a package that configures a user at install time
 3. Install a package that sets up a user at boot time (eg. cloud-init)

This also drops the auth line from the kickstart templates, allowing it
to use the default password algoritm instead of md5.

Resolves: rhbz#1626120

docs/lorax-composer.rst

@@ -25,6 +25,11 @@ Important Things To Note
   for information on how to enable it. Otherwise you will see image creation fail to
   depsolve even if the blueprint itself is correct.
 
+* All image types lock the root account, except for live-iso. You will need to either
+  use one of the `Customizations`_ methods for setting a ssh key/password, install a
+  package that creates a user, or use something like `cloud-init` to setup access at
+  boot time.
+
 Installation
 ------------
 

share/composer/ext4-filesystem.ks

@@ -1,16 +1,11 @@
 # Lorax Composer filesystem output kickstart template
 
-#
-sshpw --username=root --plaintext randOmStrinGhERE
 # Firewall configuration
 firewall --enabled
 
-# Root password
+# NOTE: The root account is locked by default
-rootpw --plaintext removethispw
 # Network information
 network  --bootproto=dhcp --onboot=on --activate
-# System authorization information
-auth --useshadow --enablemd5
 # System keyboard
 keyboard --xlayouts=us --vckeymap=us
 # System language
@@ -27,13 +22,10 @@ timezone  US/Eastern
 bootloader --location=none
 
 %post
-# Remove root password
-passwd -d root > /dev/null
-
 # Remove random-seed
 rm /var/lib/systemd/random-seed
 %end
 
 %packages --nobase
 
-# NOTE lorax-composer will add the recipe packages below here, including the final %end
+# NOTE lorax-composer will add the blueprint packages below here, including the final %end

share/composer/live-iso.ks

@@ -1,18 +1,14 @@
 # Lorax Composer Live ISO output kickstart template
 
-#
-sshpw --username=root --plaintext randOmStrinGhERE
 # Firewall configuration
 firewall --enabled --service=mdns
 
 # X Window System configuration information
 xconfig  --startxonboot
-# Root password
+# Root password is removed for live-iso
 rootpw --plaintext removethispw
 # Network information
 network  --bootproto=dhcp --onboot=on --activate
-# System authorization information
-auth --useshadow --enablemd5
 # System keyboard
 keyboard --xlayouts=us --vckeymap=us
 # System language
@@ -362,4 +358,4 @@ grub2-efi-ia32
 efibootmgr
 
 
-# NOTE lorax-composer will add the recipe packages below here, including the final %end%packages
+# NOTE lorax-composer will add the blueprint packages below here, including the final %end%packages

share/composer/partitioned-disk.ks

@@ -1,16 +1,11 @@
 # Lorax Composer partitioned disk output kickstart template
 
-#
-sshpw --username=root --plaintext randOmStrinGhERE
 # Firewall configuration
 firewall --enabled
 
-# Root password
+# NOTE: The root account is locked by default
-rootpw --plaintext removethispw
 # Network information
 network  --bootproto=dhcp --onboot=on --activate
-# System authorization information
-auth --useshadow --enablemd5
 # System keyboard
 keyboard --xlayouts=us --vckeymap=us
 # System language
@@ -29,9 +24,6 @@ bootloader --location=mbr
 zerombr
 
 %post
-# Remove root password
-passwd -d root > /dev/null
-
 # Remove random-seed
 rm /var/lib/systemd/random-seed
 %end
@@ -42,4 +34,4 @@ kernel
 
 grub2
 
-# NOTE lorax-composer will add the recipe packages below here, including the final %end
+# NOTE lorax-composer will add the blueprint packages below here, including the final %end

share/composer/qcow2.ks

@@ -1,16 +1,11 @@
 # Lorax Composer qcow2 output kickstart template
 
-#
-sshpw --username=root --plaintext randOmStrinGhERE
 # Firewall configuration
 firewall --enabled
 
-# Root password
+# NOTE: The root account is locked by default
-rootpw --plaintext removethispw
 # Network information
 network  --bootproto=dhcp --onboot=on --activate
-# System authorization information
-auth --useshadow --enablemd5
 # System keyboard
 keyboard --xlayouts=us --vckeymap=us
 # System language
@@ -29,9 +24,6 @@ bootloader --location=mbr
 zerombr
 
 %post
-# Remove root password
-passwd -d root > /dev/null
-
 # Remove random-seed
 rm /var/lib/systemd/random-seed
 %end
@@ -41,4 +33,4 @@ kernel
 -dracut-config-rescue
 grub2
 
-# NOTE lorax-composer will add the recipe packages below here, including the final %end
+# NOTE lorax-composer will add the blueprint packages below here, including the final %end

share/composer/tar.ks

@@ -1,16 +1,11 @@
 # Lorax Composer tar output kickstart template
 
-#
-sshpw --username=root --plaintext randOmStrinGhERE
 # Firewall configuration
 firewall --enabled
 
-# Root password
+# NOTE: The root account is locked by default
-rootpw --plaintext removethispw
 # Network information
 network  --bootproto=dhcp --onboot=on --activate
-# System authorization information
-auth --useshadow --enablemd5
 # System keyboard
 keyboard --xlayouts=us --vckeymap=us
 # System language
@@ -27,9 +22,6 @@ timezone  US/Eastern
 bootloader --location=none
 
 %post
-# Remove root password
-passwd -d root > /dev/null
-
 # Remove random-seed
 rm /var/lib/systemd/random-seed
 %end
@@ -39,4 +31,4 @@ rm /var/lib/systemd/random-seed
 # Packages requires to support this output format go here
 
 
-# NOTE lorax-composer will add the recipe packages below here, including the final %end
+# NOTE lorax-composer will add the blueprint packages below here, including the final %end