Lock the root account, except on live-iso

If we leave the root account w/o a password people will use it that way,
leading to insecure images. Also if we use a default password. So lock
the root account in the templates.

Users will need to do one of these things:
 1. Use [[customizations.user]] in their blueprint to configure root or
    another user.
 2. Use [[customizations.sshkey]] to set a key for root
 2. Install a package that configures a user at install time
 3. Install a package that sets up a user at boot time (eg. cloud-init)

This also drops the auth line from the kickstart templates, allowing it
to use the default password algoritm instead of md5.

Resolves: rhbz#1626122
This commit is contained in:
Brian C. Lane 2018-08-08 15:46:16 -07:00
parent 003108b15f
commit f360ef9216
6 changed files with 22 additions and 27 deletions

View File

@ -13,6 +13,18 @@ Behind the scenes it uses `livemedia-creator <livemedia-creator.html>`_ and
`Anaconda <https://anaconda-installer.readthedocs.io/en/latest/>`_ to handle the
installation and configuration of the images.
Important Things To Note
------------------------
* SELinux must be in Permissive mode. Anaconda requires SELinux be in permissive mode
for image creation to work correctly. You can either edit the setting in the
``/etc/sysconfig/selinux`` file, or run ``setenforce 0`` before starting lorax-composer.
* All image types lock the root account, except for live-iso. You will need to either
use one of the `Customizations`_ methods for setting a ssh key/password, install a
package that creates a user, or use something like `cloud-init` to setup access at
boot time.
Installation
------------

View File

@ -3,12 +3,9 @@
# Firewall configuration
firewall --enabled
# Root password
rootpw --plaintext removethispw
# NOTE: The root account is locked by default
# Network information
network --bootproto=dhcp --onboot=on --activate
# System authorization information
auth --useshadow --enablemd5
# System keyboard
keyboard --xlayouts=us --vckeymap=us
# System language
@ -34,4 +31,4 @@ rm /var/lib/systemd/random-seed
# Packages requires to support this output format go here
policycoreutils
# NOTE lorax-composer will add the recipe packages below here, including the final %end
# NOTE lorax-composer will add the blueprint packages below here, including the final %end

View File

@ -1,16 +1,14 @@
# Lorax Composer Live ISO output kickstart template
#
# Firewall configuration
firewall --enabled --service=mdns
# X Window System configuration information
xconfig --startxonboot
# Root password
# Root password is removed for live-iso
rootpw --plaintext removethispw
# Network information
network --bootproto=dhcp --device=link --activate
# System authorization information
auth --useshadow --passalgo=sha512
# System keyboard
keyboard --xlayouts=us --vckeymap=us
# System language
@ -370,4 +368,4 @@ grub2-efi-ia32
efibootmgr
# NOTE lorax-composer will add the recipe packages below here, including the final %end%packages
# NOTE lorax-composer will add the blueprint packages below here, including the final %end%packages

View File

@ -3,12 +3,9 @@
# Firewall configuration
firewall --enabled
# Root password
rootpw --plaintext removethispw
# NOTE: The root account is locked by default
# Network information
network --bootproto=dhcp --onboot=on --activate
# System authorization information
auth --useshadow --enablemd5
# System keyboard
keyboard --xlayouts=us --vckeymap=us
# System language
@ -35,4 +32,4 @@ kernel
grub2
# NOTE lorax-composer will add the recipe packages below here, including the final %end
# NOTE lorax-composer will add the blueprint packages below here, including the final %end

View File

@ -3,12 +3,9 @@
# Firewall configuration
firewall --enabled
# Root password
rootpw --plaintext removethispw
# NOTE: The root account is locked by default
# Network information
network --bootproto=dhcp --onboot=on --activate
# System authorization information
auth --useshadow --enablemd5
# System keyboard
keyboard --xlayouts=us --vckeymap=us
# System language
@ -25,9 +22,6 @@ timezone US/Eastern
bootloader --location=mbr
%post
# Remove root password
passwd -d root > /dev/null
# Remove random-seed
rm /var/lib/systemd/random-seed
%end

View File

@ -3,12 +3,9 @@
# Firewall configuration
firewall --enabled
# Root password
rootpw --plaintext removethispw
# NOTE: The root account is locked by default
# Network information
network --bootproto=dhcp --onboot=on --activate
# System authorization information
auth --useshadow --enablemd5
# System keyboard
keyboard --xlayouts=us --vckeymap=us
# System language
@ -35,4 +32,4 @@ rm /var/lib/systemd/random-seed
policycoreutils
# NOTE lorax-composer will add the recipe packages below here, including the final %end
# NOTE lorax-composer will add the blueprint packages below here, including the final %end