Lock the root account, except on live-iso
If we leave the root account w/o a password people will use it that way, leading to insecure images. Also if we use a default password. So lock the root account in the templates.

Users will need to do one of these things:

1. Use [[customizations.user]] in their blueprint to configure root or another user.
2. Use [[customizations.sshkey]] to set a key for root
3. Install a package that configures a user at install time
4. Install a package that sets up a user at boot time (eg. cloud-init)

This also drops the auth line from the kickstart templates, allowing it to use the default password algorithm instead of md5.

Resolves: rhbz#1626122
parent 003108b15f
commit f360ef9216
@ -13,6 +13,18 @@ Behind the scenes it uses `livemedia-creator <livemedia-creator.html>`_ and
|
||||
`Anaconda <https://anaconda-installer.readthedocs.io/en/latest/>`_ to handle the
|
||||
installation and configuration of the images.
|
||||
|
||||
Important Things To Note
|
||||
------------------------
|
||||
|
||||
* SELinux must be in Permissive mode. Anaconda requires SELinux be in permissive mode
|
||||
for image creation to work correctly. You can either edit the setting in the
|
||||
``/etc/sysconfig/selinux`` file, or run ``setenforce 0`` before starting lorax-composer.
|
||||
|
||||
* All image types lock the root account, except for live-iso. You will need to either
|
||||
use one of the `Customizations`_ methods for setting a ssh key/password, install a
|
||||
package that creates a user, or use something like `cloud-init` to setup access at
|
||||
boot time.
|
||||
|
||||
Installation
|
||||
------------
|
||||
|
||||
|
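Review bot: In the new root-account bullet, `cloud-init` is written with single backticks, which reStructuredText treats as interpreted text rather than a literal; the SELinux bullet just above uses double backticks for ``setenforce 0``, so write ``cloud-init`` the same way. In the same sentence, "setup access" should read "set up access".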
@ -3,12 +3,9 @@
|
||||
# Firewall configuration
|
||||
firewall --enabled
|
||||
|
||||
# Root password
|
||||
rootpw --plaintext removethispw
|
||||
# NOTE: The root account is locked by default
|
||||
# Network information
|
||||
network --bootproto=dhcp --onboot=on --activate
|
||||
# System authorization information
|
||||
auth --useshadow --enablemd5
|
||||
# System keyboard
|
||||
keyboard --xlayouts=us --vckeymap=us
|
||||
# System language
|
||||
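Review bot: The replacement comment `# NOTE: The root account is locked by default` leaves the lock resting on the installer's behaviour when no `rootpw` line is present, and nothing in the template enforces it. Consider stating it explicitly with `rootpw --lock` in place of the removed `rootpw --plaintext removethispw`, so the template keeps locking root even if that default changes.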
@ -34,4 +31,4 @@ rm /var/lib/systemd/random-seed
|
||||
# Packages requires to support this output format go here
|
||||
policycoreutils
|
||||
|
||||
# NOTE lorax-composer will add the recipe packages below here, including the final %end
|
||||
# NOTE lorax-composer will add the blueprint packages below here, including the final %end
|
||||
|
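Review bot: The `recipe` to `blueprint` wording change in the trailing NOTE comment is unrelated to locking root and is not mentioned in the commit message; mention it there or split it into its own commit so the security change is easy to audit and backport. The context line above it, `# Packages requires to support this output format go here`, has a typo (`required`) that could go into the same cleanup.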
@ -1,16 +1,14 @@
|
||||
# Lorax Composer Live ISO output kickstart template
|
||||
|
||||
#
|
||||
# Firewall configuration
|
||||
firewall --enabled --service=mdns
|
||||
|
||||
# X Window System configuration information
|
||||
xconfig --startxonboot
|
||||
# Root password
|
||||
# Root password is removed for live-iso
|
||||
rootpw --plaintext removethispw
|
||||
# Network information
|
||||
network --bootproto=dhcp --device=link --activate
|
||||
# System authorization information
|
||||
auth --useshadow --passalgo=sha512
|
||||
# System keyboard
|
||||
keyboard --xlayouts=us --vckeymap=us
|
||||
# System language
|
||||
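Review bot: The new comment `# Root password is removed for live-iso` sits directly above `rootpw --plaintext removethispw`, which stays in the template, and nothing in this hunk shows where the removal happens. Say in the comment which step clears it, so a reader can confirm the ISO does not ship with the placeholder password. Also note that this template was on `--passalgo=sha512`, not md5, so dropping its `auth` line is a move to the installer default rather than the move away from md5 that the commit message describes.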
@ -370,4 +368,4 @@ grub2-efi-ia32
|
||||
efibootmgr
|
||||
|
||||
|
||||
# NOTE lorax-composer will add the recipe packages below here, including the final %end%packages
|
||||
# NOTE lorax-composer will add the blueprint packages below here, including the final %end%packages
|
||||
|
@ -3,12 +3,9 @@
|
||||
# Firewall configuration
|
||||
firewall --enabled
|
||||
|
||||
# Root password
|
||||
rootpw --plaintext removethispw
|
||||
# NOTE: The root account is locked by default
|
||||
# Network information
|
||||
network --bootproto=dhcp --onboot=on --activate
|
||||
# System authorization information
|
||||
auth --useshadow --enablemd5
|
||||
# System keyboard
|
||||
keyboard --xlayouts=us --vckeymap=us
|
||||
# System language
|
||||
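Review bot: Dropping `auth --useshadow --enablemd5` removes `--useshadow` along with the md5 setting, so shadow passwords and the hash algorithm now both depend on the installer's defaults. The commit message covers the algorithm only; add a line confirming that shadow passwords are still the default, or leave a short comment here like the one added for the root account.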
@ -35,4 +32,4 @@ kernel
|
||||
|
||||
grub2
|
||||
|
||||
# NOTE lorax-composer will add the recipe packages below here, including the final %end
|
||||
# NOTE lorax-composer will add the blueprint packages below here, including the final %end
|
||||
|
@ -3,12 +3,9 @@
|
||||
# Firewall configuration
|
||||
firewall --enabled
|
||||
|
||||
# Root password
|
||||
rootpw --plaintext removethispw
|
||||
# NOTE: The root account is locked by default
|
||||
# Network information
|
||||
network --bootproto=dhcp --onboot=on --activate
|
||||
# System authorization information
|
||||
auth --useshadow --enablemd5
|
||||
# System keyboard
|
||||
keyboard --xlayouts=us --vckeymap=us
|
||||
# System language
|
||||
@ -25,9 +22,6 @@ timezone US/Eastern
|
||||
bootloader --location=mbr
|
||||
|
||||
%post
|
||||
# Remove root password
|
||||
passwd -d root > /dev/null
|
||||
|
||||
# Remove random-seed
|
||||
rm /var/lib/systemd/random-seed
|
||||
%end
|
||||
|
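Review bot: Removing `passwd -d root` from `%post` is what makes the lock hold in this template, since `passwd -d` leaves root with an empty password rather than a locked account, but the commit message does not mention it. Add a line about it to the message, and check that no other template's `%post` still carries the same command.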
@ -3,12 +3,9 @@
|
||||
# Firewall configuration
|
||||
firewall --enabled
|
||||
|
||||
# Root password
|
||||
rootpw --plaintext removethispw
|
||||
# NOTE: The root account is locked by default
|
||||
# Network information
|
||||
network --bootproto=dhcp --onboot=on --activate
|
||||
# System authorization information
|
||||
auth --useshadow --enablemd5
|
||||
# System keyboard
|
||||
keyboard --xlayouts=us --vckeymap=us
|
||||
# System language
|
||||
@ -35,4 +32,4 @@ rm /var/lib/systemd/random-seed
|
||||
policycoreutils
|
||||
|
||||
|
||||
# NOTE lorax-composer will add the recipe packages below here, including the final %end
|
||||
# NOTE lorax-composer will add the blueprint packages below here, including the final %end
|
||||
|