Open nhi-vanye opened 1 year ago
@nhi-vanye I just wanted to ask if you had considered using authorized ssh keys? https://docs.fedoraproject.org/en-US/fedora-coreos/authentication/#_using_an_ssh_key
If so, could you try and explain why a password workflow is more suited to your needs?
Hi,
I have ssh authorised keys and expect it to be used normally, but I want a password to allow logging in via the console in case we're having networking issues.
Plus providing sudo access that isn't automatic.
I'm building an OS installer for automating the rollout of edge systems so I don't want to embed the password in the installer.
Can't you just bake in a one-off systemd service to the ignition to run the passwd expire command? I haven't tested this but
Example:
```yaml
systemd:
  units:
    # expire initial password
    - name: expire-initial-pass.service
      enabled: true
      contents: |
        [Unit]
        Description=Expire Initial Pass
        Before=boot-complete.target
        After=network-online.target
        Requires=network-online.target
        # Run only once: skip if the stamp file already exists
        ConditionPathExists=!/var/lib/expire-initial-pass.stamp
        [Service]
        Type=oneshot
        RemainAfterExit=yes
        # Force a password change for "core" at next login
        ExecStart=/bin/passwd -e core
        ExecStart=/bin/touch /var/lib/expire-initial-pass.stamp
        [Install]
        WantedBy=multi-user.target
```
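Added example, not part of the thread and not Ignition or Butane code: a check that the expiry unit above did its job. It relies on `passwd -e` setting the last-change field (field 3) of the user's shadow(5) entry to 0; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Classify password state from shadow(5)-format data.
# Field 2 is the password hash, field 3 the day of the last change.
# `passwd -e` sets field 3 to 0, which forces a change at next login.

password_state() {  # usage: password_state <shadow-file> <user>
    awk -F: -v user="$2" '
        $1 == user {
            found = 1
            if ($2 == "")          print "empty"        # no password required
            else if ($2 ~ /^[!*]/) print "locked"       # password login disabled
            else if ($3 == "0")    print "must-change"  # expired, e.g. by passwd -e
            else                   print "active"       # usable and not expired
            exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# List every account that still has a usable, unexpired password.
unexpired_passwords() {  # usage: unexpired_passwords <shadow-file>
    awk -F: '$2 != "" && $2 !~ /^[!*]/ && $3 != "0" { print $1 }' "$1"
}

# Constructed sample entries; the hashes are placeholders, not real crypt strings.
sample_shadow() {
    cat <<'EOF'
root:*:19700::::::
core:$y$j9T$PLACEHOLDER$PLACEHOLDER:0:0:99999:7:::
deploy:$y$j9T$PLACEHOLDER$PLACEHOLDER:19700:0:99999:7:::
svc:!!:19700::::::
EOF
}

# Demo on the constructed data: "core" was expired, "deploy" was not.
tmp=$(mktemp) && sample_shadow > "$tmp"
echo "core:   $(password_state "$tmp" core)"
echo "deploy: $(password_state "$tmp" deploy)"
echo "unexpired: $(unexpired_passwords "$tmp")"
rm -f "$tmp"
```

On a provisioned host, point the functions at `/etc/shadow` as root; an installer-set password that reports `active` after first boot means the expiry unit did not run.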
@Nitrousoxide Yeah; I think that would also work just fine.
Feature Request
I'd like the ability of forcing the expiration of a user's password on first login (or other password policy)
My use case is to avoid baking into the install config a hard-coded password whose lifetime will leave a backdoor.
Environment
What hardware/cloud provider/hypervisor is being used to run Ignition?
bare metal on embedded (NUC-like) edge devices