cc_set_passwords does not expire users if password given as hash
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| cloud-init |
Fix Released
|
High
|
Unassigned | ||
Bug Description
https:/
Documentation explains three different ways of setting user password using chpasswd but doesn't mention that they would otherwise work any differently from one another. Passwords should by default be expired if not specifically set otherwise in chpasswd. Although if one sets the password as hash either in password or chpasswd list, cc_set_passwords.py skips passwd --expire <username> completely which doesn't match documented behaviour.
This part only applies to users which had either plain text password or random password set.
Thanks for reporting this. I can reproduce the behavior described.
Expectation here is to fix hashed passwords to also expire.
Validated that hashed password is not expired by default:
cat > hash_pw_
#cloud-config
ssh_pwauth: true
users:
- default
- gecos: User One
name: u1
groups: [adm, cdrom, dip, lxd, sudo]
lock_passwd: False
- gecos: User Two
name: u2
groups: [adm, cdrom, dip, lxd, sudo]
lock-passwd: False
chpasswd:
list:
- u1:6ドル$rounds=
- u2:RANDOM
EOF
lxc launch ubuntu-daily:jammy test-pw-expiry -c user.user-
lxc exec test-pw-expiry -- cloud-init status --wait --long
IP=`lxc ls -c 4 test-pw-expiry | awk '/eth/{print 2ドル}'`
ssh u1@$IP # hashed password this4now
# Note no expiry notice
lxc console test-pw-expiry --show-log | grep u2
#copy password and login
ssh u2@$IP # Use random password printed to console from above
# Note expiry notice
After further review and discussion on this item, we determined it's best not to change existing behavior, but fix the docs to align with current behavior. Introducing a change in behavior for hashed password expiry may break automation expecting to rely on this feature.
Since the introduction of hashed password support in cloud-init released in 2017[1], the hashed passwords are not expired. Let's retain and more clearly document that behavior.
[1] hashed pw support https:/
After further further review, we decided to fix the behavior after all. See https:/
A follow-on PR will ensure the original behavior is preserved for existing releases.
This bug is believed to be fixed in cloud-init in version 22.3. If this is still a problem for you, please make a comment and set the state back to New
Thank you.
Tracked in Github Issues as https:/