PDA

View Full Version : Autoyast Ask Passwords



jkinney
03-Apr-2013, 16:33
I have an autoyast script that I want to ask for the root password on. It is currently asking for the passwords, however when the install finished it won't work. I can boot the box using init=/bin/bash and see the password is stored for that user just as I entered it instead of being hashed. I'm assuming that might be the issue, but I'm hoping someone out there can provide some guidance.

Any insight would be great on how I can accomplish this as I have an immediate need to provision a bunch of boxes and want to automate as much as I can.

ab
04-Apr-2013, 06:57
Can you post your autoyast file, or part of it, so see if it compares to
others we have? I have the following section for 'root' in my
autoyast.xml file from a SLES 11 SP2 x86_64 box, though I am not having it
prompt me; how does that change compared to your file where it does prompt?

Code:
----------
<user>
<encrypted config:type="boolean">true</encrypted>
<fullname>root</fullname>
<gid>0</gid>
<home>/root</home>
<shell>/bin/bash</shell>
<uid>0</uid>

<user_password>$2y$12$tvIdGuL5wb9FhsC4bIJvweWkhjOHy5ZhMj2BcKjOHyr vcNoYjcOgrz</user_password>
<username>root</username>
</user>
----------

Good luck.

jkinney
04-Apr-2013, 14:07
I tried leaving no password for root in the user section of the autoinst file and also tried with a different, generic password for root in the user section. They both wind up setting the password unhashed in the /etc/shadow and all authentication attempts fail.

Here are the two sections:

<ask>
<title>PASSWORD FOR USER root</title>
<pathlist config:type="list">
<path>users,11,user_password</path>
</pathlist>

<question>Enter root password</question>

<stage>initial</stage>

<help>Enter the password for the superuser "root".</help>

<password config:type="boolean">true</password>
</ask>


<user>
<encrypted config:type="boolean">true</encrypted>

<fullname>root</fullname>

<gid>0</gid>

<home>/root</home>

<password_settings>
<expire>
</expire>

<flag>
</flag>

<inact>
</inact>

<max>
</max>

<min>
</min>

<warn>
</warn>
</password_settings>

<shell>/bin/bash</shell>

<uid>0</uid>
<user_password>$2y$05$WN9jE4A3PGkhRwNZmpcTWeu0OsIlXhogfE5oYY0hr5u 3R/pL5fxD.</user_password>
<username>root</username>
</user>


Alternate user section:

<user>
<encrypted config:type="boolean">true</encrypted>

<fullname>root</fullname>

<gid>0</gid>

<home>/root</home>

<password_settings>
<expire>
</expire>

<flag>
</flag>

<inact>
</inact>

<max>
</max>

<min>
</min>

<warn>
</warn>
</password_settings>

<shell>/bin/bash</shell>

<uid>0</uid>
<username>root</username>
</user>


Any ideas?

jmozdzen
04-Apr-2013, 16:17
Hi jkinney,

have you tried to set "encrypted" to "false"? AFAIK, that flag describes the state of the password entered in the autoyast file, not the target state in the password store.

Regards,
Jens

jkinney
04-Apr-2013, 21:10
Still no joy. When I attempt to login it says Permissiosn on the password database may be too restrictive and when looking at /etc/shadow the password is still not hashed.

jmozdzen
04-Apr-2013, 22:09
Hi jkinney,

sorry to hear that.

A web search turned up an example that was said to work years ago (http://www.linuxquestions.org/questions/suse-novell-60/autoyast-and-root-password-637672/)... the only difference to your attempt seems to be the omission of the <encrypted> element. Might be worth a try.

Regards,
Jens

jkinney
05-Apr-2013, 13:45
I did try the <encrypted> tag as well, but that didn't work either.

jmozdzen
05-Apr-2013, 14:43
Hi jkinney,


I did try the <encrypted> tag as well, but that didn't work either.

was that you tried "*without* the <encrypted> tag as well"? Anyhow, I've asked someone who's currently working with autoyast files to test this. It may take until next week that he will find time to actually perform these tests, I'll let you know once I receive his results.

Regards,
Jens

jmozdzen
05-Apr-2013, 15:15
Hi jkinney,

I received a first feedback - actually he had a setup running today, although for openSUSE, not for SLES. Anyhow, with the openSUSE version, putting a clear-text password into the autoyast file and omitting the "<encrypted>" tag, the resulting /etc/shadow contained a properly encrypted version of the password.

I'm not sure when/if he'll run the next autoyasted SLES11 install, but for us, the versions haven't behaved much differently so far. And the feedback I received was "should work similarly with SLES11".

Regards,
Jens