root password for dynamic-login made simpler

Simplifies the definition of root password for dynamic login by lifting the requirement for a double quote at the end of the command line argument and letting the user encode the hash value in base64 format. Compatibility with the legacy behavior is kept but the updated documentation recomends using base64 as this makes it possible to use the same command line with syslinux (Bios) or grub (UEFI). Closes-Bug: #2123878 Change-Id: I3c263746ac2e4e6b1516c0303fb1193dbd9fb480 Signed-off-by: Pierre Crégut <pierre.cregut@orange.com>
2025-09-15 21:30:48 +02:00
parent b6323458a9
commit 6043889a78
3 changed files with 22 additions and 6 deletions
--- a/diskimage_builder/elements/dynamic-login/README.rst
+++ b/diskimage_builder/elements/dynamic-login/README.rst
@@ -27,10 +27,12 @@ rootpwd
  :Description: If the operator append rootpwd="$ENCRYPTED_PASSWORD" to the
                kernel command line on boot, the helper script will set the
                root password to the one specified by this option. Note that
-                this password must be **encrypted**. Interpolation can be
-                avoided by using $$. Encrypted passwords can be generated
-                using the ``openssl`` command, e.g: ``openssl passwd -1
-                -stdin <<< YOUR_PASSWORD | sed 's/\$/\$\$/g'``.
+                this password must be **encrypted** and encoded in base64
+                format. For compatibility with previous versions of this
+                element, the later step can be avoided but then $ character
+                must be escaped. Encrypted passwords can be generated
+                using the ``openssl`` command, e.g: ``openssl passwd -6
+                -stdin <<< YOUR_PASSWORD | base64 -w 0``.


 .. note::
--- a/diskimage_builder/elements/dynamic-login/static/usr/local/bin/dynamic-login
+++ b/diskimage_builder/elements/dynamic-login/static/usr/local/bin/dynamic-login
@@ -19,8 +19,15 @@ set -o pipefail

 # Reads an encrypted root password from the kernel command line and set
 # it to the root user
-if [[ $(</proc/cmdline) =~ rootpwd=\"?([^\"]+)\" ]]; then
-    echo "root:${BASH_REMATCH[1]}" | chpasswd -e
+
+if [[ $(</proc/cmdline) =~ rootpwd=\"?([^\"]+)\" ]] || \
+    [[ $(</proc/cmdline) =~ rootpwd=([^\" ]+)( |$) ]]
+then
+    pwdhash="${BASH_REMATCH[1]}"
+    if ! [[ $pwdhash =~ ^\$ ]]; then
+        pwdhash=$(base64 -d <<<"$pwdhash")
+    fi
+    echo "root:$pwdhash" | chpasswd -e
 fi

 # Reads a sshkey from the kernel command line and appends it to the root
--- a/releasenotes/notes/root-pwd-dynamic-login-530adcf15b577e4e.yaml
+++ b/releasenotes/notes/root-pwd-dynamic-login-530adcf15b577e4e.yaml
@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    The password hash provided on the kernel command line for dynamic login 
+    can now be base64 encoded and double quotes are no longer required.
+    The same command line can be used for both Syslinux (legacy BIOS)
+    and Grub (UEFI) although their escaping conventions are different.