update-iso.sh: add --no-force-password option

The --no-force-password option removes the forced password change on initial login. This is to enable customers who use a customized workflow where the initial password is set to a secure value via update-iso.sh, and do not want a forced password change on initial login. Note: Used incorrectly, this is an insecure option. The --no-force-password should only be used in secure environments, where the initial password is kept secret. Further, this update does not affect the password aging policies in place. Test Plan: PASS: Use update-iso.sh to change an existing ISO: sudo ./update-iso.sh --addon ./ks-addon.cfg \ --no-force-password \ --initial-password 'MyPassword#123' \ --input ./starlingx-intel-x86-64-cd.iso \ --output ./update.iso And boot from the new ISO. Verify that the initial password upon boot is as expected, and that the provide password is accepted on first login, without the normal forced password change on initial login. PASS: Use update-iso.sh without the --no-force-password option, verify that the user is still forced to change password on initial login. Closes-Bug: 2030917 Signed-off-by: Kyle MacLeod <kyle.macleod@windriver.com> Change-Id: I962e66741cf10b24ba965bef99f3cd2ef977cec4
2023-08-09 17:00:50 -04:00 · 2023-08-09 17:00:50 -04:00 · cd854334ec
commit cd854334ec
parent 36170e3457
1 changed files with 12 additions and 1 deletions
--- a/utilities/platform-util/scripts/update-iso.sh
+++ b/utilities/platform-util/scripts/update-iso.sh
@ -53,6 +53,7 @@ function usage {
        -t|--timeout <menu timeout>
        -m|--mount <guestmount point>
        --initial-password <password>
+        --no-force-password
        -v|--verbose
        -h|--help

@ -62,6 +63,7 @@ function usage {
        -o <path/file>: Specify output ISO file
        -a <path/file>: Specify ks-addon.cfg file
        --initial-password <password>: Specify the initial login password for sysadmin user
+        --no-force-password: Do not force password change on initial login (insecure)
        -p <p=v>:  Specify boot parameter

            Example:
@ -253,6 +255,7 @@ declare INPUT_ISO=
 declare OUTPUT_ISO=
 declare ADDON=
 declare INITIAL_PASSWORD=
+declare NO_FORCE_PASSWORD=
 declare -a PARAMS
 declare DEFAULT_LABEL=
 declare DEFAULT_GRUB_ENTRY=
@ -263,7 +266,7 @@ declare VERBOSE=false

 script=$(basename "$0")
 OPTS=$(getopt -o a:d:hi:m:o:p:t:v \
-                --long addon:,initial-password:,default:,help,input:,mount:,output:,param:,timeout:,verbose \
+                --long addon:,initial-password:,no-force-password,default:,help,input:,mount:,output:,param:,timeout:,verbose \
                -n "${script}" -- "$@")
 if [ $? != 0 ]; then
    echo "Failed parsing options." >&2
@ -299,6 +302,10 @@ while true; do
            INITIAL_PASSWORD="${2}"
            shift 2
            ;;
+        --no-force-password)
+            NO_FORCE_PASSWORD=1
+            shift 1
+            ;;
        -a|--addon)
            ADDON="${2}"
            shift 2
@ -437,6 +444,10 @@ if [ -n "${INITIAL_PASSWORD}" ]; then
    ilog "Patching kickstart.cfg for custom default password"
    sed -i.bak 's@sudo --password 4SuW8cnXFyxsk@sudo --password 4SuW8cnXFyxsk; echo "sysadmin:'"$(openssl passwd -quiet -crypt "$INITIAL_PASSWORD")"'" | chpasswd -e@' "${BUILDDIR}/kickstart/kickstart.cfg"
 fi
+if [ -n "${NO_FORCE_PASSWORD}" ]; then
+    ilog "Patching kickstart.cfg for no forced password change"
+    sed -i.bak 's@chage -d 0 sysadmin@# DISABLED by update-iso.sh: chage -d 0 sysadmin@' "${BUILDDIR}/kickstart/kickstart.cfg"
+fi

 unmount_efiboot_img