From cd854334ec6f9783302815a0b923d97fef5c4328 Mon Sep 17 00:00:00 2001 From: Kyle MacLeod <kyle.macleod@windriver.com> Date: Wed, 9 Aug 2023 17:00:50 -0400 Subject: [PATCH] update-iso.sh: add --no-force-password option The --no-force-password option removes the forced password change on initial login. This is to enable customers who use a customized workflow where the initial password is set to a secure value via update-iso.sh, and do not want a forced password change on initial login. Note: Used incorrectly, this is an insecure option. The --no-force-password should only be used in secure environments, where the initial password is kept secret. Further, this update does not affect the password aging policies in place. Test Plan: PASS: Use update-iso.sh to change an existing ISO: sudo ./update-iso.sh --addon ./ks-addon.cfg \ --no-force-password \ --initial-password 'MyPassword#123' \ --input ./starlingx-intel-x86-64-cd.iso \ --output ./update.iso And boot from the new ISO. Verify that the initial password upon boot is as expected, and that the provide password is accepted on first login, without the normal forced password change on initial login. PASS: Use update-iso.sh without the --no-force-password option, verify that the user is still forced to change password on initial login. Closes-Bug: 2030917 Signed-off-by: Kyle MacLeod <kyle.macleod@windriver.com> Change-Id: I962e66741cf10b24ba965bef99f3cd2ef977cec4
---
 utilities/platform-util/scripts/update-iso.sh | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/utilities/platform-util/scripts/update-iso.sh b/utilities/platform-util/scripts/update-iso.sh
index d4a79729..d18d1e68 100755
--- a/utilities/platform-util/scripts/update-iso.sh
+++ b/utilities/platform-util/scripts/update-iso.sh
@@ -53,6 +53,7 @@ function usage {
 -t|--timeout <menu timeout>
 -m|--mount <guestmount point>
 --initial-password <password>
+ --no-force-password
 -v|--verbose
 -h|--help
@@ -62,6 +63,7 @@ function usage {
 -o <path/file>: Specify output ISO file
 -a <path/file>: Specify ks-addon.cfg file
 --initial-password <password>: Specify the initial login password for sysadmin user
+ --no-force-password: Do not force password change on initial login (insecure)
 -p <p=v>: Specify boot parameter
 Example:
@@ -253,6 +255,7 @@ declare INPUT_ISO=
 declare OUTPUT_ISO=
 declare ADDON=
 declare INITIAL_PASSWORD=
+declare NO_FORCE_PASSWORD=
 declare -a PARAMS
 declare DEFAULT_LABEL=
 declare DEFAULT_GRUB_ENTRY=
@@ -263,7 +266,7 @@ declare VERBOSE=false
 script=$(basename "$0")
 OPTS=$(getopt -o a:d:hi:m:o:p:t:v \
- --long addon:,initial-password:,default:,help,input:,mount:,output:,param:,timeout:,verbose \
+ --long addon:,initial-password:,no-force-password,default:,help,input:,mount:,output:,param:,timeout:,verbose \
 -n "${script}" -- "$@")
 if [ $? != 0 ]; then
 echo "Failed parsing options." >&2
@@ -299,6 +302,10 @@ while true; do
 INITIAL_PASSWORD="${2}"
 shift 2
 ;;
+ --no-force-password)
+ NO_FORCE_PASSWORD=1
+ shift 1
+ ;;
 -a|--addon)
 ADDON="${2}"
 shift 2
@@ -437,6 +444,10 @@ if [ -n "${INITIAL_PASSWORD}" ]; then
 ilog "Patching kickstart.cfg for custom default password"
 sed -i.bak 's@sudo --password 4SuW8cnXFyxsk@sudo --password 4SuW8cnXFyxsk; echo "sysadmin:'"$(openssl passwd -quiet -crypt "$INITIAL_PASSWORD")"'" | chpasswd -e@' "${BUILDDIR}/kickstart/kickstart.cfg"
 fi
+if [ -n "${NO_FORCE_PASSWORD}" ]; then
+ ilog "Patching kickstart.cfg for no forced password change"
+ sed -i.bak 's@chage -d 0 sysadmin@# DISABLED by update-iso.sh: chage -d 0 sysadmin@' "${BUILDDIR}/kickstart/kickstart.cfg"
+fi
 unmount_efiboot_img
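Review bot: In the declarations hunk, `declare NO_FORCE_PASSWORD=` introduces an empty/`1` flag, while the only other boolean visible on this page is written as `declare VERBOSE=false`. Declaring it as `declare NO_FORCE_PASSWORD=false`, setting `NO_FORCE_PASSWORD=true` in the `--no-force-password)` case and testing `[ "${NO_FORCE_PASSWORD}" = true ]` would keep one convention for on/off options. A one-line comment above the declaration, such as `# When set, the forced sysadmin password change on first login is removed from kickstart.cfg`, would also tell a reader why a security-relevant default can be switched off.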
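Review bot: The new `if [ -n "${NO_FORCE_PASSWORD}" ]` block in the last hunk runs whether or not `--initial-password` was given, so `--no-force-password` on its own yields an image whose sysadmin account keeps whatever password the kickstart ships with and is never made to change it. The commit message describes the option as meant for use together with `--initial-password`; rejecting the lone flag once option parsing is done (outside this hunk), e.g. `if [ -n "${NO_FORCE_PASSWORD}" ] && [ -z "${INITIAL_PASSWORD}" ]; then echo "--no-force-password requires --initial-password" >&2; exit 1; fi`, would enforce that instead of leaving it to the operator. Removing the forced change also makes the hash from the context line above long-lived: `openssl passwd -crypt` is traditional DES crypt, which uses only the first eight characters of the password, and the hash sits in kickstart.cfg on the ISO, so a stronger hash scheme is worth considering for this path. Separately, `sed` exits successfully when `chage -d 0 sysadmin` is not found, so the `ilog` line can report a patch that was not applied; a `grep -q 'chage -d 0 sysadmin'` check before it would surface that.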