[Pkg-shadow-commits] r568 - trunk/debian

Christian Perrier bubulle at costa.debian.org
Thu Oct 6 18:59:46 UTC 2005


Author: bubulle
Date: 2005-10-06 18:59:45 +0000 (Thu, 06 Oct 2005)
New Revision: 568

Modified:
   trunk/debian/changelog
   trunk/debian/passwd.config
   trunk/debian/passwd.templates
Log:
Allow preseeding root and user passwords with an MD5 hash (and "*" to disable
the root password)


Modified: trunk/debian/changelog
===================================================================
--- trunk/debian/changelog	2005-10-06 16:41:05 UTC (rev 567)
+++ trunk/debian/changelog	2005-10-06 18:59:45 UTC (rev 568)
@@ -18,6 +18,11 @@
                            removed
     - debian/rules:
       - pack upstream's NEWS file into login and passwd. Closes: #331487
+    - debian/passwd.config, debian/passwd.templates:
+      - allow preseeding the root (and user) password with a MD5 hash
+        Closes: #275343, #304352
+      - the above also allows preseeding a disabled password for root
+        Closes: #304343
 
  -- Christian Perrier <bubulle at debian.org>  Wed, 28 Sep 2005 19:59:31 +0200
 

Modified: trunk/debian/passwd.config
===================================================================
--- trunk/debian/passwd.config	2005-10-06 16:41:05 UTC (rev 567)
+++ trunk/debian/passwd.config	2005-10-06 18:59:45 UTC (rev 568)
@@ -57,7 +57,10 @@
 # only called when first booting the system, when root has no
 # password at all, so that should be an unnecessary precaution).
 #
-# Pass in two arguments: the user and the password.
+# Arguments: 
+#  1) (mandatory) username
+#  2) (mandatory) password
+#  3) (optional) 1 for meaning "the passed password is a MD5 hash"
 setpassword () {
 	SETPASSWD_PW="$2"
 	export SETPASSWD_PW
@@ -67,7 +70,11 @@
 	# that by crypting the password myself if md5 is used.
 	USE_MD5=1
 	export USE_MD5
-	perl -e '
+
+        if test "$3" ; then
+	    echo $1:${SETPASSWD_PW} | chpasswd -e
+	else
+	    perl -e '
 		sub CreateCryptSalt {
 			my $md5 = shift;
 
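Review bot: The new hash branch runs `echo $1:${SETPASSWD_PW} | chpasswd -e` with both expansions unquoted, so the preseeded value goes through word splitting and pathname expansion before chpasswd reads it, and some shells' `echo` also interprets backslash sequences. The commit message advertises `*` as a valid value, which is exactly the kind of input that unquoted expansion can alter. The line is safer as `printf '%s:%s\n' "$1" "$SETPASSWD_PW" | chpasswd -e`. The body of setpassword starts and ends outside this hunk.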
@@ -90,7 +97,8 @@
 			crypt($ENV{SETPASSWD_PW}, CreateCryptSalt($ENV{USE_MD5})).
 			"\n";
 		close P;
-	' "$1"
+	    ' "$1"
+	fi
 	SETPASSWD_PW=''
 	USE_MD5=''
 }
@@ -120,43 +128,57 @@
 	3)
 		# Prompt for a root password if there is none.
 		if ! root_password; then
-			db_input critical passwd/root-password || true
-			# Note that this runs at a slightly lower
-			# priority, so it may not always be seen. If
-			# it isn't, don't compare passwords.
-			COMPARE_PW=''
-			db_input critical passwd/root-password-again \
+			# First check whether the root password hash was preseeded
+			db_get passwd/root-password-hash || true
+			if ! test $RET ; then
+			    # No preseed of the root password hash
+			    # we will prompt the user
+			    db_input critical passwd/root-password || true
+			    # Note that this runs at a slightly lower
+			    # priority, so it may not always be seen. If
+			    # it isn't, don't compare passwords.
+			    COMPARE_PW=''
+			    db_input critical passwd/root-password-again \
 				&& COMPARE_PW=1 || true
+			fi
 		fi
 	;;
 	4)
 		# Verify and set a root password.
 		if ! root_password; then
-			# Compare the two passwords, loop back if not
-			# identical, or if empty.
-			db_get passwd/root-password
-			ROOT_PW="$RET"
-			if [ -z "$ROOT_PW" ]; then
+			# First check whether the root password hash was preseeded
+			db_get passwd/root-password-hash || true
+			if ! test $RET ; then
+			    # Compare the two passwords, loop back if not
+			    # identical, or if empty.
+			    db_get passwd/root-password
+			    ROOT_PW="$RET"
+			    if [ -z "$ROOT_PW" ]; then
 				db_fset passwd/password-empty seen false
 				db_input critical passwd/password-empty
 				STATE=2
 				continue
-			fi
-			db_get passwd/root-password-again
-			if [ "$COMPARE_PW" ] && [ "$ROOT_PW" != "$RET" ]; then
+			    fi
+			    db_get passwd/root-password-again
+			    if [ "$COMPARE_PW" ] && [ "$ROOT_PW" != "$RET" ]; then
 				db_fset passwd/password-mismatch seen false
 				db_input critical passwd/password-mismatch
 				STATE=2
 				continue
+			    fi
+			
+			    # Clear root password from the db, and set the
+			    # password.
+			    db_set passwd/root-password ""
+			    db_set passwd/root-password-again ""
+			    setpassword root "$ROOT_PW"
+			    ROOT_PW=''
+			else
+			    # The hash for the root password was preseeded
+			    ROOT_PW=$RET
+			    setpassword root "$ROOT_PW" 1
+			    ROOT_PW=''
 			fi
-			
-			# Clear root password from the db, and set the
-			# password.
-			db_set passwd/root-password ""
-			db_set passwd/root-password-again ""
-			setpassword root "$ROOT_PW"
-			ROOT_PW=''
-			
 			# Loop back to state #2 to make sure that there
 			# is a root password, and if not, prompt again.
 			STATE=2
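Review bot: `if ! test $RET ; then` leaves `$RET` unquoted, so the preseeded value is word-split and glob-expanded before `test` sees it. With the `*` value that the commit message advertises for disabling the root password, the outcome depends on the files in the current directory: several matches can make `test` fail with a usage error, `! test` then succeeds, and the script falls back to prompting. Use `if [ -z "$RET" ]; then` at both tests in this hunk (states 3 and 4) and at the same test in the user-password hunks below (states 8 and 9). Because `db_get ... || true` swallows a failed lookup, `$RET` may also still hold the result of an earlier call; that cannot be confirmed from the hunk.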
@@ -217,21 +239,26 @@
 				continue
 			fi
 			
-			db_input critical passwd/user-password || true
-			COMPARE_PW=''
-			db_input critical passwd/user-password-again \
+			db_get passwd/user-password-hash || true
+			if ! test $RET ; then
+			    db_input critical passwd/user-password || true
+			    COMPARE_PW=''
+			    db_input critical passwd/user-password-again \
 				&& COMPARE_PW=1 || true
+			fi
 		fi
 	;;
 	9)
 		db_get passwd/make-user
 		if [ "$RET" = true ] && ! is_system_user; then
-			# Compare the two passwords, loop with message if not
-			# identical, or if empty.
-			db_get passwd/user-password
-			USER_PW="$RET"
-			db_get passwd/user-password-again
-			if [ "$COMPARE_PW" ] && [ "$USER_PW" != "$RET" ]; then
+			db_get passwd/user-password-hash || true
+			if ! test $RET ; then
+			    # Compare the two passwords, loop with message if not
+			    # identical, or if empty.
+			    db_get passwd/user-password
+			    USER_PW="$RET"
+			    db_get passwd/user-password-again
+			    if [ "$COMPARE_PW" ] && [ "$USER_PW" != "$RET" ]; then
 				db_set passwd/user-password ""
 				db_set passwd/user-password-again ""
 				db_fset passwd/password-mismatch seen false
@@ -240,8 +267,8 @@
 				db_fset passwd/user-password-again seen false
 				STATE=8
 				continue
-			fi
-			if [ -z "$USER_PW" ]; then
+			    fi
+			    if [ -z "$USER_PW" ]; then
 				db_set passwd/user-password ""
 				db_set passwd/user-password-again ""
 				db_fset passwd/password-empty seen false
@@ -250,8 +277,10 @@
 				db_fset passwd/user-password-again seen false
 				STATE=8
 				continue
+			    fi
+			else
+			    USER_PW=$RET
 			fi
-			
 			# Add the user to the database, using adduser in
 			# noninteractive mode.
 			db_get passwd/user-fullname
@@ -262,12 +291,18 @@
 			    useradd -c "$RET" -m "$USER" >/dev/null || true
 			fi
 			
-			# Clear password from the db, and set the password.
-			db_set passwd/user-password ""
-			db_set passwd/user-password-again ""
-			db_get passwd/username
-			setpassword "$USER" "$USER_PW"
-			USER_PW=''
+			db_get passwd/user-password-hash || true
+			if ! test $RET ; then
+			    # Clear password from the db, and set the password.
+			    db_set passwd/user-password ""
+			    db_set passwd/user-password-again ""
+			    db_get passwd/username
+			    setpassword "$USER" "$USER_PW"
+			    USER_PW=''
+			else
+			    setpassword "$USER" "$USER_PW" 1
+			    USER_PW=''
+			fi
 
 			# Loop back through to make sure the user was
 			# added.
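Review bot: The hash branch never blanks the preseeded value. The cleartext branch calls `db_set passwd/user-password ""` before setpassword, but after `setpassword "$USER" "$USER_PW" 1` the hash is left in `passwd/user-password-hash`, and the root branch in state 4 leaves `passwd/root-password-hash` in place the same way. An MD5-crypt hash that stays in the debconf database remains open to offline guessing by anyone who can read that store, so add `db_set passwd/user-password-hash ""` (and the root equivalent) once the password has been set. The loops back to earlier states read these questions again outside this hunk, so check that they still behave as intended with the value cleared.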

Modified: trunk/debian/passwd.templates
===================================================================
--- trunk/debian/passwd.templates	2005-10-06 16:41:05 UTC (rev 567)
+++ trunk/debian/passwd.templates	2005-10-06 18:59:45 UTC (rev 568)
@@ -1,3 +1,15 @@
+# This template is for D-I purposes and should allow
+# preseeding the root password with a MD5 hash rather than cleartext
+Template: passwd/root-password-hash
+Type: password
+Description: For internal use only
+
+# This template is for D-I purposes and should allow
+# preseeding the user password with a MD5 hash rather than cleartext
+Template: passwd/user-password-hash
+Type: password
+Description: For internal use only
+
 Template: passwd/root-password
 Type: password
 _Description: Root password:
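Review bot: The comments on the two new templates say "MD5 hash" but do not state the format expected or that the value is written to the shadow entry without validation. Someone preseeding a bare hex digest or a cleartext password here would end up with an unusable account rather than an error. I would extend the root comment with `# Value: a crypt(3) MD5 string ("$1$salt$hash") or "*" to disable the password; passed to chpasswd -e unchanged` and give the user template the same format line.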



