[Pkg-shadow-commits] r568 - trunk/debian
Christian Perrier
bubulle at costa.debian.org
Thu Oct 6 18:59:46 UTC 2005
Author: bubulle
Date: 2005-10-06 18:59:45 +0000 (Thu, 06 Oct 2005)
New Revision: 568
Modified:
trunk/debian/changelog
trunk/debian/passwd.config
trunk/debian/passwd.templates
Log:
Allow preseeding root and user passwords with a MD5 hash (and "*" to disable
the root password)
Modified: trunk/debian/changelog
===================================================================
--- trunk/debian/changelog 2005-10-06 16:41:05 UTC (rev 567)
+++ trunk/debian/changelog 2005-10-06 18:59:45 UTC (rev 568)
@@ -18,6 +18,11 @@
removed
- debian/rules:
- pack upstream's NEWS file into login and passwd. Closes: #331487
+ - debian/passwd.config, debian/passwd.templates:
+ - allow preseeding the root (and user) password with a MD5 hash
+ Closes: #275343, #304352
+ - the above also allows preseeding a disabled password for root
+ Closes: #304343
-- Christian Perrier <bubulle at debian.org> Wed, 28 Sep 2005 19:59:31 +0200
Modified: trunk/debian/passwd.config
===================================================================
--- trunk/debian/passwd.config 2005-10-06 16:41:05 UTC (rev 567)
+++ trunk/debian/passwd.config 2005-10-06 18:59:45 UTC (rev 568)
@@ -57,7 +57,10 @@
# only called when first booting the system, when root has no
# password at all, so that should be an unnecessary precaution).
#
-# Pass in two arguments: the user and the password.
+# Arguments:
+# 1) (mandatory) username
+# 2) (mandatory) password
+# 3) (optional) 1 for meaning "the passed password is a MD5 hash"
setpassword () {
SETPASSWD_PW="$2"
export SETPASSWD_PW
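Review bot: The new argument comment above setpassword understates what the third argument does: when it is set, argument 2 is handed to `chpasswd -e` and stored as given, so it is not limited to MD5 and, per the commit log, may also be `*`. I would word the entries as `# 2) (mandatory) password, or an already-crypted hash (or "*") when argument 3 is set` and `# 3) (optional) any non-empty value: argument 2 is already hashed and is stored unchanged`. The second wording matters because the check added in the next hunk is `test "$3"`, not a comparison with 1. The function body continues outside this hunk.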
@@ -67,7 +70,11 @@
# that by crypting the password myself if md5 is used.
USE_MD5=1
export USE_MD5
- perl -e '
+
+ if test "$3" ; then
+ echo $1:${SETPASSWD_PW} | chpasswd -e
+ else
+ perl -e '
sub CreateCryptSalt {
my $md5 = shift;
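Review bot: The `echo $1:${SETPASSWD_PW} | chpasswd -e` line expands both values unquoted, so the shell applies word splitting and pathname expansion before chpasswd sees them. The commit log's own `*` case becomes the glob `root:*`, and some `echo` implementations also rewrite backslash sequences. `printf '%s:%s\n' "$1" "$SETPASSWD_PW" | chpasswd -e` passes the string through unchanged. The exit status of chpasswd is also dropped, so a rejected entry is not reported to the caller. The `if` opened here is closed in the next hunk.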
@@ -90,7 +97,8 @@
crypt($ENV{SETPASSWD_PW}, CreateCryptSalt($ENV{USE_MD5})).
"\n";
close P;
- ' "$1"
+ ' "$1"
+ fi
SETPASSWD_PW=''
USE_MD5=''
}
@@ -120,43 +128,57 @@
3)
# Prompt for a root password if there is none.
if ! root_password; then
- db_input critical passwd/root-password || true
- # Note that this runs at a slightly lower
- # priority, so it may not always be seen. If
- # it isn't, don't compare passwords.
- COMPARE_PW=''
- db_input critical passwd/root-password-again \
+ # First check whether the root password hash was preseeded
+ db_get passwd/root-password-hash || true
+ if ! test $RET ; then
+ # No preseed of the root password hash
+ # we will prompt the user
+ db_input critical passwd/root-password || true
+ # Note that this runs at a slightly lower
+ # priority, so it may not always be seen. If
+ # it isn't, don't compare passwords.
+ COMPARE_PW=''
+ db_input critical passwd/root-password-again \
&& COMPARE_PW=1 || true
+ fi
fi
;;
4)
# Verify and set a root password.
if ! root_password; then
- # Compare the two passwords, loop back if not
- # identical, or if empty.
- db_get passwd/root-password
- ROOT_PW="$RET"
- if [ -z "$ROOT_PW" ]; then
+ # First check whether the root password hash was preseeded
+ db_get passwd/root-password-hash || true
+ if ! test $RET ; then
+ # Compare the two passwords, loop back if not
+ # identical, or if empty.
+ db_get passwd/root-password
+ ROOT_PW="$RET"
+ if [ -z "$ROOT_PW" ]; then
db_fset passwd/password-empty seen false
db_input critical passwd/password-empty
STATE=2
continue
- fi
- db_get passwd/root-password-again
- if [ "$COMPARE_PW" ] && [ "$ROOT_PW" != "$RET" ]; then
+ fi
+ db_get passwd/root-password-again
+ if [ "$COMPARE_PW" ] && [ "$ROOT_PW" != "$RET" ]; then
db_fset passwd/password-mismatch seen false
db_input critical passwd/password-mismatch
STATE=2
continue
+ fi
+
+ # Clear root password from the db, and set the
+ # password.
+ db_set passwd/root-password ""
+ db_set passwd/root-password-again ""
+ setpassword root "$ROOT_PW"
+ ROOT_PW=''
+ else
+ # The hash for the root password was preseeded
+ ROOT_PW=$RET
+ setpassword root "$ROOT_PW" 1
+ ROOT_PW=''
fi
-
- # Clear root password from the db, and set the
- # password.
- db_set passwd/root-password ""
- db_set passwd/root-password-again ""
- setpassword root "$ROOT_PW"
- ROOT_PW=''
-
# Loop back to state #2 to make sure that there
# is a root password, and if not, prompt again.
STATE=2
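Review bot: `if ! test $RET` leaves `$RET` unquoted here in states 3 and 4, and again in the later hunks for states 8 and 9 and before the final setpassword call. A preseeded `*` is therefore glob-expanded against the current directory and a value containing spaces becomes several arguments; in either case `test` can error out and the hash is silently treated as absent. Because the `db_get` status is discarded with `|| true`, `$RET` may also hold whatever a failed call left behind, which is worth confirming against confmodule; `if ! db_get passwd/root-password-hash || [ -z "$RET" ]; then` would cover both. Separately, if `setpassword root "$ROOT_PW" 1` fails, the loop back to state 2 looks like it would skip the prompt and retry the same hash indefinitely; the state-2 code is outside this hunk, so that needs checking.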
@@ -217,21 +239,26 @@
continue
fi
- db_input critical passwd/user-password || true
- COMPARE_PW=''
- db_input critical passwd/user-password-again \
+ db_get passwd/user-password-hash || true
+ if ! test $RET ; then
+ db_input critical passwd/user-password || true
+ COMPARE_PW=''
+ db_input critical passwd/user-password-again \
&& COMPARE_PW=1 || true
+ fi
fi
;;
9)
db_get passwd/make-user
if [ "$RET" = true ] && ! is_system_user; then
- # Compare the two passwords, loop with message if not
- # identical, or if empty.
- db_get passwd/user-password
- USER_PW="$RET"
- db_get passwd/user-password-again
- if [ "$COMPARE_PW" ] && [ "$USER_PW" != "$RET" ]; then
+ db_get passwd/user-password-hash || true
+ if ! test $RET ; then
+ # Compare the two passwords, loop with message if not
+ # identical, or if empty.
+ db_get passwd/user-password
+ USER_PW="$RET"
+ db_get passwd/user-password-again
+ if [ "$COMPARE_PW" ] && [ "$USER_PW" != "$RET" ]; then
db_set passwd/user-password ""
db_set passwd/user-password-again ""
db_fset passwd/password-mismatch seen false
@@ -240,8 +267,8 @@
db_fset passwd/user-password-again seen false
STATE=8
continue
- fi
- if [ -z "$USER_PW" ]; then
+ fi
+ if [ -z "$USER_PW" ]; then
db_set passwd/user-password ""
db_set passwd/user-password-again ""
db_fset passwd/password-empty seen false
@@ -250,8 +277,10 @@
db_fset passwd/user-password-again seen false
STATE=8
continue
+ fi
+ else
+ USER_PW=$RET
fi
-
# Add the user to the database, using adduser in
# noninteractive mode.
db_get passwd/user-fullname
@@ -262,12 +291,18 @@
useradd -c "$RET" -m "$USER" >/dev/null || true
fi
- # Clear password from the db, and set the password.
- db_set passwd/user-password ""
- db_set passwd/user-password-again ""
- db_get passwd/username
- setpassword "$USER" "$USER_PW"
- USER_PW=''
+ db_get passwd/user-password-hash || true
+ if ! test $RET ; then
+ # Clear password from the db, and set the password.
+ db_set passwd/user-password ""
+ db_set passwd/user-password-again ""
+ db_get passwd/username
+ setpassword "$USER" "$USER_PW"
+ USER_PW=''
+ else
+ setpassword "$USER" "$USER_PW" 1
+ USER_PW=''
+ fi
# Loop back through to make sure the user was
# added.
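Review bot: The hash branch never clears `passwd/user-password-hash`, and the root branch in state 4 likewise leaves `passwd/root-password-hash` set, while the cleartext branch blanks its questions before calling setpassword. The preseeded hash therefore stays in the debconf database after it has been written to the shadow file. Adding `db_set passwd/user-password-hash ""` after `setpassword "$USER" "$USER_PW" 1` would keep the two paths consistent. Whether the states that loop back still behave correctly once the value is empty depends on code outside this hunk, so check that before clearing.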
Modified: trunk/debian/passwd.templates
===================================================================
--- trunk/debian/passwd.templates 2005-10-06 16:41:05 UTC (rev 567)
+++ trunk/debian/passwd.templates 2005-10-06 18:59:45 UTC (rev 568)
@@ -1,3 +1,15 @@
+# This template is for D-I purposes and should allow
+# preseeding the root password with a MD5 hash rather than cleartext
+Template: passwd/root-password-hash
+Type: password
+Description: For internal use only
+
+# This template is for D-I purposes and should allow
+# preseeding the user password with a MD5 hash rather than cleartext
+Template: passwd/user-password-hash
+Type: password
+Description: For internal use only
+
Template: passwd/root-password
Type: password
_Description: Root password: