[lxc-devel] [PATCH 4/4] Added root_password_expired password control tuning knob.

Michael H. Warfield mhw at WittsEnd.com
Sat Mar 22 17:59:59 UTC 2014


Added root_password_expired password control tuning knob.

Added the environment variable "root_password_expired" to
control whether the initial, temporary root password is
set up as "expired".  If set to "yes" (default), the root password
is set as "expired" and the user must change it at first login.

Signed-off-by: Michael H. Warfield <mhw at WittsEnd.com>
---
 templates/lxc-centos.in | 21 +++++++++++++++++----
 templates/lxc-fedora.in | 21 +++++++++++++++++----
 2 files changed, 34 insertions(+), 8 deletions(-)

diff --git a/templates/lxc-centos.in b/templates/lxc-centos.in
index 6d9e512..238159a 100644
--- a/templates/lxc-centos.in
+++ b/templates/lxc-centos.in
@@ -29,7 +29,7 @@
 #Configurations
 default_path=@LXCPATH@
 
-# Some combinations of the tunning knobs below do not exactly make sense.
+# Some combinations of the tuning knobs below do not exactly make sense.
 # but that's ok.
 #
 # If the "root_password" is non-blank, use it, else set a default.
@@ -45,6 +45,8 @@ default_path=@LXCPATH@
 # If root_store_password = yes, store it in the configuration directory
 # If root_prompt_password = yes, invoke "passwd" to force the user to change
 # the root password after the container is created.
+# If root_expire_password = yes, you will be prompted to change the root
+# password at the first login.
 #
 # These are conditional assignments...  The can be overridden from the
 # preexisting environment variables...
@@ -61,6 +63,10 @@ default_path=@LXCPATH@
 # with users running under the API...  Don't default to "yes"
 : ${root_prompt_password='no'}
 
+# Expire root password? Default to yes, but can be overridden from
+# the environment variable
+: ${root_expire_password='yes'}
+
 # These are only going into comments in the resulting config...
 lxc_network_type=veth
 lxc_network_link=lxcbr0
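Review bot: The variable assigned here is `root_expire_password`, while the commit title and description name the knob `root_password_expired`; anyone who sets the name from the description silently gets the default `yes`. The two names should agree before merge. The comment above the assignment should also state the accepted values, e.g. `# Accepted values: "yes" (default) or "no"; any other value is treated as "no" by the checks below.` The same assignment is added in the lxc-fedora.in hunk at `@@ -61,6 +63,10 @@`.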
@@ -346,8 +352,12 @@ EOF
     fi
 
     echo "root:$root_password" | chroot $rootfs_path chpasswd
-    # Also set this password as expired to force the user to change it!
-    chroot $rootfs_path passwd -e root
+
+    if [ ${root_expire_password} = "yes" ]
+    then
+        # Also set this password as expired to force the user to change it!
+        chroot $rootfs_path passwd -e root
+    fi
 
     # This will need to be enhanced for CentOS 7 when systemd
     # comes into play...   /\/\|=mhw=|\/\/
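Review bot: The test `[ ${root_expire_password} = "yes" ]` is unquoted and fails open: an empty value from the environment survives `: ${root_expire_password='yes'}` (that form only fills in an unset variable), makes `[` report an error, and the `passwd -e root` step is skipped, as it is for `Yes`, `true` or `1`. Since an expired initial password is the safer state, quote the expansion and skip only on an explicit opt-out: `if [ "${root_expire_password}" != "no" ]`. The same test appears in the message hunk at `@@ -900,7 +910,9 @@` and in both corresponding lxc-fedora.in hunks, which need the identical condition so the printed notice matches what was done. The enclosing function starts and ends outside this hunk.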
@@ -900,7 +910,9 @@ then
 "
     chroot ${rootfs_path} passwd
 else
-    echo "
+    if [ ${root_expire_password} = "yes" ]
+    then
+        echo "
 The root password is set up as "expired" and will require it to be changed
 at first login, which you should do as soon as possible.  If you lose the
 root password or wish to change it without starting the container, you
@@ -909,4 +921,5 @@ also reset the expired flag):
 
         chroot ${rootfs_path} passwd
 "
+    fi
 fi
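Review bot: The `if` opened in the previous hunk and closed by the `fi` added here has no `else`, so when `root_prompt_password` and `root_expire_password` are both something other than `yes` this block prints nothing and the operator gets no reminder that root still has its initial password with no forced change. Whether the password is reported elsewhere in the template is not visible from these hunks. Consider an `else` branch such as `echo "The root password is NOT set as expired; change it with: chroot ${rootfs_path} passwd"`. The notice is also keyed on the variable rather than on whether `passwd -e root` succeeded, so it may claim an expired password after a failed call. The same applies to the lxc-fedora.in hunks at `@@ -1412,7 +1422,9 @@` and `@@ -1421,4 +1433,5 @@`.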
diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in
index 16f0c55..5414b4e 100644
--- a/templates/lxc-fedora.in
+++ b/templates/lxc-fedora.in
@@ -29,7 +29,7 @@
 #Configurations
 default_path=@LXCPATH@
 
-# Some combinations of the tunning knobs below do not exactly make sense.
+# Some combinations of the tuning knobs below do not exactly make sense.
 # but that's ok.
 #
 # If the "root_password" is non-blank, use it, else set a default.
@@ -45,6 +45,8 @@ default_path=@LXCPATH@
 # If root_store_password = yes, store it in the configuration directory
 # If root_prompt_password = yes, invoke "passwd" to force the user to change
 # the root password after the container is created.
+# If root_expire_password = yes, you will be prompted to change the root
+# password at the first login.
 #
 # These are conditional assignments...  The can be overridden from the
 # preexisting environment variables...
@@ -61,6 +63,10 @@ default_path=@LXCPATH@
 # with users running under the API...  Don't default to "yes"
 : ${root_prompt_password='no'}
 
+# Expire root password? Default to yes, but can be overridden from
+# the environment variable
+: ${root_expire_password='yes'}
+
 # These are only going into comments in the resulting config...
 lxc_network_type=veth
 lxc_network_link=lxcbr0
@@ -294,8 +300,12 @@ EOF
     fi
 
     echo "root:$root_password" | chroot $rootfs_path chpasswd
-    # Also set this password as expired to force the user to change it!
-    chroot $rootfs_path passwd -e root
+
+    if [ ${root_expire_password} = "yes" ]
+    then
+        # Also set this password as expired to force the user to change it!
+        chroot $rootfs_path passwd -e root
+    fi
 
     # specifying this in the initial packages doesn't always work.
     # Even though it should have...
@@ -1412,7 +1422,9 @@ then
 "
     chroot ${rootfs_path} passwd
 else
-    echo "
+    if [ ${root_expire_password} = "yes" ]
+    then
+        echo "
 The root password is set up as "expired" and will require it to be changed
 at first login, which you should do as soon as possible.  If you lose the
 root password or wish to change it without starting the container, you
@@ -1421,4 +1433,5 @@ also reset the expired flag):
 
         chroot ${rootfs_path} passwd
 "
+    fi
 fi
-- 
1.8.3.1


-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
