cc_set_passwords does not expire users if password given as hash #3990
Comments
Launchpad user James Falcon(falcojr) wrote on 2022-06-20T17:06:18.548589+00:00
Thanks for reporting this. I can reproduce the behavior described.
Launchpad user Chad Smith(chad.smith) wrote on 2022-06-22T15:59:25.797260+00:00
Expectation here is to fix hashed passwords to also expire.
Validated that hashed password is not expired by default:
cat > hash_pw_not_expired.yaml <<EOF
Note no expiry notice
lxc console test-pw-expiry --show-log | grep u2
Note expiry notice
Launchpad user Chad Smith(chad.smith) wrote on 2022-06-23T15:29:48.616235+00:00
After further review and discussion on this item, we determined it's best not to change existing behavior, but fix the docs to align with current behavior. Introducing a change in behavior for hashed password expiry may break automation expecting to rely on this feature. Since the introduction of hashed password support in cloud-init released in 2017[1], the hashed passwords are not expired. Let's retain and more clearly document that behavior.
[1] hashed pw support 2163297
Launchpad user James Falcon(falcojr) wrote on 2022-07-12T18:49:08.471409+00:00
After further further review, we decided to fix the behavior after all. See #1577
A follow-on PR will ensure the original behavior is preserved for existing releases.
Launchpad user Brett Holman(holmanb) wrote on 2022-08-19T16:37:26.377759+00:00
This bug is believed to be fixed in cloud-init in version 22.3. If this is still a problem for you, please make a comment and set the state back to New.
Thank you.
This bug was originally filed in Launchpad as LP: #1979065
Launchpad details
Launchpad user Roni Väyrynen(dome-livepatch) wrote on 2022-06-17T13:27:31.879015+00:00
https://cloudinit.readthedocs.io/en/latest/topics/modules.html#set-passwords
Documentation explains three different ways of setting user password using chpasswd but doesn't mention that they would otherwise work any differently from one another. Passwords should by default be expired if not specifically set otherwise in chpasswd. Although if one sets the password as hash either in password or chpasswd list, cc_set_passwords.py skips passwd --expire completely which doesn't match documented behaviour.
cloud-init/cloudinit/config/cc_set_passwords.py
Line 260 in 7280983
This part only applies to users which had either plain text password or random password set.
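A way to check on a booted instance whether accounts that were meant to be expired really are, added here as an example and not taken from cloud-init: it reads `/etc/shadow`-format text and relies on the shadow(5) rule that a last-change field of `0` forces a password change at next login, which is what `passwd --expire` sets. The user names, hashes and sample lines are constructed.

```python
from dataclasses import dataclass


@dataclass
class ShadowEntry:
    name: str
    pw_field: str      # hashed password, or a "!" / "*" marker
    last_change: str   # days since epoch; "0" = must change at next login


def parse_shadow(text):
    """Parse shadow(5) lines into a dict keyed by user name."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue  # malformed line, ignore
        entries[fields[0]] = ShadowEntry(fields[0], fields[1], fields[2])
    return entries


def unexpired_users(shadow_text, expected_expired):
    """Return (user, reason) for each account that was expected to be
    expired but is missing, has no usable hash, or has last_change != 0."""
    entries = parse_shadow(shadow_text)
    findings = []
    for user in expected_expired:
        entry = entries.get(user)
        if entry is None:
            findings.append((user, "missing"))
        elif not entry.pw_field or entry.pw_field[0] in "!*":
            findings.append((user, "no-usable-hash"))
        elif entry.last_change != "0":
            findings.append((user, "not-expired"))
    return findings


# Constructed sample: u1 had its password supplied as a hash (not expired),
# u2 had a plain-text password and was expired on first boot.
SAMPLE_SHADOW = """\
root:*:19160:0:99999:7:::
u1:$6$constructedsalt$constructedhashvalue1:19160:0:99999:7:::
u2:$6$constructedsalt$constructedhashvalue2:0:0:99999:7:::
"""

if __name__ == "__main__":
    for user, reason in unexpired_users(SAMPLE_SHADOW, ["u1", "u2"]):
        print(f"{user}: {reason}")
```

On a real host, pass the contents of `/etc/shadow` (read as root) and the list of users defined in the cloud-config.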