admin container ignores password set in user-data
mchaker opened this issue
Image I'm using:
metal-dev
Issue or Feature Request:
When setting a password in user-data.toml (via base64'd user-data as described in the docs), logging in to the local console (tty0) fails.
user-data pre-base64:
{
  "user": "bottlerocket",
  "password-hash": "(generated with mkpasswd -m yescrypt -R 11 password-goes-here)",
  "ssh": {
    "authorized-keys": [
      "ssh-ed25519 REDACTED my-key"
    ]
  }
}
Once the admin container starts, it takes over tty0 (understandable) and attempting to log in with root (no password) fails.
However, the user specified in user-data (bottlerocket) and the password specified by password-hash in user-data do not work -- login always fails.
However, SSHing into the host/admin container using the provided ssh.authorized-keys works. Inspecting the user-data shows that the user data was successfully applied (base64 value matches what is expected).
Can you check /etc/shadow to see if the hash was applied?
The login failure can happen if you hash the password with an algorithm that glibc in AL2 does not support.
Interestingly enough, the hash in /etc/shadow is not the same as the hash I placed in user-data. 🤔
I followed the steps outlined in the following page: https://github.com/bottlerocket-os/bottlerocket-admin-container#authenticating-with-the-admin-container
specifically, "Where the password-hash can be generated from:"
mkpasswd -m yescrypt -R 11 <desired password>
Interestingly enough, the hash in /etc/shadow is not the same as the hash I placed in user-data. 🤔
I'd first try using base64 -w0 on the input to ensure it's not getting a newline encoded partway through, though I don't know if that would manifest as this error.
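The checks suggested in the replies above (compare the hash in /etc/shadow with the one in user-data, look at which hash algorithm is in use, rule out line-wrapped base64) can be combined into one diagnostic. This is an added example, not part of the thread or the Bottlerocket project; the function names, the `supported` default and the sample values are assumptions made for illustration.

```python
import base64
import json

# crypt(3) hash prefixes and the scheme each one selects.
SCHEMES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
           "$y$": "yescrypt", "$2b$": "bcrypt", "$7$": "scrypt"}

def scheme_of(hash_str):
    """Name the crypt(3) scheme from the hash prefix."""
    for prefix, name in SCHEMES.items():
        if hash_str.startswith(prefix):
            return name
    return "unknown"

def check_user_data(b64_text, shadow_line, supported=("sha256crypt", "sha512crypt")):
    """Return findings for base64 user-data and the user's /etc/shadow line.
    `supported` is an assumption about the container's crypt(3); adjust it."""
    findings = []
    if any(c in b64_text.strip() for c in "\r\n "):
        findings.append("base64 is line-wrapped; re-encode with base64 -w0")
    try:
        doc = json.loads(base64.b64decode("".join(b64_text.split()), validate=True))
    except ValueError as err:  # covers binascii.Error and JSONDecodeError
        return findings + [f"user-data does not decode to JSON: {err}"]
    user, want = doc.get("user", ""), doc.get("password-hash", "")
    if scheme_of(want) not in supported:
        findings.append(f"password-hash scheme {scheme_of(want)} is not in {supported}")
    # Pad so a malformed shadow line still yields two fields.
    shadow_user, shadow_hash = (shadow_line.strip().split(":") + ["", ""])[:2]
    if shadow_user != user:
        findings.append(f"shadow line is for {shadow_user!r}, not {user!r}")
    elif shadow_hash != want:
        findings.append(f"shadow hash (scheme: {scheme_of(shadow_hash)}) differs from user-data")
    return findings

# Constructed sample input: placeholder hash, not a real one.
SAMPLE_JSON = json.dumps({
    "user": "bottlerocket",
    "password-hash": "$y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDHASHVALUE0000000000000000000000000",
})
SAMPLE_B64 = base64.encodebytes(SAMPLE_JSON.encode()).decode()  # wraps like plain `base64`
SAMPLE_SHADOW = "bottlerocket:!:19000:0:99999:7:::"  # constructed shadow entry

if __name__ == "__main__":
    for finding in check_user_data(SAMPLE_B64, SAMPLE_SHADOW):
        print(finding)
```

Run it with the exact base64 string passed as user-data and the user's line copied from /etc/shadow inside the admin container; an empty result means none of the three conditions was detected.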