bottlerocket-os / bottlerocket-admin-container

A container for admin access to Bottlerocket


admin container ignores password set in user-data

mchaker opened this issue · comments

commented

Image I'm using:

metal-dev

Issue or Feature Request:

When setting a password in user-data.toml (via base64'd user-data as described in the docs), logging in to the local console (tty0) fails.

user-data pre-base64:

{
	"user": "bottlerocket",
	"password-hash": "(generated with mkpasswd -m yescrypt -R 11 password-goes-here)",
	"ssh": {
		"authorized-keys": [
			"ssh-ed25519 REDACTED my-key"
		]
	}
}

Once the admin container starts, it takes over tty0 (understandable) and attempting to log in with root (no password) fails.
However, the user specified in user-data (bottlerocket) and the password specified by password-hash in user-data do not work -- login always fails.

However, SSHing into the host/admin container using the provided ssh.authorized-keys works. Inspecting the user-data shows that the user data was successfully applied (base64 value matches what is expected).

Can you check /etc/shadow to see if the hash was applied?

The login failure can happen if you hash the password with an algorithm that glibc in AL2 does not support.

commented

Interestingly enough, the hash in /etc/shadow is not the same as the hash I placed in user-data. 🤔

I followed the steps outlined in the following page: https://github.com/bottlerocket-os/bottlerocket-admin-container#authenticating-with-the-admin-container

specifically, "Where the password-hash can be generated from:"

mkpasswd -m yescrypt -R 11 <desired password>

> Interestingly enough, the hash in /etc/shadow is not the same as the hash I placed in user-data. 🤔

I'd first try using base64 -w0 on the input to ensure it's not getting a newline encoded partway through, though I don't know if that would manifest as this error.
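A small check script for the steps suggested in this thread, as an added example that is not code from the issue or from the bottlerocket project: it verifies that the base64 user-data is a single line (what `base64 -w0` produces), reports the crypt(3) algorithm id carried by the password-hash so it can be compared with what the host's libcrypt supports, and compares the hash against the user's /etc/shadow entry. The sample JSON, the placeholder hash and the optional shadow-file argument are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the issue or the bottlerocket project.
# Sanity-checks base64 user-data before it is handed to the host.

# Constructed sample user-data; the hash is a placeholder, not a credential.
SAMPLE_JSON='{"user":"bottlerocket","password-hash":"$y$j9T$saltsaltsalt$hashhashhashhash"}'
SAMPLE_B64=$(printf '%s' "$SAMPLE_JSON" | base64 | tr -d '\n')   # one line, as -w0 gives

# 0 if the string contains no newline (safe to paste as a single value), else 1.
b64_single_line() {
    [ "$(printf '%s' "$1" | tr -d '\n')" = "$1" ]
}

# Decode base64 user-data and print the password-hash value (empty if absent).
extract_hash() {
    printf '%s' "$1" | base64 -d 2>/dev/null |
        sed -n 's/.*"password-hash"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Map the crypt(3) "$id$" prefix to a name; anything else is reported as unknown,
# which is the case to compare against the algorithms the host's libcrypt supports.
hash_algo() {
    case "$1" in
        '$y$'*) echo yescrypt ;;
        '$7$'*) echo scrypt ;;
        '$6$'*) echo sha512crypt ;;
        '$5$'*) echo sha256crypt ;;
        '$1$'*) echo md5crypt ;;
        *)      echo unknown ;;
    esac
}

# 0 if user $1's hash field in shadow file $3 (default /etc/shadow) equals $2 byte for byte.
shadow_hash_matches() {
    actual=$(awk -F: -v u="$1" '$1 == u { print $2 }' "${3:-/etc/shadow}")
    [ "$actual" = "$2" ]
}

# Walk-through on the constructed sample.
if b64_single_line "$SAMPLE_B64"; then echo "base64: single line"; fi
h=$(extract_hash "$SAMPLE_B64")
echo "hash algorithm: $(hash_algo "$h")"
```

Run it against the real value with `shadow_hash_matches bottlerocket "$(extract_hash "$USER_DATA_B64")"` from inside the admin container to confirm whether the hash that reached /etc/shadow is the one that was encoded.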