Description of problem:
- Running an RHCOS VM with an ignition script of user and password does not function as expected. The VM boots normally (meaning the script is valid), but the user and password authentication is not working. Using the same script with FCOS (but with ignition version 3.0.0 instead of 2.3.0 for RHCOS) works, and it is possible to log in to the VM with the script's user and password.
- Trying to create a different password hash with different encryption methods does not solve this issue.
- Ignition script for RHCOS (password is changeme):

```
{
  "ignition": {
    "version": "2.3.0"
  },
  "passwd": {
    "users": [
      {
        "name": "core",
        "passwordHash": "$y$j9T$skCa2x5kFis7p58gYjz3C1$ykelHfCckRToZKAVYK7GDdLOCi3pcF2WMioI.vmYkj5"
      }
    ]
  }
}
```

Version-Release number of selected component (if applicable):
ovirt-engine-4.4.0-0.19.master.el7
vdsm-4.40.2-1.el8ev.x86_64
qemu-kvm-4.2.0-8.module+el8.2.0+5607+dc756904.x86_64
libvirt-client-6.0.0-4.module+el8.2.0+5642+838f3513.x86_64
rhcos-4.4-44.81.202001241431.0

How reproducible:
100%

Steps to Reproduce:
1. Download the latest RHCOS openstack qcow image (from rhcos.json), or use the latest RHCOS template.
2. Create a VM, set OS type to RHCOS, check the ignition checkbox and add the script mentioned above with "ignition": { "version": "2.3.0" }
3. Run the VM and try to log in with user: core password: changeme

Actual results:
Login with this user and password failed.

Expected results:
Login with this user and password should succeed.

Additional info:
vdsm.log and engine.log attached
RHCOS VM name/ID: ignition_from_temp/c9edb803-62d5-4f48-81bc-35bd0fbc3c26
FCOS VM name/ID: ignition_FCOS/321df2d2-3545-47fe-9967-d5bfd53e8c39
Created attachment 1662124: engine.log
Created attachment 1662125: vdsm.log
Ignition has some breaking changes. The only references I'm seeing in the docs are for sha hashed passwords. We also wouldn't expect ignition for upstream versions (e.g. FCOS) to necessarily be compatible with RHCOS. Are you sure this is a bug?
(In reply to Ryan Barry from comment #3)
> Ignition has some breaking changes. The only references I'm seeing in the
> docs are for sha hashed passwords. We also wouldn't expect ignition for
> upstream versions (e.g. FCOS) to necessarily be compatible with RHCOS.
>
> Are you sure this is a bug?

Currently I can't test ignition on RHCOS because I cannot log in to the VMs in order to verify whether the ignition configuration is applied. It also looks like the UI option for hashed password is not working.
Which algorithm was used for the hash? Is the UI option not working the same as the other reported bug, or different?
Yeah, this is likely due to a hashing algorithm we turn off by default. How did you generate the hash? Works for me with one generated using `mkpasswd -m sha-512` at least.
Ahh OK yup, RHCOS just inherits el8's sha512-by-default here:

```
[root@coreos ~]# grep password /etc/pam.d/system-auth
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password required pam_deny.so
```
The original comment didn't mention it, though just in case this was tried over SSH, note that RHCOS disables SSH password authentication (https://github.com/openshift/os/issues/374). It works fine on serial though. (One can of course always go against that opinion and turn it back on via Ignition if so determined.)
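The hash-scheme mismatch discussed in the comments above can be caught before a VM is booted. The following is an added example, not code from the reporter, oVirt or the Ignition project: it reads an Ignition config, identifies each `passwordHash` by its crypt(5) prefix (`$y$` selects yescrypt, `$6$` sha512crypt) and checks the shape of sha512crypt strings. The accepted set is an assumption limited to the one scheme the thread confirms working, and the function names and second sample config are constructed for illustration.

```python
import json
import re

# crypt(5) modular-format prefixes and the scheme each one selects.
PREFIXES = {"$y$": "yescrypt", "$7$": "scrypt", "$2a$": "bcrypt", "$2b$": "bcrypt",
            "$2y$": "bcrypt", "$6$": "sha512crypt", "$5$": "sha256crypt", "$1$": "md5crypt"}

# Assumption: only sha512crypt is accepted, the one scheme the thread confirms.
ACCEPTED = {"sha512crypt"}

# Shape of a sha512crypt string: $6$[rounds=N$]salt(<=16)$86-char digest.
SHA512_RE = re.compile(r"\$6\$(rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}")

def classify(password_hash, accepted=ACCEPTED):
    """Return (scheme, verdict) for one passwordHash value."""
    scheme = next((name for p, name in PREFIXES.items()
                   if password_hash.startswith(p)), "unknown")
    if scheme not in accepted:
        return scheme, "unsupported-scheme"
    if scheme == "sha512crypt" and not SHA512_RE.fullmatch(password_hash):
        return scheme, "malformed"
    return scheme, "ok"

def audit_ignition(config_text, accepted=ACCEPTED):
    """List (user, scheme, verdict) for each passwd.users entry that sets passwordHash."""
    users = json.loads(config_text).get("passwd", {}).get("users", [])
    return [(u.get("name"), *classify(u["passwordHash"], accepted))
            for u in users if u.get("passwordHash") is not None]

# Config from the bug report above (hash copied from the report).
REPORTED = json.dumps({"ignition": {"version": "2.3.0"}, "passwd": {"users": [
    {"name": "core", "passwordHash":
     "$y$j9T$skCa2x5kFis7p58gYjz3C1$ykelHfCckRToZKAVYK7GDdLOCi3pcF2WMioI.vmYkj5"}]}})

# Constructed sample: well-formed sha512crypt shape with a placeholder digest,
# plus a truncated one to exercise the "malformed" path.
CONSTRUCTED = json.dumps({"ignition": {"version": "2.3.0"}, "passwd": {"users": [
    {"name": "core", "passwordHash": "$6$constructedsalt1$" + "A" * 86},
    {"name": "ops", "passwordHash": "$6$constructedsalt1$" + "A" * 40}]}})

if __name__ == "__main__":
    for cfg in (REPORTED, CONSTRUCTED):
        for name, scheme, verdict in audit_ignition(cfg):
            print(f"{name}: {scheme} -> {verdict}")
```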