preseed user-password-crypted password cannot be used with d-i user-setup/encrypt-home boolean true option
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
preseed (Ubuntu) | New | Undecided | Unassigned |
Bug Description
The following preseed values cannot be used together:
d-i preseed user-password-
d-i user-setup/
I've tested deploying 14.04 and 16.04 using preseed and pxeboot.
If I configure a new user account to be created with a plain-text password the installation completes properly.
If I configure a new user account to be created with an encrypted password, the installation screen either hangs, if I have also set 'user-setup-udeb passwd/make-user boolean false', or, if I have set 'user-setup-udeb passwd/make-user boolean true', I'm prompted with 'You entered an empty password, which is not allowed. Please choose a non-empty password.'.
I've also attempted adding 'd-i user-setup/
Relevant settings:
d-i user-setup/
d-i passwd passwd/make-user boolean true
d-i user-setup-udeb passwd/make-user boolean true
d-i passwd/
d-i passwd/username string steved
d-i passwd/
I'm using The Foreman to orchestrate deployments, and I thought perhaps the user-password-
I'll also mention I've tried sha-512 hashed passwords as well as the sha-256 hash shown above with the same result.
Client syslog does not generate any errors.
Lastly, I mention 'hang' a few times but this is in relation to the installer screen. At no time is the client system unresponsive. I can get another tty, check logs, etc.
I don't believe this is a bug.
By default user-setup/encrypt-home is set up using ecryptfs and uses the user's plaintext password as the seed for the ecryptfs key generation. That way the plaintext password is used in the PAM stack to authenticate the user against the shadow password, and used to derive the decryption key to decrypt ecryptfs. Clearly the salted shadow password cannot be used to derive/set up the ecryptfs encryption key, thus the two options are mutually exclusive.
Using a plaintext password is imho bad; instead, do the install with a crypted password and set up user-home encryption post-install using the "ecryptfs-migrate-home" command: http://blog.dustinkirkland.com/2011/02/long-overdue-introduction-ecryptfs.html
Given the above deficiency, what would you expect from the installer? A critical prompt - ecryptfs home was requested, but cannot be configured due to missing plain text password?
You also report another bug too w.r.t make-user question. Not sure what needs fixing there.
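A pre-deployment lint for the combination discussed in this thread, as an added example that is not part of the original report or of the installer: it flags a preseed that sets user-setup/encrypt-home to true while supplying only a crypted password, and separately notes any plaintext password. The sample preseed, username and hash placeholder are constructed; the key names passwd/user-password-crypted and passwd/user-password are the standard d-i ones and are assumed here, since the settings quoted above are truncated.

```python
import re

# Constructed sample preseed fragment; the hash is a placeholder, not a real one.
SAMPLE_PRESEED = """\
# user account
d-i passwd/make-user boolean true
d-i passwd/username string exampleuser
d-i passwd/user-password-crypted password $6$CONSTRUCTEDSALT$CONSTRUCTEDHASH
d-i user-setup/encrypt-home boolean true
"""

# A preseed line is: <owner> <question> <type> <value...>
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_preseed(text):
    """Return {question: value}, skipping blank lines and # comments."""
    answers = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            _owner, question, _qtype, value = m.groups()
            answers[question] = (value or "").strip()
    return answers


def check_user_setup(text):
    """Return findings about the password / encrypt-home settings."""
    a = parse_preseed(text)
    encrypt = a.get("user-setup/encrypt-home", "false").lower() == "true"
    crypted = bool(a.get("passwd/user-password-crypted"))
    plain = bool(a.get("passwd/user-password"))
    findings = []
    if encrypt and crypted and not plain:
        # ecryptfs needs the plaintext password to wrap its key; a hash cannot supply it.
        findings.append("conflict: encrypt-home is true but only a crypted "
                        "password is set; install without encrypt-home and "
                        "run ecryptfs-migrate-home post-install")
    if plain:
        findings.append("plaintext: passwd/user-password stores the password "
                        "in clear text in the preseed file")
    return findings


if __name__ == "__main__":
    for finding in check_user_setup(SAMPLE_PRESEED):
        print(finding)
```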