From 8c7145a12dc0d1bcc403d2daf0ed14ab4e9c91e7 Mon Sep 17 00:00:00 2001
From: Quentin Schulz
Date: Fri, 22 Apr 2022 15:13:15 +0200
Subject: docs: ref-manual: variables: add hashed password example in EXTRA_USERS_PARAMS

Add examples for hashed hardcoded passwords from extrausers.bbclass so that this feature is not hidden away.

Cc: Quentin Schulz
(From yocto-docs rev: 5db73c7c5668144ed4629f95378e44f0bd8c8256)

Signed-off-by: Quentin Schulz
Signed-off-by: Richard Purdie
---
 documentation/ref-manual/variables.rst | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

(limited to 'documentation')

diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst
index 1bfa667786..f8808cc052 100644
--- a/documentation/ref-manual/variables.rst
+++ b/documentation/ref-manual/variables.rst
@@ -2338,6 +2338,37 @@ system and gives an overview of their function and contents. # usermod -s /bin/sh tester; \ # " + Hardcoded passwords are supported via the ``-p`` parameters for + ``useradd`` or ``usermod``, but only hashed. + + Here is an example that adds two users named "tester-jim" and "tester-sue" and assigns + passwords. First on host, create the (escaped) password hash:: + + printf "%q" $(mkpasswd -m sha256crypt tester01) + + The resulting hash is set to a variable and used in ``useradd`` command parameters:: + + inherit extrausers + PASSWD = "\$X\$ABC123\$A-Long-Hash" + EXTRA_USERS_PARAMS = "\ + useradd -p '${PASSWD}' tester-jim; \ + useradd -p '${PASSWD}' tester-sue; \ + " + + Finally, here is an example that sets the root password:: + + inherit extrausers + EXTRA_USERS_PARAMS = "\ + usermod -p '${PASSWD}' root; \ + " + + .. note:: + + From a security perspective, hardcoding a default password is not + generally a good idea or even legal in some jurisdictions. It is + recommended that you do not do this if you are building a production + image. + Additionally there is a special ``passwd-expire`` command that will cause the password for a user to be expired and thus force changing it on first login, for example:: -- cgit v1.2.3-54-g00ecf
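Review bot: The host-side command `printf "%q" $(mkpasswd -m sha256crypt tester01)` puts the cleartext password on the command line, where it ends up in shell history and is visible in the process list while it runs. I would have the example read the password from a prompt or stdin instead. The same line relies on `%q`, which is not a POSIX printf format, so the text should name the shell it expects, and the command substitution should be quoted so the hash is passed as one word. In the second block both `tester-jim` and `tester-sue` receive the same `${PASSWD}`, meaning the same password and salt on two accounts; a sentence saying this is only for brevity, or one variable per user, would keep readers from copying it as is. The root example uses `usermod -p '${PASSWD}' root` without repeating the `PASSWD = ...` assignment, so the snippet is not usable on its own; either repeat the assignment or state that it reuses the variable defined above. Since the unchanged context right after the note already describes `passwd-expire`, the note could point to it as the way to force a change of any hardcoded password on first login. Minor wording: "the ``-p`` parameters" should be singular, and "but only hashed" reads more clearly as "but only in hashed form".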