[Users] create CT with password

Kir Kolyshkin kir at openvz.org
Mon Nov 10 19:39:36 EST 2008


The only problem is that the solution is not generic. In other words, we
can't know how different distros handle local users. It used to be
crypt(3) and /etc/passwd (later /etc/shadow) manipulation. Now everybody
uses PAM, which can be configured in this or that way. For example, new
passwords are checked (by pam_cracklib) for minimum length etc. (see
pam_cracklib(8) for many more details). Also, they could be stored in
different ways (this applies to both storage and hashes), say using (or
not using) /etc/shadow, md5 or sha256 hashes, or even NIS (see pam_unix(8)
for more details).

Because of the above, the only reliable way is to run passwd --stdin
inside the container (a somewhat less generic (?) and more low-level way
is to call the pam_chauthtok(3) function from C code -- this is what I
assume passwd does). Using 'passwd' is the only way to make sure we are
doing what we should, not ignoring local configuration, not
circumventing any local restrictions etc. Unfortunately we need to start
the VE in order to run passwd (just chroot()'ing is not secure enough).

So, what if you approach the problem in a different way? Is it possible
that you run 'vzctl set --userpasswd' *after* VE start?

Dietmar Maurer wrote:
>
> Attached is a patch which passes the password to the postcreate script:
>
> VE_ROOTPASSWD .. plain text passwd
>
> VE_CROOTPASSWD .. crypted passwd (md5)
>
> postcreate script can then modify /etc/passwd and /etc/shadow.
>
> what do you think?
>
> - Dietmar
>
> *From:* users-bounces at openvz.org [mailto:users-bounces at openvz.org]
> *On Behalf Of* Dietmar Maurer
> *Sent:* Thursday, 06. November 2008 10:51
> *To:* users at openvz.org
> *Subject:* [Users] create CT with password
>
> Hi all,
>
> currently you need to use the following command to change the password
> inside a CT:
>
> vzctl set CTID --userpasswd root:XXX
>
> This starts/stops the CT if it is not already running.
>
> That is OK unless you have preconfigured appliance templates which do
> some initialization at first startup. Let me explain:
>
> 1.) User creates the CT: vzctl create 777 --ostemplate name …
>
> 2.) User sets the password: vzctl set 777 --userpasswd root:XXX
>     (start/stop CT)
>
> 3.) User starts the CT
>
> As you see, there is a totally unnecessary start/stop action. Even
> worse, the container is not fully functional at that time because
> HOSTNAME, DOMAIN, … are not set before the container is started with
> "vzctl start".
>
> I wonder if it would be possible to add a --userpasswd parameter to the
> 'create' command? Or maybe only a --rootpasswd option (because root is
> always a local user).
>
> /etc/passwd and /etc/shadow should be easy to modify directly, or are
> there some distributions with unusual file formats?
>
> - Dietmar
>
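Kir's point above is that distributions keep local passwords in different places and formats (hash in /etc/passwd or in /etc/shadow, md5 or sha256 schemes, locked accounts), which is why a postcreate script editing those files directly is fragile. As an added example that is not part of this thread or of vzctl, the following Python inspects passwd(5)/shadow(5) entries the way a template author could audit an appliance image before shipping it; the function names, the sample lines and the salt/hash values are constructed placeholders, not real data.

```python
# crypt(3) scheme identifiers found in the "$id$salt$hash" prefix of a shadow field
SCHEMES = {"1": "md5", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256", "6": "sha512", "7": "scrypt", "y": "yescrypt"}

def classify_hash(field):
    """Return (scheme, locked) for the password field of a shadow(5) line."""
    locked = field.startswith(("!", "*"))   # "!"/"*" prefix: password login disabled
    body = field.lstrip("!*")
    if body == "":
        return "empty", locked              # empty and not locked: no password needed
    if body.startswith("$"):
        return SCHEMES.get(body.split("$")[1], "unknown"), locked
    if len(body) == 13:
        return "descrypt", locked           # traditional 13-character DES crypt
    return "unknown", locked

def parse_shadow_line(line):
    """Parse one shadow(5) line into a dict with user, scheme, locked, max_days."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("not a shadow(5) line: expected 9 colon-separated fields")
    user, pwfield, _lastchg, _min_days, max_days = fields[:5]
    scheme, locked = classify_hash(pwfield)
    return {"user": user, "scheme": scheme, "locked": locked,
            "max_days": int(max_days) if max_days else None}

def passwd_uses_shadow(passwd_line):
    """True when a passwd(5) entry defers to /etc/shadow ("x") instead of holding the hash itself."""
    return passwd_line.split(":")[1] == "x"

# Constructed sample entries; salts and hashes are placeholders, not real values
SAMPLE_SHADOW = [
    "root:$6$saltsalt$placeholderhash:14549:0:99999:7:::",
    "legacy:$1$saltsalt$placeholderhash:14549:0:99999:7:::",
    "daemon:*:14549:0:99999:7:::",
    "guest::14549:0:99999:7:::",
]

def audit(lines):
    """Flag entries a template builder would want fixed before shipping the image."""
    findings = {}
    for e in map(parse_shadow_line, lines):
        if e["scheme"] == "empty" and not e["locked"]:
            findings[e["user"]] = "passwordless login"
        elif e["scheme"] in ("md5", "descrypt"):
            findings[e["user"]] = "weak legacy scheme " + e["scheme"]
    return findings
```

Running audit() over a template's real /etc/shadow shows which of the variants Kir lists the image actually uses, and so whether a hash written by a postcreate script would even match the scheme PAM expects there.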
