[Users] create CT with password
Dietmar Maurer
dietmar at proxmox.com
Tue Nov 11 02:03:35 EST 2008
> The only problem is the solution is not generic. In other words, we
> can't know how different distros handle local users. It used to be
> crypt(3) and /etc/passwd (later /etc/shadow) manipulation. Now everybody
> uses PAM which can be configured in this or that way. For example, new
> passwords are checked (by pam_cracklib) for minimum length etc. (see
> pam_cracklib(8) for much more details). Also they could be stored in
> different ways (this applies to both storage and hashes), say use (or
> not use) /etc/shadow, md5 or sha256 hash or even NIS (see pam_unix(8)
> for more details).
I just thought my approach works in 99,99% of all cases, but maybe I am wrong.
> Because of the above, the only reliable way is to run passwd --stdin
> inside the container (somewhat less generic (?) and more low-level way
> is to call pam_chauthtok(3) function from C code -- this is what I
> assume passwd does). Using 'passwd' is the only way to make sure we are
> doing what we should, not ignoring local configuration, not
> circumventing any local restrictions etc. Unfortunately we need to start
> the VE in order to run passwd (just chroot()'ing is not secure enough).
>
> So, what if you approach the problem in a different way? Is it possible
> that you run 'vzctl set --userpasswd' *after* VE start?
And save the password in plaintext somewhere? (we do not want to start the
VM on create).
There is another problem with your suggestion. Assume we do:
    vzctl start
    vzctl set --userpasswd
    vzctl stop
Unfortunately the stop will abort any initialization tasks which are
running in background (mysql database initialization for example).
Maybe we can generate an init script (stored inside the VE) which sets
the password?
- Dietmar
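
One way the init-script idea in the message above could look, as an added example that is not code from this thread or from vzctl: the host writes a one-shot script holding only a crypt(3) hash, never the plaintext, into the stopped container's root. The function name, the script path and the sample values are hypothetical; it assumes the container ships chpasswd from the shadow utilities, and because it applies a ready-made hash, in-container PAM checks such as pam_cracklib are not run. Hooking the script into the container's boot sequence is distro-specific and left out.

```shell
#!/bin/sh
# Added example (not from the thread): generate a one-shot first-boot script
# inside a stopped container's root filesystem.
#
# gen_pw_init VE_ROOT USER HASH
#   VE_ROOT  path to the container's private root on the host (assumption)
#   HASH     crypt(3) string already computed on the host, e.g. $6$salt$...
gen_pw_init() {
    ve_root=$1 user=$2 hash=$3

    # Both values are embedded in a generated shell script, so refuse
    # anything that could break out of the single quotes used there.
    case $user in
        ''|*[!a-z0-9_-]*) echo "bad user name" >&2; return 1 ;;
    esac
    case $hash in
        ''|*[!A-Za-z0-9./\$]*) echo "bad character in hash" >&2; return 1 ;;
    esac
    case $hash in
        \$*) ;;
        *) echo "hash is not in \$id\$salt\$hash form" >&2; return 1 ;;
    esac

    out=$ve_root/etc/setpw-firstboot.sh    # hypothetical location
    mkdir -p "$ve_root/etc" || return 1
    (
        umask 077    # the hash is sensitive: root-only from creation on
        cat > "$out" <<EOF
#!/bin/sh
# One-shot: apply the pre-hashed password, then remove this script.
printf '%s:%s\n' '$user' '$hash' | chpasswd -e && rm -f "\$0"
EOF
    ) || return 1
    chmod 700 "$out"
    printf '%s\n' "$out"    # report where the script was written
}
```

The script removes itself only if chpasswd succeeds, so a failed run leaves it in place for the next boot instead of silently leaving the account without the intended password.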