REDROOM

Navigation

Breadcrumbs

/ / lib / python3.6 / site-packages / cloudinit / config

Create

Create File | Create Folder | Upload Files | Run Command

Preview: cc_set_passwords.py Size: 10.97 KB

/lib/python3.6/site-packages/cloudinit/config/cc_set_passwords.py

# Copyright (C) 2009-2010 Canonical Ltd.
# Copyright (C) 2012, 2013 Hewlett-Packard Development Company, L.P.
#
# Author: Scott Moser <scott.moser@canonical.com>
# Author: Juerg Haefliger <juerg.haefliger@hp.com>
#
# This file is part of cloud-init. See LICENSE file for license information.
"""Set Passwords: Set user passwords and enable/disable SSH password auth"""

import logging
import re
from string import ascii_letters, digits
from textwrap import dedent
from typing import List

from cloudinit import features, subp, util
from cloudinit.cloud import Cloud
from cloudinit.config import Config
from cloudinit.config.schema import MetaSchema, get_meta_doc
from cloudinit.distros import ALL_DISTROS, Distro, ug_util
from cloudinit.settings import PER_INSTANCE
from cloudinit.ssh_util import update_ssh_config

MODULE_DESCRIPTION = """\
This module consumes three top-level config keys: ``ssh_pwauth``, ``chpasswd``
and ``password``.

The ``ssh_pwauth`` config key determines whether or not sshd will be configured
to accept password authentication.

The ``chpasswd`` config key accepts a dictionary containing either or both of
``users`` and ``expire``. The ``users`` key is used to assign a password to a
corresponding pre-existing user. The ``expire`` key is used to set
whether to expire all user passwords specified by this module,
such that a password will need to be reset on the user's next login.

.. note::
    Prior to cloud-init 22.3, the ``expire`` key only applies to plain text
    (including ``RANDOM``) passwords. Post 22.3, the ``expire`` key applies to
    both plain text and hashed passwords.

``password`` config key is used to set the default user's password. It is
ignored if the ``chpasswd`` ``users`` is used. Note: the ``list`` keyword is
deprecated in favor of ``users``.
"""

meta: MetaSchema = {
    "id": "cc_set_passwords",
    "name": "Set Passwords",
    "title": "Set user passwords and enable/disable SSH password auth",
    "description": MODULE_DESCRIPTION,
    "distros": [ALL_DISTROS],
    "frequency": PER_INSTANCE,
    "examples": [
        dedent(
            """\
            # Set a default password that would need to be changed
            # at first login
            ssh_pwauth: true
            password: password1
            """
        ),
        dedent(
            """\
            # Disable ssh password authentication
            # Don't require users to change their passwords on next login
            # Set the password for user1 to be 'password1' (OS does hashing)
            # Set the password for user2 to a pre-hashed password
            # Set the password for user3 to be a randomly generated password,
            #   which will be written to the system console
            ssh_pwauth: false
            chpasswd:
              expire: false
              users:
                - name: user1
                  password: password1
                  type: text
                - name: user2
                  password: $6$rounds=4096$5DJ8a9WMTEzIo5J4$Yms6imfeBvf3Yfu84mQBerh18l7OR1Wm1BJXZqFSpJ6BVas0AYJqIjP7czkOaAZHZi1kxQ5Y1IhgWN8K9NgxR1
                - name: user3
                  type: RANDOM
            """  # noqa
        ),
    ],
    "activate_by_schema_keys": [],
}

__doc__ = get_meta_doc(meta)

LOG = logging.getLogger(__name__)

# We are removing certain 'painful' letters/numbers
PW_SET = "".join([x for x in ascii_letters + digits if x not in "loLOI01"])


def get_users_by_type(users_list: list, pw_type: str) -> list:
    """either password or type: RANDOM is required, user is always required"""
    return (
        []
        if not users_list
        else [
            (item["name"], item.get("password", "RANDOM"))
            for item in users_list
            if item.get("type", "hash") == pw_type
        ]
    )


def _restart_ssh_daemon(distro, service):
    try:
        distro.manage_service("restart", service)
        LOG.debug("Restarted the SSH daemon.")
    except subp.ProcessExecutionError as e:
        LOG.warning(
            "'ssh_pwauth' configuration may not be applied. Cloud-init was "
            "unable to restart SSH daemon due to error: '%s'",
            e,
        )


def handle_ssh_pwauth(pw_auth, distro: Distro):
    """Apply sshd PasswordAuthentication changes.

    @param pw_auth: config setting from 'pw_auth'.
                    Best given as True, False, or "unchanged".
    @param distro: an instance of the distro class for the target distribution

    @return: None"""
    service = distro.get_option("ssh_svcname", "ssh")

    cfg_name = "PasswordAuthentication"

    if isinstance(pw_auth, str):
        util.deprecate(
            deprecated="Using a string value for the 'ssh_pwauth' key",
            deprecated_version="22.2",
            extra_message="Use a boolean value with 'ssh_pwauth'.",
        )
    if util.is_true(pw_auth):
        cfg_val = "yes"
    elif util.is_false(pw_auth):
        cfg_val = "no"
    else:
        bmsg = f"Leaving SSH config '{cfg_name}' unchanged."
        if pw_auth is None or pw_auth.lower() == "unchanged":
            LOG.debug("%s ssh_pwauth=%s", bmsg, pw_auth)
        else:
            LOG.warning("%s Unrecognized value: ssh_pwauth=%s", bmsg, pw_auth)
        return

    updated = update_ssh_config({cfg_name: cfg_val})
    if not updated:
        LOG.debug("No need to restart SSH service, %s not updated.", cfg_name)
        return

    if distro.uses_systemd():
        state = subp.subp(
            [
                "systemctl",
                "show",
                "--property",
                "ActiveState",
                "--value",
                service,
            ]
        ).stdout.strip()
        if state.lower() in ["active", "activating", "reloading"]:
            _restart_ssh_daemon(distro, service)
    else:
        _restart_ssh_daemon(distro, service)


def handle(name: str, cfg: Config, cloud: Cloud, args: list) -> None:
    distro: Distro = cloud.distro
    if args:
        # if run from command line, and give args, wipe the chpasswd['list']
        password = args[0]
        if "chpasswd" in cfg and "list" in cfg["chpasswd"]:
            del cfg["chpasswd"]["list"]
    else:
        password = util.get_cfg_option_str(cfg, "password", None)

    expire = True
    plist: List = []
    users_list: List = []

    if "chpasswd" in cfg:
        chfg = cfg["chpasswd"]
        users_list = util.get_cfg_option_list(chfg, "users", default=[])
        if "list" in chfg and chfg["list"]:
            util.deprecate(
                deprecated="Config key 'lists'",
                deprecated_version="22.3",
                extra_message="Use 'users' instead.",
            )
            if isinstance(chfg["list"], list):
                LOG.debug("Handling input for chpasswd as list.")
                plist = util.get_cfg_option_list(chfg, "list", plist)
            else:
                util.deprecate(
                    deprecated="The chpasswd multiline string",
                    deprecated_version="22.2",
                    extra_message="Use string type instead.",
                )
                LOG.debug("Handling input for chpasswd as multiline string.")
                multiline = util.get_cfg_option_str(chfg, "list")
                if multiline:
                    plist = multiline.splitlines()

        expire = util.get_cfg_option_bool(chfg, "expire", expire)

    if not (users_list or plist) and password:
        (users, _groups) = ug_util.normalize_users_groups(cfg, distro)
        (user, _user_config) = ug_util.extract_default(users)
        if user:
            plist = ["%s:%s" % (user, password)]
        else:
            LOG.warning("No default or defined user to change password for.")

    errors = []
    if plist or users_list:
        # This section is for parsing the data that arrives in the form of
        #   chpasswd:
        #     users:
        plist_in = get_users_by_type(users_list, "text")
        users = [user for user, _ in plist_in]
        hashed_plist_in = get_users_by_type(users_list, "hash")
        hashed_users = [user for user, _ in hashed_plist_in]
        randlist = []
        for user, _ in get_users_by_type(users_list, "RANDOM"):
            password = rand_user_password()
            users.append(user)
            plist_in.append((user, password))
            randlist.append(f"{user}:{password}")

        # This for loop is for parsing the data that arrives in the deprecated
        # form of
        #   chpasswd:
        #     list:
        # N.B. This regex is included in the documentation (i.e. the schema
        # docstring), so any changes to it should be reflected there.
        prog = re.compile(r"\$(1|2a|2y|5|6)(\$.+){2}")
        for line in plist:
            u, p = line.split(":", 1)
            if prog.match(p) is not None and ":" not in p:
                hashed_plist_in.append((u, p))
                hashed_users.append(u)
            else:
                # in this else branch, we potentially change the password
                # hence, a deviation from .append(line)
                if p == "R" or p == "RANDOM":
                    p = rand_user_password()
                    randlist.append("%s:%s" % (u, p))
                plist_in.append((u, p))
                users.append(u)
        if users:
            try:
                LOG.debug("Changing password for %s:", users)
                distro.chpasswd(plist_in, hashed=False)
            except Exception as e:
                errors.append(e)
                util.logexc(
                    LOG, "Failed to set passwords with chpasswd for %s", users
                )

        if hashed_users:
            try:
                LOG.debug("Setting hashed password for %s:", hashed_users)
                distro.chpasswd(hashed_plist_in, hashed=True)
            except Exception as e:
                errors.append(e)
                util.logexc(
                    LOG,
                    "Failed to set hashed passwords with chpasswd for %s",
                    hashed_users,
                )

        if len(randlist):
            blurb = (
                "Set the following 'random' passwords\n",
                "\n".join(randlist),
            )
            util.multi_log(
                "%s\n%s\n" % blurb, stderr=False, fallback_to_stdout=False
            )

        if expire:
            users_to_expire = users
            if features.EXPIRE_APPLIES_TO_HASHED_USERS:
                users_to_expire += hashed_users
            expired_users = []
            for u in users_to_expire:
                try:
                    distro.expire_passwd(u)
                    expired_users.append(u)
                except Exception as e:
                    errors.append(e)
                    util.logexc(LOG, "Failed to set 'expire' for %s", u)
            if expired_users:
                LOG.debug("Expired passwords for: %s users", expired_users)

    handle_ssh_pwauth(cfg.get("ssh_pwauth"), distro)

    if len(errors):
        LOG.debug("%s errors occurred, re-raising the last one", len(errors))
        raise errors[-1]


def rand_user_password(pwlen=20):
    return util.rand_str(pwlen, select_from=PW_SET)

Directory Contents

Dirs: 2 × Files: 64

Sort:

Enable drag-to-move

Name	Size	Perms	Modified	Actions
schemas DIR	-	drwxr-xr-x	2026-01-24 23:01:14	Edit Download recursive recursive
__pycache__ DIR	-	drwxr-xr-x	2026-01-24 23:01:14	Edit Download recursive recursive
cc_ansible.py	8.69 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_apk_configure.py	5.66 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_apt_configure.py	41.99 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_apt_pipelining.py	2.71 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_bootcmd.py	2.85 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_byobu.py	3.65 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_ca_certs.py	9.13 KB	lrw-r--r--	2026-01-23 08:56:46	Edit Download recursive recursive
cc_chef.py	13.77 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_disable_ec2_metadata.py	2.03 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_disk_setup.py	32.36 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_fan.py	3.02 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_final_message.py	3.39 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_growpart.py	21.03 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_grub_dpkg.py	6.65 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_install_hotplug.py	3.81 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_keyboard.py	2.38 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_keys_to_console.py	3.61 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_landscape.py	5.31 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_locale.py	1.86 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_lxd.py	18.14 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_mcollective.py	6.10 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_migrator.py	3.49 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_mounts.py	19.71 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_ntp.py	20.84 KB	lrw-r--r--	2026-01-23 08:56:46	Edit Download recursive recursive
cc_package_update_upgrade_install.py	4.54 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_phone_home.py	5.48 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_power_state_change.py	7.41 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_puppet.py	14.10 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_reset_rmc.py	4.47 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_resizefs.py	10.73 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_resolv_conf.py	4.98 KB	lrw-r--r--	2026-01-23 08:56:46	Edit Download recursive recursive
cc_rh_subscription.py	16.97 KB	lrw-r--r--	2026-01-23 08:56:46	Edit Download recursive recursive
cc_rightscale_userdata.py	4.28 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_rsyslog.py	13.48 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_runcmd.py	2.90 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_salt_minion.py	5.88 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_scripts_per_boot.py	1.66 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_scripts_per_instance.py	1.81 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_scripts_per_once.py	1.76 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_scripts_user.py	1.85 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_scripts_vendor.py	2.29 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_seed_random.py	4.72 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_set_hostname.py	5.13 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_set_passwords.py	10.97 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_snap.py	6.30 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_spacewalk.py	3.43 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_ssh.py	14.86 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_ssh_authkey_fingerprints.py	4.22 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_ssh_import_id.py	6.12 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_timezone.py	1.46 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_ubuntu_advantage.py	17.00 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_ubuntu_autoinstall.py	4.50 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_ubuntu_drivers.py	4.56 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_update_etc_hosts.py	5.16 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_update_hostname.py	3.87 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_users_groups.py	8.57 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_wireguard.py	9.22 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_write_files.py	6.66 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_write_files_deferred.py	1.68 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_yum_add_repo.py	7.45 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
cc_zypper_add_repo.py	6.59 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
modules.py	11.74 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
schema.py	54.85 KB	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive
__init__.py	14 B	lrw-r--r--	2023-12-04 11:47:40	Edit Download recursive recursive