Red Hat SummitChapter 7. Configuring authentication by using cloud-init
To manage users, access rights, and passwords in a virtual machine (VM), you can use the cloud-init utility. You can create users, configure sudo access, set root passwords, and force password changes at first login.
-
Create and describe users in a
userssection. If you add theuserssection, you must also set the default user options in that section. You can modify the section to add more users to the initial system configuration, and also set additional user options. -
Configure a user as a
sudoerby adding asudoandgroupsentry to theuserssection. -
Configure the user data so that only you have a
rootuser access. -
Force
cloud-userto change thecloud-userpassword at the first login to reset the password. -
Set the
rootpassword by creating a user list.
Prerequisites
Depending on the requirements of your datasource, edit the
user-datafile or add the following directive to thecloud.cfg.ddirectory:NoteAll user directives include
#cloud-configat the top of the file so thatcloud-initrecognizes the file as containing user directives. When you include directives in thecloud.cfg.ddirectory, name the file*.cfg, and always include#cloud-configat the top of the file.
Procedure
To add users and user options:
By default, users are labeled as
unconfined_uif there is not anselinux-uservalue.NoteThis example places the user
user2into two groups:usersandwheel.Add or modify the
userssection to add users. For example:#cloud-config users: - default - name: user2 gecos: User N. Ame selinux-user: staff_u groups: users,wheel ssh_pwauth: True ssh_authorized_keys: - ssh-rsa AA..vz user@domain.com chpasswd: list: | root:password cloud-user:mypassword user2:mypassword2 expire: False-
If you want
cloud-userto be the default user created along with the other users you specify, ensure that you adddefaultas the first entry in the section. If it is not the first entry,cloud-useris not created.
To add a
sudouser to the users list:-
Add a
sudoentry and specify the user access. For example,sudo: ALL=(ALL) NOPASSWD:ALLallows a user unrestricted user access. Add a
groupsentry and specify the groups that include the user:#cloud-config users: - default - name: user2 gecos: User D. Two sudo: ["ALL=(ALL) NOPASSWD:ALL"] groups: wheel,adm,systemd-journal ssh_pwauth: True ssh_authorized_keys: - ssh-rsa AA...vz user@domain.com chpasswd: list: | root:password cloud-user:mypassword user2:mypassword2 expire: False
-
Add a
To configure an exclusive
rootaccess for a user:Create an entry for the user
rootin theuserssection by modifying thenameoption:users: - name: root chpasswd: list: | root:password expire: FalseOptional: Set up SSH keys for the
rootuser:users: - name: root ssh_pwauth: True ssh_authorized_keys: - ssh-rsa AA..vz user@domain.com
To change the default
cloud-inituser name, follow:Add the line
user: <username>, replacing <username> with the new default user name:#cloud-config user: username password: mypassword chpasswd: {expire: False} ssh_pwauth: True ssh_authorized_keys: - ssh-rsa AAA...SDvz user1@yourdomain.com - ssh-rsa AAB...QTuo user2@yourdomain.com
To reset a password for a new user:
Change the line
chpasswd: {expire: False}tochpasswd: {expire: True}:#cloud-config password: mypassword chpasswd: {expire: True} ssh_pwauth: True ssh_authorized_keys: - ssh-rsa AAA...SDvz user1@yourdomain.com - ssh-rsa AAB...QTuo user2@yourdomain.comNote-
This works to expire the password because
passwordandchpasswdoperate on the default user unless you indicate otherwise. -
This is a global setting. When you set
chpasswdtoTrue, all users you create need to change their passwords when they log in.
-
This works to expire the password because
To set a root password:
Create a user list in the
chpasswdsection:NoteWhite space is significant. Do not include white space before or after the colon in your user list. If you include white space, the password is set with a space in it.
#cloud-config ssh_pwauth: True ssh_authorized_keys: - ssh-rsa AAA...SDvz user1@yourdomain.com - ssh-rsa AAB...QTuo user2@yourdomain.com chpasswd: list: | root:myrootpassword cloud-user:mypassword expire: FalseNoteIf you use this method to set the user password, you must set all passwords in this section.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}