Chapter 7. Configuring authentication by using cloud-init


You can use the cloud-init utility to manage users, access rights, and passwords. Specifically, you can set up cloud-init to do any of the following in a VM:

  • Create and describe users in a users section. If you add the users section, you must also set the default user options in that section. You can modify the section to add more users to the initial system configuration, and also set additional user options.
  • Configure a user as a sudoer by adding a sudo and groups entry to the users section.
  • Configure the user data so that only you have root user access.
  • Force cloud-user to change its password at the first login.
  • Set the root password by creating a user list.

Prerequisites

  • Depending on the requirements of your datasource, edit the user-data file or add the following directive to the cloud.cfg.d directory:

    Note

    All user directives include #cloud-config at the top of the file so that cloud-init recognizes the file as containing user directives. When you include directives in the cloud.cfg.d directory, name the file *.cfg, and always include #cloud-config at the top of the file.

Procedure

  • To add users and user options:

    • Add or modify the users section to add users. For example:

      #cloud-config
      users:
        - default
        - name: user2
          gecos: User N. Ame
          selinux-user: staff_u
          groups: users,wheel
          ssh_pwauth: True
          ssh_authorized_keys:
            - ssh-rsa AA..vz user@domain.com
      chpasswd:
        list: |
          root:password
          cloud-user:mypassword
          user2:mypassword2
        expire: False
    • If you want cloud-user to be the default user created along with the other users you specify, ensure that you add default as the first entry in the section. If it is not the first entry, cloud-user is not created.
    • By default, users are labeled as unconfined_u if no selinux-user value is set.

      Note

      This example places the user user2 into two groups: users and wheel.

  • To add a sudo user to the users list:

    • Add a sudo entry and specify the user access. For example, sudo: ALL=(ALL) NOPASSWD:ALL gives the user unrestricted sudo access without prompting for a password.
    • Add a groups entry and specify the groups that include the user:

      #cloud-config
      users:
        - default
        - name: user2
          gecos: User D. Two
          sudo: ["ALL=(ALL) NOPASSWD:ALL"]
          groups: wheel,adm,systemd-journal
          ssh_pwauth: True
          ssh_authorized_keys:
            - ssh-rsa AA...vz user@domain.com
      chpasswd:
        list: |
          root:password
          cloud-user:mypassword
          user2:mypassword2
        expire: False
  • To configure exclusive root access for a user:

    • Create an entry for the user root in the users section by modifying the name option:

      #cloud-config
      users:
        - name: root
      chpasswd:
        list: |
          root:password
        expire: False
    • Optional: Set up SSH keys for the root user:

      #cloud-config
      users:
        - name: root
          ssh_pwauth: True
          ssh_authorized_keys:
            - ssh-rsa AA..vz user@domain.com
  • To change the default cloud-init user name:

    • Add the line user: <username>, replacing <username> with the new default user name:

      #cloud-config
      user: username
      password: mypassword
      chpasswd: {expire: False}
      ssh_pwauth: True
      ssh_authorized_keys:
        - ssh-rsa AAA...SDvz user1@yourdomain.com
        - ssh-rsa AAB...QTuo user2@yourdomain.com
  • To reset a password for a new user:

    • Change the line chpasswd: {expire: False} to chpasswd: {expire: True}:

      #cloud-config
      password: mypassword
      chpasswd: {expire: True}
      ssh_pwauth: True
      ssh_authorized_keys:
        - ssh-rsa AAA...SDvz user1@yourdomain.com
        - ssh-rsa AAB...QTuo user2@yourdomain.com

      Note

      • This works to expire the password because password and chpasswd operate on the default user unless you indicate otherwise.
      • This is a global setting. When you set expire to True in chpasswd, all users you create need to change their passwords when they log in.
  • To set a root password:

    • Create a user list in the chpasswd section:

      Note

      White space is significant. Do not include white space before or after the colon in your user list. If you include white space, the password is set with a space in it.

      #cloud-config
      ssh_pwauth: True
      ssh_authorized_keys:
        - ssh-rsa AAA...SDvz user1@yourdomain.com
        - ssh-rsa AAB...QTuo user2@yourdomain.com
      chpasswd:
        list: |
           root:myrootpassword
           cloud-user:mypassword
        expire: False

      Note

      If you use this method to set the user password, you must set all passwords in this section.
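
The header, ordering, and white-space rules in this procedure can be checked before a user-data file reaches a VM. The following Python check is an added example, not part of the Red Hat documentation or of cloud-init; the function names and the sample file are constructed for illustration, and the scan is line-based rather than a full YAML parser.

```python
import re

# Constructed sample: 'default' is not first, and one entry has a space after the colon.
SAMPLE = """\
#cloud-config
users:
  - name: user2
    groups: users,wheel
  - default
chpasswd:
  list: |
    root:myrootpassword
    cloud-user: mypassword
  expire: False
"""

def block_lines(text, key):
    """Return the indented lines under a top-level `key:` (line scan, not a YAML parser)."""
    out, inside = [], False
    for line in text.splitlines():
        if re.match(r"\S", line):  # any unindented line starts or ends a block
            inside = line.startswith(key + ":")
        elif inside and line.strip():
            out.append(line)
    return out

def audit(text):
    """Return findings for the header, users ordering, and chpasswd list rules."""
    findings = []
    if text.splitlines()[:1] != ["#cloud-config"]:
        findings.append("first line is not #cloud-config")
    users = [l.strip() for l in block_lines(text, "users") if l.lstrip().startswith("- ")]
    if "- default" in users and users[0] != "- default":
        findings.append("'default' is not the first users entry, so cloud-user is not created")
    list_indent = None
    for line in block_lines(text, "chpasswd"):
        indent = len(line) - len(line.lstrip())
        if re.match(r"\s*list:\s*\|", line):
            list_indent = indent  # entries are the lines indented deeper than this key
        elif list_indent is not None and indent > list_indent:
            user, _, password = line.lstrip().partition(":")
            if user != user.rstrip() or password != password.lstrip():
                findings.append(f"whitespace around the colon for {user.strip()!r}")
        else:
            list_indent = None
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

An empty result means the file passes these three checks only; it does not validate the rest of the configuration.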
