Bug#337011: installation-guide: Please document the new ways to preseed root and user passwords

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#337011: installation-guide: Please document the new ways to preseed root and user passwords
From: Christian Perrier <bubulle@debian.org>
Date: Wed, 02 Nov 2005 09:04:22 +0100
Message-id: <[🔎] 20051102080422.0275740A81A@cc-mykerinos.onera>
Reply-to: Christian Perrier <bubulle@debian.org>, 337011@bugs.debian.org

Package: installation-guide
Severity: normal
Tags: patch

The attached patch documents the password preseeding, including the "new"
ways to preseed passwords as of shadow 4.0.13-1, which is now in testing.

I'm not very used to the writing style of the Installation Guide. This is
why I did not commit the change immediately as it probably needs a review.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.13-1-686
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to fr_FR.UTF-8)

--- en/boot-new/modules/shadow.xml	2005-10-07 21:59:11.339037959 +0200
+++ en/boot-new/modules/shadow-new.xml	2005-11-02 08:13:06.791479900 +0100
@@ -65,5 +65,47 @@
 account, use the <command>adduser</command> command.
 
 </para>
+
   </sect3>
+  <sect3 id="password-preseeding">
+  <title>Preseeding passwords</title>
+
+<para>
+
+Both the root and the first created user passwords can be
+<emphasis>preseeded</emphasis> during automated installs (see <xref
+linkend="automatic-install"/>).
+</para>
+
+<para>
+The passwords can be preseeded in cleartext using the
+<classname>passwd/root-password</classname>,
+<classname>passwd/root-password-again</classname>,
+<classname>passwd/user-password</classname> and
+<classname>passwd/user-password-again</classname> values. Be aware
+that this is not completely security-proof as everyone with physical
+access to the preseed file will have the knowledge of these passwords.
+</para>
+
+<para condition="etch">
+The passwords can also be preseeded as MD5 <emphasis>hashes</emphasis>
+by using the <classname>passwd/root-password-crypted</classname> and
+<classname>passwd/user-password-crypted</classname> variables. Thihs
+method is considered slightly better in terms of security but not
+completely proof as well because physical access to a MD5 </para> hash
+allows for brute force attacks. Some people even consider this method
+can be less secure as it may give a false sense of security.
+</para>
+
+<para condition="etch">
+The <classname>passwd/root-password-crypted</classname> and
+<classname>passwd/user-password-crypted</classname> variables can be
+preseeded with "!" as value. In that case, the corresponding account
+is disabled. This may be convenient for the root account, provided of
+course that an alternate method is setup to allow administrative
+activities or root login (for instance by using SSH key
+authentication).
+</para>
+
+
  </sect2>

Reply to:

Follow-Ups:
- Bug#337011: installation-guide: Please document the new ways to preseed root and user passwords
  - From: Holger Levsen <debian@layer-acht.org>
- Bug#337011: installation-guide: Please document the new ways to preseed root and user passwords
  - From: Christian Perrier <bubulle@debian.org>
- Bug#337011: installation-guide: Please document the new ways to preseed root and user passwords
  - From: Frans Pop <aragorn@tiscali.nl>

Prev by Date: Bug#336877: debian-installer: does not add initrd line when configuring Fedora Core 3 dualboot
Next by Date: Re: GTK frontend updated in SVN
Previous by thread: Bug#337001: marked as done (Installation report)
Next by thread: Bug#337011: installation-guide: Please document the new ways to preseed root and user passwords
Index(es):
- Date
- Thread