
Bug#337011: installation-guide: Please document the new ways to preseed root and user passwords



New patch version, after Holger's remarks.


--- en/boot-new/modules/shadow.xml	2005-10-07 21:59:11.339037959 +0200
+++ en/boot-new/modules/shadow-new.xml	2005-11-02 18:26:12.427774809 +0100
@@ -16,7 +16,6 @@
 a time as possible.
 
 </para><para>
-
 Any password you create should contain at least 6 characters, and
 should contain both upper- and lower-case characters, as well as
 punctuation characters.  Take extra care when setting your root
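Review bot: the blank line dropped after `</para><para>` in this hunk is a whitespace-only change with no connection to documenting password preseeding. Leave the line alone or send the cleanup separately, so the patch for this bug touches only the new section.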
@@ -65,5 +64,47 @@
 account, use the <command>adduser</command> command.
 
 </para>
+
   </sect3>
+  <sect3 id="password-preseeding">
+  <title>Preseeding passwords</title>
+
+<para>
+
+Both the root and the first created user passwords can be
+<emphasis>preseeded</emphasis> during automated installs (see <xref
+linkend="automatic-install"/>).
+</para>
+
+<para>
+The passwords can be preseeded in cleartext using the
+<classname>passwd/root-password</classname>,
+<classname>passwd/root-password-again</classname>,
+<classname>passwd/user-password</classname> and
+<classname>passwd/user-password-again</classname> values. Be aware
+that this is not completely security-proof as everyone with physical
+access to the preseed file will have the knowledge of these passwords.
+</para>
+
+<para condition="etch">
+The passwords can also be preseeded as MD5 <emphasis>hashes</emphasis>
+by using the <classname>passwd/root-password-crypted</classname> and
+<classname>passwd/user-password-crypted</classname> variables. This
+method is considered slightly better in terms of security but it might
+also give a false sense of security because physical access to a MD5
+hash allows for brute force attacks.
+
+</para>
+
+<para condition="etch">
+The <classname>passwd/root-password-crypted</classname> and
+<classname>passwd/user-password-crypted</classname> variables can be
+preseeded with "!" as value. In that case, the corresponding account
+is disabled. This may be convenient for the root account, provided of
+course that an alternate method is setup to allow administrative
+activities or root login (for instance by using SSH key
+authentication).
+</para>
+
+
  </sect2>
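Review bot: the new `<sect3 id="password-preseeding">` is opened but never closed. The added lines run straight from the last `</para>` to the unchanged `</sect2>`, so the file will not be well-formed; add `</sect3>` after the final paragraph. Two wording points in the added text: "physical access to the preseed file" is narrower than the risk being described, since the cleartext password or the MD5 hash is exposed to anyone who can read the file, so "read access" would be more accurate in both paragraphs; and "is setup" should be "is set up". It would also help to say what the two `-again` values are for, as the text lists them without explaining that they exist alongside `passwd/root-password` and `passwd/user-password`.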