builder/sysprep: Allow 'random' as a password selector.

This chooses a random password.

builder/builder.ml

@@ -448,31 +448,19 @@ let main () =
    * Note 'None' means that we randomize the root password.
    *)
   let () =
-    let make_random_password () =
-      (* Get random characters from the set [A-Za-z0-9] with some
-       * homoglyphs removed.
-       *)
-      let chars =
-        "ABCDEFGHIJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz0123456789" in
-      Urandom.urandom_uniform 16 chars
-    in
-
-    let root_password =
-      match root_password with
-      | Some pw ->
-        msg (f_"Setting root password");
-        pw
-      | None ->
-        let pw = make_random_password () in
-        msg (f_"Random root password: %s [did you mean to use --root-password?]")
-          pw;
-        Password.Set_password pw in
-
     match g#inspect_get_type root with
     | "linux" ->
-      let h = Hashtbl.create 1 in
-      Hashtbl.replace h "root" root_password;
-      set_linux_passwords ~prog ?password_crypto g root h
+      let password_map = Hashtbl.create 1 in
+      let pw =
+        match root_password with
+        | Some pw ->
+          msg (f_"Setting root password");
+          pw
+        | None ->
+          msg (f_"Setting random root password [did you mean to use --root-password?]");
+          Password.Set_random_password in
+      Hashtbl.replace password_map "root" pw;
+      set_linux_passwords ~prog ?password_crypto g root password_map
     | _ ->
       eprintf (f_"%s: warning: root password could not be set for this type of guest\n%!") prog in
 

builder/virt-builder.pod

@@ -705,6 +705,13 @@ Set the root password to the literal string C<PASSWORD>.
 B<Note: this is not secure> since any user on the same machine can
 see the cleartext password using L<ps(1)>.
 
+=item B<--root-password> random
+
+Choose a random password, which is printed on stdout.  The password
+has approximately 120 bits of randomness.
+
+This is the default.
+
 =back
 
 =head3 Creating user accounts

mllib/password.ml

@@ -17,14 +17,24 @@
  *)
 
 open Common_gettext.Gettext
+open Common_utils
 open Printf
 
 type password_crypto = [`MD5 | `SHA256 | `SHA512 ]
 
-type password_selector = Set_password of string
+type password_selector =
+| Set_password of string
+| Set_random_password
 
 type password_map = (string, password_selector) Hashtbl.t
 
+let make_random_password =
+  (* Get random characters from the set [A-Za-z0-9] with some
+   * homoglyphs removed.
+   *)
+  let chars = "ABCDEFGHIJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz0123456789" in
+  fun () -> Urandom.urandom_uniform 16 chars
+
 let password_crypto_of_string ~prog = function
   | "md5" -> `MD5
   | "sha256" -> `SHA256
@@ -35,20 +45,12 @@ let password_crypto_of_string ~prog = function
     exit 1
 
 let rec parse_selector ~prog arg =
-  let i =
-    try String.index arg ':'
-    with Not_found ->
-      eprintf (f_"%s: invalid password format; see the man page.\n") prog;
-      exit 1 in
-  let key, value =
-    let len = String.length arg in
-    String.sub arg 0 i, String.sub arg (i+1) (len-(i+1)) in
-
-  match key with
-  | "file" -> Set_password (read_password_from_file value)
-  | "password" -> Set_password value
+  match string_nsplit ":" arg with
+  | [ "file"; filename ] -> Set_password (read_password_from_file filename)
+  | "password" :: password -> Set_password (String.concat ":" password)
+  | [ "random" ] -> Set_random_password
   | _ ->
-    eprintf (f_"%s: password format, \"%s:...\" is not recognized; see the man page.\n") prog key;
+    eprintf (f_"%s: invalid password selector '%s'; see the man page.\n") prog arg;
     exit 1
 
 and read_password_from_file filename =
@@ -83,9 +85,15 @@ let rec set_linux_passwords ~prog ?password_crypto g root passwords =
           let selector = Hashtbl.find passwords user in
           let j = String.index_from line (i+1) ':' in
           let rest = String.sub line j (String.length line - j) in
-          match selector with
-          | Set_password password ->
-            user ^ ":" ^ encrypt password crypto ^ rest
+          let pwfield =
+            match selector with
+            | Set_password password -> encrypt password crypto
+            | Set_random_password ->
+              let password = make_random_password () in
+              printf (f_"Setting random password of %s to %s\n%!")
+                user password;
+              encrypt password crypto in
+          user ^ ":" ^ pwfield ^ rest
         with Not_found -> line
     ) shadow in
 

mllib/password.mli

@@ -21,7 +21,9 @@ type password_crypto = [ `MD5 | `SHA256 | `SHA512 ]
 val password_crypto_of_string : prog:string -> string -> password_crypto
 (** Parse --password-crypto parameter on command line. *)
 
-type password_selector = Set_password of string
+type password_selector =
+| Set_password of string
+| Set_random_password
 
 val parse_selector : prog:string -> string -> password_selector
 (** Parse the selector field in --password/--root-password.  Note this

sysprep/sysprep_operation_password.ml

@@ -136,6 +136,13 @@ Set the password to the literal string C<PASSWORD>.
 B<Note: this is not secure> since any user on the same machine
 can see the cleartext password using L<ps(1)>.
 
+=item B<--password USERNAME:random>
+
+=item B<--root-password random>
+
+Choose a random password, which is printed on stdout.  The password
+has approximately 120 bits of randomness.
+
 =back"
       };