mirrors/libguestfs
1
0
Fork 0
mirror of https://github.com/libguestfs/libguestfs.git synced 2026-03-22 07:03:38 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
e8a092ae87ea9d317107b4e091e15f9673b55a76
libguestfs/sysprep/sysprep_operation_password.ml
Richard W.M. Jones e8a092ae87 sysprep: Refactor password handling code into a common library. 
Also the crypt binding is moved to mllib because this is a dependency
of the password library.

This is just code motion.
2013-10-03 21:42:04 +01:00

174 lines
5.2 KiB
OCaml
Raw Blame History

(* virt-sysprep
* Copyright (C) 2013 Red Hat Inc.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*)
open Printf
open Sysprep_operation
open Common_gettext.Gettext
open Password
module G = Guestfs
let passwords = Hashtbl.create 13
let rec set_root_password arg =
set_password "root" arg
and set_user_password arg =
let i =
try String.index arg ':'
with Not_found ->
eprintf (f_"virt-sysprep: password: invalid --password format; see the man page.\n");
exit 1 in
let len = String.length arg in
set_password (String.sub arg 0 i) (String.sub arg (i+1) (len-(i+1)))
and set_password user arg =
let pw = get_password ~prog arg in
if Hashtbl.mem passwords user then (
eprintf (f_"virt-sysprep: password: multiple --root-password/--password options set the password for user '%s' twice.\n") user;
exit 1
);
Hashtbl.replace passwords user pw
let password_crypto : password_crypto option ref = ref None
let set_password_crypto arg =
password_crypto := Some (password_crypto_of_string ~prog arg)
let password_perform g root =
if Hashtbl.length passwords > 0 then (
let typ = g#inspect_get_type root in
match typ with
| "linux" ->
let password_crypto = !password_crypto in
set_linux_passwords ~prog ?password_crypto g root passwords;
[ `Created_files ]
| _ ->
eprintf (f_"virt-sysprep: cannot set passwords for %s guests.\n") typ;
exit 1
)
else []
let op = {
defaults with
name = "password";
(* enabled_by_default because we only do anything if the
* --password or --root-password parameter is used.
*)
enabled_by_default = true;
heading = s_"Set root or user password";
pod_description = Some (s_"\
Set root or another user's password.
Use the I<--root-password> option to specify a replacement root
password for the guest. You can only use this option once.
Use the I<--password> option to specify replacement user password(s).
You can use this option as many times as you want.
Use I<--password-crypto> to change the password encryption used.
See L</OPTIONS> above for details of these options.
This operation is enabled by default, but it only does something
if there is at least one I<--root-password> or I<--password>
argument given.");
pod_notes = Some (s_"\
Currently this only works for glibc-based Linux guests that
use shadow passwords.");
extra_args = [
("--root-password", Arg.String set_root_password,
s_"..." ^ " " ^ s_"set root password (see man page)"),
s_"\
Set the root password. The following formats may be used
for this option:
=over 4
=item B<--root-password file:FILENAME>
Read the root password from C<FILENAME>. The whole
first line of this file is the replacement password.
Any other lines are ignored. You should create the file
with mode 0600 to ensure no one else can read it.
=item B<--root-password password:PASSWORD>
Set the root password to the literal string C<PASSWORD>.
B<Note: this is not secure> since any user on the same machine
can see the cleartext password using L<ps(1)>.
=back";
("--password", Arg.String set_user_password,
s_"..." ^ " " ^ s_"set user password (see man page)"),
s_"\
Set a user password. The user must exist already (this option
does I<not> create users). The following formats may be used
for this option:
=over 4
=item B<--password USERNAME:file:FILENAME>
Change the password for C<USERNAME>.
Read the password from C<FILENAME>. The whole
first line of this file is the replacement password.
Any other lines are ignored. You should create the file
with mode 0600 to ensure no one else can read it.
=item B<--password USERNAME:password:PASSWORD>
Change the password for C<USERNAME>.
Set the password to the literal string C<PASSWORD>.
B<Note: this is not secure> since any user on the same machine
can see the cleartext password using L<ps(1)>.
=back";
("--password-crypto", Arg.String set_password_crypto,
s_"md5|sha256|sha512" ^ " " ^ s_"set password crypto"),
s_"\
Set the password encryption to C<md5>, C<sha256> or C<sha512>.
C<sha256> and C<sha512> require glibc E<ge> 2.7
(check L<crypt(3)> inside the guest).
C<md5> will work with relatively old Linux guests (eg. RHEL 3), but
is not secure against modern attacks.
The default is C<sha512> unless libguestfs detects an old guest
that didn't have support for SHA-512, in which case it will use C<md5>.
You can override libguestfs by specifying this option.";
];
perform_on_filesystems = Some password_perform;
}
let () = register_operation op
Reference in New Issue View Git Blame Copy Permalink