Avoiding the need to set user passwords for 'guix system vm-image'

Avoiding the need to set user passwords for 'guix system vm-image'

[George myglc2 Clemmer]

How do I avoid the need to set user passwords for vm-images created with
'guix system vm-image'?

Is there a way to pre-populate user accounts with public keys?

Or is there some other cool thing I  missed?

A sample config sure would be appreciated ;-)

TIA - George

Re: Avoiding the need to set user passwords for 'guix system vm-image'

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 1745 bytes --]

On Wed, Jan 31, 2018 at 08:41:44PM -0500, George myglc2 Clemmer wrote:
> How do I avoid the need to set user passwords for vm-images created with
> 'guix system vm-image'?

It's possible to put the encrypted user passwords in the GuixSD configuration file:

"password (default: #f)

    You would normally leave this field to #f, initialize user passwords
    as root with the passwd command, and then let users change it with
    passwd. Passwords set with passwd are of course preserved across
    reboot and reconfiguration.

    If you do want to have a preset password for an account, then this
    field must contain the encrypted password, as a string. See crypt in
    The GNU C Library Reference Manual, for more information on password
    encryption, and Encryption in GNU Guile Reference Manual, for
    information on Guile’s crypt procedure."

https://www.gnu.org/software/guix/manual/html_node/User-Accounts.html#User-Accounts

> Is there a way to pre-populate user accounts with public keys?

And, at least with the OpenSSH service, to include the public keys:

(service openssh-service-type
         (openssh-configuration
           (x11-forwarding? #t)
           (permit-root-login 'without-password)
           (authorized-keys
             `(("alice" ,(local-file "alice.pub"))
               ("bob" ,(local-file "bob.pub"))))))

I haven't tried it, but I think it should be possible to pass the public
key as a string instead of using local-file if necessary.

https://www.gnu.org/software/guix/manual/html_node/Networking-Services.html#index-openssh_002dservice_002dtype

> A sample config sure would be appreciated ;-)

Sorry, I've never tried either of these things before :)

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: Avoiding the need to set user passwords for 'guix system vm-image'

[Hartmut Goebel]

Am 01.02.2018 um 02:41 schrieb George myglc2 Clemmer:
> Is there a way to pre-populate user accounts with public keys?

Yes, there is: Just search the manual for "authorized-keys" to find the
documentation.

You may also want to have a look at the real-world examples
<http://git.savannah.gnu.org/cgit/guix/maintenance.git/tree/hydra/berlin-new.scm>
and
<http://git.savannah.gnu.org/cgit/guix/maintenance.git/tree/hydra/modules/sysadmin/people.scm>.

-- 
Regards
Hartmut Goebel

| Hartmut Goebel          | h.goebel@crazy-compilers.com               |
| www.crazy-compilers.com | compilers which you thought are impossible |

Re: Avoiding the need to set user passwords for 'guix system vm-image'

[myglc2]

On 02/01/2018 at 15:23 Leo Famulari writes:

> On Wed, Jan 31, 2018 at 08:41:44PM -0500, George myglc2 Clemmer wrote:
>> How do I avoid the need to set user passwords for vm-images created with
>> 'guix system vm-image'?
>
> It's possible to put the encrypted user passwords in the GuixSD configuration file:
>
> "password (default: #f)
>
>     You would normally leave this field to #f, initialize user passwords
>     as root with the passwd command, and then let users change it with
>     passwd. Passwords set with passwd are of course preserved across
>     reboot and reconfiguration.
>
>     If you do want to have a preset password for an account, then this
>     field must contain the encrypted password, as a string. See crypt in
>     The GNU C Library Reference Manual, for more information on password
>     encryption, and Encryption in GNU Guile Reference Manual, for
>     information on Guile’s crypt procedure."
>
> https://www.gnu.org/software/guix/manual/html_node/User-Accounts.html#User-Accounts
>
>> Is there a way to pre-populate user accounts with public keys?
>
> And, at least with the OpenSSH service, to include the public keys:
>
> (service openssh-service-type
>          (openssh-configuration
>            (x11-forwarding? #t)
>            (permit-root-login 'without-password)
>            (authorized-keys
>              `(("alice" ,(local-file "alice.pub"))
>                ("bob" ,(local-file "bob.pub"))))))
>
> I haven't tried it, but I think it should be possible to pass the public
> key as a string instead of using local-file if necessary.
>
> https://www.gnu.org/software/guix/manual/html_node/Networking-Services.html#index-openssh_002dservice_002dtype
>
>> A sample config sure would be appreciated ;-)
>
> Sorry, I've never tried either of these things before :)

Many thanks. Duh! dunno how I missed that in the doc ;-)  - George

Re: Avoiding the need to set user passwords for 'guix system vm-image'

[myglc2]

On 02/01/2018 at 21:41 Hartmut Goebel writes:

> Am 01.02.2018 um 02:41 schrieb George myglc2 Clemmer:
>> Is there a way to pre-populate user accounts with public keys?
>
> Yes, there is: Just search the manual for "authorized-keys" to find the
> documentation.
>
> You may also want to have a look at the real-world examples
> <http://git.savannah.gnu.org/cgit/guix/maintenance.git/tree/hydra/berlin-new.scm>
> and
> <http://git.savannah.gnu.org/cgit/guix/maintenance.git/tree/hydra/modules/sysadmin/people.scm>.

Many thanks. Duh! dunno how I missed that in the doc ;-)  - George