coreos / ignition

First boot installer and configuration tool
https://coreos.github.io/ignition/
Apache License 2.0

Support expiring passwords on next login #1519

Open nhi-vanye opened 1 year ago

nhi-vanye commented 1 year ago

Feature Request

I'd like the ability to force the expiration of a user's password on first login (or other password policy)

My use case is to avoid baking into the install config a hard-coded password whose lifetime will leave a backdoor.

Environment

What hardware/cloud provider/hypervisor is being used to run Ignition?

bare metal on embedded (NUC-like) edge devices

prestist commented 1 year ago

@nhi-vanye I just wanted to ask if you had considered using authorized ssh keys? https://docs.fedoraproject.org/en-US/fedora-coreos/authentication/#_using_an_ssh_key

If so, could you try and explain why a password workflow is more suited to your needs?

nhi-vanye commented 1 year ago

Hi,

I have ssh authorised keys and expect them to be used normally, but I want a password to allow logging in via the console in case we're having networking issues.

Plus providing sudo access that isn't automatic.

I'm building an OS installer for automating the rollout of edge systems so I don't want to embed the password in the installer.

Nitrousoxide commented 1 year ago

Can't you just bake a one-off systemd service into the ignition to run the passwd expire command? I haven't tested this but

Example:

systemd:
  units:
    # expire the initial password once, on first boot
    - name: expire-initial-pass.service
      enabled: true
      contents: |
        [Unit]
        Description=Expire Initial Pass
        Before=boot-complete.target
        After=network-online.target
        Requires=network-online.target
        # the stamp file makes this unit a no-op on every later boot
        ConditionPathExists=!/var/lib/expire-initial-pass.stamp

        [Service]
        Type=oneshot
        RemainAfterExit=yes
        # force the 'core' user to set a new password at next login
        ExecStart=/bin/passwd -e core
        ExecStart=/bin/touch /var/lib/expire-initial-pass.stamp

        [Install]
        WantedBy=multi-user.target

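The unit above relies on `passwd -e core`, which sets the "last password change" field (the third colon-separated field) of the user's `/etc/shadow` entry to 0, so the next login demands a new password. The script below is an added example, not code from this issue or from the Ignition project: it emulates that edit on constructed shadow lines and provides a check an operator could run to verify that the forced change actually took effect on a device. The function names and the sample shadow data are my own; the hashes are placeholders.

```shell
#!/bin/sh
# Constructed sample /etc/shadow contents (placeholder hashes, not real ones).
# Field 3 is days since 1970-01-01 of the last password change; 0 means
# "must change at next login", which is exactly what `passwd -e USER` writes.
SAMPLE_SHADOW='root:!locked:19700:0:99999:7:::
core:$y$j9T$EXAMPLEHASHcore:0:0:99999:7:::
admin:$y$j9T$EXAMPLEHASHadmin:19800:0:99999:7:::'

# shadow_last_change USER SHADOW_DATA
# Prints USER's last-change field; exits 1 if USER has no entry.
shadow_last_change() {
    printf '%s\n' "$2" | awk -F: -v u="$1" \
        '$1 == u { print $3; found = 1 } END { exit !found }'
}

# password_change_forced USER SHADOW_DATA
# Exit 0 if USER must change password at next login, 1 otherwise
# (including when USER is absent from the data).
password_change_forced() {
    lc=$(shadow_last_change "$1" "$2") || return 1
    [ "$lc" = "0" ]
}

# expire_in_shadow USER SHADOW_DATA
# Prints SHADOW_DATA with USER's last-change field set to 0, i.e. the
# change `passwd -e USER` makes to /etc/shadow. Other users are untouched.
expire_in_shadow() {
    printf '%s\n' "$2" | awk -F: -v OFS=: -v u="$1" '$1 == u { $3 = 0 } { print }'
}

# audit_forced_changes SHADOW_DATA
# One verdict line per account, e.g. for a post-install check on a device
# (run against the real file with: audit_forced_changes "$(cat /etc/shadow)").
audit_forced_changes() {
    printf '%s\n' "$1" | cut -d: -f1 | while IFS= read -r u; do
        if password_change_forced "$u" "$1"; then
            echo "$u: password change forced at next login"
        else
            echo "$u: no forced change"
        fi
    done
}

audit_forced_changes "$SAMPLE_SHADOW"
```

In the sample, `core` already carries the value the unit would write, `admin` does not, and passing `admin` through `expire_in_shadow` produces a record the check then reports as forced. The stamp file in the unit only guarantees the command ran once; the shadow field is the thing to verify.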
prestist commented 1 year ago

@Nitrousoxide Yeah; I think that would also work just fine.