[pve-devel] [PATCH installer v2 0/6] auto-installer: add option for providing hashed root password

Theodor Fumics theodor.fumics at gmx.net
Tue Jul 16 15:48:51 CEST 2024


I have setup the new functionality according to the instructions from
[1] and [2], and tested various hashed and non-hashed passwords. The
only potential improvement would be to check if the provided hash is
valid because passing an invalid hash makes it rather impossible to
login after the installation. While it's not possible to fully verify
the validity of a hash, you could verify if it has the correct length
and only consists of hexadecimal characters (0-9, A-F).

Other than that it works great.


[1] https://wiki.intra.proxmox.com/index.php/Testing_Installer_Changes

[2] https://pve.proxmox.com/wiki/Automated_Installation

On 7/15/24 09:56, Christoph Heiss wrote:
> This series adds a new answer option `global.root_password_hashed`
> for the auto-installer, enabling administrators to specify the root
> password of the new installation in a hashed format - as generated by
> e.g. mkpasswd(1) - instead of plain-text.
>
> Administrators/users might want to avoid passing along a plain-text
> password with the different answer-fetching methods supported by the
> auto-installer, for obvious reasons.
>
> While this of course does not provide full security, sending a hashed
> password might still be preferred by administrators over plain text.
>
> Tested by installing using the GUI and TUI (to ensure no regressions
> can happen) and using the auto-installer, once with `root_password` set
> (again testing for potential regressions) and once with
> `global.root_password_hashed` set instead, testing the new
> functionality.
>
> First two patches are small cleanups and may be applied independently.
>
> v1: https://lists.proxmox.com/pipermail/pve-devel/2024-May/063949.html
>
> Notable changes v1 -> v2:
>    * rebased on latest master
>    * fixed rebase mistake
>    * merged previous patch #4/#5 for consistency across crates
>    * improved validation in auto-installer
>
> Christoph Heiss (6):
>    common: move `PasswordOptions` type to tui crate
>    tui-installer: remove `Debug` implementation for password options
>    low-level: change root password option to contain either plaintext or
>      hash
>    {auto,tui}-installer: adapt to new `root_password` plain/hashed setup
>      option
>    auto-installer: add new `global.root_password_hashed` answer option
>    auto-installer: add test for hashed root password option
>
>   Proxmox/Install.pm                            | 25 ++++++++++++++++---
>   Proxmox/Install/Config.pm                     | 20 ++++++++++++---
>   proxinstall                                   |  4 +--
>   proxmox-auto-installer/src/answer.rs          |  3 ++-
>   proxmox-auto-installer/src/utils.rs           | 21 ++++++++++++++--
>   .../resources/parse_answer/disk_match.json    |  2 +-
>   .../parse_answer/disk_match_all.json          |  2 +-
>   .../parse_answer/disk_match_any.json          |  2 +-
>   .../parse_answer/hashed_root_password.json    | 20 +++++++++++++++
>   .../parse_answer/hashed_root_password.toml    | 14 +++++++++++
>   .../tests/resources/parse_answer/minimal.json |  2 +-
>   .../resources/parse_answer/nic_matching.json  |  2 +-
>   .../resources/parse_answer/specific_nic.json  |  2 +-
>   .../tests/resources/parse_answer/zfs.json     |  2 +-
>   proxmox-installer-common/src/options.rs       | 15 -----------
>   proxmox-installer-common/src/setup.rs         | 12 +++++++--
>   proxmox-tui-installer/src/main.rs             |  4 +--
>   proxmox-tui-installer/src/options.rs          | 20 ++++++++++++---
>   proxmox-tui-installer/src/setup.rs            | 10 ++++++--
>   19 files changed, 140 insertions(+), 42 deletions(-)
>   create mode 100644 proxmox-auto-installer/tests/resources/parse_answer/hashed_root_password.json
>   create mode 100644 proxmox-auto-installer/tests/resources/parse_answer/hashed_root_password.toml
>



More information about the pve-devel mailing list