From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pve-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
	by lore.proxmox.com (Postfix) with ESMTPS id 210AE1FF15E
	for <inbox@lore.proxmox.com>; Mon,  1 Sep 2025 12:10:01 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id 1F74D2C924;
	Mon,  1 Sep 2025 12:10:12 +0200 (CEST)
Date: Mon, 01 Sep 2025 12:09:37 +0200
Message-Id: <DCHDR7UILE0I.13FUC3XYNRSPX@proxmox.com>
To: "Peter" <pjcreath+proxmox@gmail.com>
From: "Christoph Heiss" <c.heiss@proxmox.com>
Mime-Version: 1.0
X-Mailer: aerc 0.20.1
References: <20250829182603.46493-1-pjcreath+proxmox@gmail.com>
In-Reply-To: <20250829182603.46493-1-pjcreath+proxmox@gmail.com>
X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2
X-Bm-Transport-Timestamp: 1756721365675
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.037 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
Subject: Re: [pve-devel] [PATCH installer 1/1] assistant: validate: add
 verify-password option
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
Reply-To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Cc: pve-devel@lists.proxmox.com
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pve-devel-bounces@lists.proxmox.com
Sender: "pve-devel" <pve-devel-bounces@lists.proxmox.com>

On Fri Aug 29, 2025 at 8:26 PM CEST, Peter wrote:
> Adds an option to interactively verify the hashed root password in
> the answer file, so that mistakes can be caught before installation.

Sounds like a useful option to me!

>
> Signed-off-by: Peter <pjcreath+proxmox@gmail.com>
> ---
>
>  In preparing an answer file for auto-installation, I somehow mangled
>  the hashed root password, which I only discovered after performing
>  the automated installation.
>
>  This patch adds an option to the auto-install assistant that lets
>  the user verify the hash in the answer file by interactively typing
>  in the expected password and checking it against the hash.
>
>  I don't love that I had to add an unsafe call to crypt(), but there
>  isn't a Rust implementation of yescrypt. To minimize the impact
>  I wrapped the unsafe call in its own function.
>
>  This is my first submission to this mailing list. I've tried to
>  follow all of the guidelines in the developer documentation, so
>  please forgive any oversights and let me know if there's anything
>  I should do differently.

Did you sign our CLA [0]? Just to be sure we can accept it :)

[0] https://pve.proxmox.com/wiki/Developer_Documentation#Software_License_and_Copyright

>
>  proxmox-auto-install-assistant/Cargo.toml  |  2 +
>  proxmox-auto-install-assistant/src/main.rs | 51 +++++++++++++++++++++-
>  2 files changed, 52 insertions(+), 1 deletion(-)
>
> diff --git a/proxmox-auto-install-assistant/Cargo.toml b/proxmox-auto-install-assistant/Cargo.toml
> index 9b4a9c4..8af7d9d 100644
> --- a/proxmox-auto-install-assistant/Cargo.toml
> +++ b/proxmox-auto-install-assistant/Cargo.toml
> @@ -17,4 +17,6 @@ proxmox-installer-common = { workspace = true, features = [ "cli" ] }
>  serde_json.workspace = true
>  toml.workspace = true
>
> +crypt-sys = "0.1"

That crate is (currently) not packaged for Debian, so that would have to
be done first.

But fortunately we got that already properly & safely wrapped in our
`proxmox-sys` [1] crate, including a function for verifying passwords.
You can find it in proxmox-sys/src/crypt.rs, including some example
usages in the unit tests.

For the proxmox-sys crate you need to pull in our `devel` repository, as
described in [2].

[1] https://git.proxmox.com/?p=proxmox.git;a=tree;f=proxmox-sys
[2] https://pve.proxmox.com/wiki/Developer_Documentation#Development_Package_Repository

>  glob = "0.3"
> +rpassword = "7.2"

For this we also already got some functionality in our `proxmox-sys`
crate, see below for an example.

> diff --git a/proxmox-auto-install-assistant/src/main.rs b/proxmox-auto-install-assistant/src/main.rs
> index 5d6c1d5..88d0032 100644
> --- a/proxmox-auto-install-assistant/src/main.rs
> +++ b/proxmox-auto-install-assistant/src/main.rs
[..]
>
>  impl cli::Subcommand for CommandValidateAnswerArgs {
>      fn parse(args: &mut cli::Arguments) -> Result<Self> {
>          Ok(Self {
>              debug: args.contains(["-d", "--debug"]),
> +            verify_password: args.contains("--verify-password"),

This should probably throw an error if stdin (at least) is not connected
to an interactive terminal, this can be checked with:

  std::io::stdin().is_terminal()

Also, IMO the option should be named `--verify-root-password`, to make
its name a bit more precise.

>              // Needs to be last
>              path: args.free_from_str()?,
>          })
> @@ -176,6 +182,7 @@ ARGUMENTS:
>
>  OPTIONS:
>    -d, --debug        Also show the full answer as parsed.
> +      --verify-password  Interactively verify the hashed root password.
>    -h, --help         Print this help
>    -V, --version      Print version
>      "#,
> @@ -545,6 +552,42 @@ fn validate_answer_file_keys(path: impl AsRef<Path> + fmt::Debug) -> Result<bool
[..]
> +fn verify_hashed_password_interactive(answer: &Answer) -> Result<()> {
> +    if let Some(hashed) = &answer.global.root_password_hashed {
> +        println!("Verifying hashed root password.");
> +        let password = prompt_password("Enter root password to verify: ")
> +            .context("Failed to read password")?;

So this could be something like:

  use proxmox_sys::linux::tty;
  let password = tty::read_readpassword("Enter root password to verify: ")
      .context("Failed to read password")?;

> +
> +        if system_crypt(&password, hashed)? {
> +            println!("Password matches hashed password.");
> +            Ok(())
> +        } else {
> +            bail!("Password does not match hashed password.");
> +        }
> +    } else {
> +        bail!("'root-password-hashed' not set in answer file, cannot verify.");
> +    }
> +}


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel