From: Theodor Fumics via pve-devel <pve-devel@lists.proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
Christoph Heiss <c.heiss@proxmox.com>
Cc: Theodor Fumics <theodor.fumics@gmx.net>
Subject: Re: [pve-devel] [PATCH installer v2 0/6] auto-installer: add option for providing hashed root password
Date: Tue, 16 Jul 2024 15:48:51 +0200 [thread overview]
Message-ID: <mailman.559.1721284303.331.pve-devel@lists.proxmox.com> (raw)
In-Reply-To: <20240715075700.283532-1-c.heiss@proxmox.com>
[-- Attachment #1: Type: message/rfc822, Size: 8892 bytes --]
From: Theodor Fumics <theodor.fumics@gmx.net>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>, Christoph Heiss <c.heiss@proxmox.com>
Subject: Re: [pve-devel] [PATCH installer v2 0/6] auto-installer: add option for providing hashed root password
Date: Tue, 16 Jul 2024 15:48:51 +0200
Message-ID: <d34b72ff-9e55-4ca4-8a05-36aaaf07b692@gmx.net>
I have setup the new functionality according to the instructions from
[1] and [2], and tested various hashed and non-hashed passwords. The
only potential improvement would be to check if the provided hash is
valid because passing an invalid hash makes it rather impossible to
login after the installation. While it's not possible to fully verify
the validity of a hash, you could verify if it has the correct length
and only consists of hexadecimal characters (0-9, A-F).
Other than that it works great.
[1] https://wiki.intra.proxmox.com/index.php/Testing_Installer_Changes
[2] https://pve.proxmox.com/wiki/Automated_Installation
On 7/15/24 09:56, Christoph Heiss wrote:
> This series adds a new answer option `global.root_password_hashed`
> for the auto-installer, enabling administrators to specify the root
> password of the new installation in a hashed format - as generated by
> e.g. mkpasswd(1) - instead of plain-text.
>
> Administrators/users might want to avoid passing along a plain-text
> password with the different answer-fetching methods supported by the
> auto-installer, for obvious reasons.
>
> While this of course does not provide full security, sending a hashed
> password might still be preferred by administrators over plain text.
>
> Tested by installing using the GUI and TUI (to ensure no regressions
> can happen) and using the auto-installer, once with `root_password` set
> (again testing for potential regressions) and once with
> `global.root_password_hashed` set instead, testing the new
> functionality.
>
> First two patches are small cleanups and may be applied independently.
>
> v1: https://lists.proxmox.com/pipermail/pve-devel/2024-May/063949.html
>
> Notable changes v1 -> v2:
> * rebased on latest master
> * fixed rebase mistake
> * merged previous patch #4/#5 for consistency across crates
> * improved validation in auto-installer
>
> Christoph Heiss (6):
> common: move `PasswordOptions` type to tui crate
> tui-installer: remove `Debug` implementation for password options
> low-level: change root password option to contain either plaintext or
> hash
> {auto,tui}-installer: adapt to new `root_password` plain/hashed setup
> option
> auto-installer: add new `global.root_password_hashed` answer option
> auto-installer: add test for hashed root password option
>
> Proxmox/Install.pm | 25 ++++++++++++++++---
> Proxmox/Install/Config.pm | 20 ++++++++++++---
> proxinstall | 4 +--
> proxmox-auto-installer/src/answer.rs | 3 ++-
> proxmox-auto-installer/src/utils.rs | 21 ++++++++++++++--
> .../resources/parse_answer/disk_match.json | 2 +-
> .../parse_answer/disk_match_all.json | 2 +-
> .../parse_answer/disk_match_any.json | 2 +-
> .../parse_answer/hashed_root_password.json | 20 +++++++++++++++
> .../parse_answer/hashed_root_password.toml | 14 +++++++++++
> .../tests/resources/parse_answer/minimal.json | 2 +-
> .../resources/parse_answer/nic_matching.json | 2 +-
> .../resources/parse_answer/specific_nic.json | 2 +-
> .../tests/resources/parse_answer/zfs.json | 2 +-
> proxmox-installer-common/src/options.rs | 15 -----------
> proxmox-installer-common/src/setup.rs | 12 +++++++--
> proxmox-tui-installer/src/main.rs | 4 +--
> proxmox-tui-installer/src/options.rs | 20 ++++++++++++---
> proxmox-tui-installer/src/setup.rs | 10 ++++++--
> 19 files changed, 140 insertions(+), 42 deletions(-)
> create mode 100644 proxmox-auto-installer/tests/resources/parse_answer/hashed_root_password.json
> create mode 100644 proxmox-auto-installer/tests/resources/parse_answer/hashed_root_password.toml
>
[-- Attachment #2: Type: text/plain, Size: 160 bytes --]
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
next prev parent reply other threads:[~2024-07-18 6:31 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-15 7:56 Christoph Heiss
2024-07-15 7:56 ` [pve-devel] [PATCH installer v2 1/6] common: move `PasswordOptions` type to tui crate Christoph Heiss
2024-07-15 7:56 ` [pve-devel] [PATCH installer v2 2/6] tui-installer: remove `Debug` implementation for password options Christoph Heiss
2024-07-15 7:56 ` [pve-devel] [PATCH installer v2 3/6] low-level: change root password option to contain either plaintext or hash Christoph Heiss
2024-07-15 7:56 ` [pve-devel] [PATCH installer v2 4/6] {auto, tui}-installer: adapt to new `root_password` plain/hashed setup option Christoph Heiss
2024-07-15 7:56 ` [pve-devel] [PATCH installer v2 5/6] auto-installer: add new `global.root_password_hashed` answer option Christoph Heiss
2024-07-15 7:56 ` [pve-devel] [PATCH installer v2 6/6] auto-installer: add test for hashed root password option Christoph Heiss
2024-07-16 13:48 ` Theodor Fumics via pve-devel [this message]
2024-07-22 16:43 ` [pve-devel] applied-series: [PATCH installer v2 0/6] auto-installer: add option for providing hashed root password Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=mailman.559.1721284303.331.pve-devel@lists.proxmox.com \
--to=pve-devel@lists.proxmox.com \
--cc=c.heiss@proxmox.com \
--cc=theodor.fumics@gmx.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox