[Bug 1578369] Re: preseed user-password-crypted password cannot be used with d-i user-setup/encrypt-home boolean true option
Dimitri John Ledkov
launchpad at surgut.co.uk
Fri May 6 17:07:56 UTC 2016
I don't believe this is a bug.

By default user-setup/encrypt-home is set up using ecryptfs and uses the
user's plaintext password as the seed for the ecryptfs key generation.
That way the plaintext password is used in the pam stack to authenticate the
user against the shadow password, and used to derive the decryption key to
decrypt ecryptfs. Clearly the shadow salted password cannot be used to
derive/set up the ecryptfs encryption key, thus the two options are mutually
exclusive.

Using a plaintext password is imho bad, thus instead do the install with
a crypted password, and set up user-home encryption post-install using the
"ecryptfs-migrate-home" command http://blog.dustinkirkland.com/2011/02

Given the above deficiency, what would you expect from the installer?
Critical prompt - ecryptfs home was requested, but cannot be configured
due to missing plain text password?

You also report another bug too w.r.t. the make-user question. Not sure what
needs fixing there.
preseed user-password-crypted password cannot be used with
d-i user-setup/encrypt-home boolean true option
Status in preseed package in Ubuntu:
The following preseed values cannot be used together:

d-i preseed user-password-crypted password
d-i user-setup/encrypt-home boolean true option

I've tested deploying 14.04 and 16.04 using preseed and pxeboot.

If I configure a new user account to be created with a plain-text
password the installation completes properly.

If I configure a new user account to be created with an encrypted
password the installation screen either hangs if I also have set
'user-setup-udeb passwd/make-user boolean false' or if set
'user-setup-udeb passwd/make-user boolean true' then I'm prompted with 'You
entered an empty password, which is not allowed. Please choose a non-

I've also attempted adding 'd-i user-setup/allow-password-empty
boolean true' as I thought maybe preseed was stuck because I had not
defined a plain-text password, but the install screen just hangs with
this option included, and won't prompt for a password at all

d-i user-setup/encrypt-home boolean true
d-i passwd passwd/make-user boolean true
d-i user-setup-udeb passwd/make-user boolean true
d-i passwd/user-fullname string Steve D
d-i passwd/username string steved
d-i passwd/user-password-crypted password $5$aqzLdP2M$U8XWa/kOyN3KP8V1ieidmXRNmPaj4FM1axp8qMkgs83

I'm using The Foreman to orchestrate deployments, and I thought
perhaps the user-password-crypted value wasn't being received by the
client, but I also checked /var/lib/preseed/log on the client and the
correct value exists.

I'll also mention I've tried sha-512 hashed passwords as well as the
sha-256 hash shown above with the same result.

Client syslog does not generate any errors.

Lastly, I mention 'hang' a few times but this is in relation to the
installer screen. At no time is the client system unresponsive. I can
get another tty, check logs, etc.
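
An added example, not part of the original thread or of the installer's code: a pre-flight check for preseed templates that flags the combination discussed above (encrypt-home true with only a crypted password) and reports a plaintext password if one is present. The function names and sample preseed text are constructed for illustration; `passwd/user-password` is the plaintext counterpart of the crypted key and does not appear in the thread.

```python
# Added example: lint a preseed file for the user-setup conflict in this bug.
CRYPTED = "passwd/user-password-crypted"   # key from the bug report
PLAIN = "passwd/user-password"             # plaintext counterpart, not on the page
ENCRYPT_HOME = "user-setup/encrypt-home"   # key from the bug report


def parse_preseed(text):
    """Map question -> value for lines of the form 'owner question type [value]'."""
    answers = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        if len(parts) >= 3:
            answers[parts[1]] = parts[3] if len(parts) == 4 else ""
    return answers


def check_user_setup(text):
    """Return findings about password and home-encryption answers."""
    answers = parse_preseed(text)
    encrypt = answers.get(ENCRYPT_HOME, "").strip().lower() == "true"
    has_plain = bool(answers.get(PLAIN))
    has_crypted = bool(answers.get(CRYPTED))
    findings = []
    if encrypt and has_crypted and not has_plain:
        findings.append("conflict: encrypt-home is true but only a crypted "
                        "password is preseeded; ecryptfs setup needs the plaintext")
    if has_plain:
        findings.append("exposure: plaintext user password is stored in the preseed")
    return findings


# Constructed samples; the hash is a placeholder, not a real crypt(3) value.
CONFLICT = """\
d-i passwd/username string exampleuser
d-i passwd/user-password-crypted password $6$SALT$PLACEHOLDERHASH
d-i user-setup/encrypt-home boolean true
"""
# Layout suggested in the reply: crypted password, encrypt the home after install.
POST_INSTALL = CONFLICT.replace("encrypt-home boolean true",
                                "encrypt-home boolean false")

if __name__ == "__main__":
    for name, text in (("conflict", CONFLICT), ("post-install", POST_INSTALL)):
        print(name, check_user_setup(text) or "ok")
```

Run against rendered templates before deployment; a clean result for the second layout still leaves home encryption to be done after install with ecryptfs-migrate-home, as the reply suggests.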