[Bug 1578369] Re: preseed user-password-crypted password cannot be used with d-i user-setup/encrypt-home boolean true option

Dimitri John Ledkov launchpad at surgut.co.uk
Fri May 6 17:07:56 UTC 2016

I don't believe this is a bug.

By default user-setup/encrypt-home is set up using ecryptfs and uses the
user's plaintext password as the seed for the ecryptfs key generation.
That way the plaintext password is used in the PAM stack to authenticate
the user against the shadow password, and used to derive the decryption
key to decrypt ecryptfs. Clearly the salted shadow password cannot be
used to derive/set up the ecryptfs encryption key, thus the two options
are mutually exclusive.

Using a plaintext password is imho bad, thus instead do the install with
a crypted password, and set up user-home encryption post-install using
the "ecryptfs-migrate-home" command http://blog.dustinkirkland.com/2011/02

Given the above deficiency, what would you expect from the installer?
Critical prompt - ecryptfs home was requested, but cannot be configured
due to missing plain text password?

You also report another bug too w.r.t. the make-user question. Not sure
what needs fixing there.

  preseed user-password-crypted password cannot be used with d-i user-
  setup/encrypt-home boolean true option

Status in preseed package in Ubuntu:

Bug description:
  The following preseed values cannot be used together:
  d-i preseed user-password-crypted password
  d-i user-setup/encrypt-home boolean true option

  I've tested deploying 14.04 and 16.04 using preseed and pxeboot.

  If I configure a new user account to be created with a plain-text
  password the installation completes properly.

  If I configure a new user account to be created with an encrypted
  password the installation screen either hangs if I also have set
  'user-setup-udeb passwd/make-user boolean false' or if set 'user-
  setup-udeb passwd/make-user boolean true' then I'm prompted with 'You
  entered an empty password, which is not allowed. Please choose a non-
  empty password.'.

  I've also attempted adding 'd-i user-setup/allow-password-empty
  boolean true' as I thought maybe preseed was stuck because I had not
  defined a plain-text password, but the install screen just hangs with
  this option included, and won't prompt for a password at all.

  Relevant settings:

      d-i user-setup/encrypt-home boolean true

      d-i passwd passwd/make-user boolean true
      d-i user-setup-udeb passwd/make-user boolean true

      d-i passwd/user-fullname string Steve D
      d-i passwd/username string steved
      d-i passwd/user-password-crypted password $5$aqzLdP2M$U8XWa/kOyN3KP8V1ieidmXRNmPaj4FM1axp8qMkgs83

  I'm using The Foreman to orchestrate deployments, and I thought
  perhaps the user-password-crypted value wasn't being received by the
  client, but I also checked /var/lib/preseed/log on the client and the
  correct value exists.

  I'll also mention I've tried sha-512 hashed passwords as well as the
  sha-256 hash shown above with the same result.

  Client syslog does not generate any errors.

  Lastly, I mention 'hang' a few times but this is in relation to the
  installer screen. At no time is the client system unresponsive. I can
  get another tty, check logs, etc.

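An added example, not part of the original message or of the installer's code: a small Python check that flags the combination discussed in this report before a preseed template is deployed. It assumes the usual "owner question type value" preseed line layout with backslash line continuation; the function names, the sample input and the placeholder hash are constructed for illustration.

```python
import re

def parse_preseed(text):
    """Map each question name to (type, value); a later line overrides an earlier one."""
    answers = {}
    joined = re.sub(r"\\\n", " ", text)  # a trailing backslash continues the line
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 3)  # owner, question, type, value
        if len(fields) < 3:
            continue  # not a preseed answer line
        value = fields[3].strip() if len(fields) == 4 else ""
        answers[fields[1]] = (fields[2], value)
    return answers

def check_encrypt_home(text):
    """Return findings for the password / encrypt-home settings in a preseed file."""
    answers = parse_preseed(text)
    value = lambda q: answers.get(q, ("", ""))[1]
    encrypt = value("user-setup/encrypt-home").lower() == "true"
    crypted = bool(value("passwd/user-password-crypted"))
    plain = bool(value("passwd/user-password"))
    findings = []
    if encrypt and crypted and not plain:
        findings.append("conflict: encrypt-home needs the plaintext password to "
                        "derive the ecryptfs key; only a crypted hash is preseeded")
    if plain:
        findings.append("plaintext: passwd/user-password stores the cleartext "
                        "password in the preseed file")
    return findings

# Constructed sample modelled on the report's settings; the hash is a placeholder.
BAD = """\
d-i user-setup/encrypt-home boolean true
d-i passwd/username string steved
d-i passwd/user-password-crypted password \\
    $6$CONSTRUCTED$PLACEHOLDERHASH
"""
# Layout suggested in the reply: crypted password now, home encryption post-install.
GOOD = BAD.replace("encrypt-home boolean true", "encrypt-home boolean false")

if __name__ == "__main__":
    for name, sample in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, check_encrypt_home(sample) or "ok")
```

With the GOOD layout, home encryption is then set up after installation with ecryptfs-migrate-home, as the reply suggests.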