Authentication, Users and Groups

Default Users and credentials

There are no default interactive users other than root in the base image.

In the default full base image, OpenSSH is running; but there are no hardcoded credentials (passwords or SSH keys).

Creating a New User

There are multiple mechanisms for users, groups and SSH keys, depending on the chosen installation path.

Machine local interactive users at install time

The two paths to generate disk images support users, groups and SSH keys:

Machine local users via cloud agents

Tools such as cloud-init (which can be added as part of a derived build), (or in general anything that ultimately invokes useradd at runtime on the target system, these users become "local mutable state", with entries in /etc/passwd and /var/home/$user.

Anaconda

This kickstart fragment will inject a SSH key for the root user:

rootpw --iscrypted locked
sshkey --username root "<your key here>"
The need for the rootpw is a bug/misdesign in Anaconda that will be fixed in the future. The default root password defaults to being locked already.

bootc-image-builder

Similar to kickstart authentication, the bootc-image-builder project for generating disk images supports a config.json. For more information, see the bootc-image-builder docs.

Inline example:

{
  "blueprint": {
    "customizations": {
      "user": [
        {
          "name": "alice",
          "key": "ssh-rsa AAA ... [email protected]",
          "groups": [
            "wheel"
          ]
        }
      ]
    }
  }
}

Local system users

The systemd-sysusers process also runs on each boot, adding local mutable users starting from the definitions in the image.

Embedded system users

The base images use nss-altfiles, with some statically-allocated users in /usr/lib/passwd and /usr/lib/group that are part of the immutable base. It is possible to extend this in derived builds; however, using either systemd DynamicUser=yes or JSON user records for users is preferred.

Upstream bootc user/group recommendations

The osbuild-cfg project

The osbuild-cfg project is aiming to create a fully declarative interface for a subset of operating system configuration tasks, and includes support for SSH keys for root.