Authentication, Users and Groups
Default Users and credentials
There are no default interactive users other than root in the base image.
In the default full base image, OpenSSH is running, but there are no hardcoded credentials (passwords or SSH keys).
Creating a New User
There are multiple mechanisms for users, groups and SSH keys, depending on the chosen installation path.
Machine local interactive users at install time
The two paths to generate disk images support users, groups and SSH keys:
- Anaconda: Installing on bare metal
- bootc-image-builder supports a config.json
Machine local users via cloud agents
When users are created by tools such as cloud-init (which can be added as part of a derived build), or in general by anything that ultimately invokes useradd at runtime on the target system, these users become "local mutable state", with entries in /etc/passwd and /var/home/$user.
Anaconda
This kickstart fragment will inject an SSH key for the root user:
rootpw --iscrypted locked
sshkey --username root "<your key here>"
The need for the rootpw line is a bug/misdesign in Anaconda that will be fixed in the future. The root password is already locked by default.
bootc-image-builder
Similar to kickstart authentication, the bootc-image-builder project for generating disk images supports a config.json. For more information, see the bootc-image-builder docs.
Inline example:
{
  "blueprint": {
    "customizations": {
      "user": [
        {
          "name": "alice",
          "key": "ssh-rsa AAA ... [email protected]",
          "groups": [
            "wheel"
          ]
        }
      ]
    }
  }
}
Local system users
The systemd-sysusers process also runs on each boot, adding local mutable users starting from the definitions in the image.
Embedded system users
The base images use nss-altfiles, with some statically-allocated users in /usr/lib/passwd and /usr/lib/group that are part of the immutable base. It is possible to extend this in derived builds; however, using either systemd DynamicUser=yes or JSON user records for users is preferred.
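To audit which accounts on a running system come from the immutable image (/usr/lib/passwd) and which are local mutable state (/etc/passwd), the following added example (not code from the Fedora or bootc projects) classifies both files and lists accounts with a login shell for review. The nologin shell list, the lookup-order assumption and the sample data are assumptions made for this illustration.

```python
from pathlib import Path

# Shells treated as non-interactive (assumption; adjust for your image).
NOLOGIN = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}


def parse_passwd(text):
    """Parse passwd(5) text into {name: shell}, skipping comments and junk."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.lstrip().startswith("#") or len(fields) != 7:
            continue
        users[fields[0]] = fields[6]
    return users


def classify(etc_text, usrlib_text):
    """Return ({name: origin}, [names with a login shell]) for both files."""
    local, embedded = parse_passwd(etc_text), parse_passwd(usrlib_text)
    origin, interactive = {}, []
    for name in sorted(set(local) | set(embedded)):
        # Assumption: nsswitch lists "files" before "altfiles", so an entry in
        # /etc/passwd wins over the same name in /usr/lib/passwd.
        if name in local:
            origin[name] = "local-overrides-image" if name in embedded else "local"
            shell = local[name]
        else:
            origin[name] = "image"
            shell = embedded[name]
        if shell not in NOLOGIN:  # an empty shell field means /bin/sh
            interactive.append(name)
    return origin, interactive


# Constructed sample data, not taken from a real image.
SAMPLE_USRLIB = "bin:x:1:1:bin:/bin:/sbin/nologin\ndaemon:x:2:2:daemon:/sbin:/sbin/nologin\n"
SAMPLE_ETC = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "alice:x:1000:1000::/var/home/alice:/bin/bash\n"
    "bin:x:1:1:bin:/bin:/bin/bash\n"
)

if __name__ == "__main__":
    etc, usrlib = Path("/etc/passwd"), Path("/usr/lib/passwd")
    texts = (etc.read_text(), usrlib.read_text()) if etc.exists() and usrlib.exists() \
        else (SAMPLE_ETC, SAMPLE_USRLIB)
    origin, interactive = classify(*texts)
    for name, where in origin.items():
        print(f"{name:12} {where:22} {'login-shell' if name in interactive else ''}")
```

An account reported as local-overrides-image, or a login shell on an account other than root and the users you provisioned, is drift from the image definition worth investigating.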
Upstream bootc user/group recommendations
For more, see bootc generic user/group guidance.
The osbuild-cfg project
The osbuild-cfg project is aiming to create a fully declarative interface for a subset of operating system configuration tasks, and includes support for SSH keys for root.