Mies van der Lippe

Reputation: 662

How do I set a custom password with Cloud-init on Ubuntu 20.04?

Recently I've gotten Cloud-Init to work by mounting my config in an image. This is all fine, it works. If I break the config, it tells me. What it doesn't tell me is why I'm not allowed to log on.

What I've tried is creating my own password using echo possible | mkpasswd -m sha-512 -s and by copying the example found on the quickstart page: https://wiki.ubuntu.com/FoundationsTeam/AutomatedServerInstalls/QuickStart

Neither works. I've tried setting a custom username too. Doesn't change anything. The default ubuntu:ubuntu is also unavailable. Neither is ubuntu and blank.

What I'm using:

https://releases.ubuntu.com/20.04/ubuntu-20.04-live-server-amd64.iso

https://wiki.ubuntu.com/FoundationsTeam/AutomatedServerInstalls/QuickStart

# echo possible | mkpasswd -m sha-512 -s                                    
$6$nqZiIASVBA.iF$9nubU0ImWVrv4XhtEq9XhSh9UYNFQ7yC9Lf7A.uheSlJ3cgI5d9ltkUwRq.X8lAwoQuLAMem6v.gJNGYwk5XA0

The following config with its supplied password, or the above:

#cloud-config
autoinstall:
  version: 1
  identity:
    hostname: ubuntu-server
    password: "$6$exDY1mhS4KUYCE/2$zmn9ToZwTKLhCw.b4/b.ZRTIZM30JZ4QrOQ2aOXJ8yk96xpcCof0kxKwuX1kqLG/ygbJ1f8wxED22bTL4F46P0"
    username: ubuntu

I've also tried setting up a users block like this:

https://gist.github.com/leogallego/a614c61457ed22cb1d960b32de4a1b01#file-ubuntu-cloud-virtualbox-sh-L46-L56

What I'm asking for:

Upvotes: 16

Views: 65326

Answers (6)

Mies van der Lippe

Reputation: 662

I've finally found a working config that creates a usable account;

users:
  - default
  - name: kim
    passwd: "$6$kW4vfBM9kGgq4hr$TFtHW7.3jOECR9UCBuw9NrdSMJETzSVoNQGcVv2y.RqRUzWDEtYhYRkGvIpB6ml1fh/fZEVIgKbSXI9L1B6xF."
    shell: /bin/bash
    lock-passwd: false
    ssh_pwauth: True
    chpasswd: { expire: False }
    sudo: ALL=(ALL) NOPASSWD:ALL
    groups: users, admin
    ssh_authorized_keys:
     - ssh-rsa <key> miesl@mies-pc

autoinstall:
    version: 1
    identity:
        hostname: yamanouchi-node-1
        username: ubuntu
        password: "$6$exDY1mhS4KUYCE/2$zmn9ToZwTKLhCw.b4/b.ZRTIZM30JZ4QrOQ2aOXJ8yk96xpcCof0kxKwuX1kqLG/ygbJ1f8wxED22bTL4F46P0"
    refresh-installer:
        update: yes

It creates a user with name kim and password possible. I'm not entirely sure whether refresh-installer is required (I don't think so). It's insanely insecure with password ssh and no password root, but hey. You can configure that yourself.

The ubuntu account remains unusable. I'm at a loss as to why.

Upvotes: 10

user2586441

Reputation: 131

I do not have enough rep to post a comment, but as stated here, and as I can confirm with my tests, to set a password for an existing user you have to use hashed_passwd, not simply passwd.

Example:

#cloud-config
users:
  - name: root
    lock_passwd: false
    hashed_passwd: <output from mkpasswd --method=SHA-512 --rounds=4096>
    ssh_authorized_keys:
      - ssh-rsa <key>

Upvotes: 8

jamlee

Reputation: 1353

If your image is focal-server-cloudimg-amd64.img:

rm -f vm_0001-focal-server-cloudimg-amd64.qcow2
qemu-img create -f qcow2 -F qcow2 -b focal-server-cloudimg-amd64.img  vm_0001-focal-server-cloudimg-amd64.qcow2 20G
qemu-img info vm_0001-focal-server-cloudimg-amd64.qcow2
VM_NAME="ubuntu-20-cloud-image"
USERNAME="programster"
PASSWORD="thisok"
echo "#cloud-config
system_info:
  default_user:
    name: $USERNAME
    home: /home/$USERNAME

password: $PASSWORD
chpasswd: { expire: False }
hostname: $VM_NAME

# configure sshd to allow users logging in using password 
# rather than just keys
ssh_pwauth: True
" | sudo tee user-data
cloud-localds ./cidata.iso user-data
qemu-system-x86_64 -m 2048 -smp 4 -hda ./vm_0001-focal-server-cloudimg-amd64.qcow2 \
      -cdrom ./cidata.iso -device e1000,netdev=net0 -netdev user,id=net0,hostfwd=tcp::5555-:22 -nographic

Another example:

rm -f vm_0001-focal-server-cloudimg-amd64.qcow2
qemu-img create -f qcow2 -F qcow2 -b focal-server-cloudimg-amd64.img  vm_0001-focal-server-cloudimg-amd64.qcow2 20G
qemu-img info vm_0001-focal-server-cloudimg-amd64.qcow2
cat >user-data <<'EOF'
#cloud-config
users:
  - default
  - name: jamlee
    homedir: /home/jamlee
    sudo: ALL=(ALL) NOPASSWD:ALL
    groups: users, admin
    lock_passwd: false
    shell: /bin/bash
    passwd: $6$yO/Yf/zQbbIXlaHN$cA/i6a6.Cp7cnHl9HEhSPyVLtsitWs3oe/2NARVCKAn54LU2kT92/vqzpeSP3N87SGFkSHGBe7uQxshZXTbL./
    ssh_authorized_keys:
      - ssh-rsa <key> root@DESKTOP-SBBNAKK
system_info:
    default_user:
      name: ubuntu
      home: /home/ubuntu
password: ubuntu
chpasswd:
    expire: false
hostname: vm-001
ssh_pwauth: yes
EOF
cloud-localds ./cidata.iso user-data
qemu-system-x86_64 -m 2048 -smp 4 -hda ./vm_0001-focal-server-cloudimg-amd64.qcow2 \
      -cdrom ./cidata.iso -device e1000,netdev=net0 -netdev user,id=net0,hostfwd=tcp::5555-:22 -nographic

Upvotes: 2

Brandon

Reputation: 545

If you add any users via cloud-init, the default ubuntu user is not created at all. You will note that the /home/ubuntu/ directory is absent.

To create my cloud-init that allows SSH authentication, and sets a password so that I can use sudo, I have successfully used these steps:

Create a password hash with mkpasswd:

$ mkpasswd -m sha-512
Password:  <enter your password here>
$6$nq4v1BtHB8bg$Oc2TouXN1KZu7F406ELRUATiwXwyhC4YhkeSRD2z/I.a8tTnOokDeXt3K4mY8tHgW6n0l/S8EU0O7wIzo.7iw1

Then, I use this section in my cloud-init:

users:
  - name: brandon
    groups: [ sudo ]
    shell: /bin/bash
    lock_passwd: false
    passwd: "$6$nq4v1BtHB8bg$Oc2TouXN1KZu7F406ELRUATiwXwyhC4YhkeSRD2z/I.a8tTnOokDeXt3K4mY8tHgW6n0l/S8EU0O7wIzo.7iw1"
    ssh-authorized-keys:
    - ssh-ed25519 AAAAC3NzaC1lZDI1zzzBBBGGGg3BZFFzTexMPpOZJbSa6OlzycjkPhsh4Qg2tSWZyXZ my-key-name

I prefer to use the groups: [ sudo ] syntax to grant access to sudo via a group, which is personal preference over the usage of the sudo directive.

Upvotes: 6
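
A pre-boot check for the user-data patterns that come up in the answers above, as an added example (not code from any of the answers or from cloud-init): it flags password values that are not SHA-512 crypt hashes, users whose password stays locked because lock_passwd is not set to false, ssh_pwauth, and NOPASSWD sudo. The function name, the line-based parsing (no YAML library) and the sample document are assumptions made for illustration.

```python
import re
# SHA-512 crypt layout: $6$[rounds=N$]<salt, up to 16 chars>$<86-char digest>
SHA512_CRYPT = re.compile(r"^\$6\$(rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$")
KEY_VALUE = re.compile(r"^\s*(?:-\s+)?([A-Za-z_-]+):\s*(.*)$")
PASSWORD_KEYS = {"password", "passwd", "hashed_passwd"}

def lint_user_data(text):
    """Return (line_number, message) findings for a cloud-config document."""
    findings, users, user = [], [], None
    for n, line in enumerate(text.splitlines(), 1):
        m = KEY_VALUE.match(line)
        if not m:
            continue  # comments, blank lines, list items without a key
        key = m.group(1).replace("-", "_")  # answers use lock-passwd and lock_passwd
        value = m.group(2).strip().strip("\"'")
        if not line[0].isspace():
            user = None  # a top-level key ends the users: list
        elif key == "name" and line.lstrip().startswith("-"):
            user = {"name": value, "line": n, "has_pw": False, "unlocked": False}
            users.append(user)
        if key in PASSWORD_KEYS:
            if user: user["has_pw"] = True
            if not SHA512_CRYPT.match(value):
                findings.append((n, f"{key}: not a SHA-512 crypt ($6$) hash"))
        elif key == "lock_passwd" and user and value.lower() == "false":
            user["unlocked"] = True
        elif key == "ssh_pwauth" and value.lower() in ("true", "yes"):
            findings.append((n, "ssh_pwauth: SSH password logins enabled"))
        elif key == "sudo" and "NOPASSWD" in value:
            findings.append((n, "sudo: passwordless sudo"))
    for u in users:  # lock_passwd defaults to true, which locks the password
        if u["has_pw"] and not u["unlocked"]:
            findings.append((u["line"], f"{u['name']}: password set, lock_passwd not false"))
    return findings

SAMPLE_HASH = "$6$constructedsalt$" + "x" * 86  # constructed: right shape, not a real digest
SAMPLE = f"""#cloud-config
users:
  - name: alice
    passwd: "{SAMPLE_HASH}"
    sudo: ALL=(ALL) NOPASSWD:ALL
  - name: bob
    lock-passwd: false
    hashed_passwd: "{SAMPLE_HASH}"
password: hunter2
ssh_pwauth: True
"""
if __name__ == "__main__":
    print(*lint_user_data(SAMPLE), sep="\n")
```

The check only looks at the shape of each value; it does not verify that a hash corresponds to any particular password.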

mike

Reputation: 326

For Ubuntu 20.04, I am finding that I cannot log in to the console without /etc/securetty. I'm answering with this because it's not clear if you're trying to access your account through the console.

runcmd:
    - cp /usr/share/doc/util-linux/examples/securetty /etc/securetty

I find if I install /etc/securetty as a runcmd, that I can then log in with these cloud-config users on the system console. Otherwise, authentication will fail.

I make no claims about the security ramifications of deciding to use this example.

Upvotes: 1

Sylvere Richard

Reputation: 21

I'm facing the very same issue. By using the shell during the installation process, I see that no users are created, hence we cannot log in after the reboot. I don't know why, either a bug in subiquity or a lack of documentation about how to use it properly. Nevertheless, I was able to create a user using this trick in my autoinstall file:

  late-commands:
    - useradd -m -R /target -u 1001 ubuntu
    - echo "ubuntu:ubuntu" | chroot /target /usr/sbin/chpasswd
    - usermod -R /target -aG sudo ubuntu

Upvotes: 2
