Package: installation-guide
Severity: normal
Tags: patch

The attached patch documents the password preseeding, including the "new" ways to preseed passwords as of shadow 4.0.13-1, which is now in testing.

I'm not very used to the writing style of the Installation Guide. This is why I did not commit the change immediately as it probably needs a review.

-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.13-1-686
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to fr_FR.UTF-8)
--- en/boot-new/modules/shadow.xml 2005-10-07 21:59:11.339037959 +0200 +++ en/boot-new/modules/shadow-new.xml 2005-11-02 08:13:06.791479900 +0100 @@ -65,5 +65,47 @@ account, use the <command>adduser</command> command. </para> + </sect3> + <sect3 id="password-preseeding"> + <title>Preseeding passwords</title> + +<para> + +Both the root and the first created user passwords can be +<emphasis>preseeded</emphasis> during automated installs (see <xref +linkend="automatic-install"/>). +</para> + +<para> +The passwords can be preseeded in cleartext using the +<classname>passwd/root-password</classname>, +<classname>passwd/root-password-again</classname>, +<classname>passwd/user-password</classname> and +<classname>passwd/user-password-again</classname> values. Be aware +that this is not completely security-proof as everyone with physical +access to the preseed file will have the knowledge of these passwords. +</para> + +<para condition="etch"> +The passwords can also be preseeded as MD5 <emphasis>hashes</emphasis> +by using the <classname>passwd/root-password-crypted</classname> and +<classname>passwd/user-password-crypted</classname> variables. Thihs +method is considered slightly better in terms of security but not +completely proof as well because physical access to a MD5 </para> hash +allows for brute force attacks. Some people even consider this method +can be less secure as it may give a false sense of security. +</para> + +<para condition="etch"> +The <classname>passwd/root-password-crypted</classname> and +<classname>passwd/user-password-crypted</classname> variables can be +preseeded with "!" as value. In that case, the corresponding account +is disabled. This may be convenient for the root account, provided of +course that an alternate method is setup to allow administrative +activities or root login (for instance by using SSH key +authentication). +</para> + + </sect2>
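Review bot: The MD5 paragraph (the first para condition="etch") has a stray </para> in the middle of a sentence, in the line "+completely proof as well because physical access to a MD5 </para> hash". It closes the paragraph early, leaves "hash allows for brute force attacks..." outside any para, and the real </para> three lines later then has no matching open, so shadow.xml will not be well-formed. Remove the stray tag so the sentence reads "physical access to an MD5 hash allows for brute force attacks". In the same paragraph "Thihs" should be "This", and in the last paragraph "an alternate method is setup" should be "set up". On the wording of the cleartext warning: it limits the exposure to "physical access to the preseed file", while the point being made is that anyone who can read the file learns the passwords (or, for the -crypted variables, gets the hash to brute force); "anyone with access to the preseed file" would state that more accurately for both paragraphs.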