- Feature Request
- Resolution: Done
- Blocker
1. Proposed title of this feature request
Support passwordHash ignition config option in MCO
2. What is the nature and description of the request?
In the Ignition config spec, the .passwd.users[].passwordHash option can be used to set a local login password hash for a user. While this is supported by the Ignition config, it isn't supported by MCO.
This request would be to add support to MCO for configuring this Ignition config field via MachineConfig objects.
3. Why does the customer need this? (List the business requirements here)
While using password-based authentication via SSH is generally not considered a security best practice, it is possible to disable the SSH process entirely.
However, cluster administrators may still wish to access the local console of a node that is failing to join the cluster. This is possible on a cloud provider (for example: AWS, GCP), on a VM-based node using the hypervisor's tooling, or locally on a bare metal node. To log in at the prompt, however, you need a local password. Currently, this cannot be configured easily or via a supported path.
It may be prudent to enforce PasswordAuthentication no in the system sshd_config to ensure that if a password hash is set, it can't be used for remote authentication.
Additionally, rotating this password should not require a node reboot.
4. List any affected packages or components.
https://github.com/openshift/machine-config-operator
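Added example, not part of the original request and not MCO code: a small audit that flags an Ignition config which sets .passwd.users[].passwordHash without also shipping an sshd setting of PasswordAuthentication no, as section 3 suggests. The sample config, the placeholder hash, the sshd drop-in path and the function names are assumptions made for illustration.

```python
import json
from urllib.request import urlopen  # resolves data: URLs locally, no network needed

# Constructed sample in Ignition spec 3.x layout; the hash is a placeholder, not a real value.
SAMPLE = json.loads("""
{
  "ignition": {"version": "3.2.0"},
  "passwd": {"users": [{"name": "core", "passwordHash": "$6$PLACEHOLDER$PLACEHOLDER"}]},
  "storage": {"files": [{
    "path": "/etc/ssh/sshd_config.d/10-no-password.conf",
    "contents": {"source": "data:,PasswordAuthentication%20no%0A"}
  }]}
}
""")

def users_with_password(cfg):
    """Names of users whose .passwd.users[].passwordHash is set and non-empty."""
    users = cfg.get("passwd", {}).get("users", [])
    return [u.get("name") for u in users if u.get("passwordHash")]

def sshd_password_auth(cfg):
    """First global PasswordAuthentication value in sshd files carried by the config, or None."""
    for f in cfg.get("storage", {}).get("files", []):
        path = f.get("path", "")
        if path != "/etc/ssh/sshd_config" and not path.startswith("/etc/ssh/sshd_config.d/"):
            continue
        source = f.get("contents", {}).get("source", "")
        if not source.startswith("data:"):
            continue  # remote sources cannot be inspected offline
        text = urlopen(source).read().decode()
        for line in text.splitlines():
            # sshd accepts "Keyword value" and "Keyword=value"; keywords are case-insensitive
            words = line.split("#", 1)[0].replace("=", " ").split()
            if words and words[0].lower() == "match":
                break  # lines after a Match block are conditional, not global
            if len(words) >= 2 and words[0].lower() == "passwordauthentication":
                return words[1].lower()
    return None

def audit(cfg):
    """One finding per user that has a local password while SSH password login is not disabled."""
    users = users_with_password(cfg)
    if users and sshd_password_auth(cfg) != "no":
        return [f"{u}: passwordHash set but sshd PasswordAuthentication is not 'no'" for u in users]
    return []
```

The check only covers what the config itself carries; the effective setting on a running node can be confirmed with sshd -T.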
- is related to
- MCO-240 Set or change 'core' user password via MachineConfig
- Closed