bottlerocket-admin-container

admin container ignores password set in user-data

Open mchaker opened this issue 3 years ago • 3 comments

Image I'm using:

metal-dev

Issue or Feature Request:

When setting a password in user-data.toml (via base64'd user-data as described in the docs), logging in to the local console (tty0) fails.

user-data pre-base64:

{
	"user": "bottlerocket",
	"password-hash": "(generated with mkpasswd -m yescrypt -R 11 password-goes-here)",
	"ssh": {
		"authorized-keys": [
			"ssh-ed25519 REDACTED my-key"
		]
	}
}

Once the admin container starts, it takes over tty0 (understandable) and attempting to log in with root (no password) fails. However, the user specified in user-data (bottlerocket) and the password specified by password-hash in user-data do not work -- login always fails.

However, SSHing into the host/admin container using the provided ssh.authorized-keys works. Inspecting the user-data shows that the user data was successfully applied (base64 value matches what is expected).

mchaker Jul 30 '22 12:07

Can you check /etc/shadow to see if the hash was applied?

The login failure can happen if you hash the password with an algorithm that glibc in AL2 does not support.

bcressey Jul 30 '22 15:07

Interestingly enough, the hash in /etc/shadow is not the same as the hash I placed in user-data. 🤔

I followed the steps outlined in the following page: https://github.com/bottlerocket-os/bottlerocket-admin-container#authenticating-with-the-admin-container

Specifically, "Where the password-hash can be generated from:"

mkpasswd -m yescrypt -R 11 <desired password>

mchaker Jul 30 '22 16:07

> Interestingly enough, the hash in /etc/shadow is not the same as the hash I placed in user-data. 🤔

I'd first try using base64 -w0 on the input to ensure it's not getting a newline encoded partway through, though I don't know if that would manifest as this error.

bcressey Jul 31 '22 16:07
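The checks suggested in the replies (compare the hash in /etc/shadow with the one in user-data, look at which hash scheme is in use, and see whether the base64 input was line-wrapped), as an added example that is not part of the thread or of the Bottlerocket project's code. The function names are hypothetical, the sample hashes are constructed placeholders, and the scheme table lists only the common crypt(3) prefixes.

```python
import base64
import json

# crypt(3) modular-format identifiers: the text between the first two '$'.
CRYPT_SCHEMES = {"y": "yescrypt", "6": "sha512crypt", "5": "sha256crypt",
                 "1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt"}

def crypt_scheme(hash_field):
    """Name the scheme of a '$id$...' hash; None for locked or empty fields."""
    parts = hash_field.split("$")
    if len(parts) < 3 or parts[0] != "":
        return None
    return CRYPT_SCHEMES.get(parts[1], "unknown:" + parts[1])

def shadow_hash(shadow_text, user):
    """Return the second field of the user's /etc/shadow line, or None."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == user:
            return fields[1]
    return None

def triage(user_data_b64, shadow_text):
    """Compare what user-data asked for with what /etc/shadow holds."""
    encoded = user_data_b64.strip()
    wrapped = any(c.isspace() for c in encoded)  # line-wrapped base64 output
    data = json.loads(base64.b64decode("".join(encoded.split()), validate=True))
    configured = data.get("password-hash", "")
    applied = shadow_hash(shadow_text, data.get("user"))
    return {
        "encoded_has_whitespace": wrapped,
        "user": data.get("user"),
        "configured_scheme": crypt_scheme(configured),
        "applied_scheme": crypt_scheme(applied or ""),
        "hash_matches": applied is not None and applied == configured,
    }

# Constructed sample input: placeholder hashes, not real crypt output.
SAMPLE_USER_DATA = json.dumps({
    "user": "bottlerocket",
    "password-hash": "$y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDHASH",
    "ssh": {"authorized-keys": ["ssh-ed25519 REDACTED my-key"]},
}).encode()
SAMPLE_SHADOW = ("root:*:19000:0:99999:7:::\n"
                 "bottlerocket:$y$j9T$OTHERSALT$OTHERHASH:19000:0:99999:7:::\n")

if __name__ == "__main__":
    print(triage(base64.b64encode(SAMPLE_USER_DATA).decode(), SAMPLE_SHADOW))    # like base64 -w0
    print(triage(base64.encodebytes(SAMPLE_USER_DATA).decode(), SAMPLE_SHADOW))  # wrapped at 76 columns
```

The reported scheme names are what to check against the algorithms the admin container's libc supports.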