Setting up users

Wed 08 April 2020
by Dave Jones

In the previous post we had a quick look at the user-data configuration file for cloud-init. In this post, we’ll have a more extensive look at some of the other options for configuring users in this file.

Different Passwords

We’ve seen how cloud-init is told to set the initial user password, but there are a few more possibilities we haven’t seen yet. Have a look at the following example:

chpasswd:
  expire: false
  list:
  - ubuntu:ubuntu
  - root:$1$1dE3dcLz$8iWGkDxx9SCWdQfkPXbCE/
  - pi:RANDOM

Here, as last time, “expire” is false so you won’t be prompted to change the password on first login. We’ve also specified a password for a pre-existing user (root, not that this is necessarily encouraged on a system with “sudo”). Finally, the special value “RANDOM” tells cloud-init to generate a completely random password for the “pi” user. This will be output on the console, and in the /var/log/cloud-init-output.log file.

Warning

You may want to erase (or at least restrict access to) the cloud-init-output.log file if you choose to use RANDOM passwords.

It is also worth noting (as the cloud-init docs do) that providing hashes of passwords is not necessarily secure. You may want to try running the hash above through something like John the Ripper to convince yourself of this!
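As an added example (not from the original post or the cloud-init project), here is a small Python check that classifies each entry of the chpasswd block above as plaintext, RANDOM, or a crypt(3) hash, and names the hash scheme. The function names and the table of acceptable schemes are this example's own assumptions.

```python
import re

# crypt(3) scheme ids -> (name, acceptable for new hashes). This table is the
# example's own policy (an assumption), not something cloud-init enforces.
SCHEMES = {"1": ("MD5-crypt", False), "5": ("SHA-256-crypt", True),
           "6": ("SHA-512-crypt", True), "2a": ("bcrypt", True),
           "2b": ("bcrypt", True), "2y": ("bcrypt", True), "y": ("yescrypt", True)}
HASH_RE = re.compile(r"^\$([0-9a-z]+)\$.+\$.+$")

# Sample input: the chpasswd block shown earlier in this post.
USER_DATA = """\
chpasswd:
  expire: false
  list:
  - ubuntu:ubuntu
  - root:$1$1dE3dcLz$8iWGkDxx9SCWdQfkPXbCE/
  - pi:RANDOM
"""

def chpasswd_entries(user_data):
    """Pull the 'user:password' items under 'list:' (line scan, not a YAML parser)."""
    entries, in_list = [], False
    for line in user_data.splitlines():
        item = line.strip()
        if item == "list:":
            in_list = True
        elif in_list and item.startswith("- "):
            entries.append(item[2:].strip())
        elif in_list and item:
            in_list = False  # first non-item line ends the list
    return entries

def classify(entry):
    """Return (user, kind, finding) for one 'user:password' entry."""
    user, _, secret = entry.partition(":")
    if secret == "RANDOM":
        return user, "random", "password is printed to console and cloud-init-output.log"
    match = HASH_RE.match(secret)
    if not match:
        return user, "plaintext", "password readable by anyone who can read user-data"
    name, ok = SCHEMES.get(match.group(1), ("unknown scheme", False))
    return user, name, ("scheme acceptable; strength still depends on the password"
                        if ok else "weak or unrecognised scheme, cheap to crack offline")

def audit(user_data):
    return [classify(entry) for entry in chpasswd_entries(user_data)]

if __name__ == "__main__":
    for user, kind, finding in audit(USER_DATA):
        print(f"{user:8} {kind:14} {finding}")
```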

Different Users

We’ve already seen how cloud-init creates a default “ubuntu” user, and for many purposes that’s enough. But what if you want to create other users besides this one, and import a different set of SSH keys for each user? Here’s another example user-data:

groups:
- robot: [robot]
- robotics: [robot]
- pi

users:
- default
- name: robot
  gecos: Mr. Robot
  primary_group: robot
  groups: [users]
  ssh_import_id: gh:example
  passwd: $5$hkui88$nvZgIle31cNpryjRfO9uArF7DYiBcWEnjqq7L1AQNN3

The “groups” value lists the groups to create, and optionally the members they should have. Here we set up three groups named “robot”, “robotics”, and “pi”. The “robot” and “robotics” groups will each have a single member, the “robot” user, while the “pi” group will start off with no members.

The “users” value lists all the users to create, along with their details. Here we create two users. The first is the default “ubuntu” user, which is simply represented by the “default” entry at the top. You can remove this if you don’t want the default user.

Then there’s the aforementioned “robot” user. Various fields give this user an initial password (in the form of a hash under “passwd”), tell the ssh-import-id utility to import SSH keys from the “example” user on GitHub, and additionally place the user in the “users” group.

There’s an absolute pile of options that can be specified for users; have a look at the Users and Groups section of the cloud-init docs for more information.

Coming Up

Next, we’ll take a break from user-data to look at the other important configuration file for cloud-init: network-config.