Hash root password when a plaintext one is given

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index b445d6e4e8d524721524a1919eff7a2532fe3942..96f94560539418fe9706c547a9d874175c6106d1 100644 (file)
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -2388,17 +2388,18 @@ def run_firstboot(context: Context) -> None:
         return
 
     password, hashed = context.config.root_password or (None, False)
-    pwopt = "--root-password-hashed" if hashed else "--root-password"
-    pwcred = "passwd.hashed-password.root" if hashed else "passwd.plaintext-password.root"
+    if password and not hashed:
+        password = run(["openssl", "passwd", "-stdin", "-6"],
+                       sandbox=context.sandbox(), input=password, stdout=subprocess.PIPE).stdout.strip()
 
     settings = (
-        ("--locale",          "firstboot.locale",          context.config.locale),
-        ("--locale-messages", "firstboot.locale-messages", context.config.locale_messages),
-        ("--keymap",          "firstboot.keymap",          context.config.keymap),
-        ("--timezone",        "firstboot.timezone",        context.config.timezone),
-        ("--hostname",        None,                        context.config.hostname),
-        (pwopt,               pwcred,                      password),
-        ("--root-shell",      "passwd.shell.root",         context.config.root_shell),
+        ("--locale",               "firstboot.locale",            context.config.locale),
+        ("--locale-messages",      "firstboot.locale-messages",   context.config.locale_messages),
+        ("--keymap",               "firstboot.keymap",            context.config.keymap),
+        ("--timezone",             "firstboot.timezone",          context.config.timezone),
+        ("--hostname",             None,                          context.config.hostname),
+        ("--root-password-hashed", "passwd.hashed-password.root", password),
+        ("--root-shell",           "passwd.shell.root",           context.config.root_shell),
     )
 
     options = []