From: Nils K <24257556+septatrix@users.noreply.github.com>
Date: Mon, 27 Nov 2023 22:14:28 +0000 (+0100)
Subject: Add ability to create passwordless root account (#2093)
X-Git-Tag: v20~136
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a4ed7d3c85c8a3777f3b8bd9f25f2397fec621a0;p=thirdparty%2Fmkosi.git

Add ability to create passwordless root account (#2093)

To create a passwordless root account one may specify `hashed:` without passing
an actual hash.
---

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index f3ae51652..4da714443 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -1132,8 +1132,8 @@ def build_initrd(state: MkosiState) -> Path:
     # Default values are assigned via the parser so we go via the argument parser to construct
     # the config for the initrd.
 
-    password, hashed = state.config.root_password or (None, False)
-    if password:
+    if state.config.root_password:
+        password, hashed = state.config.root_password
         rootpwopt = f"hashed:{password}" if hashed else password
     else:
         rootpwopt = None
@@ -1860,7 +1860,8 @@ def run_firstboot(state: MkosiState) -> None:
     creds = []
 
     for option, cred, value in settings:
-        if not value:
+        # Check for None as password might be the empty string
+        if value is None:
             continue
 
         options += [option, value]
diff --git a/mkosi/resources/mkosi.md b/mkosi/resources/mkosi.md
index fcb043ae0..d039d2026 100644
--- a/mkosi/resources/mkosi.md
+++ b/mkosi/resources/mkosi.md
@@ -1073,7 +1073,8 @@ boolean argument: either `1`, `yes`, or `true` to enable, or `0`, `no`,
 : Set the system root password. If this option is not used, but a `mkosi.rootpw` file is found in the local
   directory, the password is automatically read from it. If the password starts with `hashed:`, it is treated
   as an already hashed root password. The root password is also stored in `/usr/lib/credstore` under the
-  appropriate systemd credential so that it applies even if only `/usr` is shipped in the image.
+  appropriate systemd credential so that it applies even if only `/usr` is shipped in the image. To create
+  an unlocked account without any password use `hashed:` without a hash.
 
 `Autologin=`, `--autologin`