From 34d6c0a2c19b27194b375a550da7e7a7e97f77f6 Mon Sep 17 00:00:00 2001 From: bin456789 Date: Sun, 13 Oct 2024 22:58:12 +0800 Subject: [PATCH] =?UTF-8?q?core:=20=E6=94=AF=E6=8C=81=E4=BF=AE=E6=94=B9?= =?UTF-8?q?=E5=AF=86=E7=A0=81?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/run_reinstall.yml | 4 +- README.en.md | 40 +++++--- README.md | 20 +++- cloud-init.yaml | 5 +- debian.cfg | 7 +- reinstall.bat | 26 +++-- reinstall.sh | 150 +++++++++++++++++++++++++--- trans.sh | 105 +++++++++++-------- windows.xml | 4 +- 9 files changed, 273 insertions(+), 88 deletions(-) diff --git a/.github/workflows/run_reinstall.yml b/.github/workflows/run_reinstall.yml index f9a00c0..c8958bd 100644 --- a/.github/workflows/run_reinstall.yml +++ b/.github/workflows/run_reinstall.yml @@ -13,9 +13,9 @@ jobs: os: [ubuntu-latest, windows-latest] include: - os: ubuntu-latest - command: sudo bash reinstall.sh --debug + command: sudo bash reinstall.sh --debug --password 123@@@ - os: windows-latest - command: ./reinstall.bat --debug + command: ./reinstall.bat --debug --password 123@@@ runs-on: ${{ matrix.os }} steps: - run: | diff --git a/README.en.md b/README.en.md index 7946dc4..cae9019 100644 --- a/README.en.md +++ b/README.en.md 
@@ -125,11 +125,12 @@ certutil -urlcache -f -split https://jihulab.com/bin456789/reinstall/-/raw/main/ - Does not include a boot partition (except for Fedora), nor a swap partition, maximizing disk space utilization. - On virtual machines, the appropriate official slimmed-down kernel will be automatically installed. - To install Red Hat, you need to provide the `qcow2` image link obtained from . -- Username `root`, password `123@@@`. It may take a few minutes for the password to take effect on the first boot. +- Username `root`, Default password `123@@@`. It may take a few minutes for the password to take effect on the first boot. - After reinstalling, if you need to change SSH port or switch to key-based login, be sure to modify the files inside `/etc/ssh/sshd_config.d/`. - Optional parameters: - - `--ssh-port PORT` to change the SSH port - - `--hold 2` to prevent entering the system after installation. You can connect via SSH to modify system content, with the system mounted at `/os` (this feature is not supported on Debian/Kali). + - `--password PASSWORD` Set password + - `--ssh-port PORT` Change SSH port + - `--hold 2` Prevent entering the system after installation. You can connect via SSH to modify system content, with the system mounted at `/os` (this feature is not supported on Debian/Kali). ```bash bash reinstall.sh centos 9 
@@ -161,21 +162,27 @@ bash reinstall.sh centos 9 Experimental Features -The following features are experimental and may not support modifying the SSH port or other options. - Install Debian using a cloud image, suitable for machines with slower CPUs ```bash bash reinstall.sh debian --ci ``` -Install CentOS, Alma, Rocky, Fedora using ISO, only supports machines with more than 2G of memory and dynamic IP +Install CentOS, Alma, Rocky, Fedora using ISO, only supports machines with more than 2G of memory and dynamic IP. + +Password `123@@@`, SSH Port `22` + +Password and SSH port options are not supported. ```bash bash reinstall.sh centos --installer ``` -Install Ubuntu using ISO, only supports machines with more than 1G of memory and dynamic IP +Install Ubuntu using ISO, only supports machines with more than 1G of memory and dynamic IP. + +Password `123@@@`, SSH Port `22` + +Password and SSH port options are not supported. ```bash bash reinstall.sh ubuntu --installer @@ -189,9 +196,9 @@ bash reinstall.sh ubuntu --installer - When deploy a Windows image, the system disk will be expanded, and machines with static IPs will have their IPs configured. However, it may take a few minutes after the first boot for the configuration to take effect. - When deploy a Linux image, the script will not modify any contents of the image. - Optional parameters: - - `--rdp-port PORT` to change the RDP port (Windows only). - - `--allow-ping` to allow ping responses (Windows only). - - `--hold 2` to prevent entering the system after DD completion. You can connect via SSH to modify system content, with the system mounted at `/os`. + - `--rdp-port PORT` Change RDP port (Windows only). + - `--allow-ping` Allow ping responses (Windows only). + - `--hold 2` Prevent entering the system after DD completion. You can connect via SSH to modify system content, with the system mounted at `/os`. ```bash bash reinstall.sh dd --img https://example.com/xxx.xz 
@@ -204,8 +211,10 @@ bash reinstall.sh dd --img https://example.com/xxx.xz ### Feature 3: Reboot to Alpine Rescue System (Live OS) - You can use SSH to manually perform DD operations, modify partitions, and manually install Alpine, Arch, Gentoo, and other systems. -- Username `root`, password `123@@@` +- Username `root`, Default password `123@@@` - If the disk content is not modified, rebooting again will return to the original system. +- Optional parameters: + - `--password PASSWORD` Set password ```bash bash reinstall.sh alpine --hold=1 @@ -224,13 +233,14 @@ bash reinstall.sh netboot.xyz ### Feature 5: Install Windows ISO -- Username `administrator`, password `123@@@` +- Username `administrator`, Default password `123@@@` - If remote login fails, try using the username `.\administrator`. - The machine with a static IP will automatically configure the IP. It may take a few minutes to take effect on the first boot. - Optional parameters: - - `--rdp-port PORT` to change the RDP port - - `--allow-ping` to allow ping responses - - `--hold 2` to allow SSH connections for modifying the hard disk content before rebooting into the official Windows installation program, with the hard disk mounted at `/os`. + - `--password PASSWORD` Set Password + - `--rdp-port PORT` Change RDP port + - `--allow-ping` Allow ping responses + - `--hold 2` Allow SSH connections for modifying the hard disk content before rebooting into the official Windows installation program, with the hard disk mounted at `/os`. ![Windows Installation](https://github.com/bin456789/reinstall/assets/7548515/07c1aea2-1ce3-4967-904f-aaf9d6eec3f7) diff --git a/README.md b/README.md index f6dc798..095703d 100644 --- a/README.md +++ b/README.md 
@@ -125,9 +125,10 @@ certutil -urlcache -f -split https://jihulab.com/bin456789/reinstall/-/raw/main/ - 不含 boot 分区(Fedora 例外),不含 swap 分区,最大化利用磁盘空间 - 在虚拟机上,会自动安装合适的官方精简内核 - 安装 Red Hat 需填写 得到的 `qcow2` 镜像链接 -- 用户名 `root` 密码 `123@@@`,可能首次开机几分钟后密码才生效 +- 用户名 `root` 默认密码 `123@@@`,密码可能首次开机几分钟后才生效 - 重装后如需修改 SSH 端口 / 改成密钥登录,还要注意修改 `/etc/ssh/sshd_config.d/` 里面的文件 - 可选参数 + - `--password PASSWORD` 设置密码 - `--ssh-port PORT` 修改 SSH 端口 - `--hold 2` 安装结束后不进入系统。可连接 SSH 修改系统内容,系统挂载在 `/os` (此功能不支持 Debian / Kali) @@ -161,8 +162,6 @@ bash reinstall.sh centos 9 实验性功能 -以下功能为实验性质,可能不支持修改 ssh 端口等其它选项 - 用云镜像安装 Debian,适合于 CPU 较慢的机器 ```bash @@ -171,12 +170,20 @@ bash reinstall.sh debian --ci 用 ISO 安装 CentOS, Alma, Rocky, Fedora ,仅支持内存大于 2G 且为动态 IP 的机器 +密码 `123@@@`,SSH 端口 `22` + +不支持设置密码、SSH 端口等选项 + ```bash bash reinstall.sh centos --installer ``` 用 ISO 安装 Ubuntu ,仅支持内存大于 1G 且为动态 IP 的机器 +密码 `123@@@`,SSH 端口 `22` + +不支持设置密码、SSH 端口等选项 + ```bash bash reinstall.sh ubuntu --installer ``` @@ -204,8 +211,10 @@ bash reinstall.sh dd --img https://example.com/xxx.xz ### 功能 3: 重启到 Alpine 救援系统 (Live OS) - 可用 ssh 连接,进行手动 DD、修改分区、手动安装 Alpine / Arch / Gentoo 等操作 -- 用户名 `root` 密码 `123@@@` +- 用户名 `root` 默认密码 `123@@@` - 如果没有修改硬盘内容,再次重启将回到原系统 +- 可选参数 + - `--password PASSWORD` 设置密码 ```bash bash reinstall.sh alpine --hold=1 @@ -224,10 +233,11 @@ bash reinstall.sh netboot.xyz ### 功能 5: 安装 Windows ISO -- 用户名 `administrator` 密码 `123@@@` +- 用户名 `administrator` 默认密码 `123@@@` - 如果远程登录失败,尝试使用用户名 `.\administrator` - 静态机器会自动配置好 IP,可能首次开机几分钟后才生效 - 可选参数 + - `--password PASSWORD` 设置密码 - `--rdp-port PORT` 更改 RDP 端口 - `--allow-ping` 允许被 Ping - `--hold 2` 在重启进入 Windows 官方安装程序前,可连接 SSH 修改硬盘内容,硬盘挂载在 `/os` diff --git a/cloud-init.yaml b/cloud-init.yaml index 39fd797..c06b683 100644 --- a/cloud-init.yaml +++ b/cloud-init.yaml 
@@ -8,13 +8,13 @@ users: lock_passwd: false chpasswd: expire: false - # 20.04 arm 需要 + # <= cloud-init 22.2.x 需要 list: | root:@PASSWORD@ users: - name: root password: "@PASSWORD@" - type: text + type: hash runcmd: # opensuse tumbleweed 镜像有 /etc/ssh/sshd_config.d/ 文件夹,没有 /etc/ssh/sshd_config,有/usr/etc/ssh/sshd_config # opensuse tumbleweed cloud-init 直接创建并写入 /etc/ssh/sshd_config,造成默认配置丢失 @@ -28,6 +28,7 @@ runcmd: # daemon-reload 会刷新 /run/systemd/generator/ssh.socket.d/addresses.conf - systemctl daemon-reload - for s in ssh.socket ssh.service sshd.socket sshd.service; do systemctl is-enabled $s && systemctl restart $s && break; done + # 删除有密码的行 - sed -i -e '/^[[:space:]]*password:/d' -e '/[[:space:]]*root:/d' /etc/cloud/cloud.cfg.d/99_fallback.cfg - touch /etc/cloud/cloud-init.disabled # ubuntu 镜像运行 echo -e '\nDone' ,-e 会被显示出来 diff --git a/debian.cfg b/debian.cfg index 3201d1c..b0d9b14 100644 --- a/debian.cfg +++ b/debian.cfg @@ -25,8 +25,9 @@ d-i mirror/country string manual # B.4.5. 帐号设置 d-i passwd/make-user boolean false -d-i passwd/root-password password 123@@@ -d-i passwd/root-password-again password 123@@@ +# 单纯为了跳过设置,实际上是在 partman/early_command 里设置密码,preseed/early_command 无法设置密码 +d-i passwd/root-password password '' +d-i passwd/root-password-again password '' # kali 需要下面这行,否则会提示输入用户名 d-i passwd/root-login boolean true @@ -155,6 +156,8 @@ d-i partman/early_command string true; \ [ -d /sys/firmware/efi ] && debconf-set partman-auto/expert_recipe "$(debconf-get partman-auto/expert_recipe_efi)"; \ [ -d /sys/firmware/efi ] || debconf-set partman-auto/expert_recipe "$(debconf-get partman-auto/expert_recipe_bios)"; \ + debconf-set passwd/root-password-crypted "$(cat /configs/password-linux-sha512)"; \ + true >/bin/os-prober # kali ssh 默认关闭 diff --git a/reinstall.bat b/reinstall.bat index 6f5f097..cf6aa0d 100644 --- a/reinstall.bat +++ b/reinstall.bat 
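Review bot: The added `debconf-set passwd/root-password-crypted "$(cat /configs/password-linux-sha512)"; \` in partman/early_command stores an empty crypted value whenever the configs file is missing or empty, because the `;`-chained early_command keeps going after a failed `cat` and the substitution simply yields "". An empty value in the field meant to carry the root hash is not a safe failure mode, the first hunk has already blanked `passwd/root-password` to `''` so nothing else catches it, and what d-i then does with both values empty is not determinable from this page. Guard the file before using it, e.g. `[ -s /configs/password-linux-sha512 ] || exit 1; \` on the line before, so the installer stops with an early_command failure instead of continuing with an unknown root credential. The early_command string begins outside the hunk.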
@@ -41,6 +41,7 @@ rem 检查是否国内
 if not exist %tmp%\geoip (
 rem 部分地区 www.cloudflare.com 被墙
 call :download http://dash.cloudflare.com/cdn-cgi/trace %tmp%\geoip
+ if errorlevel 1 goto :download_failed
 )
 findstr /c:"loc=CN" %tmp%\geoip >nul
 if not errorlevel 1 (
@@ -61,9 +62,9 @@ if not errorlevel 1 (
 )
 rem pkgs 改动了才重新运行 Cygwin 安装程序
-set pkgs="curl,cpio,p7zip,bind-utils,ipcalc,dos2unix,binutils,jq"
-set tags=%tmp%\cygwin-installed-!pkgs!
-if not exist !tags! (
+set pkgs=curl,cpio,p7zip,bind-utils,ipcalc,dos2unix,binutils,jq,xz,gzip,zstd,openssl,libiconv
+set tags=%tmp%\cygwin-installed-%pkgs%
+if not exist "%tags%" (
 rem win10 arm 支持运行 x86 软件
 rem win11 arm 支持运行 x86 和 x86_64 软件
 rem wmic os get osarchitecture 显示中文
@@ -102,6 +103,7 @@ if not exist !tags! (
 rem 下载 Cygwin
 call :download http://www.cygwin.com/setup-!CygwinArch!.exe %tmp%\setup-cygwin.exe
+ if errorlevel 1 goto :download_failed
 rem 安装 Cygwin
 set site=!mirror!!dir!
@@ -111,13 +113,14 @@ if not exist !tags! (
 --site !site! ^
 --root %SystemDrive%\cygwin ^
 --local-package-dir %tmp%\cygwin-local-package-dir ^
- --packages !pkgs! ^
- && type nul >!tags!
+ --packages %pkgs% ^
+ && type nul >"%tags%"
 )
 rem 下载 reinstall.sh
 if not exist reinstall.sh (
 call :download %confhome%/reinstall.sh %~dp0reinstall.sh
+ if errorlevel 1 goto :download_failed
 )
 rem 为每个参数添加引号,使参数正确传递到 bash
@@ -147,8 +150,13 @@ rem https://learn.microsoft.com/en-us/windows/win32/bits/http-requirements-for-b
 rem certutil 会被 windows Defender 报毒
 rem windows server 2019 要用第二条 certutil 命令
 echo Download: %~1 %~2
-certutil -urlcache -f -split %~1 %~2
-if not exist %~2 (
- certutil -urlcache -split %~1 %~2
-)
+del /q "%~2" 2>nul
+if exist "%~2" (echo Cannot delete %~2 & exit /b 1)
+if not exist "%~2" certutil -urlcache -f -split "%~1" "%~2" >nul
+if not exist "%~2" certutil -urlcache -split "%~1" "%~2" >nul
+if not exist "%~2" exit /b 1
 exit /b
+
+:download_failed
+echo Download failed.
+exit /b 1
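Review bot: The new `if errorlevel 1 goto :download_failed` after `call :download %confhome%/reinstall.sh %~dp0reinstall.sh` inherits a quoting gap: `:download` now quotes `"%~1" "%~2"` internally, but the caller still passes `%~dp0reinstall.sh` bare, so a script directory containing a space is split into two arguments before `:download` sees them, and the new error path would then report a failure for the wrong file. Quote at the call site, `call :download %confhome%/reinstall.sh "%~dp0reinstall.sh"`; the `%tmp%\geoip` and `%tmp%\setup-cygwin.exe` calls in the earlier hunks have the same shape, though `%tmp%` rarely contains spaces.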
diff --git a/reinstall.sh b/reinstall.sh
index 70e18cc..1d6cfd8 100644
--- a/reinstall.sh
+++ b/reinstall.sh
@@ -8,7 +8,8 @@ confhome_cn=https://jihulab.com/bin456789/reinstall/-/raw/main
 # confhome_cn=https://mirror.ghproxy.com/https://raw.githubusercontent.com/bin456789/reinstall/main
 # 用于判断 reinstall.sh 和 trans.sh 是否兼容
-SCRIPT_VERSION=4BACD833-A585-23BA-6CBB-9AA4E08E0001
+SCRIPT_VERSION=4BACD833-A585-23BA-6CBB-9AA4E08E0002
+DEFAULT_PASSWORD=123@@@
 # https://www.gnu.org/software/gettext/manual/html_node/The-LANGUAGE-variable.html
 export LC_ALL=C
@@ -1562,6 +1563,12 @@ install_pkg() {
 yum | dnf | zypper) pkg="bind-utils" ;;
 esac
 ;;
+ iconv)
+ case "$pkg_mgr" in
+ apk) pkg="musl-utils" ;;
+ *) error_and_exit "Which GNU/Linux do not have iconv built-in?" ;;
+ esac
+ ;;
 *) pkg=$cmd ;;
 esac
 }
@@ -1814,6 +1821,92 @@ del_empty_lines() {
 sed '/^[[:space:]]*$/d'
 }
+prompt_password() {
+ while true; do
+ IFS= read -r -p "Password [$DEFAULT_PASSWORD]: " password
+ IFS= read -r -p "Retype password [$DEFAULT_PASSWORD]: " password_confirm
+ password=${password:-$DEFAULT_PASSWORD}
+ password_confirm=${password_confirm:-$DEFAULT_PASSWORD}
+ if [ -z "$password" ]; then
+ error "Passwords is empty. Try again."
+ elif [ "$password" != "$password_confirm" ]; then
+ error "Passwords don't match. Try again."
+ else
+ break
+ fi
+ done
+}
+
+save_password() {
+ dir=$1
+
+ # mkpasswd 有三个
+ # expect 里的 mkpasswd 是用来生成随机密码的
+ # whois 里的 mkpasswd 才是我们想要的,可能不支持 yescrypt,alpine 的 mkpasswd 是独立的包
+ # busybox 里的 mkpasswd 也是我们想要的,但多数不支持 yescrypt
+
+ # alpine 这两个包有冲突
+ # apk add expect mkpasswd
+
+ # 明文密码
+ # 假如用户运行 alpine live 直接打包硬盘镜像,则会暴露明文密码,因为 netboot initrd 在里面
+ # 通过 --password 传入密码,history 有记录,也会暴露明文密码
+ # /reinstall.log 也会暴露明文密码
+ if false; then
+ echo "$password" >>"$dir/password-plaintext"
+ fi
+
+ # sha512
+ # 以下系统均支持 sha512 密码,但是生成密码需要不同的工具
+ # 兼容性 openssl mkpasswd busybox python
+ # centos 7 × 只有expect的 需要编译 √
+ # centos 8 √ 只有expect的
+ # debian 9 × √
+ # ubuntu 16 × √
+ # alpine √ 可能系统装了expect √
+ # cygwin √
+ # others √
+
+ # alpine
+ if is_have_cmd busybox && busybox mkpasswd --help 2>&1 | grep -wq sha512; then
+ crypted=$(printf '%s' "$password" | busybox mkpasswd -m sha512)
+ # centos 7
+ elif is_have_cmd python2; then
+ crypted=$(python2 -c "import crypt; print(crypt.crypt('$password', crypt.mksalt(crypt.METHOD_SHA512)))")
+ # others
+ elif install_pkg openssl && openssl passwd --help 2>&1 | grep -wq '\-6'; then
+ crypted=$(printf '%s' "$password" | openssl passwd -6 -stdin)
+ # debian 9 / ubuntu 16
+ elif is_have_cmd apt-get && install_pkg whois && mkpasswd -m help | grep -wq sha-512; then
+ crypted=$(printf '%s' "$password" | mkpasswd -m sha-512 --stdin)
+ else
+ error_and_exit "Could not generate sha512 password."
+ fi
+ echo "$crypted" >"$dir/password-linux-sha512"
+
+ # yescrypt
+ # 旧系统不支持,先不管
+ if false; then
+ if mkpasswd -m help | grep -wq yescrypt; then
+ crypted=$(printf '%s' "$password" | mkpasswd -m yescrypt --stdin)
+ echo "$crypted" >"$dir/password-linux-yescrypt"
+ fi
+ fi
+
+ # windows
+ if [ "$distro" = windows ] || [ "$distro" = dd ]; then
+ install_pkg iconv
+
+ # 要分两行写,因为 echo "$(xxx)" 返回值始终为 0,出错也不会中断脚本
+ # grep . 为了保证脚本没有出错
+ base64=$(printf '%s' "${password}Password" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0 | grep .)
+ echo "$base64" >"$dir/password-windows-user-base64"
+
+ base64=$(printf '%s' "${password}AdministratorPassword" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0 | grep .)
+ echo "$base64" >"$dir/password-windows-administrator-base64"
+ fi
+}
+
 # 记录主硬盘
 find_main_disk() {
 if [ -n "$main_disk" ]; then
@@ -2359,7 +2452,7 @@ build_extra_cmdline() {
 # https://answers.launchpad.net/ubuntu/+question/249456
 # https://salsa.debian.org/installer-team/rootskel/-/blob/master/src/lib/debian-installer-startup.d/S02module-params?ref_type=heads
 for key in confhome hold force force_old_windows_setup cloud_image main_disk \
- ssh_port rdp_port web_port allow_ping password; do
+ ssh_port rdp_port web_port allow_ping; do
 value=${!key}
 if [ -n "$value" ]; then
 is_need_quote "$value" &&
@@ -2728,13 +2821,17 @@ EOF
 # 5. debian 11/12 initrd 无法识别 < <
 # 6. debian 11 initrd 无法识别 set -E
 # 7. debian 11 initrd 无法识别 trap ERR
+ # 8. debian 9 initrd 无法识别 ${string//find/replace}
 # 删除或注释,可能会导致空方法而报错,因此改为替换成'\n: #'
 replace='\n: #'
- sed -Ei "s/> >/$replace/" $initrd_dir/trans.sh
- sed -Ei "s/< >/$replace/" \ -e "s/< \$sysroot/etc/local.d/trans.start
 # wget --no-check-certificate -O \$sysroot/etc/local.d/trans.start $confhome/trans.sh
 cp /trans.sh \$sysroot/etc/local.d/trans.start
 chmod a+x \$sysroot/etc/local.d/trans.start
 ln -s /etc/init.d/local \$sysroot/etc/runlevels/default/
+
+ # 配置文件夹
+ cp -r /configs \$sysroot/configs
 EOF
 # 判断云镜像 debain 能否用云内核
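Review bot: save_password's CentOS 7 branch splices the secret into Python source, `crypt.crypt('$password', ...)`, so a password containing `'` or `\` breaks the one-liner or changes what it executes, and the plaintext also sits in python2's argv (visible to other local users via the process list) while it runs; feed it through stdin instead: `crypted=$(printf '%s' "$password" | python2 -c "import crypt, sys; print(crypt.crypt(sys.stdin.read(), crypt.mksalt(crypt.METHOD_SHA512)))")`. Worth verifying on CentOS 7 that its Python 2.7 `crypt` module has `mksalt` and `METHOD_SHA512` at all — I believe both arrived in Python 3.3 — since this is the only sha512 path the table gives for that release and a failure there is fatal under set -e. prompt_password reads both entries with `read -r -p`, which echoes them to the terminal; `IFS= read -rs -p "Password [$DEFAULT_PASSWORD]: " password` followed by an `echo` keeps the password off the screen and out of scrollback. The two base64 files written at the end are a reversible encoding of the plaintext, so a `umask 077` before the first redirect would stop them being created world-readable under a permissive default umask before the initrd is packed.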
@@ -2958,14 +3059,19 @@ mod_initrd() {
 $(is_in_windows && echo --nonmatching 'dev/console' --nonmatching 'dev/null')
 curl -Lo $initrd_dir/trans.sh $confhome/trans.sh
- if ! grep -i "$SCRIPT_VERSION" $initrd_dir/trans.sh; then
+ if ! grep -iq "$SCRIPT_VERSION" $initrd_dir/trans.sh; then
 error_and_exit "
 This script is outdated, please download reinstall.sh again.
 脚本有更新,请重新下载 reinstall.sh"
 fi
+
 curl -Lo $initrd_dir/alpine-network.sh $confhome/alpine-network.sh
 chmod a+x $initrd_dir/trans.sh $initrd_dir/alpine-network.sh
+ # 保存配置
+ mkdir -p $initrd_dir/configs
+ save_password $initrd_dir/configs
+
 if is_distro_like_debian $nextos_distro; then
 mod_initrd_debian_kali
 else
@@ -3071,13 +3177,13 @@ fi
 long_opts=
 for o in ci installer debug minimal allow-ping \
- hold: \
- sleep: \
+ hold: sleep: \
 iso: \
 image-name: \
 boot-wim: \
 img: \
 lang: \
+ passwd: password: \
 ssh-port: \
 rdp-port: \
 web-port: \
@@ -3091,7 +3197,7 @@ done
 # 整理参数
 if ! opts=$(getopt -n $0 -o "" --long "$long_opts" -- "$@"); then
- usage_and_exit
+ exit
 fi
 eval set -- "$opts"
@@ -3138,6 +3244,11 @@ while true; do
 force=$2
 shift 2
 ;;
+ --passwd | --password)
+ [ -n "$2" ] || error_and_exit "Need value for $1"
+ password=$2
+ shift 2
+ ;;
 --ssh-port)
 is_port_valid $2 || error_and_exit "Invalid $1 value: $2"
 ssh_port=$2
@@ -3202,6 +3313,21 @@ if is_secure_boot_enabled; then
 error_and_exit "Please disable secure boot first."
 fi
+# 密码
+if ! is_netboot_xyz && [ -z "$password" ]; then
+ if is_use_dd; then
+ warn "
+This password is only used for SSH access to view logs during the DD process.
+Password of the image will NOT modify.
+
+密码仅用于 DD 过程中通过 SSH 查看日志。
+镜像的密码将不会被修改。
+"
+
+ fi
+ prompt_password
+fi
+
 # 必备组件
 install_pkg curl grep
@@ -3635,7 +3761,7 @@ if ! { is_netboot_xyz || is_use_dd; }; then
 username="root"
 fi
 echo "Username: $username"
- echo "Password: 123@@@"
+ echo "Password: $password"
 fi
 if is_netboot_xyz; then
diff --git a/trans.sh b/trans.sh
index bb38f21..4615aaf 100644
--- a/trans.sh
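Review bot: Replacing `usage_and_exit` with a bare `exit` in the getopt failure branch makes a malformed command line terminate with status 0: inside `if ! opts=$(getopt ...); then`, `$?` holds the negated (successful) test result, and `exit` with no argument reuses it. Anything that checks the exit status — the CI workflow in this commit runs the script directly — would see an unknown option as success. Use `exit 1`, or keep `usage_and_exit` if it already returns non-zero.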
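Review bot: `echo "Password: $password"` now writes a user-supplied secret to stdout in the final summary, and the save_password comment in this same commit already lists `/reinstall.log` as a place where the plaintext is exposed, so a custom password ends up in that log. Print the value only when it is the default: `if [ "$password" = "$DEFAULT_PASSWORD" ]; then echo "Password: $password"; else echo "Password: (as entered)"; fi`. The enclosing `if ! { is_netboot_xyz || is_use_dd; }` starts before the hunk.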
+++ b/trans.sh
@@ -1,6 +1,6 @@
 #!/bin/ash
 # shellcheck shell=dash
-# shellcheck disable=SC2086,SC3047,SC3036,SC3010,SC3001
+# shellcheck disable=SC2086,SC3047,SC3036,SC3010,SC3001,SC3060
 # alpine 默认使用 busybox ash
 # 出错后停止运行,将进入到登录界面,防止失联
@@ -8,10 +8,7 @@ set -eE
 # 用于判断 reinstall.sh 和 trans.sh 是否兼容
 # shellcheck disable=SC2034
-SCRIPT_VERSION=4BACD833-A585-23BA-6CBB-9AA4E08E0001
-
-# debian 安装版、ubuntu 安装版、el/ol 安装版不使用该密码
-PASSWORD=123@@@
+SCRIPT_VERSION=4BACD833-A585-23BA-6CBB-9AA4E08E0002
 TRUE=0
 FALSE=1
@@ -432,6 +429,27 @@ is_dmi_contains() {
 echo "$_dmi" | grep -Eiwq "$1"
 }
+get_config() {
+ cat "/configs/$1"
+}
+
+get_password_linux_sha512() {
+ get_config password-linux-sha512
+}
+
+get_password_windows_administrator_base64() {
+ get_config password-windows-administrator-base64
+}
+
+# debian 安装版、ubuntu 安装版、el/ol 安装版不使用该密码
+get_password_plaintext() {
+ get_config password-plaintext
+}
+
+is_password_plaintext() {
+ get_password_plaintext >/dev/null 2>&1
+}
+
 show_netconf() {
 grep -r . /dev/netconf/
 }
@@ -1399,8 +1417,8 @@ EOF
 nixos-install --root /os --no-root-passwd -j $threads
 # 设置密码
- echo "root:$PASSWORD" | nixos-enter --root /os -- \
- /run/current-system/sw/bin/chpasswd
+ echo "root:$(get_password_linux_sha512)" | nixos-enter --root /os -- \
+ /run/current-system/sw/bin/chpasswd -e
 # 设置 channel
 if is_in_china; then
@@ -2158,7 +2176,9 @@ download_cloud_init_config() {
 sed -i '1!{/^[[:space:]]*#/d}' $ci_file
 # 修改密码
- sed -i "s/@PASSWORD@/$PASSWORD/" $ci_file
+ # 不能用 sed 替换,因为含有特殊字符
+ content=$(cat $ci_file)
+ echo "${content//@PASSWORD@/$(get_password_linux_sha512)}" >$ci_file
 # 修改 ssh 端口
 if is_need_change_ssh_port; then
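Review bot: `echo "root:$(get_password_linux_sha512)" | nixos-enter --root /os -- /run/current-system/sw/bin/chpasswd -e` cannot detect a missing or empty `/configs/password-linux-sha512`: the substitution's failure is hidden behind `echo`, and `chpasswd -e` is then handed `root:` — an empty encrypted field which, depending on PAM's `nullok` and sshd's PermitEmptyPasswords, can mean no password at all. The same shape appears in the Gentoo hunk (`@@ -2467`), the live-system hunk (`@@ -4597`) and the `${content//@PASSWORD@/$(get_password_linux_sha512)}` substitution in `@@ -2158`. The commit already uses the two-step form on the plaintext path (`plaintext=$(get_password_plaintext)`); do the same here: `crypted=$(get_password_linux_sha512 | grep .)` and then `echo "root:$crypted" | nixos-enter --root /os -- /run/current-system/sw/bin/chpasswd -e`, so that under `set -eE` an absent hash aborts before any password is touched. Alternatively harden `get_config` itself with `cat "/configs/$1" | grep .` so every caller, including the cloud-init one, fails closed.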
@@ -2467,9 +2487,9 @@ EOF
 cp_resolv_conf $os_dir
 # 在这里修改密码,而不是用cloud-init,因为我们的默认密码太弱
- sed -i 's/enforce=everyone/enforce=none/' $os_dir/etc/security/passwdqc.conf
- echo "root:$PASSWORD" | chroot $os_dir chpasswd
- sed -i 's/enforce=none/enforce=everyone/' $os_dir/etc/security/passwdqc.conf
+ is_password_plaintext && sed -i 's/enforce=everyone/enforce=none/' $os_dir/etc/security/passwdqc.conf
+ echo "root:$(get_password_linux_sha512)" | chroot $os_dir chpasswd -e
+ is_password_plaintext && sed -i 's/enforce=none/enforce=everyone/' $os_dir/etc/security/passwdqc.conf
 # 下载仓库,选择 profile
 chroot $os_dir emerge-webrsync
@@ -2628,39 +2648,45 @@ change_root_password() { info 'change root password' - pam_d=$os_dir/etc/pam.d + if is_password_plaintext; then + pam_d=$os_dir/etc/pam.d - [ -f $pam_d/chpasswd ] && has_pamd_chpasswd=true || has_pamd_chpasswd=false + [ -f $pam_d/chpasswd ] && has_pamd_chpasswd=true || has_pamd_chpasswd=false - if $has_pamd_chpasswd; then - cp $pam_d/chpasswd $pam_d/chpasswd.orig + if $has_pamd_chpasswd; then + cp $pam_d/chpasswd $pam_d/chpasswd.orig - # cat /etc/pam.d/chpasswd - # @include common-password + # cat /etc/pam.d/chpasswd + # @include common-password - # cat /etc/pam.d/chpasswd - # #%PAM-1.0 - # auth include system-auth - # account include system-auth - # password substack system-auth - # -password optional pam_gnome_keyring.so use_authtok - # password substack postlogin + # cat /etc/pam.d/chpasswd + # #%PAM-1.0 + # auth include system-auth + # account include system-auth + # password substack system-auth + # -password optional pam_gnome_keyring.so use_authtok + # password substack postlogin - # 通过 /etc/pam.d/chpasswd 找到 /etc/pam.d/system-auth 或者 /etc/pam.d/system-auth - # 再找到有 password 和 pam_unix.so 的行,并删除 use_authtok,写入 /etc/pam.d/chpasswd - files=$(grep -E '^(password|@include)' $pam_d/chpasswd | awk '{print $NF}' | sort -u) - for file in $files; do - if [ -f "$pam_d/$file" ] && line=$(grep ^password "$pam_d/$file" | grep -F pam_unix.so); then - echo "$line" | sed 's/use_authtok//' >$pam_d/chpasswd - break - fi - done - fi + # 通过 /etc/pam.d/chpasswd 找到 /etc/pam.d/system-auth 或者 /etc/pam.d/system-auth + # 再找到有 password 和 pam_unix.so 的行,并删除 use_authtok,写入 /etc/pam.d/chpasswd + files=$(grep -E '^(password|@include)' $pam_d/chpasswd | awk '{print $NF}' | sort -u) + for file in $files; do + if [ -f "$pam_d/$file" ] && line=$(grep ^password "$pam_d/$file" | grep -F pam_unix.so); then + echo "$line" | sed 's/use_authtok//' >$pam_d/chpasswd + break + fi + done + fi - echo "root:$PASSWORD" | chroot $os_dir chpasswd + # 分两行写,不然遇到错误不会终止 + 
plaintext=$(get_password_plaintext)
+ echo "root:$plaintext" | chroot $os_dir chpasswd
- if $has_pamd_chpasswd; then
- mv $pam_d/chpasswd.orig $pam_d/chpasswd
+ if $has_pamd_chpasswd; then
+ mv $pam_d/chpasswd.orig $pam_d/chpasswd
+ fi
+ else
+ get_password_linux_sha512 | chroot $os_dir chpasswd -e
 fi
 }
@@ -4136,11 +4162,12 @@ install_windows() {
 download $confhome/windows.xml /tmp/autounattend.xml
 locale=$(get_selected_image_prop 'Default Language')
 use_default_rdp_port=$(is_need_change_rdp_port && echo false || echo true)
+ password_base64=$(get_password_windows_administrator_base64)
 sed -i \
 -e "s|%arch%|$arch|" \
 -e "s|%image_name%|$image_name|" \
 -e "s|%locale%|$locale|" \
- -e "s|%password%|$PASSWORD|" \
+ -e "s|%administrator_password%|$password_base64|" \
 -e "s|%use_default_rdp_port%|$use_default_rdp_port|" \
 /tmp/autounattend.xml
@@ -4597,7 +4624,7 @@ mount / -o remount,size=100%
 hwclock -s || true
 # 设置密码,安装并打开 ssh
-echo "root:$PASSWORD" | chpasswd
+echo "root:$(get_password_linux_sha512)" | chpasswd -e
 apk add openssh
 if is_need_change_ssh_port; then
 change_ssh_port / $ssh_port
diff --git a/windows.xml b/windows.xml
index df06b26..6ea0e84 100644
--- a/windows.xml
+++ b/windows.xml
@@ -137,8 +137,8 @@ - %password% - true</PlainText> + <Value>%administrator_password%</Value> + <PlainText>false</PlainText> </AdministratorPassword> </UserAccounts> <OOBE>
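Review bot: In the new `else` branch of change_root_password, `get_password_linux_sha512 | chroot $os_dir chpasswd -e` pipes the bare hash with no `root:` prefix; chpasswd expects `user:password` lines and reports a missing password for a line without a colon, so the hashed path appears to fail (and abort under set -eE) before setting anything — presumably it should mirror the other call sites: `echo "root:$(get_password_linux_sha512)" | chroot $os_dir chpasswd -e`. Better still, read the hash first, `crypted=$(get_password_linux_sha512 | grep .)`, then `echo "root:$crypted" | chroot $os_dir chpasswd -e`, so an empty configs file stops the script instead of being applied as an empty password. The function's opening line lies outside the hunk.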