English Spanish (Latin America)
$ mkpasswd --method=yescrypt
By default, a privileged user named `core` is created on the Fedora CoreOS system, but it is not configured with a default password or SSH key. If you wish to use the `core` user, you must provide an Ignition config which includes a password and/or SSH key(s) for the `core` user. Alternately you may create additional, new users via Ignition configs.
Configuring Administrative Privileges
Configuring Groups
Configuring Users
Creating a New User
Default User
Enabling SSH Password Authentication
Fedora CoreOS comes with a few groups configured by default: `root`, `adm`, `wheel`, `sudo`, `systemd-journal`, `docker`
Fedora CoreOS ships with no default passwords. You can use a Butane config to set a password for a local user. Building on the previous example, we can configure the `password_hash` for one or more users:
If a group does not exist, users should create them as part of the Butane config.
Ignition writes configured SSH keys to `~/.ssh/authorized_keys.d/ignition`. On platforms where SSH keys can be configured at the platform level, such as AWS, Afterburn writes those keys to `~/.ssh/authorized_keys.d/afterburn`.
sshd uses a https://github.com/coreos/ssh-key-dir[helper program] to read public keys from files in a user's `~/.ssh/authorized_keys.d` directory. Key files are read in alphabetical order, ignoring dotfiles. The standard `~/.ssh/authorized_keys` file is read afterward, in the usual way. To debug the reading of `~/.ssh/authorized_keys.d`, manually run the helper program and inspect its output:
SSH Key Locations
The configured password will be accepted for local authentication at the console. By default, Fedora CoreOS does not allow <<_enabling_ssh_password_authentication,password authentication via SSH>>.
The easiest way for users to be granted administrative privileges is to have them added to the `sudo` and `wheel` groups as part of the Butane config.
The `yescrypt` hashing method is recommended for new passwords. For more details on hashing methods, see `man 5 crypt`.
To configure an SSH key for a local user, you can use a Butane config:
To create a new user (or users), add it to the `users` list of your Butane config. In the following example, the config creates two new usernames, but doesn't configure them to be especially useful.
To enable password authentication via SSH, add the following to your Butane config: