English Spanish (Latin America)
Configuring Users
Default User
By default, a privileged user named `core` is created on the Fedora CoreOS system, but it is not configured with a default password or SSH key. If you wish to use the `core` user, you must provide an Ignition config which includes a password and/or SSH key(s) for the `core` user. Alternately you may create additional, new users via Ignition configs.
Creating a New User
To create a new user (or users), add it to the `users` list of your Butane config. In the following example, the config creates two new usernames, but doesn't configure them to be especially useful.
variant: fcos
version: 1.4.0
passwd:
users:
- name: jlebon
- name: miabbott
You will typically want to configure SSH keys or a password, in order to be able to login as those users.
Using an SSH Key
To configure an SSH key for a local user, you can use a Butane config:
variant: fcos
version: 1.4.0
passwd:
users:
- name: core
ssh_authorized_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHn2eh...
- name: jlebon
ssh_authorized_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDC5QFS...
- sh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIveEaMRW...
- name: miabbott
ssh_authorized_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDTey7R...
SSH Key Locations
sshd uses a https://github.com/coreos/ssh-key-dir[helper program] to read public keys from files in a user's `~/.ssh/authorized_keys.d` directory. Key files are read in alphabetical order, ignoring dotfiles. The standard `~/.ssh/authorized_keys` file is read afterward, in the usual way. To debug the reading of `~/.ssh/authorized_keys.d`, manually run the helper program and inspect its output:
/usr/libexec/ssh-key-dir
Ignition writes configured SSH keys to `~/.ssh/authorized_keys.d/ignition`. On platforms where SSH keys can be configured at the platform level, such as AWS, Afterburn writes those keys to `~/.ssh/authorized_keys.d/afterburn`.
Using Password Authentication
Fedora CoreOS ships with no default passwords. You can use a Butane config to set a password for a local user. Building on the previous example, we can configure the `password_hash` for one or more users:
variant: fcos
version: 1.4.0
passwd:
users:
- name: core
ssh_authorized_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHn2eh...
- name: jlebon
ssh_authorized_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDC5QFS...
- sh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIveEaMRW...
- name: miabbott
password_hash: $y$j9T$aUmgEDoFIDPhGxEe2FUjc/$C5A...
ssh_authorized_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDTey7R...
To generate a secure password hash, use the `mkpasswd` command:
$ mkpasswd --method=yescrypt
Password:
$y$j9T$A0Y3wwVOKP69S.1K/zYGN.$S596l11UGH3XjN...
The `yescrypt` hashing method is recommended for new passwords. For more details on hashing methods, see `man 5 crypt`.