Merge pull request #1607 from abhay-krishna/ssh-password-dynamic

Set SSH password dynamically during auto-install

images/capi/Makefile

@@ -44,6 +44,14 @@ help: ## Display this help
 version: ## Display version of image-builder
 	@echo $(IB_VERSION)
 
+GET_UBUNTU_DOTTED_SEMVER=$(strip \
+	$(eval _UBUNTU_SEMVER:=$1) \
+	$(eval _UBUNTU_SEMVER:=$(subst ubuntu-2004,ubuntu-20.04,$(_UBUNTU_SEMVER))) \
+	$(eval _UBUNTU_SEMVER:=$(subst ubuntu-2204,ubuntu-22.04,$(_UBUNTU_SEMVER))) \
+	$(eval _UBUNTU_SEMVER:=$(subst ubuntu-2404,ubuntu-24.04,$(_UBUNTU_SEMVER))) \
+	$(_UBUNTU_SEMVER) \
+)
+
 ## --------------------------------------
 ## Dependencies
 ## --------------------------------------
@@ -175,6 +183,13 @@ deps-vultr: deps-common
 	$(PACKER) init packer/config.pkr.hcl
 	$(PACKER) init packer/vultr/config.pkr.hcl
 
+## --------------------------------------
+## Packer Configuration
+## --------------------------------------
+
+.PHONY: set-ssh-password
+set-ssh-password:
+	hack/set-ssh-password.sh
 
 ## --------------------------------------
 ## Container variables
@@ -426,37 +441,37 @@ VULTR_BUILD_TARGETS 	:= $(addprefix build-,$(VULTR_BUILD_NAMES))
 VULTR_VALIDATE_TARGETS 	:= $(addprefix validate-,$(VULTR_BUILD_NAMES))
 
 .PHONY: $(NODE_OVA_LOCAL_BUILD_TARGETS)
-$(NODE_OVA_LOCAL_BUILD_TARGETS): deps-ova
+$(NODE_OVA_LOCAL_BUILD_TARGETS): deps-ova set-ssh-password
     # This uses a packer file builder to input unattend variables into a JSON file to be consumed by the python script before running the vmware-iso provisioner
 	$(if $(findstring windows,$@),$(PACKER) build $(PACKER_WINDOWS_NODE_FLAGS) -var-file="packer/ova/packer-common.json" -var-file="$(abspath packer/ova/$(subst build-node-ova-local-,,$@).json)" -only=file $(ABSOLUTE_PACKER_VAR_FILES) packer/ova/packer-windows.json,)
 	$(if $(findstring windows,$@),hack/windows-ova-unattend.py --unattend-file='./packer/ova/windows/$(subst build-node-ova-local-,,$@)/autounattend.xml',)
 	$(PACKER) build $(if $(findstring windows,$@),$(PACKER_WINDOWS_NODE_FLAGS),$(PACKER_NODE_FLAGS)) -var-file="packer/ova/packer-common.json" -var-file="$(abspath packer/ova/$(subst build-node-ova-local-,,$@).json)" -except=vsphere -only=vmware-iso $(ABSOLUTE_PACKER_VAR_FILES) packer/ova/packer-$(if $(findstring windows,$@),windows,node).json
 
 .PHONY: $(NODE_OVA_LOCAL_VALIDATE_TARGETS)
-$(NODE_OVA_LOCAL_VALIDATE_TARGETS): deps-ova
+$(NODE_OVA_LOCAL_VALIDATE_TARGETS): deps-ova set-ssh-password
 	$(PACKER) validate $(if $(findstring windows,$@),$(PACKER_WINDOWS_NODE_FLAGS),$(PACKER_NODE_FLAGS)) -var-file="packer/ova/packer-common.json" -var-file="$(abspath packer/ova/$(subst validate-node-ova-local-,,$@).json)" -except=vsphere -only=vmware-iso $(ABSOLUTE_PACKER_VAR_FILES) packer/ova/packer-$(if $(findstring windows,$@),windows,node).json
 
 .PHONY: $(NODE_OVA_LOCAL_VMX_BUILD_TARGETS)
-$(NODE_OVA_LOCAL_VMX_BUILD_TARGETS): deps-ova
+$(NODE_OVA_LOCAL_VMX_BUILD_TARGETS): deps-ova set-ssh-password
 	$(PACKER) build $(PACKER_NODE_FLAGS) -var-file="packer/ova/packer-common.json" -var-file="$(abspath packer/ova/$(subst build-node-ova-local-vmx-,,$@).json)" -var-file="packer/ova/vmx.json" -except=vsphere -except=vmware-iso -only=vmware-vmx $(ABSOLUTE_PACKER_VAR_FILES) packer/ova/packer-node.json
 
 .PHONY: $(NODE_OVA_LOCAL_BASE_BUILD_TARGETS)
-$(NODE_OVA_LOCAL_BASE_BUILD_TARGETS): deps-ova
+$(NODE_OVA_LOCAL_BASE_BUILD_TARGETS): deps-ova set-ssh-password
 	$(PACKER) build $(PACKER_NODE_FLAGS) -var-file="packer/ova/packer-common.json" -var-file="$(abspath packer/ova/$(subst build-node-ova-local-base-,,$@).json)"  -except=vsphere -except=vmware-iso -except=vmware-vmx -only=vmware-iso-base $(ABSOLUTE_PACKER_VAR_FILES) packer/ova/packer-node.json
 
 .PHONY: $(NODE_OVA_VSPHERE_BUILD_TARGETS)
-$(NODE_OVA_VSPHERE_BUILD_TARGETS): deps-ova
+$(NODE_OVA_VSPHERE_BUILD_TARGETS): deps-ova set-ssh-password
     # This uses a packer file builder to input unattend variables into a JSON file to be consumed by the python script before running the vsphere provisioner
 	$(if $(findstring windows,$@),$(PACKER) build $(PACKER_WINDOWS_NODE_FLAGS) -var-file="packer/ova/packer-common.json" -var-file="$(abspath packer/ova/$(subst build-node-ova-vsphere-,,$@).json)" -only=file $(ABSOLUTE_PACKER_VAR_FILES) packer/ova/packer-windows.json,)
 	$(if $(findstring windows,$@),hack/windows-ova-unattend.py --unattend-file='./packer/ova/windows/$(subst build-node-ova-vsphere-,,$@)/autounattend.xml',)
 	$(PACKER) build $(if $(findstring windows,$@),$(PACKER_WINDOWS_NODE_FLAGS),$(PACKER_NODE_FLAGS))  -var-file="packer/ova/packer-common.json" -var-file="$(abspath packer/ova/$(subst build-node-ova-vsphere-,,$@).json)" -var-file="packer/ova/vsphere.json"  -except=local -only=vsphere-iso $(ABSOLUTE_PACKER_VAR_FILES) -only=vsphere packer/ova/packer-$(if $(findstring windows,$@),windows,node).json
 
 .PHONY: $(NODE_OVA_VSPHERE_BASE_BUILD_TARGETS)
-$(NODE_OVA_VSPHERE_BASE_BUILD_TARGETS): deps-ova
+$(NODE_OVA_VSPHERE_BASE_BUILD_TARGETS): deps-ova set-ssh-password
 	$(PACKER) build $(PACKER_NODE_FLAGS) -var-file="packer/ova/packer-common.json" -var-file="$(abspath packer/ova/$(subst build-node-ova-vsphere-base-,,$@).json)" -var-file="packer/ova/vsphere.json" -except=local -except=manifest -except=vsphere -only=vsphere-iso-base $(ABSOLUTE_PACKER_VAR_FILES) packer/ova/packer-node.json
 
 .PHONY: $(NODE_OVA_VSPHERE_CLONE_BUILD_TARGETS)
-$(NODE_OVA_VSPHERE_CLONE_BUILD_TARGETS): deps-ova
+$(NODE_OVA_VSPHERE_CLONE_BUILD_TARGETS): deps-ova set-ssh-password
 	$(PACKER) build $(PACKER_NODE_FLAGS) -var-file="packer/ova/packer-common.json" -var-file="$(abspath packer/ova/$(subst build-node-ova-vsphere-clone-,,$@).json)" -var-file="packer/ova/vsphere.json" -except=local -only=vsphere-clone $(ABSOLUTE_PACKER_VAR_FILES) packer/ova/packer-node.json
 
 .PHONY: $(AMI_BUILD_TARGETS)
@@ -524,27 +539,27 @@ $(OPENSTACK_VALIDATE_TARGETS): deps-openstack
 	packer validate $(PACKER_NODE_FLAGS) -var-file="$(abspath packer/openstack/$(subst validate-openstack-,,$@).json)" $(ABSOLUTE_PACKER_VAR_FILES) packer/openstack/packer.json
 
 .PHONY: $(QEMU_BUILD_TARGETS)
-$(QEMU_BUILD_TARGETS): deps-qemu
+$(QEMU_BUILD_TARGETS): deps-qemu set-ssh-password
 	$(PACKER) build $(PACKER_NODE_FLAGS) -var-file="$(abspath packer/qemu/$(subst build-,,$@).json)" $(ABSOLUTE_PACKER_VAR_FILES) packer/qemu/packer.json
 
 .PHONY: $(QEMU_VALIDATE_TARGETS)
-$(QEMU_VALIDATE_TARGETS): deps-qemu
+$(QEMU_VALIDATE_TARGETS): deps-qemu set-ssh-password
 	$(PACKER) validate $(PACKER_NODE_FLAGS) -var-file="$(abspath packer/qemu/$(subst validate-,,$@).json)" $(ABSOLUTE_PACKER_VAR_FILES) packer/qemu/packer.json
 
 .PHONY: $(QEMU_KUBEVIRT_BUILD_TARGETS)
-$(QEMU_KUBEVIRT_BUILD_TARGETS): deps-qemu
+$(QEMU_KUBEVIRT_BUILD_TARGETS): deps-qemu set-ssh-password
 	$(PACKER) build $(PACKER_NODE_FLAGS) -var-file="$(abspath packer/qemu/$(subst build-kubevirt-,,$@).json)" --var 'kubevirt=true' $(ABSOLUTE_PACKER_VAR_FILES) packer/qemu/packer.json
 
 .PHONY: $(QEMU_KUBEVIRT_VALIDATE_TARGETS)
-$(QEMU_KUBEVIRT_VALIDATE_TARGETS): deps-qemu
+$(QEMU_KUBEVIRT_VALIDATE_TARGETS): deps-qemu set-ssh-password
 	$(PACKER) validate $(PACKER_NODE_FLAGS) -var-file="$(abspath packer/qemu/$(subst validate-kubevirt-,,$@).json)" --var 'kubevirt=true' $(ABSOLUTE_PACKER_VAR_FILES) packer/qemu/packer.json
 
 .PHONY: $(RAW_BUILD_TARGETS)
-$(RAW_BUILD_TARGETS): deps-raw
+$(RAW_BUILD_TARGETS): deps-raw set-ssh-password
 	$(PACKER) build $(PACKER_NODE_FLAGS) -var-file="$(abspath packer/raw/$(subst build-,,$@).json)" $(ABSOLUTE_PACKER_VAR_FILES) packer/raw/packer.json
 
 .PHONY: $(RAW_VALIDATE_TARGETS)
-$(RAW_VALIDATE_TARGETS): deps-raw
+$(RAW_VALIDATE_TARGETS): deps-raw set-ssh-password
 	$(PACKER) validate $(PACKER_NODE_FLAGS) -var-file="$(abspath packer/raw/$(subst validate-,,$@).json)" $(ABSOLUTE_PACKER_VAR_FILES) packer/raw/packer.json
 
 .PHONY: $(OCI_BUILD_TARGETS)
@@ -574,11 +589,14 @@ $(POWERVS_VALIDATE_TARGETS): deps-powervs
 	$(PACKER) validate $(PACKER_POWERVS_NODE_FLAGS) -var-file="$(abspath packer/powervs/$(subst validate-powervs-,,$@).json)" $(ABSOLUTE_PACKER_VAR_FILES) -except=flatcar packer/powervs/packer.json
 
 .PHONY: $(NUTANIX_BUILD_TARGETS)
-$(NUTANIX_BUILD_TARGETS): deps-nutanix
+$(NUTANIX_BUILD_TARGETS): deps-nutanix set-ssh-password
+	$(eval NUTANIX_USERDATA:=$(shell cat $(abspath packer/nutanix/linux/cloud-init/$(subst -,/,$(if $(findstring ubuntu,$@),$(call GET_UBUNTU_DOTTED_SEMVER,$(subst build-nutanix-,,$@)),$(subst build-nutanix-,,$@)))/user-data) | base64 -w0))
+	$(eval NUTANIX_VAR_FILE:=$(abspath packer/nutanix/$(subst build-nutanix-,,$@).json))
+	jq '.user_data = "$(NUTANIX_USERDATA)"' $(NUTANIX_VAR_FILE) > $(NUTANIX_VAR_FILE).templated && mv $(NUTANIX_VAR_FILE).templated $(NUTANIX_VAR_FILE) 
 	$(PACKER) build $(if $(findstring windows,$@),$(PACKER_WINDOWS_NODE_FLAGS),$(PACKER_NODE_FLAGS)) -var-file="packer/nutanix/nutanix.json" -var-file="$(abspath packer/nutanix/$(subst build-nutanix-,,$@).json)" $(ABSOLUTE_PACKER_VAR_FILES) packer/nutanix/packer$(if $(findstring windows,$@),-windows,).json
 
 .PHONY: $(NUTANIX_VALIDATE_TARGETS)
-$(NUTANIX_VALIDATE_TARGETS): deps-nutanix
+$(NUTANIX_VALIDATE_TARGETS): deps-nutanix set-ssh-password
 	$(PACKER) validate $(if $(findstring windows,$@),$(PACKER_WINDOWS_NODE_FLAGS),$(PACKER_NODE_FLAGS)) -var-file="packer/nutanix/nutanix.json" -var-file="$(abspath packer/nutanix/$(subst validate-nutanix-,,$@).json)" $(ABSOLUTE_PACKER_VAR_FILES) packer/nutanix/packer$(if $(findstring windows,$@),-windows,).json
 
 .PHONY: $(HCLOUD_BUILD_TARGETS)
@@ -590,11 +608,11 @@ $(HCLOUD_VALIDATE_TARGETS): deps-hcloud
 	$(PACKER) validate $(PACKER_NODE_FLAGS) -var-file="packer/hcloud/hcloud-config.json" -var-file="$(abspath packer/hcloud/$(subst validate-hcloud-,,$@).json)" $(ABSOLUTE_PACKER_VAR_FILES) packer/hcloud/packer$(if $(findstring flatcar,$@),-flatcar,).json
 
 .PHONY: $(PROXMOX_BUILD_TARGETS)
-$(PROXMOX_BUILD_TARGETS): deps-proxmox
+$(PROXMOX_BUILD_TARGETS): deps-proxmox set-ssh-password
 	$(PACKER) build $(PACKER_NODE_FLAGS) -var-file="$(abspath packer/proxmox/$(subst build-proxmox-,,$@).json)" $(ABSOLUTE_PACKER_VAR_FILES) packer/proxmox/packer.json
 
 .PHONY: $(PROXMOX_VALIDATE_TARGETS)
-$(PROXMOX_VALIDATE_TARGETS): deps-proxmox
+$(PROXMOX_VALIDATE_TARGETS): deps-proxmox set-ssh-password
 	$(PACKER) validate $(PACKER_NODE_FLAGS) -var-file="$(abspath packer/proxmox/$(subst validate-proxmox-,,$@).json)" $(ABSOLUTE_PACKER_VAR_FILES) packer/proxmox/packer.json
 
 .PHONY: $(VULTR_BUILD_TARGETS)

images/capi/hack/set-ssh-password.sh

@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+
+# Copyright 2024 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+PACKER_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../packer" && pwd -P)"
+
+openssl_binary=openssl11
+if ! command -v $openssl_binary >/dev/null 2>&1; then
+  openssl_binary=openssl
+  if ! command -v $openssl_binary >/dev/null 2>&1; then
+    echo "openssl or openssl11 binary must be in \$PATH" 1>&2
+    exit 1
+  fi
+fi
+
+# Check if openssl version is atleast 1.1.1 to support SHA-512 algorithm
+current_openssl_version=$($openssl_binary version | grep -Po "\d.\d.\d" | head -n1)
+minimum_openssl_version="1.1.1"
+if ! [ "$(printf '%s\n' "$minimum_openssl_version" "$current_openssl_version" | sort -V | head -n1)" = "$minimum_openssl_version" ]; then
+  echo "OpenSSL version must be atleast $minimum_openssl_version, current OpenSSL version is $current_openssl_version" 1>&2
+  exit 1
+fi
+
+export SSH_PASSWORD=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 16; echo)
+SALT=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 16; echo)
+export ENCRYPTED_SSH_PASSWORD=$($openssl_binary passwd -6 -salt $SALT -stdin <<< $SSH_PASSWORD)
+
+for file in $(find $PACKER_DIR -type f -name "*.tmpl"); do
+  if [ -f "${file%.*}" ]; then
+    rm ${file%.*}
+  fi
+  sed -e "s|\$SSH_PASSWORD|$SSH_PASSWORD|g" -e "s|\$ENCRYPTED_SSH_PASSWORD|$ENCRYPTED_SSH_PASSWORD|g" $file | tee ${file%.*}
+done

images/capi/packer/nutanix/.gitignore

@@ -0,0 +1,2 @@
+packer.json
+user-data.tmpl

images/capi/packer/nutanix/linux/cloud-init/rhel/8/user-data.tmpl

@@ -0,0 +1,9 @@
+#cloud-config
+users:
+  - name: builder
+    sudo: ['ALL=(ALL) NOPASSWD:ALL']
+chpasswd:
+  list: |
+    builder:$SSH_PASSWORD
+  expire: False
+ssh_pwauth: True

images/capi/packer/nutanix/linux/cloud-init/rhel/9/user-data.tmpl

@@ -0,0 +1,9 @@
+#cloud-config
+users:
+  - name: builder
+    sudo: ['ALL=(ALL) NOPASSWD:ALL']
+chpasswd:
+  list: |
+    builder:$SSH_PASSWORD
+  expire: False
+ssh_pwauth: True

images/capi/packer/nutanix/linux/cloud-init/rockylinux/8/user-data.tmpl

@@ -0,0 +1,9 @@
+#cloud-config
+users:
+  - name: builder
+    sudo: ['ALL=(ALL) NOPASSWD:ALL']
+chpasswd:
+  list: |
+    builder:$SSH_PASSWORD
+  expire: False
+ssh_pwauth: True

images/capi/packer/nutanix/linux/cloud-init/rockylinux/9/user-data.tmpl

@@ -0,0 +1,9 @@
+#cloud-config
+users:
+  - name: builder
+    sudo: ['ALL=(ALL) NOPASSWD:ALL']
+chpasswd:
+  list: |
+    builder:$SSH_PASSWORD
+  expire: False
+ssh_pwauth: True

images/capi/packer/nutanix/linux/cloud-init/ubuntu/20.04/user-data.tmpl

@@ -0,0 +1,10 @@
+#cloud-config
+users:
+  - name: builder
+    sudo: ['ALL=(ALL) NOPASSWD:ALL']
+    shell: /bin/bash
+chpasswd:
+  list: |
+    builder:$SSH_PASSWORD
+  expire: False
+ssh_pwauth: True

images/capi/packer/nutanix/linux/cloud-init/ubuntu/22.04/user-data.tmpl

@@ -0,0 +1,10 @@
+#cloud-config
+users:
+  - name: builder
+    sudo: ['ALL=(ALL) NOPASSWD:ALL']
+    shell: /bin/bash
+chpasswd:
+  list: |
+    builder:$SSH_PASSWORD
+  expire: False
+ssh_pwauth: True

images/capi/packer/nutanix/linux/cloud-init/ubuntu/24.04/user-data.tmpl

@@ -0,0 +1,10 @@
+#cloud-config
+users:
+  - name: builder
+    sudo: ['ALL=(ALL) NOPASSWD:ALL']
+    shell: /bin/bash
+chpasswd:
+  list: |
+    builder:$SSH_PASSWORD
+  expire: False
+ssh_pwauth: True

images/capi/packer/nutanix/packer.json → images/capi/packer/nutanix/packer.json.tmpl

@@ -157,8 +157,8 @@
     "scp_extra_vars": "",
     "source_image_delete": "false",
     "source_image_force": "false",
-    "ssh_password": "{{ uuid }}",
+    "ssh_password": "$SSH_PASSWORD",
     "ssh_username": "builder",
-    "vm_force_delete": "false"
+    "vm_force_delete": "true"
   }
 }

images/capi/packer/ova/.gitignore

@@ -0,0 +1,6 @@
+packer-common.json
+ks.cfg
+ks.json
+preseed.cfg
+preseed-efi.cfg
+user-data

images/capi/packer/ova/linux/rhel/http/7/ks.cfg → images/capi/packer/ova/linux/centos/http/7/ks.cfg.tmpl

@@ -37,7 +37,7 @@ unsupported_hardware
 
 # Configure the user(s)
 auth --enableshadow --passalgo=sha512 --kickstart
-user --name=builder --plaintext --password builder --groups=builder,wheel
+user --name=builder --plaintext --password $SSH_PASSWORD --groups=builder,wheel
 
 # Disable general install minutia
 firstboot --disabled

images/capi/packer/ova/linux/centos/http/8/ks.cfg → images/capi/packer/ova/linux/centos/http/8/ks.cfg.tmpl

@@ -26,7 +26,7 @@ skipx
 # System timezone
 timezone UTC
 # Add a user named builder
-user --groups=wheel --name=builder --password=builder --plaintext --gecos="builder"
+user --groups=wheel --name=builder --password=$SSH_PASSWORD --plaintext --gecos="builder"
 
 # System bootloader configuration
 bootloader --location=mbr --boot-drive=sda

images/capi/packer/ova/linux/photon/http/4/ks.json → images/capi/packer/ova/linux/photon/http/3/ks.json.tmpl

@@ -49,7 +49,7 @@
   },
   "postinstall": [
     "#!/bin/sh",
-    "useradd -U -d /home/builder -m --groups wheel builder && echo 'builder:builder' | chpasswd",
+    "useradd -U -d /home/builder -m --groups wheel builder && echo 'builder:$SSH_PASSWORD' | chpasswd",
     "echo 'builder ALL=(ALL) NOPASSWD: ALL' >/etc/sudoers.d/builder",
     "chmod 440 /etc/sudoers.d/builder",
     "systemctl enable sshd",

images/capi/packer/ova/linux/photon/http/3/ks.json → images/capi/packer/ova/linux/photon/http/4/ks.json.tmpl

@@ -49,7 +49,7 @@
   },
   "postinstall": [
     "#!/bin/sh",
-    "useradd -U -d /home/builder -m --groups wheel builder && echo 'builder:builder' | chpasswd",
+    "useradd -U -d /home/builder -m --groups wheel builder && echo 'builder:$SSH_PASSWORD' | chpasswd",
     "echo 'builder ALL=(ALL) NOPASSWD: ALL' >/etc/sudoers.d/builder",
     "chmod 440 /etc/sudoers.d/builder",
     "systemctl enable sshd",

images/capi/packer/ova/linux/photon/http/5/ks.json → images/capi/packer/ova/linux/photon/http/5/ks.json.tmpl

@@ -47,7 +47,7 @@
   },
   "postinstall": [
     "#!/bin/sh",
-    "useradd -U -d /home/builder -m --groups wheel builder && echo 'builder:builder' | chpasswd",
+    "useradd -U -d /home/builder -m --groups wheel builder && echo 'builder:$SSH_PASSWORD' | chpasswd",
     "echo 'builder ALL=(ALL) NOPASSWD: ALL' >/etc/sudoers.d/builder",
     "chmod 440 /etc/sudoers.d/builder",
     "systemctl enable sshd",

images/capi/packer/ova/linux/centos/http/7/ks.cfg → images/capi/packer/ova/linux/rhel/http/7/ks.cfg.tmpl

@@ -37,7 +37,7 @@ unsupported_hardware
 
 # Configure the user(s)
 auth --enableshadow --passalgo=sha512 --kickstart
-user --name=builder --plaintext --password builder --groups=builder,wheel
+user --name=builder --plaintext --password $SSH_PASSWORD --groups=builder,wheel
 
 # Disable general install minutia
 firstboot --disabled

images/capi/packer/ova/linux/rhel/http/8/ks.cfg → images/capi/packer/ova/linux/rhel/http/8/ks.cfg.tmpl

@@ -26,7 +26,7 @@ skipx
 # System timezone
 timezone UTC
 # Add a user named builder
-user --groups=wheel --name=builder --password=builder --plaintext --gecos="builder"
+user --groups=wheel --name=builder --password=$SSH_PASSWORD --plaintext --gecos="builder"
 
 # System bootloader configuration
 bootloader --location=mbr --boot-drive=sda

images/capi/packer/ova/linux/rhel/http/9/ks.cfg → images/capi/packer/ova/linux/rhel/http/9/ks.cfg.tmpl

@@ -22,7 +22,7 @@ network --bootproto=dhcp --onboot=on --ipv6=auto --activate --hostname=rhel9
 rootpw --lock
 
 # Create builder user
-user --name=builder --groups=wheel --password=builder --plaintext --shell=/bin/bash
+user --name=builder --groups=wheel --password=$SSH_PASSWORD --plaintext --shell=/bin/bash
 
 # System services
 selinux --permissive

images/capi/packer/ova/linux/rockylinux/http/8/ks.cfg → images/capi/packer/ova/linux/rockylinux/http/8/ks.cfg.tmpl

@@ -22,7 +22,7 @@ network --bootproto=dhcp --onboot=on --ipv6=auto --activate --hostname=capv.vm
 rootpw --lock
 
 # Create builder user
-user --name=builder --groups=wheel --password=builder --plaintext --shell=/bin/bash
+user --name=builder --groups=wheel --password=$SSH_PASSWORD --plaintext --shell=/bin/bash
 
 # System services
 selinux --permissive

images/capi/packer/ova/linux/rockylinux/http/9/ks.cfg → images/capi/packer/ova/linux/rockylinux/http/9/ks.cfg.tmpl

@@ -22,7 +22,7 @@ network --bootproto=dhcp --onboot=on --ipv6=auto --activate --hostname=capv.vm
 rootpw --lock
 
 # Create builder user
-user --name=builder --groups=wheel --password=builder --plaintext --shell=/bin/bash
+user --name=builder --groups=wheel --password=$SSH_PASSWORD --plaintext --shell=/bin/bash
 
 # System services
 selinux --permissive

images/capi/packer/ova/linux/ubuntu/http/22.04.efi/user-data → images/capi/packer/ova/linux/ubuntu/http/22.04.efi/user-data.tmpl

@@ -90,8 +90,8 @@ autoinstall:
   user-data:
     users:
       - name: builder
-        # openssl passwd -6 -stdin <<< builder
-        passwd: $6$xyz$UtXVazU08Q5b8AW.TJ3MPYZglyXa3Ttf2RCel8MCUPlEYO1evWxeWBhZ2QqivU/Ij4tqYAxMCqc2ujEM4dMSe1
+        # openssl passwd -6 -salt <random salt> -stdin <<< <SSH password>
+        passwd: $ENCRYPTED_SSH_PASSWORD
         groups: [adm, cdrom, dip, plugdev, lxd, sudo]
         lock-passwd: false
         sudo: ALL=(ALL) NOPASSWD:ALL