Configuring Users

Default User

By default, a privileged user named core is created on the Fedora CoreOS system, but it is not configured with a default password or SSH key. If you wish to use the core user, you must provide an Ignition config which includes a password and/or SSH key(s) for the core user. Alternatively you may create additional, new users via Ignition configs.

If you do not want to use Ignition to manage the default user’s SSH key(s), you can make use of the Afterburn support and provide an SSH key via your cloud provider.

Creating a New User

To create a new user (or users), add it to the users list of your Butane config. In the following example, the config creates two new usernames, but doesn’t configure them to be especially useful.

variant: fcos
version: 1.5.0
passwd:
  users:
    - name: jlebon
    - name: miabbott

You will typically want to configure SSH keys or a password, in order to be able to log in as those users.

Using an SSH Key

To configure an SSH key for a local user, you can use a Butane config:

variant: fcos
version: 1.5.0
passwd:
  users:
    - name: core
      ssh_authorized_keys:
        - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHn2eh...
    - name: jlebon
      ssh_authorized_keys:
        - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDC5QFS...
        - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIveEaMRW...
    - name: miabbott
      ssh_authorized_keys:
        - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDTey7R...

Using File References to SSH Keys

Depending on the configuration variant and version you use, you can use local file references to SSH public keys instead of inlining them. The example from the previous section can thus be rewritten as follows:

variant: fcos
version: 1.5.0
passwd:
  users:
    - name: core
      ssh_authorized_keys_local:
        - users/core/id_rsa.pub
    - name: jlebon
      ssh_authorized_keys_local:
        - users/jlebon/id_rsa.pub
        - users/jlebon/id_ed25519.pub
    - name: miabbott
      ssh_authorized_keys_local:
        - users/miabbott/id_rsa.pub

You have to use butane with the --files-dir parameter to allow loading files from disk when converting to Ignition configurations for this to work.

Check the Configuration specifications for more details and which versions of your selected variant support it. Generally, each file may contain multiple SSH keys, one per line, and you may additionally specify inline ssh_authorized_keys as well as long as the SSH keys are unique.

SSH Key Locations

sshd uses a helper program, specified via the AuthorizedKeysCommand directive, to read public keys from files in a user’s ~/.ssh/authorized_keys.d directory. The AuthorizedKeysCommand is tried after the usual AuthorizedKeysFile files (defaulting to ~/.ssh/authorized_keys) and will not be executed if a matching key is found there. Key files in ~/.ssh/authorized_keys.d are read in alphabetical order, ignoring dotfiles.

Ignition writes configured SSH keys to ~/.ssh/authorized_keys.d/ignition. On platforms where SSH keys can be configured at the platform level, such as AWS, Afterburn writes those keys to ~/.ssh/authorized_keys.d/afterburn.

To debug the reading of ~/.ssh/authorized_keys.d, manually run the helper program and inspect its output:

/usr/libexec/ssh-key-dir

To view and validate the effective configuration for sshd, two test modes (-t, -T) are available as documented on the manual pages.

Using Password Authentication

Fedora CoreOS ships with no default passwords. You can use a Butane config to set a password for a local user. Building on the previous example, we can configure the password_hash for one or more users:

variant: fcos
version: 1.5.0
passwd:
  users:
    - name: core
      ssh_authorized_keys:
        - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHn2eh...
    - name: jlebon
      ssh_authorized_keys:
        - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDC5QFS...
        - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIveEaMRW...
    - name: miabbott
      password_hash: $y$j9T$aUmgEDoFIDPhGxEe2FUjc/$C5A...
      ssh_authorized_keys:
        - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDTey7R...

To generate a secure password hash, use mkpasswd from the whois package. Your Linux distro may ship a different mkpasswd implementation; you can ensure you’re using the correct one by running it from a container:

$ podman run -ti --rm quay.io/coreos/mkpasswd --method=yescrypt
Password:
$y$j9T$A0Y3wwVOKP69S.1K/zYGN.$S596l11UGH3XjN...

The yescrypt hashing method is recommended for new passwords. For more details on hashing methods, see man 5 crypt.

The configured password will be accepted for local authentication at the console. By default, Fedora CoreOS does not allow password authentication via SSH.

Configuring Groups

Fedora CoreOS comes with a few groups configured by default: root, adm, wheel, sudo, systemd-journal, docker

When configuring users via Butane configs, we can specify groups that the user(s) should be a part of.

variant: fcos
version: 1.5.0
passwd:
  users:
    - name: core
      ssh_authorized_keys:
        - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHn2eh...
    - name: jlebon
      groups:
        - wheel
      ssh_authorized_keys:
        - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDC5QFS...
        - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIveEaMRW...
    - name: miabbott
      groups:
        - docker
        - wheel
      password_hash: $y$j9T$aUmgEDoFIDPhGxEe2FUjc/$C5A...
      ssh_authorized_keys:
        - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDTey7R...

If a group does not exist, users should create them as part of the Butane config.

variant: fcos
version: 1.5.0
passwd:
  groups:
    - name: engineering
    - name: marketing
      gid: 9000
  users:
    - name: core
      ssh_authorized_keys:
        - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHn2eh...
    - name: jlebon
      groups:
        - engineering
        - wheel
      ssh_authorized_keys:
        - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDC5QFS...
        - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIveEaMRW...
    - name: miabbott
      groups:
        - docker
        - marketing
        - wheel
      password_hash: $y$j9T$aUmgEDoFIDPhGxEe2FUjc/$C5A...
      ssh_authorized_keys:
        - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDTey7R...

Configuring Administrative Privileges

The easiest way for users to be granted administrative privileges is to have them added to the sudo and wheel groups as part of the Butane config.

variant: fcos
version: 1.5.0
passwd:
  groups:
    - name: engineering
    - name: marketing
      gid: 9000
  users:
    - name: core
      ssh_authorized_keys:
        - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHn2eh...
    - name: jlebon
      groups:
        - engineering
        - wheel
        - sudo
      ssh_authorized_keys:
        - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDC5QFS...
        - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIveEaMRW...
    - name: miabbott
      groups:
        - docker
        - marketing
        - wheel
        - sudo
      password_hash: $y$j9T$aUmgEDoFIDPhGxEe2FUjc/$C5A...
      ssh_authorized_keys:
        - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDTey7R...

Enabling SSH Password Authentication

To enable password authentication via SSH, add the following to your Butane config:

variant: fcos
version: 1.5.0
storage:
  files:
    - path: /etc/ssh/sshd_config.d/20-enable-passwords.conf
      mode: 0644
      contents:
        inline: |
          # Fedora CoreOS disables SSH password login by default.
          # Enable it.
          # This file must sort before 40-disable-passwords.conf.
          PasswordAuthentication yes