From 4565103c8600ae4c09ecb80ec79bb143e46df54f Mon Sep 17 00:00:00 2001
From: Peter Bex
Date: Mon, 22 Feb 2016 20:27:19 +0100
Subject: Ensure we set an empty (crypted!) password, so user can set it after logging in with a key
---
 vps-builder.scm | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/vps-builder.scm b/vps-builder.scm
index df63fec..845213c 100644
--- a/vps-builder.scm
+++ b/vps-builder.scm
@@ -254,7 +254,12 @@
 (cs-groups (cadr user+cs-groups))
 (~ (make-pathname `("/" "home") user))
 (~/.ssh (make-pathname ~ ".ssh")))
- (run* (chroot ,root-dir useradd -m -G ,cs-groups ,user))
+ ;; Use -p to set empty *crypted* password. This ensures the
+ ;; user has no password (which differs from having an empty one!)
+ ;; and can choose to set a password. If we didn't supply -p, the
+ ;; password would be *locked*, which means "passwd" will prompt
+ ;; for a password, but there's none, so it can't be changed.
+ (run* (chroot ,root-dir useradd -p "" -m -G ,cs-groups ,user))
 (install-directory root-dir ~/.ssh user user #o700)
 (install-file root-dir pubkey
 (make-pathname ~/.ssh "authorized_keys")
--
cgit v1.2.3
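Review bot: The added `useradd -p ""` call leaves the shadow password field empty, which shadow(5) describes as "no password required to authenticate", so the new comment's claim that this differs from having an empty password is misleading. Until the user runs `passwd`, the account is protected only by how the image's login paths treat empty passwords; that configuration is not visible in this hunk. If pam_unix is configured with `nullok`, or `cs-groups` puts the user in a sudo-capable group, a local `su` or `sudo` with an empty password may succeed, so this should be checked against the built image. I would state the dependency next to the call, e.g. `;; Relies on sshd PermitEmptyPasswords=no and pam_unix without nullok in the image; until "passwd" is run, key login is the only safe path.`, and consider forcing a password change at first login. The enclosing `let` form begins and ends outside the hunk.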