core: support changing the password

bin456789 2024-10-13 22:58:12 +08:00
parent 0a6b5ba41c
commit 34d6c0a2c1
No known key found for this signature in database
GPG Key ID: EE301B386DE6C11B
9 changed files with 273 additions and 88 deletions

View File

@ -13,9 +13,9 @@ jobs:
os: [ubuntu-latest, windows-latest] os: [ubuntu-latest, windows-latest]
include: include:
- os: ubuntu-latest - os: ubuntu-latest
command: sudo bash reinstall.sh --debug command: sudo bash reinstall.sh --debug --password 123@@@
- os: windows-latest - os: windows-latest
command: ./reinstall.bat --debug command: ./reinstall.bat --debug --password 123@@@
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:
- run: | - run: |
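Review bot: the value passed here, `--password 123@@@`, is identical to `DEFAULT_PASSWORD`, so the job never checks that a non-default password is actually propagated into the hash files and the installed system; use a distinct throwaway value for the CI VM. Also worth a comment in the workflow that the flag is what keeps the job non-interactive, because without it `reinstall.sh` now blocks in `prompt_password`.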

View File

@ -125,11 +125,12 @@ certutil -urlcache -f -split https://jihulab.com/bin456789/reinstall/-/raw/main/
- Does not include a boot partition (except for Fedora), nor a swap partition, maximizing disk space utilization. - Does not include a boot partition (except for Fedora), nor a swap partition, maximizing disk space utilization.
- On virtual machines, the appropriate official slimmed-down kernel will be automatically installed. - On virtual machines, the appropriate official slimmed-down kernel will be automatically installed.
- To install Red Hat, you need to provide the `qcow2` image link obtained from <https://access.redhat.com/downloads/content/rhel>. - To install Red Hat, you need to provide the `qcow2` image link obtained from <https://access.redhat.com/downloads/content/rhel>.
- Username `root`, password `123@@@`. It may take a few minutes for the password to take effect on the first boot. - Username `root`, Default password `123@@@`. It may take a few minutes for the password to take effect on the first boot.
- After reinstalling, if you need to change SSH port or switch to key-based login, be sure to modify the files inside `/etc/ssh/sshd_config.d/`. - After reinstalling, if you need to change SSH port or switch to key-based login, be sure to modify the files inside `/etc/ssh/sshd_config.d/`.
- Optional parameters: - Optional parameters:
- `--ssh-port PORT` to change the SSH port - `--password PASSWORD` Set password
- `--hold 2` to prevent entering the system after installation. You can connect via SSH to modify system content, with the system mounted at `/os` (this feature is not supported on Debian/Kali). - `--ssh-port PORT` Change SSH port
- `--hold 2` Prevent entering the system after installation. You can connect via SSH to modify system content, with the system mounted at `/os` (this feature is not supported on Debian/Kali).
```bash ```bash
bash reinstall.sh centos 9 bash reinstall.sh centos 9
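Review bot: `--password PASSWORD` is documented without the caveat the code itself spells out in `save_password` (the value lands in shell history and in `/reinstall.log`); add one sentence saying that omitting the flag makes the script prompt for the password, and recommend that path over the flag on shared hosts.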
@ -161,21 +162,27 @@ bash reinstall.sh centos 9
<summary>Experimental Features</summary> <summary>Experimental Features</summary>
The following features are experimental and may not support modifying the SSH port or other options.
Install Debian using a cloud image, suitable for machines with slower CPUs Install Debian using a cloud image, suitable for machines with slower CPUs
```bash ```bash
bash reinstall.sh debian --ci bash reinstall.sh debian --ci
``` ```
Install CentOS, Alma, Rocky, Fedora using ISO, only supports machines with more than 2G of memory and dynamic IP Install CentOS, Alma, Rocky, Fedora using ISO, only supports machines with more than 2G of memory and dynamic IP.
Password `123@@@`, SSH Port `22`
Password and SSH port options are not supported.
```bash ```bash
bash reinstall.sh centos --installer bash reinstall.sh centos --installer
``` ```
Install Ubuntu using ISO, only supports machines with more than 1G of memory and dynamic IP Install Ubuntu using ISO, only supports machines with more than 1G of memory and dynamic IP.
Password `123@@@`, SSH Port `22`
Password and SSH port options are not supported.
```bash ```bash
bash reinstall.sh ubuntu --installer bash reinstall.sh ubuntu --installer
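Review bot: "Password and SSH port options are not supported" is accurate for the `--installer` modes, but `reinstall.sh` still calls `prompt_password` whenever `--password` is absent and the target is not netboot.xyz, so a user running `centos --installer` is asked for a password that is then ignored; either skip the prompt for these modes or say here that the prompt has no effect.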
@ -189,9 +196,9 @@ bash reinstall.sh ubuntu --installer
- When deploy a Windows image, the system disk will be expanded, and machines with static IPs will have their IPs configured. However, it may take a few minutes after the first boot for the configuration to take effect. - When deploy a Windows image, the system disk will be expanded, and machines with static IPs will have their IPs configured. However, it may take a few minutes after the first boot for the configuration to take effect.
- When deploy a Linux image, the script will not modify any contents of the image. - When deploy a Linux image, the script will not modify any contents of the image.
- Optional parameters: - Optional parameters:
- `--rdp-port PORT` to change the RDP port (Windows only). - `--rdp-port PORT` Change RDP port (Windows only).
- `--allow-ping` to allow ping responses (Windows only). - `--allow-ping` Allow ping responses (Windows only).
- `--hold 2` to prevent entering the system after DD completion. You can connect via SSH to modify system content, with the system mounted at `/os`. - `--hold 2` Prevent entering the system after DD completion. You can connect via SSH to modify system content, with the system mounted at `/os`.
```bash ```bash
bash reinstall.sh dd --img https://example.com/xxx.xz bash reinstall.sh dd --img https://example.com/xxx.xz
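Review bot: this section lists no `--password`, yet in DD mode `reinstall.sh` prompts for one and warns that it is used only for SSH access to the live environment while the DD runs; document the option here with exactly that scope so nobody expects the image's own credentials to change.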
@ -204,8 +211,10 @@ bash reinstall.sh dd --img https://example.com/xxx.xz
### Feature 3: Reboot to <img width="16" height="16" src="https://www.alpinelinux.org/alpine-logo.ico" /> Alpine Rescue System (Live OS) ### Feature 3: Reboot to <img width="16" height="16" src="https://www.alpinelinux.org/alpine-logo.ico" /> Alpine Rescue System (Live OS)
- You can use SSH to manually perform DD operations, modify partitions, and manually install Alpine, Arch, Gentoo, and other systems. - You can use SSH to manually perform DD operations, modify partitions, and manually install Alpine, Arch, Gentoo, and other systems.
- Username `root`, password `123@@@` - Username `root`, Default password `123@@@`
- If the disk content is not modified, rebooting again will return to the original system. - If the disk content is not modified, rebooting again will return to the original system.
- Optional parameters:
- `--password PASSWORD` Set password
```bash ```bash
bash reinstall.sh alpine --hold=1 bash reinstall.sh alpine --hold=1
@ -224,13 +233,14 @@ bash reinstall.sh netboot.xyz
### Feature 5: Install <img width="16" height="16" src="https://blogs.windows.com/wp-content/uploads/prod/2022/09/cropped-Windows11IconTransparent512-32x32.png" /> Windows ISO ### Feature 5: Install <img width="16" height="16" src="https://blogs.windows.com/wp-content/uploads/prod/2022/09/cropped-Windows11IconTransparent512-32x32.png" /> Windows ISO
- Username `administrator`, password `123@@@` - Username `administrator`, Default password `123@@@`
- If remote login fails, try using the username `.\administrator`. - If remote login fails, try using the username `.\administrator`.
- The machine with a static IP will automatically configure the IP. It may take a few minutes to take effect on the first boot. - The machine with a static IP will automatically configure the IP. It may take a few minutes to take effect on the first boot.
- Optional parameters: - Optional parameters:
- `--rdp-port PORT` to change the RDP port - `--password PASSWORD` Set Password
- `--allow-ping` to allow ping responses - `--rdp-port PORT` Change RDP port
- `--hold 2` to allow SSH connections for modifying the hard disk content before rebooting into the official Windows installation program, with the hard disk mounted at `/os`. - `--allow-ping` Allow ping responses
- `--hold 2` Allow SSH connections for modifying the hard disk content before rebooting into the official Windows installation program, with the hard disk mounted at `/os`.
![Windows Installation](https://github.com/bin456789/reinstall/assets/7548515/07c1aea2-1ce3-4967-904f-aaf9d6eec3f7) ![Windows Installation](https://github.com/bin456789/reinstall/assets/7548515/07c1aea2-1ce3-4967-904f-aaf9d6eec3f7)
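Review bot: minor, `Set Password` is capitalised differently from `Set password` in the other sections. More importantly, for Windows the password is written into `autounattend.xml` base64-encoded (`PlainText` is set to `false` in `windows.xml`), which is an encoding rather than a protection, so the README should say the unattend file is to be treated as containing the plaintext.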

View File

@ -125,9 +125,10 @@ certutil -urlcache -f -split https://jihulab.com/bin456789/reinstall/-/raw/main/
- 不含 boot 分区Fedora 例外),不含 swap 分区,最大化利用磁盘空间 - 不含 boot 分区Fedora 例外),不含 swap 分区,最大化利用磁盘空间
- 在虚拟机上,会自动安装合适的官方精简内核 - 在虚拟机上,会自动安装合适的官方精简内核
- 安装 Red Hat 需填写 <https://access.redhat.com/downloads/content/rhel> 得到的 `qcow2` 镜像链接 - 安装 Red Hat 需填写 <https://access.redhat.com/downloads/content/rhel> 得到的 `qcow2` 镜像链接
- 用户名 `root` 密码 `123@@@`,可能首次开机几分钟后密码才生效 - 用户名 `root` 默认密码 `123@@@`密码可能首次开机几分钟后才生效
- 重装后如需修改 SSH 端口 / 改成密钥登录,还要注意修改 `/etc/ssh/sshd_config.d/` 里面的文件 - 重装后如需修改 SSH 端口 / 改成密钥登录,还要注意修改 `/etc/ssh/sshd_config.d/` 里面的文件
- 可选参数 - 可选参数
- `--password PASSWORD` 设置密码
- `--ssh-port PORT` 修改 SSH 端口 - `--ssh-port PORT` 修改 SSH 端口
- `--hold 2` 安装结束后不进入系统。可连接 SSH 修改系统内容,系统挂载在 `/os` (此功能不支持 Debian / Kali) - `--hold 2` 安装结束后不进入系统。可连接 SSH 修改系统内容,系统挂载在 `/os` (此功能不支持 Debian / Kali)
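Review bot: keep this section in step with the English README: the same missing caveat applies here (the `--password` value is recorded in shell history and `/reinstall.log`, and omitting the flag triggers an interactive prompt).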
@ -161,8 +162,6 @@ bash reinstall.sh centos 9
<summary>实验性功能</summary> <summary>实验性功能</summary>
以下功能为实验性质,可能不支持修改 ssh 端口等其它选项
用云镜像安装 Debian适合于 CPU 较慢的机器 用云镜像安装 Debian适合于 CPU 较慢的机器
```bash ```bash
@ -171,12 +170,20 @@ bash reinstall.sh debian --ci
用 ISO 安装 CentOS, Alma, Rocky, Fedora ,仅支持内存大于 2G 且为动态 IP 的机器 用 ISO 安装 CentOS, Alma, Rocky, Fedora ,仅支持内存大于 2G 且为动态 IP 的机器
密码 `123@@@`SSH 端口 `22`
不支持设置密码、SSH 端口等选项
```bash ```bash
bash reinstall.sh centos --installer bash reinstall.sh centos --installer
``` ```
用 ISO 安装 Ubuntu ,仅支持内存大于 1G 且为动态 IP 的机器 用 ISO 安装 Ubuntu ,仅支持内存大于 1G 且为动态 IP 的机器
密码 `123@@@`SSH 端口 `22`
不支持设置密码、SSH 端口等选项
```bash ```bash
bash reinstall.sh ubuntu --installer bash reinstall.sh ubuntu --installer
``` ```
@ -204,8 +211,10 @@ bash reinstall.sh dd --img https://example.com/xxx.xz
### 功能 3: 重启到 <img width="16" height="16" src="https://www.alpinelinux.org/alpine-logo.ico" /> Alpine 救援系统 (Live OS) ### 功能 3: 重启到 <img width="16" height="16" src="https://www.alpinelinux.org/alpine-logo.ico" /> Alpine 救援系统 (Live OS)
- 可用 ssh 连接,进行手动 DD、修改分区、手动安装 Alpine / Arch / Gentoo 等操作 - 可用 ssh 连接,进行手动 DD、修改分区、手动安装 Alpine / Arch / Gentoo 等操作
- 用户名 `root` 密码 `123@@@` - 用户名 `root` 默认密码 `123@@@`
- 如果没有修改硬盘内容,再次重启将回到原系统 - 如果没有修改硬盘内容,再次重启将回到原系统
- 可选参数
- `--password PASSWORD` 设置密码
```bash ```bash
bash reinstall.sh alpine --hold=1 bash reinstall.sh alpine --hold=1
@ -224,10 +233,11 @@ bash reinstall.sh netboot.xyz
### 功能 5: 安装 <img width="16" height="16" src="https://blogs.windows.com/wp-content/uploads/prod/2022/09/cropped-Windows11IconTransparent512-32x32.png" /> Windows ISO ### 功能 5: 安装 <img width="16" height="16" src="https://blogs.windows.com/wp-content/uploads/prod/2022/09/cropped-Windows11IconTransparent512-32x32.png" /> Windows ISO
- 用户名 `administrator` 密码 `123@@@` - 用户名 `administrator` 默认密码 `123@@@`
- 如果远程登录失败,尝试使用用户名 `.\administrator` - 如果远程登录失败,尝试使用用户名 `.\administrator`
- 静态机器会自动配置好 IP可能首次开机几分钟后才生效 - 静态机器会自动配置好 IP可能首次开机几分钟后才生效
- 可选参数 - 可选参数
- `--password PASSWORD` 设置密码
- `--rdp-port PORT` 更改 RDP 端口 - `--rdp-port PORT` 更改 RDP 端口
- `--allow-ping` 允许被 Ping - `--allow-ping` 允许被 Ping
- `--hold 2` 在重启进入 Windows 官方安装程序前,可连接 SSH 修改硬盘内容,硬盘挂载在 `/os` - `--hold 2` 在重启进入 Windows 官方安装程序前,可连接 SSH 修改硬盘内容,硬盘挂载在 `/os`

View File

@ -8,13 +8,13 @@ users:
lock_passwd: false lock_passwd: false
chpasswd: chpasswd:
expire: false expire: false
# 20.04 arm 需要 # <= cloud-init 22.2.x 需要
list: | list: |
root:@PASSWORD@ root:@PASSWORD@
users: users:
- name: root - name: root
password: "@PASSWORD@" password: "@PASSWORD@"
type: text type: hash
runcmd: runcmd:
# opensuse tumbleweed 镜像有 /etc/ssh/sshd_config.d/ 文件夹,没有 /etc/ssh/sshd_config有/usr/etc/ssh/sshd_config # opensuse tumbleweed 镜像有 /etc/ssh/sshd_config.d/ 文件夹,没有 /etc/ssh/sshd_config有/usr/etc/ssh/sshd_config
# opensuse tumbleweed cloud-init 直接创建并写入 /etc/ssh/sshd_config造成默认配置丢失 # opensuse tumbleweed cloud-init 直接创建并写入 /etc/ssh/sshd_config造成默认配置丢失
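Review bot: with `type: hash` the `users:` entry is unambiguous, but the `list:` entry kept for cloud-init <= 22.2 has no type field, so cloud-init decides from the crypt prefix of the value whether it is a hash; a `$6$` string is recognised, which is why this works, but the yescrypt (`$y$`) output that `save_password` currently has disabled would not be on those old releases. Record that next to the `list:` comment so the yescrypt branch is not enabled without revisiting this file.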
@ -28,6 +28,7 @@ runcmd:
# daemon-reload 会刷新 /run/systemd/generator/ssh.socket.d/addresses.conf # daemon-reload 会刷新 /run/systemd/generator/ssh.socket.d/addresses.conf
- systemctl daemon-reload - systemctl daemon-reload
- for s in ssh.socket ssh.service sshd.socket sshd.service; do systemctl is-enabled $s && systemctl restart $s && break; done - for s in ssh.socket ssh.service sshd.socket sshd.service; do systemctl is-enabled $s && systemctl restart $s && break; done
# 删除有密码的行
- sed -i -e '/^[[:space:]]*password:/d' -e '/[[:space:]]*root:/d' /etc/cloud/cloud.cfg.d/99_fallback.cfg - sed -i -e '/^[[:space:]]*password:/d' -e '/[[:space:]]*root:/d' /etc/cloud/cloud.cfg.d/99_fallback.cfg
- touch /etc/cloud/cloud-init.disabled - touch /etc/cloud/cloud-init.disabled
# ubuntu 镜像运行 echo -e '\nDone' -e 会被显示出来 # ubuntu 镜像运行 echo -e '\nDone' -e 会被显示出来
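Review bot: the second pattern in the `sed` on `99_fallback.cfg`, `/[[:space:]]*root:/d`, is unanchored, so the `[[:space:]]*` is a no-op and any line containing `root:` anywhere is removed; anchor it as `/^[[:space:]]*root:/d` so it matches only the `list:` entry. Keep the deletion even though the value is now a hash: it is still an offline-cracking target.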

View File

@ -25,8 +25,9 @@ d-i mirror/country string manual
# B.4.5. 帐号设置 # B.4.5. 帐号设置
d-i passwd/make-user boolean false d-i passwd/make-user boolean false
d-i passwd/root-password password 123@@@ # 单纯为了跳过设置,实际上是在 partman/early_command 里设置密码preseed/early_command 无法设置密码
d-i passwd/root-password-again password 123@@@ d-i passwd/root-password password ''
d-i passwd/root-password-again password ''
# kali 需要下面这行,否则会提示输入用户名 # kali 需要下面这行,否则会提示输入用户名
d-i passwd/root-login boolean true d-i passwd/root-login boolean true
@ -155,6 +156,8 @@ d-i partman/early_command string true; \
[ -d /sys/firmware/efi ] && debconf-set partman-auto/expert_recipe "$(debconf-get partman-auto/expert_recipe_efi)"; \ [ -d /sys/firmware/efi ] && debconf-set partman-auto/expert_recipe "$(debconf-get partman-auto/expert_recipe_efi)"; \
[ -d /sys/firmware/efi ] || debconf-set partman-auto/expert_recipe "$(debconf-get partman-auto/expert_recipe_bios)"; \ [ -d /sys/firmware/efi ] || debconf-set partman-auto/expert_recipe "$(debconf-get partman-auto/expert_recipe_bios)"; \
debconf-set passwd/root-password-crypted "$(cat /configs/password-linux-sha512)"; \
true >/bin/os-prober true >/bin/os-prober
# kali ssh 默认关闭 # kali ssh 默认关闭
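Review bot: `partman/early_command` is a `true; …; …` chain, so if `cat /configs/password-linux-sha512` fails (file missing in the d-i initrd) or the `debconf-set` fails, the installer carries on with the empty `passwd/root-password` from the account-settings section above, which is not what the user asked for; make the step fatal (`debconf-set … "$(cat …)" || exit 1`) or test for the file first so a failed hash lookup stops the install instead of silently weakening it.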

View File

@ -41,6 +41,7 @@ rem 检查是否国内
if not exist %tmp%\geoip ( if not exist %tmp%\geoip (
rem 部分地区 www.cloudflare.com 被墙 rem 部分地区 www.cloudflare.com 被墙
call :download http://dash.cloudflare.com/cdn-cgi/trace %tmp%\geoip call :download http://dash.cloudflare.com/cdn-cgi/trace %tmp%\geoip
if errorlevel 1 goto :download_failed
) )
findstr /c:"loc=CN" %tmp%\geoip >nul findstr /c:"loc=CN" %tmp%\geoip >nul
if not errorlevel 1 ( if not errorlevel 1 (
@ -61,9 +62,9 @@ if not errorlevel 1 (
) )
rem pkgs 改动了才重新运行 Cygwin 安装程序 rem pkgs 改动了才重新运行 Cygwin 安装程序
set pkgs="curl,cpio,p7zip,bind-utils,ipcalc,dos2unix,binutils,jq" set pkgs=curl,cpio,p7zip,bind-utils,ipcalc,dos2unix,binutils,jq,xz,gzip,zstd,openssl,libiconv
set tags=%tmp%\cygwin-installed-!pkgs! set tags=%tmp%\cygwin-installed-%pkgs%
if not exist !tags! ( if not exist "%tags%" (
rem win10 arm 支持运行 x86 软件 rem win10 arm 支持运行 x86 软件
rem win11 arm 支持运行 x86 和 x86_64 软件 rem win11 arm 支持运行 x86 和 x86_64 软件
rem wmic os get osarchitecture 显示中文 rem wmic os get osarchitecture 显示中文
@ -102,6 +103,7 @@ if not exist !tags! (
rem 下载 Cygwin rem 下载 Cygwin
call :download http://www.cygwin.com/setup-!CygwinArch!.exe %tmp%\setup-cygwin.exe call :download http://www.cygwin.com/setup-!CygwinArch!.exe %tmp%\setup-cygwin.exe
if errorlevel 1 goto :download_failed
rem 安装 Cygwin rem 安装 Cygwin
set site=!mirror!!dir! set site=!mirror!!dir!
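Review bot: the failure check added here still wraps a fetch of `setup-!CygwinArch!.exe` over plain `http://www.cygwin.com/`, so anyone on the network path can hand the script an arbitrary executable that is then run with administrator rights; switch the URL to `https://` (certutil handles it) and verify the installer before launching it, for example against the `.sig` the Cygwin project publishes next to `setup-x86_64.exe`.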
@ -111,13 +113,14 @@ if not exist !tags! (
--site !site! ^ --site !site! ^
--root %SystemDrive%\cygwin ^ --root %SystemDrive%\cygwin ^
--local-package-dir %tmp%\cygwin-local-package-dir ^ --local-package-dir %tmp%\cygwin-local-package-dir ^
--packages !pkgs! ^ --packages %pkgs% ^
&& type nul >!tags! && type nul >"%tags%"
) )
rem 下载 reinstall.sh rem 下载 reinstall.sh
if not exist reinstall.sh ( if not exist reinstall.sh (
call :download %confhome%/reinstall.sh %~dp0reinstall.sh call :download %confhome%/reinstall.sh %~dp0reinstall.sh
if errorlevel 1 goto :download_failed
) )
rem 为每个参数添加引号,使参数正确传递到 bash rem 为每个参数添加引号,使参数正确传递到 bash
@ -147,8 +150,13 @@ rem https://learn.microsoft.com/en-us/windows/win32/bits/http-requirements-for-b
rem certutil 会被 windows Defender 报毒 rem certutil 会被 windows Defender 报毒
rem windows server 2019 要用第二条 certutil 命令 rem windows server 2019 要用第二条 certutil 命令
echo Download: %~1 %~2 echo Download: %~1 %~2
certutil -urlcache -f -split %~1 %~2 del /q "%~2" 2>nul
if not exist %~2 ( if exist "%~2" (echo Cannot delete %~2 & exit /b 1)
certutil -urlcache -split %~1 %~2 if not exist "%~2" certutil -urlcache -f -split "%~1" "%~2" >nul
) if not exist "%~2" certutil -urlcache -split "%~1" "%~2" >nul
if not exist "%~2" exit /b 1
exit /b exit /b
:download_failed
echo Download failed.
exit /b 1
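Review bot: both `certutil` calls now run with `>nul`, so when both attempts fail the user only sees `Download failed.` with no reason; let at least the second attempt print its output. Also note that the fallback without `-f` may return a stale copy from certutil's URL cache when the forced fetch failed for network reasons, which is harmless for the Cygwin installer but can serve an outdated `reinstall.sh`; the `SCRIPT_VERSION` check in `reinstall.sh` catches that case, so a comment saying so would help.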

View File

@ -8,7 +8,8 @@ confhome_cn=https://jihulab.com/bin456789/reinstall/-/raw/main
# confhome_cn=https://mirror.ghproxy.com/https://raw.githubusercontent.com/bin456789/reinstall/main # confhome_cn=https://mirror.ghproxy.com/https://raw.githubusercontent.com/bin456789/reinstall/main
# 用于判断 reinstall.sh 和 trans.sh 是否兼容 # 用于判断 reinstall.sh 和 trans.sh 是否兼容
SCRIPT_VERSION=4BACD833-A585-23BA-6CBB-9AA4E08E0001 SCRIPT_VERSION=4BACD833-A585-23BA-6CBB-9AA4E08E0002
DEFAULT_PASSWORD=123@@@
# https://www.gnu.org/software/gettext/manual/html_node/The-LANGUAGE-variable.html # https://www.gnu.org/software/gettext/manual/html_node/The-LANGUAGE-variable.html
export LC_ALL=C export LC_ALL=C
@ -1562,6 +1563,12 @@ install_pkg() {
yum | dnf | zypper) pkg="bind-utils" ;; yum | dnf | zypper) pkg="bind-utils" ;;
esac esac
;; ;;
iconv)
case "$pkg_mgr" in
apk) pkg="musl-utils" ;;
*) error_and_exit "Which GNU/Linux do not have iconv built-in?" ;;
esac
;;
*) pkg=$cmd ;; *) pkg=$cmd ;;
esac esac
} }
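Review bot: the `*)` arm turns `install_pkg iconv` into a hard error on every non-Alpine system, so if whatever guard skips installation when the command already exists (not visible here) does not fire, a glibc host with a trimmed userland stops with a rhetorical message; map the usual packages (`libc-bin` on Debian/Ubuntu, `glibc-common` on the RHEL family) or make the message say which package provides `iconv`.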
@ -1814,6 +1821,92 @@ del_empty_lines() {
sed '/^[[:space:]]*$/d' sed '/^[[:space:]]*$/d'
} }
prompt_password() {
while true; do
IFS= read -r -p "Password [$DEFAULT_PASSWORD]: " password
IFS= read -r -p "Retype password [$DEFAULT_PASSWORD]: " password_confirm
password=${password:-$DEFAULT_PASSWORD}
password_confirm=${password_confirm:-$DEFAULT_PASSWORD}
if [ -z "$password" ]; then
error "Passwords is empty. Try again."
elif [ "$password" != "$password_confirm" ]; then
error "Passwords don't match. Try again."
else
break
fi
done
}
save_password() {
dir=$1
# mkpasswd 有三个
# expect 里的 mkpasswd 是用来生成随机密码的
# whois 里的 mkpasswd 才是我们想要的,可能不支持 yescryptalpine 的 mkpasswd 是独立的包
# busybox 里的 mkpasswd 也是我们想要的,但多数不支持 yescrypt
# alpine 这两个包有冲突
# apk add expect mkpasswd
# 明文密码
# 假如用户运行 alpine live 直接打包硬盘镜像,则会暴露明文密码,因为 netboot initrd 在里面
# 通过 --password 传入密码history 有记录,也会暴露明文密码
# /reinstall.log 也会暴露明文密码
if false; then
echo "$password" >>"$dir/password-plaintext"
fi
# sha512
# 以下系统均支持 sha512 密码,但是生成密码需要不同的工具
# 兼容性 openssl mkpasswd busybox python
# centos 7 × 只有expect的 需要编译 √
# centos 8 √ 只有expect的
# debian 9 ×
# ubuntu 16 ×
# alpine √ 可能系统装了expect √
# cygwin √
# others √
# alpine
if is_have_cmd busybox && busybox mkpasswd --help 2>&1 | grep -wq sha512; then
crypted=$(printf '%s' "$password" | busybox mkpasswd -m sha512)
# centos 7
elif is_have_cmd python2; then
crypted=$(python2 -c "import crypt; print(crypt.crypt('$password', crypt.mksalt(crypt.METHOD_SHA512)))")
# others
elif install_pkg openssl && openssl passwd --help 2>&1 | grep -wq '\-6'; then
crypted=$(printf '%s' "$password" | openssl passwd -6 -stdin)
# debian 9 / ubuntu 16
elif is_have_cmd apt-get && install_pkg whois && mkpasswd -m help | grep -wq sha-512; then
crypted=$(printf '%s' "$password" | mkpasswd -m sha-512 --stdin)
else
error_and_exit "Could not generate sha512 password."
fi
echo "$crypted" >"$dir/password-linux-sha512"
# yescrypt
# 旧系统不支持,先不管
if false; then
if mkpasswd -m help | grep -wq yescrypt; then
crypted=$(printf '%s' "$password" | mkpasswd -m yescrypt --stdin)
echo "$crypted" >"$dir/password-linux-yescrypt"
fi
fi
# windows
if [ "$distro" = windows ] || [ "$distro" = dd ]; then
install_pkg iconv
# 要分两行写,因为 echo "$(xxx)" 返回值始终为 0出错也不会中断脚本
# grep . 为了保证脚本没有出错
base64=$(printf '%s' "${password}Password" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0 | grep .)
echo "$base64" >"$dir/password-windows-user-base64"
base64=$(printf '%s' "${password}AdministratorPassword" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0 | grep .)
echo "$base64" >"$dir/password-windows-administrator-base64"
fi
}
# 记录主硬盘 # 记录主硬盘
find_main_disk() { find_main_disk() {
if [ -n "$main_disk" ]; then if [ -n "$main_disk" ]; then
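Review bot: the `python2` branch cannot work: Python 2.7's `crypt` module only provides `crypt.crypt(word, salt)`; `crypt.mksalt` and `crypt.METHOD_SHA512` were added in Python 3.3, so on CentOS 7 this raises `AttributeError` and `crypted` ends up empty. Generate the salt in shell and call `crypt.crypt(pw, '$6$' + salt)`, and pass the password on stdin (`sys.stdin.read()`) rather than interpolating it into the `-c` source, where a quote or backslash in the password is a syntax error at best and code execution at worst. Two smaller points in the same hunk: `prompt_password` echoes both entries to the terminal (use `read -s` and print a newline afterwards), and a password consisting only of whitespace passes the `-z` check.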
@ -2359,7 +2452,7 @@ build_extra_cmdline() {
# https://answers.launchpad.net/ubuntu/+question/249456 # https://answers.launchpad.net/ubuntu/+question/249456
# https://salsa.debian.org/installer-team/rootskel/-/blob/master/src/lib/debian-installer-startup.d/S02module-params?ref_type=heads # https://salsa.debian.org/installer-team/rootskel/-/blob/master/src/lib/debian-installer-startup.d/S02module-params?ref_type=heads
for key in confhome hold force force_old_windows_setup cloud_image main_disk \ for key in confhome hold force force_old_windows_setup cloud_image main_disk \
ssh_port rdp_port web_port allow_ping password; do ssh_port rdp_port web_port allow_ping; do
value=${!key} value=${!key}
if [ -n "$value" ]; then if [ -n "$value" ]; then
is_need_quote "$value" && is_need_quote "$value" &&
@ -2728,13 +2821,17 @@ EOF
# 5. debian 11/12 initrd 无法识别 < < # 5. debian 11/12 initrd 无法识别 < <
# 6. debian 11 initrd 无法识别 set -E # 6. debian 11 initrd 无法识别 set -E
# 7. debian 11 initrd 无法识别 trap ERR # 7. debian 11 initrd 无法识别 trap ERR
# 8. debian 9 initrd 无法识别 ${string//find/replace}
# 删除或注释,可能会导致空方法而报错,因此改为替换成'\n: #' # 删除或注释,可能会导致空方法而报错,因此改为替换成'\n: #'
replace='\n: #' replace='\n: #'
sed -Ei "s/> >/$replace/" $initrd_dir/trans.sh sed -Ei \
sed -Ei "s/< </$replace/" $initrd_dir/trans.sh -e "s/> >/$replace/" \
sed -Ei "s/(^[[:space:]]*set[[:space:]].*)E/\1/" $initrd_dir/trans.sh -e "s/< </$replace/" \
sed -Ei "s/^[[:space:]]*apk[[:space:]]/$replace/" $initrd_dir/trans.sh -e "s/^[[:space:]]*apk[[:space:]]/$replace/" \
sed -Ei "s/^[[:space:]]*trap[[:space:]]/$replace/" $initrd_dir/trans.sh -e "s/^[[:space:]]*trap[[:space:]]/$replace/" \
-e "s/\\$\{.*\/\/.*\/.*\}/$replace/" \
-e "/^[[:space:]]*set[[:space:]]/s/E//" \
$initrd_dir/trans.sh
} }
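Review bot: the new `${…//…/…}` rule is greedy and unanchored, so it fires on any line that contains `${`, then `//`, then `/`, then `}` in that order, which includes a URL inside a parameter expansion; limit it to `\$\{[^}]*\/\/[^}]*\/[^}]*\}`. The rewritten `set` rule, `/^[[:space:]]*set[[:space:]]/s/E//`, deletes the first `E` anywhere on a `set` line rather than the `-E` flag, so `set -- "$SOME_VAR"` would become `set -- "$SOM_VAR"`; `s/(-[a-z]*)E/\1/` keeps it to the option. Running `busybox sh -n` on the patched `trans.sh` in CI would catch either.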
get_disk_drivers() { get_disk_drivers() {
@ -2915,11 +3012,15 @@ EOF
# ssl_client: SSL_connect # ssl_client: SSL_connect
# wget: bad header line: <20> # wget: bad header line: <20>
insert_into_file init before '^exec (/bin/busybox )?switch_root' <<EOF insert_into_file init before '^exec (/bin/busybox )?switch_root' <<EOF
# trans
# echo "wget --no-check-certificate -O- $confhome/trans.sh | /bin/ash" >\$sysroot/etc/local.d/trans.start # echo "wget --no-check-certificate -O- $confhome/trans.sh | /bin/ash" >\$sysroot/etc/local.d/trans.start
# wget --no-check-certificate -O \$sysroot/etc/local.d/trans.start $confhome/trans.sh # wget --no-check-certificate -O \$sysroot/etc/local.d/trans.start $confhome/trans.sh
cp /trans.sh \$sysroot/etc/local.d/trans.start cp /trans.sh \$sysroot/etc/local.d/trans.start
chmod a+x \$sysroot/etc/local.d/trans.start chmod a+x \$sysroot/etc/local.d/trans.start
ln -s /etc/init.d/local \$sysroot/etc/runlevels/default/ ln -s /etc/init.d/local \$sysroot/etc/runlevels/default/
# 配置文件夹
cp -r /configs \$sysroot/configs
EOF EOF
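Review bot: `/configs` now holds the root password hash (and the plaintext, should the disabled branch in `save_password` ever be enabled) and is copied into the live root with whatever mode `cp -r` gives it; `chmod 700` the directory where `mod_initrd` creates it and have `trans.sh` delete it once the password has been applied, since the hash is an offline-cracking target and, as the comment in `save_password` warns, anyone who images the disk from the live system gets the initrd with it.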
# 判断云镜像 debain 能否用云内核 # 判断云镜像 debain 能否用云内核
@ -2958,14 +3059,19 @@ mod_initrd() {
$(is_in_windows && echo --nonmatching 'dev/console' --nonmatching 'dev/null') $(is_in_windows && echo --nonmatching 'dev/console' --nonmatching 'dev/null')
curl -Lo $initrd_dir/trans.sh $confhome/trans.sh curl -Lo $initrd_dir/trans.sh $confhome/trans.sh
if ! grep -i "$SCRIPT_VERSION" $initrd_dir/trans.sh; then if ! grep -iq "$SCRIPT_VERSION" $initrd_dir/trans.sh; then
error_and_exit " error_and_exit "
This script is outdated, please download reinstall.sh again. This script is outdated, please download reinstall.sh again.
脚本有更新,请重新下载 reinstall.sh" 脚本有更新,请重新下载 reinstall.sh"
fi fi
curl -Lo $initrd_dir/alpine-network.sh $confhome/alpine-network.sh curl -Lo $initrd_dir/alpine-network.sh $confhome/alpine-network.sh
chmod a+x $initrd_dir/trans.sh $initrd_dir/alpine-network.sh chmod a+x $initrd_dir/trans.sh $initrd_dir/alpine-network.sh
# 保存配置
mkdir -p $initrd_dir/configs
save_password $initrd_dir/configs
if is_distro_like_debian $nextos_distro; then if is_distro_like_debian $nextos_distro; then
mod_initrd_debian_kali mod_initrd_debian_kali
else else
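Review bot: `trans.sh` is pulled from `$confhome` with `curl -Lo` and only grepped for `SCRIPT_VERSION`, which is a compatibility check, not an integrity check, and it then runs as root inside the initrd. Publish a sha256 (or sign the file) and verify it here before `chmod a+x`, or at least pin `$confhome` to a tag or commit rather than `main`.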
@ -3071,13 +3177,13 @@ fi
long_opts= long_opts=
for o in ci installer debug minimal allow-ping \ for o in ci installer debug minimal allow-ping \
hold: \ hold: sleep: \
sleep: \
iso: \ iso: \
image-name: \ image-name: \
boot-wim: \ boot-wim: \
img: \ img: \
lang: \ lang: \
passwd: password: \
ssh-port: \ ssh-port: \
rdp-port: \ rdp-port: \
web-port: \ web-port: \
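Review bot: `passwd:` is replaced by `password:` here, but the handler below still matches `--passwd | --password`; util-linux `getopt` accepts only unambiguous prefixes of declared long options and `passwd` is not a prefix of `password`, so `--passwd` is rejected before the `case` is reached and that alias is dead. Keep `passwd:` in the list if the alias is meant to survive, otherwise drop it from the `case`.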
@ -3091,7 +3197,7 @@ done
# 整理参数 # 整理参数
if ! opts=$(getopt -n $0 -o "" --long "$long_opts" -- "$@"); then if ! opts=$(getopt -n $0 -o "" --long "$long_opts" -- "$@"); then
usage_and_exit exit
fi fi
eval set -- "$opts" eval set -- "$opts"
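Review bot: `exit` with no status inside `if ! opts=$(getopt …); then` returns the status of the negated test, which is 0, so an invalid option now exits successfully and a calling script or the CI matrix cannot tell; use `exit 1`, and consider keeping the usage text, since getopt's one-line error does not say which options exist.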
@ -3138,6 +3244,11 @@ while true; do
force=$2 force=$2
shift 2 shift 2
;; ;;
--passwd | --password)
[ -n "$2" ] || error_and_exit "Need value for $1"
password=$2
shift 2
;;
--ssh-port) --ssh-port)
is_port_valid $2 || error_and_exit "Invalid $1 value: $2" is_port_valid $2 || error_and_exit "Invalid $1 value: $2"
ssh_port=$2 ssh_port=$2
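Review bot: `$2` is the plaintext and, besides the history and log exposure already noted in `save_password`, it is visible to every local user via `ps` and `/proc/<pid>/cmdline` for as long as `reinstall.sh` runs; a `--password-file PATH` option (or reading from stdin when `--password -` is given) avoids both, and the only validation here is non-emptiness.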
@ -3202,6 +3313,21 @@ if is_secure_boot_enabled; then
error_and_exit "Please disable secure boot first." error_and_exit "Please disable secure boot first."
fi fi
# 密码
if ! is_netboot_xyz && [ -z "$password" ]; then
if is_use_dd; then
warn "
This password is only used for SSH access to view logs during the DD process.
Password of the image will NOT modify.
密码仅用于 DD 过程中通过 SSH 查看日志。
镜像的密码将不会被修改。
"
fi
prompt_password
fi
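Review bot: `prompt_password` reads from stdin without checking that it is a terminal, so when the script runs non-interactively without `--password` (a pipe, a CI job) `read -r -p` gets EOF, both variables stay empty, and the `${password:-$DEFAULT_PASSWORD}` fallback installs the default password without anyone having chosen it; guard with `[ -t 0 ] || error_and_exit "stdin is not a terminal, use --password"`. The guard also exempts only netboot.xyz, so the `--installer` modes the README marks as not supporting a password still prompt for one that is never applied.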
# 必备组件 # 必备组件
install_pkg curl grep install_pkg curl grep
@ -3635,7 +3761,7 @@ if ! { is_netboot_xyz || is_use_dd; }; then
username="root" username="root"
fi fi
echo "Username: $username" echo "Username: $username"
echo "Password: 123@@@" echo "Password: $password"
fi fi
if is_netboot_xyz; then if is_netboot_xyz; then
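Review bot: `echo "Password: $password"` prints the plaintext to the console, and the comment in `save_password` says `/reinstall.log` captures this output, so the chosen password is persisted in clear text on the machine; print the default only when it is in use and something like `Password: (as given)` otherwise.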

trans.sh (105 changed lines)
View File

@ -1,6 +1,6 @@
#!/bin/ash #!/bin/ash
# shellcheck shell=dash # shellcheck shell=dash
# shellcheck disable=SC2086,SC3047,SC3036,SC3010,SC3001 # shellcheck disable=SC2086,SC3047,SC3036,SC3010,SC3001,SC3060
# alpine 默认使用 busybox ash # alpine 默认使用 busybox ash
# 出错后停止运行,将进入到登录界面,防止失联 # 出错后停止运行,将进入到登录界面,防止失联
@ -8,10 +8,7 @@ set -eE
# 用于判断 reinstall.sh 和 trans.sh 是否兼容 # 用于判断 reinstall.sh 和 trans.sh 是否兼容
# shellcheck disable=SC2034 # shellcheck disable=SC2034
SCRIPT_VERSION=4BACD833-A585-23BA-6CBB-9AA4E08E0001 SCRIPT_VERSION=4BACD833-A585-23BA-6CBB-9AA4E08E0002
# debian 安装版、ubuntu 安装版、el/ol 安装版不使用该密码
PASSWORD=123@@@
TRUE=0 TRUE=0
FALSE=1 FALSE=1
@ -432,6 +429,27 @@ is_dmi_contains() {
echo "$_dmi" | grep -Eiwq "$1" echo "$_dmi" | grep -Eiwq "$1"
} }
get_config() {
cat "/configs/$1"
}
get_password_linux_sha512() {
get_config password-linux-sha512
}
get_password_windows_administrator_base64() {
get_config password-windows-administrator-base64
}
# debian 安装版、ubuntu 安装版、el/ol 安装版不使用该密码
get_password_plaintext() {
get_config password-plaintext
}
is_password_plaintext() {
get_password_plaintext >/dev/null 2>&1
}
show_netconf() { show_netconf() {
grep -r . /dev/netconf/ grep -r . /dev/netconf/
} }
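Review bot: `is_password_plaintext` can only be true if the `if false` block in `save_password` is enabled, so every `is_password_plaintext` branch in this file is dead code today; either remove the plaintext path or say in the comment above `get_password_plaintext` that it is an opt-in for targets whose `chpasswd` cannot take a hash, otherwise the next reader will assume plaintext is still shipped. The comment moved onto it ("debian/ubuntu/el installers do not use this password") is also stale for Debian, whose preseed now reads `password-linux-sha512`.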
@ -1399,8 +1417,8 @@ EOF
nixos-install --root /os --no-root-passwd -j $threads nixos-install --root /os --no-root-passwd -j $threads
# 设置密码 # 设置密码
echo "root:$PASSWORD" | nixos-enter --root /os -- \ echo "root:$(get_password_linux_sha512)" | nixos-enter --root /os -- \
/run/current-system/sw/bin/chpasswd /run/current-system/sw/bin/chpasswd -e
# 设置 channel # 设置 channel
if is_in_china; then if is_in_china; then
@ -2158,7 +2176,9 @@ download_cloud_init_config() {
sed -i '1!{/^[[:space:]]*#/d}' $ci_file sed -i '1!{/^[[:space:]]*#/d}' $ci_file
# 修改密码 # 修改密码
sed -i "s/@PASSWORD@/$PASSWORD/" $ci_file # 不能用 sed 替换,因为含有特殊字符
content=$(cat $ci_file)
echo "${content//@PASSWORD@/$(get_password_linux_sha512)}" >$ci_file
# 修改 ssh 端口 # 修改 ssh 端口
if is_need_change_ssh_port; then if is_need_change_ssh_port; then
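Review bot: the reason given for avoiding `sed` does not hold: crypt output is limited to `[./0-9A-Za-z$]`, and in a sed replacement only `\`, `&` and the delimiter are special, so `sed -i "s|@PASSWORD@|$(get_password_linux_sha512)|" $ci_file` is safe. That would also remove the need for the `${…//…/…}` stripping rule added to `reinstall.sh` for the Debian 9 initrd shell and for the `SC3060` suppression at the top of this file.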
@ -2467,9 +2487,9 @@ EOF
cp_resolv_conf $os_dir cp_resolv_conf $os_dir
# 在这里修改密码而不是用cloud-init因为我们的默认密码太弱 # 在这里修改密码而不是用cloud-init因为我们的默认密码太弱
sed -i 's/enforce=everyone/enforce=none/' $os_dir/etc/security/passwdqc.conf is_password_plaintext && sed -i 's/enforce=everyone/enforce=none/' $os_dir/etc/security/passwdqc.conf
echo "root:$PASSWORD" | chroot $os_dir chpasswd echo "root:$(get_password_linux_sha512)" | chroot $os_dir chpasswd -e
sed -i 's/enforce=none/enforce=everyone/' $os_dir/etc/security/passwdqc.conf is_password_plaintext && sed -i 's/enforce=none/enforce=everyone/' $os_dir/etc/security/passwdqc.conf
# 下载仓库,选择 profile # 下载仓库,选择 profile
chroot $os_dir emerge-webrsync chroot $os_dir emerge-webrsync
@ -2628,39 +2648,45 @@ change_root_password() {
info 'change root password' info 'change root password'
pam_d=$os_dir/etc/pam.d if is_password_plaintext; then
pam_d=$os_dir/etc/pam.d
[ -f $pam_d/chpasswd ] && has_pamd_chpasswd=true || has_pamd_chpasswd=false [ -f $pam_d/chpasswd ] && has_pamd_chpasswd=true || has_pamd_chpasswd=false
if $has_pamd_chpasswd; then if $has_pamd_chpasswd; then
cp $pam_d/chpasswd $pam_d/chpasswd.orig cp $pam_d/chpasswd $pam_d/chpasswd.orig
# cat /etc/pam.d/chpasswd # cat /etc/pam.d/chpasswd
# @include common-password # @include common-password
# cat /etc/pam.d/chpasswd # cat /etc/pam.d/chpasswd
# #%PAM-1.0 # #%PAM-1.0
# auth include system-auth # auth include system-auth
# account include system-auth # account include system-auth
# password substack system-auth # password substack system-auth
# -password optional pam_gnome_keyring.so use_authtok # -password optional pam_gnome_keyring.so use_authtok
# password substack postlogin # password substack postlogin
# 通过 /etc/pam.d/chpasswd 找到 /etc/pam.d/system-auth 或者 /etc/pam.d/system-auth # 通过 /etc/pam.d/chpasswd 找到 /etc/pam.d/system-auth 或者 /etc/pam.d/system-auth
# 再找到有 password 和 pam_unix.so 的行,并删除 use_authtok写入 /etc/pam.d/chpasswd # 再找到有 password 和 pam_unix.so 的行,并删除 use_authtok写入 /etc/pam.d/chpasswd
files=$(grep -E '^(password|@include)' $pam_d/chpasswd | awk '{print $NF}' | sort -u) files=$(grep -E '^(password|@include)' $pam_d/chpasswd | awk '{print $NF}' | sort -u)
for file in $files; do for file in $files; do
if [ -f "$pam_d/$file" ] && line=$(grep ^password "$pam_d/$file" | grep -F pam_unix.so); then if [ -f "$pam_d/$file" ] && line=$(grep ^password "$pam_d/$file" | grep -F pam_unix.so); then
echo "$line" | sed 's/use_authtok//' >$pam_d/chpasswd echo "$line" | sed 's/use_authtok//' >$pam_d/chpasswd
break break
fi fi
done done
fi fi
echo "root:$PASSWORD" | chroot $os_dir chpasswd # 分两行写,不然遇到错误不会终止
plaintext=$(get_password_plaintext)
echo "root:$plaintext" | chroot $os_dir chpasswd
if $has_pamd_chpasswd; then if $has_pamd_chpasswd; then
mv $pam_d/chpasswd.orig $pam_d/chpasswd mv $pam_d/chpasswd.orig $pam_d/chpasswd
fi
else
get_password_linux_sha512 | chroot $os_dir chpasswd -e
fi fi
} }
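Review bot: the hashed branch at the end, `get_password_linux_sha512 | chroot $os_dir chpasswd -e`, pipes the bare hash without the `root:` prefix, whereas every other call site in this commit writes `root:$(get_password_linux_sha512)`; `chpasswd` expects `user:password` lines and rejects this one, so the branch that is actually taken (plaintext being disabled) never sets the root password. Use `echo "root:$(get_password_linux_sha512)" | chroot $os_dir chpasswd -e` as the other sites do.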
@ -4136,11 +4162,12 @@ install_windows() {
download $confhome/windows.xml /tmp/autounattend.xml download $confhome/windows.xml /tmp/autounattend.xml
locale=$(get_selected_image_prop 'Default Language') locale=$(get_selected_image_prop 'Default Language')
use_default_rdp_port=$(is_need_change_rdp_port && echo false || echo true) use_default_rdp_port=$(is_need_change_rdp_port && echo false || echo true)
password_base64=$(get_password_windows_administrator_base64)
sed -i \ sed -i \
-e "s|%arch%|$arch|" \ -e "s|%arch%|$arch|" \
-e "s|%image_name%|$image_name|" \ -e "s|%image_name%|$image_name|" \
-e "s|%locale%|$locale|" \ -e "s|%locale%|$locale|" \
-e "s|%password%|$PASSWORD|" \ -e "s|%administrator_password%|$password_base64|" \
-e "s|%use_default_rdp_port%|$use_default_rdp_port|" \ -e "s|%use_default_rdp_port%|$use_default_rdp_port|" \
/tmp/autounattend.xml /tmp/autounattend.xml
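Review bot: `save_password` writes both `password-windows-user-base64` and `password-windows-administrator-base64`, but only the administrator file is read anywhere in this commit's hunks; if the user file has no consumer yet, do not generate it (one fewer copy of the password on the live system), or point to where it is used. The `|` delimiter is safe here since base64 contains no `&`, `\` or `|`.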
@ -4597,7 +4624,7 @@ mount / -o remount,size=100%
hwclock -s || true hwclock -s || true
# 设置密码,安装并打开 ssh # 设置密码,安装并打开 ssh
echo "root:$PASSWORD" | chpasswd echo "root:$(get_password_linux_sha512)" | chpasswd -e
apk add openssh apk add openssh
if is_need_change_ssh_port; then if is_need_change_ssh_port; then
change_ssh_port / $ssh_port change_ssh_port / $ssh_port

View File

@ -137,8 +137,8 @@
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="%arch%" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="%arch%" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<UserAccounts> <UserAccounts>
<AdministratorPassword> <AdministratorPassword>
<Value>%password%</Value> <Value>%administrator_password%</Value>
<PlainText>true</PlainText> <PlainText>false</PlainText>
</AdministratorPassword> </AdministratorPassword>
</UserAccounts> </UserAccounts>
<OOBE> <OOBE>
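Review bot: `PlainText=false` only means the value is base64 of UTF-16LE `password + "AdministratorPassword"`, exactly as `save_password` builds it; it is trivially reversible, so `/tmp/autounattend.xml` and any copy Windows Setup keeps must be handled as if they held the plaintext, and that caveat belongs in the README next to `--password`.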