# Add groups to the system # The following example adds the ubuntu group with members 'root' and 'sys' # and the empty group cloud-users. groups: - ubuntu: [root,sys] - cloud-users # Add users to the system. Users are added after groups are added. users: - default - name: foobar gecos: Foo B. Bar primary_group: foobar groups: users selinux_user: staff_u expiredate: 2012-09-01 ssh_import_id: foobar lock_passwd: false passwd: $6$j212wezy$7H/1LT4f9/N3wpgNunhsIqtMj62OKiS3nyNwuizouQc3u7MbYCarYeAHWYPYb2FT.lbioDm2RrkJPb9BZMN1O/ - name: barfoo gecos: Bar B. Foo sudo: ALL=(ALL) NOPASSWD:ALL groups: users, admin ssh_import_id: None lock_passwd: true ssh_authorized_keys: - - - name: cloudy gecos: Magic Cloud App Daemon User inactive: true system: true - name: fizzbuzz sudo: False ssh_authorized_keys: - - - snapuser: joe@joeuser.io - name: nosshlogins ssh_redirect_user: true # Valid Values: # name: The user's login name # gecos: The user name's real name, i.e. "Bob B. Smith" # homedir: Optional. Set to the local path you want to use. Defaults to # /home/ # primary_group: define the primary group. Defaults to a new group created # named after the user. # groups: Optional. Additional groups to add the user to. Defaults to none # selinux_user: Optional. The SELinux user for the user's login, such as # "staff_u". When this is omitted the system will select the default # SELinux user. # lock_passwd: Defaults to true. Lock the password to disable password login # inactive: Create the user as inactive # passwd: The hash -- not the password itself -- of the password you want # to use for this user. You can generate a safe hash via: # mkpasswd --method=SHA-512 --rounds=4096 # (the above command would create from stdin an SHA-512 password hash # with 4096 salt rounds) # # Please note: while the use of a hashed password is better than # plain text, the use of this feature is not ideal. Also, # using a high number of salting rounds will help, but it should # not be relied upon. # # To highlight this risk, running John the Ripper against the # example hash above, with a readily available wordlist, revealed # the true password in 12 seconds on a i7-2620QM. # # In other words, this feature is a potential security risk and is # provided for your convenience only. If you do not fully trust the # medium over which your cloud-config will be transmitted, then you # should use SSH authentication only. # # You have thus been warned. # no_create_home: When set to true, do not create home directory. # no_user_group: When set to true, do not create a group named after the user. # no_log_init: When set to true, do not initialize lastlog and faillog database. # ssh_import_id: Optional. Import SSH ids # ssh_authorized_keys: Optional. [list] Add keys to user's authorized keys file # ssh_redirect_user: Optional. [bool] Set true to block ssh logins for cloud # ssh public keys and emit a message redirecting logins to # use instead. This option only disables cloud # provided public-keys. An error will be raised if ssh_authorized_keys # or ssh_import_id is provided for the same user. # # ssh_authorized_keys. # sudo: Defaults to none. Accepts a sudo rule string, a list of sudo rule # strings or False to explicitly deny sudo usage. Examples: # # Allow a user unrestricted sudo access. # sudo: ALL=(ALL) NOPASSWD:ALL # # Adding multiple sudo rule strings. # sudo: # - ALL=(ALL) NOPASSWD:/bin/mysql # - ALL=(ALL) ALL # # Prevent sudo access for a user. # sudo: False # # Note: Please double check your syntax and make sure it is valid. # cloud-init does not parse/check the syntax of the sudo # directive. # system: Create the user as a system user. This means no home directory. # snapuser: Create a Snappy (Ubuntu-Core) user via the snap create-user # command available on Ubuntu systems. If the user has an account # on the Ubuntu SSO, specifying the email will allow snap to # request a username and any public ssh keys and will import # these into the system with username specifed by SSO account. # If 'username' is not set in SSO, then username will be the # shortname before the email domain. # # Default user creation: # # Unless you define users, you will get a 'ubuntu' user on ubuntu systems with the # legacy permission (no password sudo, locked user, etc). If however, you want # to have the 'ubuntu' user in addition to other users, you need to instruct # cloud-init that you also want the default user. To do this use the following # syntax: # users: # - default # - bob # - .... # foobar: ... # # users[0] (the first user in users) overrides the user directive. # # The 'default' user above references the distro's config: # system_info: # default_user: # name: Ubuntu # plain_text_passwd: 'ubuntu' # home: /home/ubuntu # shell: /bin/bash # lock_passwd: True # gecos: Ubuntu # groups: [adm, audio, cdrom, dialout, floppy, video, plugdev, dip, netdev]