feat(B-0792 iter-5.3): prompt-for-initial-password at install-time (not default zeta-change-me); injected-hashedpassword.nix substrate (Aaron 2026-05-26) #5118
Merged
AceHack merged 1 commit into May 26, 2026
Conversation
Aaron 2026-05-26: 'also on startup can it ask for me to type a
password instead of having a default'.
Replaces the iter-4.x hardcoded `zeta-change-me` default with an
operator-chosen password set at install time. Composes with iter-5.2.2
hostname-injection substrate (same pattern: operator-typed-once-on-
console; written to /mnt/etc/zeta/<file>; NixOS module reads via
builtins.readFile at evaluation time).
Three changes:
(1) full-ai-cluster/usb-nixos-installer/zeta-install.sh: NEW Step
6.55 prompts for password using `read -r -s -p` (hidden input),
confirms via second prompt, hashes via `mkpasswd -m sha-512 -s`
(stdin so no argv exposure), writes hash to
/mnt/etc/zeta/initial-hashedpassword (chmod 0600, chown
root:root). Operator can press Enter to skip + keep the iter-4.x
default ('zeta-change-me') via the BACKWARD-COMPAT fallback.
(2) full-ai-cluster/nixos/modules/initial-password.nix: reads
/etc/zeta/initial-hashedpassword via builtins.readFile if
present + uses for users.users.zeta.hashedPassword. Falls back
to documented iter-4.x default hash when file absent (e.g.,
during `nix flake check` in CI; during nixos-rebuild on
already-installed system without prior install-time prompt).
(3) full-ai-cluster/usb-nixos-installer/nixos/installer/
configuration.nix: adds `mkpasswd` to environment.systemPackages
so the install-time prompt step can hash the operator's input.
Operator UX (one typed prompt at install time; can't avoid for
secrets — they shouldn't transit non-operator surfaces like USB ESP
or operator Mac keychain):
[iter-5.3] ── prompt for initial password (instead of default) ──
[iter-5.3] Set initial password for the 'zeta' user (used for
[iter-5.3] console login; SSH uses the iter-4.2-injected pubkey).
[iter-5.3] Operator can rotate later via 'passwd zeta' on the
[iter-5.3] installed system. Press Enter to skip + keep the
[iter-5.3] iter-4.x default ('zeta-change-me').
[iter-5.3] Password (or Enter to skip): ********
[iter-5.3] Confirm: ********
[iter-5.3] operator-chosen password hash written + chmod 0600
Why one type-on-console exception to typing-avoidance discipline:
secrets shouldn't transit non-operator surfaces; operator-typed at
install time is safest. Composes with the wifi nmtui exception in
zeta-first-boot.sh — both are operator-typed-once-on-cluster.
Composes with iter-5.1 + iter-5.2 + iter-5.2.2 substrate. After
this lands + a fresh ISO build, next zflash → install will:
1. Boot from USB (zeta-first-boot.sh; eth-30s or nmtui-once)
2. zeta-install.sh runs:
- Step 6.5: pubkey injection (iter-4.2; existing)
- Step 6.55: PROMPT FOR PASSWORD (iter-5.3; NEW)
- Step 6.6: hostname injection (iter-5.2; existing)
- Step 6.7: NM-profile persistence (iter-5.1; existing)
3. nixos-install runs with operator's password baked in
4. Reboot → pre-login banner shows hostname + ssh hint
5. Operator console login uses their typed password
6. Operator SSH login uses iter-4.2-injected pubkey (no password)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
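The Step 6.55 sequence the commit message describes (hidden two-prompt read, `mkpasswd -m sha-512 -s` fed on stdin so the secret never reaches argv, a root-owned 0600 hash file, Enter to skip), written out as an added shell example. This is not the project's zeta-install.sh: it assumes a `ZETA_DIR` variable standing in for `/mnt/etc/zeta`, and it falls back to `openssl passwd -6` only where `mkpasswd` is not on the host (the real installer ISO ships `mkpasswd`).

```shell
#!/usr/bin/env bash
# Added example, not the project's zeta-install.sh.
# Assumptions: ZETA_DIR stands in for /mnt/etc/zeta (the installer's target mount);
# mkpasswd comes from the installer ISO, openssl is a stand-in only when it is absent.
set -euo pipefail

# Hash the cleartext read on stdin into a $6$ (sha-512 crypt) hash on stdout.
# Both tools take the secret from stdin, so it never shows up in argv or `ps`.
hash_password() {
  if command -v mkpasswd >/dev/null 2>&1; then
    mkpasswd -m sha-512 -s
  else
    # assumption: same $6$ crypt format; used only where mkpasswd is missing
    openssl passwd -6 -stdin
  fi
}

# True when $1 has the shape of a sha-512 crypt hash: $6$<salt>$<digest>.
is_sha512_crypt() {
  case "$1" in
    '$6$'*'$'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Write the hash read on stdin to ZETA_DIR/initial-hashedpassword, root-only (0600).
# The chown only applies when running as root, which the installer does.
write_hash_file() {
  local dir="${ZETA_DIR:-/mnt/etc/zeta}" file
  file="$dir/initial-hashedpassword"
  mkdir -p "$dir"
  # create the file with restrictive permissions before any data lands in it
  (umask 077; : > "$file")
  cat > "$file"
  chmod 0600 "$file"
  if [ "$(id -u)" -eq 0 ]; then chown root:root "$file"; fi
  printf '%s\n' "$file"
}

# The interactive step. Exit status: 0 = hash written, 1 = operator pressed Enter
# (keep the iter-4.x default), 2 = the two entries did not match (nothing written).
prompt_initial_password() {
  local pw1="" pw2=""
  read -r -s -p "Password (or Enter to skip): " pw1 || true
  printf '\n'
  if [ -z "$pw1" ]; then
    printf '%s\n' "skipped; keeping the iter-4.x default password"
    return 1
  fi
  read -r -s -p "Confirm: " pw2 || true
  printf '\n'
  if [ "$pw1" != "$pw2" ]; then
    printf '%s\n' "passwords do not match; nothing written" >&2
    return 2
  fi
  # trailing newline so both hashing tools read exactly one line
  printf '%s\n' "$pw1" | hash_password | write_hash_file >/dev/null
  printf '%s\n' "operator-chosen password hash written + chmod 0600"
}

# Only prompt when explicitly asked for and stdin is a terminal.
if [ "${1:-}" = "--run" ] && [ -t 0 ]; then
  prompt_initial_password
fi
```

Run it as `bash step-6.55.sh --run` on a console to walk through the prompt; sourcing the file instead exposes the functions for reuse. One caveat on the consuming side: a hash pulled in with `builtins.readFile` is embedded in the evaluated configuration and therefore copied into the world-readable Nix store, exactly as any `users.users.<name>.hashedPassword` value is; NixOS's `hashedPasswordFile` option reads the file at activation time instead and keeps the hash out of the store.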
AceHack added a commit that referenced this pull request on May 26, 2026
…nt accuracy + path correction + banner-password truth + sk-* FIDO key support (#5214)

P0 + P1 + P1 + P1 + P2 findings on PR #5210 (iter-5.4.0 just merged at e30b567). All 5 substantive; addressed:

(1) P0 — prompt copy said "Press Enter to skip" but default is Y so Enter actually triggers gh-auth-login. Updated copy to "Default is YES (recommended); press Enter to proceed OR type 'n' to skip" matching the actual [Y/n] default-Y behavior.

(2) P1 (comment accuracy) — block-comment said "NOT skippable if iter-4.2 injection also failed" but impl always allows skip. Rewrote comment to reflect reality ("skippable warning-only when iter-4.2 also failed").

(3) P2 (path correction) — warning message referenced "usb-nixos-installer/nixos/installer/configuration.nix" missing the "full-ai-cluster/" prefix. Fixed to the in-repo-correct path so post-mortem debugging of missing-gh-binary stays clear.

(4) P1 (banner-password truth) — install-complete banner always printed "password: zeta-change-me" but iter-5.3 (landed earlier today via #5118) lets operator set a custom password. Conditional on /mnt/etc/zeta/initial-hashedpassword existence: print "(the value you set during iter-5.3 prompt; iter-4.x default is NOT in effect)" OR fall back to documented iter-4.x default with rotation hint.

(5) P1 (sk-* FIDO key support) — operator-authorized-keys.nix isKeyLine filter only accepted ssh- + ecdsa- prefixes, silently dropping sk-ssh-ed25519 / sk-ecdsa-sha2-* (FIDO/U2F security-key-backed pubkeys per RFC8709) that GitHub stores when operators register security keys. Existing operator-ssh-keys.nix explicitly documents sk-* support; this module now matches that parity. Refactored to validPrefixes list + hasValidPrefix helper for readability + future-extensibility.

Substrate-inventory pass per `.claude/rules/verify-existing-substrate-before-authoring.md`: existing operator-ssh-keys.nix substrate has sk-* documented — verified before authoring the parity fix per the discipline rule landed today.

Co-authored-by: Lior <lior@zeta.dev>
Co-authored-by: Claude <noreply@anthropic.com>
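Finding (5) above is about a prefix filter that quietly dropped security-key-backed public keys. The project's module is Nix; the added shell example below is not that module but reproduces the same prefix logic (old `ssh-`/`ecdsa-` list beside a `validPrefixes` list with a `has_valid_prefix` helper) over a constructed key listing, so the silent drop and its fix can both be run. The key blobs are constructed placeholders, not real keys.

```shell
#!/usr/bin/env bash
# Added example, not the project's operator-authorized-keys.nix.
# Mirrors the isKeyLine prefix filter in shell; sample key material is constructed.
set -euo pipefail

# Old filter: only ssh-* and ecdsa-* key types were admitted.
OLD_PREFIXES="ssh- ecdsa-"
# validPrefixes: also admits the OpenSSH security-key (FIDO/U2F) key types.
VALID_PREFIXES="ssh- ecdsa- sk-ssh-ed25519 sk-ecdsa-sha2-"

# has_valid_prefix LINE [PREFIXES]: true when LINE starts with one of PREFIXES.
has_valid_prefix() {
  local line="$1" prefixes="${2:-$VALID_PREFIXES}" p
  for p in $prefixes; do
    case "$line" in
      "$p"*) return 0 ;;
    esac
  done
  return 1
}

# filter_keys [PREFIXES]: copy stdin to stdout, keeping only admitted key lines.
# Comments, blank lines and unknown key types are dropped, as in the module.
filter_keys() {
  local prefixes="${1:-$VALID_PREFIXES}" line
  while IFS= read -r line; do
    if has_valid_prefix "$line" "$prefixes"; then
      printf '%s\n' "$line"
    fi
  done
}

# count_keys [PREFIXES]: number of admitted lines on stdin.
count_keys() {
  local prefixes="${1:-$VALID_PREFIXES}" n=0 line
  while IFS= read -r line; do
    if has_valid_prefix "$line" "$prefixes"; then n=$((n + 1)); fi
  done
  printf '%s\n' "$n"
}

# Constructed sample of what a GitHub-style public key listing can contain:
# two classic keys, two sk-* (security-key) keys, a comment and junk.
SAMPLE_KEYS='ssh-ed25519 AAAAC3EXAMPLEKEY000000000000000000000000000000000000000000 alice@laptop
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tEXAMPLE000000 alice@fido-key
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYEXAMPLE00000000000000000000 bob@desk
sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20EXAMPLE bob@fido-key
# a comment line that must never be injected
not-a-key-type AAAA garbage'

if [ "${1:-}" = "--demo" ]; then
  printf 'old filter kept %s key(s)\n' "$(printf '%s\n' "$SAMPLE_KEYS" | count_keys "$OLD_PREFIXES")"
  printf 'new filter kept %s key(s)\n' "$(printf '%s\n' "$SAMPLE_KEYS" | count_keys)"
  printf '%s\n' "$SAMPLE_KEYS" | filter_keys
fi
```

`bash key-filter.sh --demo` shows the old list keeping 2 of the 4 keys and the new list keeping all 4. The practical lesson is in how the failure presents: an operator whose only registered GitHub key is a FIDO key gets no error at install time, just an empty authorized_keys and a later SSH lockout, so a filter like this is worth pairing with a count check that warns when a non-empty listing yields zero admitted keys.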
Aaron 2026-05-26: 'also on startup can it ask for me to type a password instead of having a default'. Three changes: (1) zeta-install.sh NEW Step 6.55 prompts via `read -s` + hashes via `mkpasswd -m sha-512 -s` + writes /mnt/etc/zeta/initial-hashedpassword (chmod 0600); (2) initial-password.nix reads injected hash if present, falls back to iter-4.x default hash if absent (CI eval / nixos-rebuild without prior install); (3) installer ISO adds `mkpasswd` to systemPackages. Operator can press Enter to skip + keep default. Composes with iter-5.1+5.2+5.2.2. One type-on-console exception (same as wifi nmtui).