New features and bug fixes for login user #1320

Merged
brianmcgillion merged 2 commits into tiiuae:main from gngram:pr.login_user_features
Aug 21, 2025

@gngram
Contributor

@gngram gngram commented Aug 14, 2025

Description of Changes

  • Added options for password quality check.
  • Added option to generate recovery key.
  • Repeat the prompt if 'user name' or 'user full name' is empty.
  • Fixed SSRCSP-6972

Type of Change

  • New Feature
  • Bug Fix
  • Improvement / Refactor

Related Issues / Tickets

Checklist

  • Clear summary in PR description
  • Detailed and meaningful commit message(s)
  • Commits are logically organized and squashed if appropriate
  • Contribution guidelines followed
  • Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
  • Author has run make-checks and it passes
  • All automatic GitHub Action checks pass - see actions
  • Author has added reviewers and removed PR draft status

Testing Instructions

Applicable Targets

  • Orin AGX aarch64
  • Orin NX aarch64
  • Lenovo X1 x86_64
  • Dell Latitude x86_64

Installation Method

  • Requires full re-installation
  • Can be updated with nixos-rebuild ... switch
  • Other:

Test Steps To Verify:

  1. Password quality check and recovery key features are not available in the debug build. Either test with a release build or enable the features in the 'debug' build using the patch below:
diff --git a/modules/common/systemd/base.nix b/modules/common/systemd/base.nix
index d9dd986a..400f8baf 100644
--- a/modules/common/systemd/base.nix
+++ b/modules/common/systemd/base.nix
@@ -48,7 +48,7 @@ let
         inherit (cfg) withNss;
         withOomd = true;
         withPam = true;
-        withPasswordQuality = !cfg.withDebug;
+        withPasswordQuality = cfg.withDebug;
         inherit (cfg) withPolkit;
         inherit (cfg) withResolved;
         inherit (cfg) withRepart;
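Review bot: On the withPasswordQuality line, swapping `!cfg.withDebug` for `cfg.withDebug` inverts the condition instead of forcing the feature on, so a release build that picked up this patch would be built without password quality support. Since the patch exists only to exercise the feature in a debug build, `withPasswordQuality = true;` gives the same test coverage without flipping release behaviour, and a comment marking the line as test-only would keep it from being carried into a merge by accident.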
diff --git a/modules/microvm/sysvms/guivm.nix b/modules/microvm/sysvms/guivm.nix
index 24ab23d1..bbe41fa7 100644
--- a/modules/microvm/sysvms/guivm.nix
+++ b/modules/microvm/sysvms/guivm.nix
@@ -53,6 +53,8 @@ let
           ];
 
           ghaf = {
+            security.pwquality.enable = true;
+            users.loginUser.createRecoveryKey = true;
             # Profiles
             profiles = {
               debug.enable = lib.mkDefault config.ghaf.profiles.debug.enable;
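Review bot: The two added lines at the top of the `ghaf = {` block set security.pwquality.enable and users.loginUser.createRecoveryKey with plain assignments and no comment, while debug.enable just below goes through lib.mkDefault. A short comment stating that these are test-only overrides for the debug build would make the intent clear, and wrapping them in lib.mkDefault, as the neighbouring option does, would let a target configuration still override them.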

  2. Empty user name and full name can be tested in a debug build.
    Just press the Return key when prompted for user name or full name.

@milva-unikie

sudo systemctl start setup-test-user.service is not working in pre-merge pipeline tests. It times out and causes Lenovo-X1 and Dell-7330 tests to fail.

@gngram
Contributor Author

gngram commented Aug 15, 2025

I tested on my machine: systemctl start setup-test-user.service works fine for me.
The PR change set comes into the picture only in the release build.

[ghaf@gui-vm:~]$ sudo systemctl start setup-test-user.service 

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

For security reasons, the password you type will not be visible.

[sudo] password for ghaf: 

[ghaf@gui-vm:~]$ sudo systemctl status setup-test-user.service 
○ setup-test-user.service - Automated boot user setup script
     Loaded: loaded (/etc/systemd/system/setup-test-user.service; linked; preset: ignored)
     Active: inactive (dead)

Aug 15 09:49:07 gui-vm systemd[1]: Starting Automated boot user setup script...
Aug 15 09:49:08 gui-vm setup-test-user[1150]: Automated boot user setup script
Aug 15 09:49:22 gui-vm setup-test-user[1150]: User testuser created.
Aug 15 09:49:22 gui-vm systemd[1]: setup-test-user.service: Deactivated successfully.
Aug 15 09:49:22 gui-vm systemd[1]: Finished Automated boot user setup script.

@gngram gngram force-pushed the pr.login_user_features branch from b416e9d to d739323 Compare August 15, 2025 12:11
@gngram gngram force-pushed the pr.login_user_features branch from d739323 to 9313eec Compare August 15, 2025 12:47
@gngram gngram added the Needs Testing CI Team to pre-verify label Aug 18, 2025
@milva-unikie

Tested on lenovo-x1-carbon-gen11-release

  • Empty username or full name is not allowed
  • A recovery key is generated
  • Password quality is validated
  • The recovery key can be used to login instead of the password

Tested on lenovo-x1-carbon-gen11-debug

  • Test-automation passes

Notes

  • User cannot see the password while creating an account. The password quality check now requires special characters but the user has no way of knowing what keyboard layout is used (right now it is always English). Especially the users with different keyboards may face issues when they later change the layout to match their keyboard and try to login.

@milva-unikie milva-unikie added Tested on Lenovo X1 Carbon This PR has been tested on Lenovo X1 Carbon and removed Needs Testing CI Team to pre-verify labels Aug 18, 2025
@gngram gngram force-pushed the pr.login_user_features branch from 9313eec to f28adcc Compare August 20, 2025 10:10
gngram added 2 commits August 21, 2025 10:38
- Repeat the prompt if 'user name' or 'user full name' is empty.
- Added option to generate recovery key.

Signed-off-by: Ganga Ram <Ganga.Ram@tii.ae>
- Enabled in release build only
- Provides option to configure for stronger password

Signed-off-by: Ganga Ram <Ganga.Ram@tii.ae>
@brianmcgillion brianmcgillion merged commit b25d317 into tiiuae:main Aug 21, 2025
28 checks passed
@gngram gngram deleted the pr.login_user_features branch October 27, 2025 08:18