[docs]: Explicitly mention that setting (and unlocking) passwords for existing users require the chpasswd module not users.[].hashed_passwd|plain_text_passwd + users.[].lock_passwd

[mostafaCamel]

Documentation request

The cloud-init examples suggest that using hashed_passwd and lock_passwd for already-exsting users

Here is the excerpt from the documentation

# Add users to the system. Users are added after groups are added.
# Note: Most of these configuration options will not be honored if the user
#       already exists. Following options are the exceptions and they are
#       applicable on already-existing users:
#       - 'plain_text_passwd', 'hashed_passwd', 'lock_passwd', 'sudo',
#         'ssh_authorized_keys', 'ssh_redirect_user'.

So I try the following cloud-init

#cloud-config
users:
  - default
  - name: ubuntu    
    shell: /bin/bash
    hashed_passwd: $6$ViQQI4kReDWrps3y$TSzStkHkxYKn6VlaWRVrhwZSsoVe3nxolR58Iz0063Rp1Ba4w8gFtep9uy4N8cpmcF7Ey0fYrm2lmcYEHT.E./
    lock_passwd: false
    sudo: ALL=(ALL) NOPASSWD:ALL

However, I am unable to loginvia console. When I ssh into it and I run sudo cat /etc/shadow | grep ubuntu , I get ubuntu:!$6$ViQQI4kReDWrps3y$TSzStkHkxYKn6VlaWRVrhwZSsoVe3nxolR58Iz0063Rp1Ba4w8gFtep9uy4N8cpmcF7Ey0fYrm2lmcYEHT.E./:20484:0:99999:7:::
Notice the exclamation mark before the hashed password, which means that we are unable to use this password for login

When I try the following cloud-init, I am able to login via console. Notice that I did not even need to set lock_passwd

users:
  - default
  - name: ubuntu    
    shell: /bin/bash
    sudo: ALL=(ALL) NOPASSWD:ALL
chpasswd:
  expire: false
  users:
  - {name: ubuntu, password: $6$ViQQI4kReDWrps3y$TSzStkHkxYKn6VlaWRVrhwZSsoVe3nxolR58Iz0063Rp1Ba4w8gFtep9uy4N8cpmcF7Ey0fYrm2lmcYEHT.E./}

Image used: https://cloud-images.ubuntu.com/jammy/20251216/jammy-server-cloudimg-amd64.img

ubuntu@vmwithpassword:~$ cloud-init --version
/usr/bin/cloud-init 25.2-0ubuntu1~22.04.1

ubuntu@vmwithpassword:~$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 22.04.5 LTS
Release:	22.04
Codename:	jammy

fwiw, sudo virt-cat -a ubuntu-22.04-server-cloudimg-amd64.img /etc/passwd | grep ubuntu and sudo virt-cat -a ubuntu-22.04-server-cloudimg-amd64.img /etc/shadow | grep ubuntu return nothing, which mean that the image by iitself does not have the user and that the user is created later (early during cloud-init)

[mostafaCamel]

Not sure if this should be considered a documentation issue or a bug that lock_passwd is not being honored

[mostafaCamel]

Thinking about it again, probably a bug on lock_passwd. Will leave it to the screener to decide

Either the documentation is wrong (in mentioning that lock_passwd will be honored for existing users) or there is a bug and lock_passwd is not being honored for existing users while it should be honored

[mostafaCamel]

Attaching the var/log/cloud-init.log in 2 cases

• with lock_passwd

#cloud-config
users:
  - default
  - name: ubuntu    
    shell: /bin/bash
    hashed_passwd: $6$ViQQI4kReDWrps3y$TSzStkHkxYKn6VlaWRVrhwZSsoVe3nxolR58Iz0063Rp1Ba4w8gFtep9uy4N8cpmcF7Ey0fYrm2lmcYEHT.E./
    lock_passwd: false
    sudo: ALL=(ALL) NOPASSWD:ALL

In that case the password is locked

ubuntu@mostafavm:~$ sudo grep ubuntu /etc/shadow
ubuntu:!$6$ViQQI4kReDWrps3y$TSzStkHkxYKn6VlaWRVrhwZSsoVe3nxolR58Iz0063Rp1Ba4w8gFtep9uy4N8cpmcF7Ey0fYrm2lmcYEHT.E./:20486:0:99999:7:::

and we can see in the cloud-init.log. These are the password-related excerpts

2026-02-02 02:03:15,116 - subp.py[DEBUG]: Running command chpasswd for ubuntu with allowed return codes [0] (shell=False, capture=True)
2026-02-02 02:03:15,124 - subp.py[DEBUG]: Running command ['passwd', '-l', 'ubuntu'] with allowed return codes [0] (shell=False, capture=True)
[...]
2026-02-02 02:03:15,306 - modules.py[DEBUG]: Running module set_passwords (<module 'cloudinit.config.cc_set_passwords' from '/usr/lib/python3/dist-packages/cloudinit/config/cc_set_passwords.py'>) with frequency once-per-instance
2026-02-02 02:03:15,306 - handlers.py[DEBUG]: start: init-network/config-set_passwords: running config-set_passwords with frequency once-per-instance
2026-02-02 02:03:15,306 - util.py[DEBUG]: Writing to /var/lib/cloud/instances/fe370385-0aa8-4f10-b13e-76e6ba3c6949/sem/config_set_passwords - wb: [644] 24 bytes
2026-02-02 02:03:15,306 - helpers.py[DEBUG]: Running config-set_passwords using lock (<FileLock using file '/var/lib/cloud/instances/fe370385-0aa8-4f10-b13e-76e6ba3c6949/sem/config_set_passwords'>)
2026-02-02 02:03:15,306 - cc_set_passwords.py[DEBUG]: Leaving SSH config 'PasswordAuthentication' unchanged. ssh_pwauth=None
2026-02-02 02:03:15,306 - handlers.py[DEBUG]: finish: init-network/config-set_passwords: SUCCESS: config-set_passwords ran successfully and took 0.000 seconds

• and with chpasswd

#cloud-config
users:
  - default
  - name: ubuntu    
    shell: /bin/bash
    sudo: ALL=(ALL) NOPASSWD:ALL
chpasswd:
  expire: false
  users:
  - {name: ubuntu, password: $6$ViQQI4kReDWrps3y$TSzStkHkxYKn6VlaWRVrhwZSsoVe3nxolR58Iz0063Rp1Ba4w8gFtep9uy4N8cpmcF7Ey0fYrm2lmcYEHT.E./}

We can see that the password is unlocked

ubuntu@mostafavm:~$ sudo grep ubuntu /etc/shadow
ubuntu:$6$ViQQI4kReDWrps3y$TSzStkHkxYKn6VlaWRVrhwZSsoVe3nxolR58Iz0063Rp1Ba4w8gFtep9uy4N8cpmcF7Ey0fYrm2lmcYEHT.E./:20486:0:99999:7:::

These are the password-related excerpts from the logs

2026-02-02 01:56:28,316 - distros[DEBUG]: Adding user ubuntu
2026-02-02 01:56:28,316 - subp.py[DEBUG]: Running command ['useradd', 'ubuntu', '--comment', 'Ubuntu', '--groups', 'adm,audio,cdrom,dialout,dip,floppy,lxd,netdev,plugdev,sudo,video', '--shell', '/bin/bash', '-m'] with allowed return codes [0] (shell=False, capture=True)
2026-02-02 01:56:28,361 - performance.py[DEBUG]: Running ['useradd', 'ubuntu', '--comment', 'Ubuntu', '--groups', 'adm,audio,cdrom,dialout,dip,floppy,lxd,netdev,plugdev,sudo,video', '--shell', '/bin/bash', '-m'] took 0.045 seconds
2026-02-02 01:56:28,362 - subp.py[DEBUG]: Running command ['passwd', '-l', 'ubuntu'] with allowed return codes [0] (shell=False, capture=True)
[...]
2026-02-02 01:56:28,805 - modules.py[DEBUG]: Running module set_passwords (<module 'cloudinit.config.cc_set_passwords' from '/usr/lib/python3/dist-packages/cloudinit/config/cc_set_passwords.py'>) with frequency once-per-instance
2026-02-02 01:56:28,805 - handlers.py[DEBUG]: start: init-network/config-set_passwords: running config-set_passwords with frequency once-per-instance
2026-02-02 01:56:28,805 - util.py[DEBUG]: Writing to /var/lib/cloud/instances/546a0fb8-34d5-4abd-812a-6259feab1404/sem/config_set_passwords - wb: [644] 24 bytes
2026-02-02 01:56:28,805 - helpers.py[DEBUG]: Running config-set_passwords using lock (<FileLock using file '/var/lib/cloud/instances/546a0fb8-34d5-4abd-812a-6259feab1404/sem/config_set_passwords'>)
2026-02-02 01:56:28,806 - cc_set_passwords.py[DEBUG]: Setting hashed password for ['ubuntu']:
2026-02-02 01:56:28,806 - subp.py[DEBUG]: Running command ['chpasswd', '-e'] with allowed return codes [0] (shell=False, capture=True)
2026-02-02 01:56:28,814 - cc_set_passwords.py[DEBUG]: Leaving SSH config 'PasswordAuthentication' unchanged. ssh_pwauth=None
2026-02-02 01:56:28,814 - handlers.py[DEBUG]: finish: init-network/config-set_passwords: SUCCESS: config-set_passwords ran successfully and took 0.009 seconds

[mostafaCamel]

cloud-init-lock_passwd.log
cloud-init-chpasswd.log