[docs]: Explicitly mention that setting (and unlocking) passwords for existing users require the chpasswd module not users.[].hashed_passwd|plain_text_passwd + users.[].lock_passwd

[mostafaCamel]

Documentation request

The cloud-init examples suggest that using hashed_passwd and lock_passwd for already-exsting users

Here is the excerpt from the documentation

# Add users to the system. Users are added after groups are added.
# Note: Most of these configuration options will not be honored if the user
#       already exists. Following options are the exceptions and they are
#       applicable on already-existing users:
#       - 'plain_text_passwd', 'hashed_passwd', 'lock_passwd', 'sudo',
#         'ssh_authorized_keys', 'ssh_redirect_user'.

So I try the following cloud-init

#cloud-config
users:
  - default
  - name: ubuntu    
    shell: /bin/bash
    hashed_passwd: $6$ViQQI4kReDWrps3y$TSzStkHkxYKn6VlaWRVrhwZSsoVe3nxolR58Iz0063Rp1Ba4w8gFtep9uy4N8cpmcF7Ey0fYrm2lmcYEHT.E./
    lock_passwd: false
    sudo: ALL=(ALL) NOPASSWD:ALL

However, I am unable to loginvia console. When I ssh into it and I run sudo cat /etc/shadow | grep ubuntu , I get ubuntu:!$6$ViQQI4kReDWrps3y$TSzStkHkxYKn6VlaWRVrhwZSsoVe3nxolR58Iz0063Rp1Ba4w8gFtep9uy4N8cpmcF7Ey0fYrm2lmcYEHT.E./:20484:0:99999:7:::
Notice the exclamation mark before the hashed password, which means that we are unable to use this password for login

When I try the following cloud-init, I am able to login via console. Notice that I did not even need to set lock_passwd

users:
  - default
  - name: ubuntu    
    shell: /bin/bash
    sudo: ALL=(ALL) NOPASSWD:ALL
chpasswd:
  expire: false
  users:
  - {name: ubuntu, password: $6$ViQQI4kReDWrps3y$TSzStkHkxYKn6VlaWRVrhwZSsoVe3nxolR58Iz0063Rp1Ba4w8gFtep9uy4N8cpmcF7Ey0fYrm2lmcYEHT.E./}

Image used: https://cloud-images.ubuntu.com/jammy/20251216/jammy-server-cloudimg-amd64.img

ubuntu@vmwithpassword:~$ cloud-init --version
/usr/bin/cloud-init 25.2-0ubuntu1~22.04.1

ubuntu@vmwithpassword:~$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 22.04.5 LTS
Release:	22.04
Codename:	jammy

fwiw, sudo virt-cat -a ubuntu-22.04-server-cloudimg-amd64.img /etc/passwd | grep ubuntu and sudo virt-cat -a ubuntu-22.04-server-cloudimg-amd64.img /etc/shadow | grep ubuntu return nothing, which mean that the image by iitself does not have the user and that the user is created later (early during cloud-init)

[mostafaCamel]

Not sure if this should be considered a documentation issue or a bug that lock_passwd is not being honored

[mostafaCamel]

Thinking about it again, probably a bug on lock_passwd. Will leave it to the screener to decide

Either the documentation is wrong (in mentioning that lock_passwd will be honored for existing users) or there is a bug and lock_passwd is not being honored for existing users while it should be honored

[mostafaCamel]

Attaching the var/log/cloud-init.log in 2 cases

• with lock_passwd

#cloud-config
users:
  - default
  - name: ubuntu    
    shell: /bin/bash
    hashed_passwd: $6$ViQQI4kReDWrps3y$TSzStkHkxYKn6VlaWRVrhwZSsoVe3nxolR58Iz0063Rp1Ba4w8gFtep9uy4N8cpmcF7Ey0fYrm2lmcYEHT.E./
    lock_passwd: false
    sudo: ALL=(ALL) NOPASSWD:ALL

In that case the password is locked

ubuntu@mostafavm:~$ sudo grep ubuntu /etc/shadow
ubuntu:!$6$ViQQI4kReDWrps3y$TSzStkHkxYKn6VlaWRVrhwZSsoVe3nxolR58Iz0063Rp1Ba4w8gFtep9uy4N8cpmcF7Ey0fYrm2lmcYEHT.E./:20486:0:99999:7:::

and we can see in the cloud-init.log. These are the password-related excerpts

2026-02-02 02:03:15,116 - subp.py[DEBUG]: Running command chpasswd for ubuntu with allowed return codes [0] (shell=False, capture=True)
2026-02-02 02:03:15,124 - subp.py[DEBUG]: Running command ['passwd', '-l', 'ubuntu'] with allowed return codes [0] (shell=False, capture=True)
[...]
2026-02-02 02:03:15,306 - modules.py[DEBUG]: Running module set_passwords (<module 'cloudinit.config.cc_set_passwords' from '/usr/lib/python3/dist-packages/cloudinit/config/cc_set_passwords.py'>) with frequency once-per-instance
2026-02-02 02:03:15,306 - handlers.py[DEBUG]: start: init-network/config-set_passwords: running config-set_passwords with frequency once-per-instance
2026-02-02 02:03:15,306 - util.py[DEBUG]: Writing to /var/lib/cloud/instances/fe370385-0aa8-4f10-b13e-76e6ba3c6949/sem/config_set_passwords - wb: [644] 24 bytes
2026-02-02 02:03:15,306 - helpers.py[DEBUG]: Running config-set_passwords using lock (<FileLock using file '/var/lib/cloud/instances/fe370385-0aa8-4f10-b13e-76e6ba3c6949/sem/config_set_passwords'>)
2026-02-02 02:03:15,306 - cc_set_passwords.py[DEBUG]: Leaving SSH config 'PasswordAuthentication' unchanged. ssh_pwauth=None
2026-02-02 02:03:15,306 - handlers.py[DEBUG]: finish: init-network/config-set_passwords: SUCCESS: config-set_passwords ran successfully and took 0.000 seconds

• and with chpasswd

#cloud-config
users:
  - default
  - name: ubuntu    
    shell: /bin/bash
    sudo: ALL=(ALL) NOPASSWD:ALL
chpasswd:
  expire: false
  users:
  - {name: ubuntu, password: $6$ViQQI4kReDWrps3y$TSzStkHkxYKn6VlaWRVrhwZSsoVe3nxolR58Iz0063Rp1Ba4w8gFtep9uy4N8cpmcF7Ey0fYrm2lmcYEHT.E./}

We can see that the password is unlocked

ubuntu@mostafavm:~$ sudo grep ubuntu /etc/shadow
ubuntu:$6$ViQQI4kReDWrps3y$TSzStkHkxYKn6VlaWRVrhwZSsoVe3nxolR58Iz0063Rp1Ba4w8gFtep9uy4N8cpmcF7Ey0fYrm2lmcYEHT.E./:20486:0:99999:7:::

These are the password-related excerpts from the logs

2026-02-02 01:56:28,316 - distros[DEBUG]: Adding user ubuntu
2026-02-02 01:56:28,316 - subp.py[DEBUG]: Running command ['useradd', 'ubuntu', '--comment', 'Ubuntu', '--groups', 'adm,audio,cdrom,dialout,dip,floppy,lxd,netdev,plugdev,sudo,video', '--shell', '/bin/bash', '-m'] with allowed return codes [0] (shell=False, capture=True)
2026-02-02 01:56:28,361 - performance.py[DEBUG]: Running ['useradd', 'ubuntu', '--comment', 'Ubuntu', '--groups', 'adm,audio,cdrom,dialout,dip,floppy,lxd,netdev,plugdev,sudo,video', '--shell', '/bin/bash', '-m'] took 0.045 seconds
2026-02-02 01:56:28,362 - subp.py[DEBUG]: Running command ['passwd', '-l', 'ubuntu'] with allowed return codes [0] (shell=False, capture=True)
[...]
2026-02-02 01:56:28,805 - modules.py[DEBUG]: Running module set_passwords (<module 'cloudinit.config.cc_set_passwords' from '/usr/lib/python3/dist-packages/cloudinit/config/cc_set_passwords.py'>) with frequency once-per-instance
2026-02-02 01:56:28,805 - handlers.py[DEBUG]: start: init-network/config-set_passwords: running config-set_passwords with frequency once-per-instance
2026-02-02 01:56:28,805 - util.py[DEBUG]: Writing to /var/lib/cloud/instances/546a0fb8-34d5-4abd-812a-6259feab1404/sem/config_set_passwords - wb: [644] 24 bytes
2026-02-02 01:56:28,805 - helpers.py[DEBUG]: Running config-set_passwords using lock (<FileLock using file '/var/lib/cloud/instances/546a0fb8-34d5-4abd-812a-6259feab1404/sem/config_set_passwords'>)
2026-02-02 01:56:28,806 - cc_set_passwords.py[DEBUG]: Setting hashed password for ['ubuntu']:
2026-02-02 01:56:28,806 - subp.py[DEBUG]: Running command ['chpasswd', '-e'] with allowed return codes [0] (shell=False, capture=True)
2026-02-02 01:56:28,814 - cc_set_passwords.py[DEBUG]: Leaving SSH config 'PasswordAuthentication' unchanged. ssh_pwauth=None
2026-02-02 01:56:28,814 - handlers.py[DEBUG]: finish: init-network/config-set_passwords: SUCCESS: config-set_passwords ran successfully and took 0.009 seconds

[mostafaCamel]

cloud-init-lock_passwd.log
cloud-init-chpasswd.log

[mostafaCamel]

The logic fr the users setion seems to be

• password is set here as well as the ud_password_specified boolean

  cloud-init/cloudinit/distros/__init__.py

  Line 894 in 18c8830

  self.set_passwd(name, kwargs["hashed_passwd"], hashed=True)

• for some reason the unlocking below does not occur

  cloud-init/cloudinit/distros/__init__.py

  Lines 931 to 944 in 18c8830

  	elif has_existing_password or ud_password_specified:
  	# 'lock_passwd: False' and either existing account already with
  	# non-blank password or else existing/new account with password
  	# explicitly set in user-data.
  	if ud_blank_password_specified:
  	LOG.debug(
  	"Allowing unlocking empty password for %s based on empty"
  	" '%s' in user-data",
  	name,
  	password_key,
  	)
  	# Unlock the existing/new account
  	self.unlock_passwd(name)

[mostafaCamel]

Was able to reproduce. The problem is that lock_passwd passed in kwargs to create_user so somehow True even though I passed it as false. For reference, hashed_passwd is passed as I definied it

• Spin up lxd VM with cloud-init

lxc launch ubuntu:24.04 --vm myvm -c user.user-data="$(cat /tmp/user-data)


#cloud-config
users:
  - default
  - name: ubuntu
    shell: /bin/bash
    hashed_passwd: $6$ViQQI4kReDWrps3y$TSzStkHkxYKn6VlaWRVrhwZSsoVe3nxolR58Iz0063Rp1Ba4w8gFtep9uy4N8cpmcF7Ey0fYrm2lmcYEHT.E./
    lock_passwd: false
    sudo: ALL=(ALL) NOPASSWD:ALL

• Add additional debugging logs (copy the file to .original then add your changes)

lxc exec myvm -- diff -uN /usr/lib/python3/dist-packages/cloudinit/distros/__init__.py{.original,}
--- /usr/lib/python3/dist-packages/cloudinit/distros/__init__.py.original	2025-09-26 11:09:55.000000000 +0000
+++ /usr/lib/python3/dist-packages/cloudinit/distros/__init__.py	2026-05-01 11:38:22.685472723 +0000
@@ -919,12 +919,13 @@
                 password_key = "passwd"
                 if not kwargs["passwd"]:
                     ud_blank_password_specified = True
-
+        LOG.warning("Mostafa: before lock_passwd if-statement: name: %s , pre-existing: %s , ud_password_specified: %s , password_key: %s, kwargs: %s", name, pre_existing_user, ud_password_specified, password_key, kwargs)
         # Default locking down the account. 'lock_passwd' defaults to True.
         # Lock account unless lock_password is False in which case unlock
         # account as long as a password (blank or otherwise) was specified.
         if kwargs.get("lock_passwd", True):
             self.lock_passwd(name)
+            LOG.warning("Mostafa: got into lock_passwd branch. BAD")
         elif has_existing_password or ud_password_specified:
             # 'lock_passwd: False' and either existing account already with
             # non-blank password or else existing/new account with password

• Reset cloud-init and reboot the machine lxc exec myvm -- cloud-init clean --logs --reboot

• Wait 2 minutes then grep the cloud-init logs

lxc exec myvm -- grep Mostafa /var/log/cloud-init.log
2026-05-01 11:38:53,916 - distros[WARNING]: Mostafa: before lock_passwd if-statement: name: ubuntu , pre-existing: True , ud_password_specified: True , password_key: hashed_passwd, kwargs: {'lock_passwd': True, 'gecos': 'Ubuntu', 'sudo': ['ALL=(ALL) NOPASSWD:ALL'], 'shell': '/bin/bash', 'hashed_passwd': '$6$ViQQI4kReDWrps3y$TSzStkHkxYKn6VlaWRVrhwZSsoVe3nxolR58Iz0063Rp1Ba4w8gFtep9uy4N8cpmcF7Ey0fYrm2lmcYEHT.E./', 'groups': 'adm,cdrom,dip,lxd,sudo'}
2026-05-01 11:38:53,958 - distros[WARNING]: Mostafa: got into lock_passwd branch. BAD

• You can also confirm which user-data was passed

lxc exec myvm -- cat /var/lib/cloud/instance/cloud-config.txt
#cloud-config

# from 1 files
# part-001

---
users:
- default
-   hashed_passwd: $6$ViQQI4kReDWrps3y$TSzStkHkxYKn6VlaWRVrhwZSsoVe3nxolR58Iz0063Rp1Ba4w8gFtep9uy4N8cpmcF7Ey0fYrm2lmcYEHT.E./
    lock_passwd: false
    name: ubuntu
    shell: /bin/bash
    sudo: ALL=(ALL) NOPASSWD:ALL
...

[mostafaCamel]

It looks like normalize_users_groups somehow switches the value of lock_passd from boolean False (see logs below) to True (see logs below)

Added logs to cc_users_groups.py

--- /usr/lib/python3/dist-packages/cloudinit/config/cc_users_groups.py.original	2025-09-26 11:09:55.000000000 +0000
+++ /usr/lib/python3/dist-packages/cloudinit/config/cc_users_groups.py	2026-05-01 12:34:46.209108111 +0000
@@ -40,6 +40,8 @@
     for name, members in groups.items():
         cloud.distro.create_group(name, members)
 
+    LOG.warning("Mostafa: cfg[\"users\"]: %s", cfg["users"])
+    LOG.warning("Mostafa: users: %s", users)
     for user, config in users.items():
 
         no_home = [key for key in NO_HOME if config.get(key)]

then cleaned cloud-init and rebooted then grepped the logs

2026-05-01 12:35:09,007 - cc_users_groups.py[WARNING]: Mostafa: cfg["users"]: ['default', {'hashed_passwd': '$6$ViQQI4kReDWrps3y$TSzStkHkxYKn6VlaWRVrhwZSsoVe3nxolR58Iz0063Rp1Ba4w8gFtep9uy4N8cpmcF7Ey0fYrm2lmcYEHT.E./', 'lock_passwd': False, 'shell': '/bin/bash', 'sudo': 'ALL=(ALL) NOPASSWD:ALL'}]
2026-05-01 12:35:09,011 - cc_users_groups.py[WARNING]: Mostafa: users: {'ubuntu': {'lock_passwd': True, 'gecos': 'Ubuntu', 'sudo': ['ALL=(ALL) NOPASSWD:ALL'], 'shell': '/bin/bash', 'hashed_passwd': '$6$ViQQI4kReDWrps3y$TSzStkHkxYKn6VlaWRVrhwZSsoVe3nxolR58Iz0063Rp1Ba4w8gFtep9uy4N8cpmcF7Ey0fYrm2lmcYEHT.E./', 'groups': 'adm,cdrom,dip,lxd,sudo'}}
```

[mostafaCamel]

In ug_util.py, it seems that the _normalize_users function incorrectly merges the config that I passed and the default user' configuration 9as defined in the image/distro). Notice my "before weird" log below whee lock_passwd seems to be false

Logs

2026-05-01 13:05:56,635 - ug_util.py[WARNING]: Mostafa: baseusers: ['default', {'hashed_passwd': '$6$ViQQI4kReDWrps3y$TSzStkHkxYKn6VlaWRVrhwZSsoVe3nxolR58Iz0063Rp1Ba4w8gFtep9uy4N8cpmcF7Ey0fYrm2lmcYEHT.E./', 'lock_passwd': False, 'name': 'ubuntu', 'shell': '/bin/bash', 'sudo': 'ALL=(ALL) NOPASSWD:ALL'}]
2026-05-01 13:05:56,635 - ug_util.py[WARNING]: Mostafa: default_user_config: {'name': 'ubuntu', 'lock_passwd': True, 'gecos': 'Ubuntu', 'groups': ['adm', 'cdrom', 'dip', 'lxd', 'sudo'], 'sudo': ['ALL=(ALL) NOPASSWD:ALL'], 'shell': '/bin/bash'}
2026-05-01 13:05:56,635 - ug_util.py[WARNING]: Mostafa before weird: {'default': {}, 'ubuntu': {'hashed_passwd': '$6$ViQQI4kReDWrps3y$TSzStkHkxYKn6VlaWRVrhwZSsoVe3nxolR58Iz0063Rp1Ba4w8gFtep9uy4N8cpmcF7Ey0fYrm2lmcYEHT.E./', 'lock_passwd': False, 'shell': '/bin/bash', 'sudo': 'ALL=(ALL) NOPASSWD:ALL'}}
2026-05-01 13:05:56,635 - ug_util.py[WARNING]: Mostafa in weird , def_user_cfg: {'lock_passwd': True, 'gecos': 'Ubuntu', 'sudo': ['ALL=(ALL) NOPASSWD:ALL'], 'shell': '/bin/bash'}
2026-05-01 13:05:56,635 - ug_util.py[WARNING]: Mostafa in weird , def_config: {}
2026-05-01 13:05:56,635 - ug_util.py[WARNING]: Mostafa in weird , parsed_config: {'hashed_passwd': '$6$ViQQI4kReDWrps3y$TSzStkHkxYKn6VlaWRVrhwZSsoVe3nxolR58Iz0063Rp1Ba4w8gFtep9uy4N8cpmcF7Ey0fYrm2lmcYEHT.E./', 'lock_passwd': False, 'shell': '/bin/bash', 'sudo': 'ALL=(ALL) NOPASSWD:ALL', 'groups': 'adm,cdrom,dip,lxd,sudo'}

Added log statements

--- /usr/lib/python3/dist-packages/cloudinit/distros/ug_util.py.original	2025-09-26 11:09:55.000000000 +0000
+++ /usr/lib/python3/dist-packages/cloudinit/distros/ug_util.py	2026-05-01 13:05:35.623299505 +0000
@@ -119,6 +119,7 @@
 
     # Fix the default user into the actual default user name and replace it.
     def_user = None
+    LOG.warning("Mostafa before weird: %s", users)
     if users and "default" in users:
         def_config = users.pop("default")
         if def_user_cfg:
@@ -139,6 +140,9 @@
             # config provided by the above merging for the user 'default' and
             # then the parsed config from the user's 'real name' which does not
             # have to be 'default' (but could be)
+            LOG.warning("Mostafa in weird , def_user_cfg: %s", def_user_cfg)
+            LOG.warning("Mostafa in weird , def_config: %s", def_config)
+            LOG.warning("Mostafa in weird , parsed_config: %s", parsed_config)
             users[def_user] = util.mergemanydict(
                 [def_user_cfg, def_config, parsed_config]
             )
@@ -234,6 +238,8 @@
     if "groups" in cfg:
         groups = _normalize_groups(cfg["groups"])
 
+    LOG.warning("Mostafa: baseusers: %s",base_users)
+    LOG.warning("Mostafa: default_user_config: %s", default_user_config)
     users = _normalize_users(base_users, default_user_config)
     return (users, groups)

[mostafaCamel]

I think the problem is that ug_util.py::_normalize_users calls

cloud-init/cloudinit/distros/ug_util.py

Lines 142 to 144 in 18c8830

	users[def_user] = util.mergemanydict(
	[def_user_cfg, def_config, parsed_config]
	)

while mergemanydict gives the highest priority to the first argument. So the first argument should be parsed_config (the config passed by the user) then def_config (I guess this is the dict associated to the user-passed default in the users array in user-data) then def_user_cfg (the default user's configuration accordiing to the image/distro)

[mostafaCamel]

These comments were written in 2012

[mostafaCamel]

Raised #6860 which has 2 commits:

• after the first commit 749fd8d (where I jsut added a unit test to assert the precedence behavior), the unit test fails
• after the second commit 8d31a7e (where I change the arguments order in the mergemanydict call in ug_util::_normalize_users, the unit test suceeds as well as all the other unit tests and all the integration tests