I'm trying to create a RHEL8 template with the OpenSCAP security profile enabled. Unfortunately it fails because a password reset is required after the security profile has been activated.
I've tried to log in with an SSH key instead, but I still get the same issue, because a password change is required even for SSH-key logins.
I hope somebody has an idea for working around this issue.
Here is the code:
HCL
# Plugin requirements: the vmware-iso builder used below is provided by the
# hashicorp/vmware plugin, pinned to 1.0.3 or newer.
packer {
  required_plugins {
    vmware = {
      version = ">= 1.0.3"
      source  = "github.com/hashicorp/vmware"
    }
  }
}
# Delay after power-on before boot_command is typed into the installer.
variable "boot_wait" {
  type    = string
  default = "15s"
}
# Virtual disk size for the template, in MB.
variable "disk_size" {
  type    = string
  default = "40960"
}
# SHA-256 checksum of the installation ISO referenced by iso_url.
variable "iso_checksum" {
  type    = string
  default = "sha256:8CB0DFACC94B789933253D5583A2FB7AFCE26D38D75BE7C204975FE20B7BDF71"
}
# Local path of the RHEL 8.6 x86_64 DVD ISO (Windows path, backslashes escaped).
variable "iso_url" {
  type    = string
  default = "D:\\isos\\rhel-8.6-x86_64-dvd.iso"
}
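# Guest memory in MB. The commented-out `type = int` was never valid HCL;
# the numeric type constraint is `number`, which accepts the existing default.
variable "memsize" {
  type    = number
  default = 2048
}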
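# Number of virtual CPUs. As with memsize, `int` is not an HCL type;
# `number` is the correct constraint for this numeric default.
variable "numvcpus" {
  type    = number
  default = 2
}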
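# Password for ssh_username; also needed by sudo in shutdown_command even when
# SSH itself authenticates with a key. Marked sensitive so Packer redacts the
# value from its output. The default is kept for compatibility, but a real
# build should override it via -var or PKR_VAR_ssh_password instead of
# committing a password here.
variable "ssh_password" {
  type      = string
  sensitive = true
  default   = "admin123"
}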
# Path to the SSH private key on the Packer host. Presumably the pair whose
# public half the kickstart installs for the admin user via `sshkey` — confirm.
variable "ssh_ppk" {
  type    = string
  default = "E:\\Workspace\\Packer\\RHEL8\\ssh\\id_rsa"
}
# Login user for the SSH communicator; matches the wheel user created by the
# kickstart (`user --name=admin`).
variable "ssh_username" {
  type    = string
  default = "admin"
}
# Name of the resulting virtual machine / template.
variable "vm_name" {
  type    = string
  default = "RHEL8-x86_64"
}
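# Builds the RHEL 8 template from the installation ISO. The guest is kickstarted
# from Packer's built-in HTTP server (http/ks.cfg); Packer then connects to the
# installed system over SSH for provisioning and shutdown.
source "vmware-iso" "rhel8-template" {
  # Erase the trailing text of the default boot entry, then append the kickstart URL.
  boot_command = ["<tab><bs><bs><bs><bs><bs>inst.text inst.ks=http://{{ .HTTPIP }}:{{ .HTTPPort }}/ks.cfg<enter><wait>"]
  boot_wait    = var.boot_wait
  cpus         = var.numvcpus
  memory       = var.memsize

  disk_adapter_type = "nvme"
  disk_size         = var.disk_size
  disk_type_id      = "0"
  guest_os_type     = "rhel8-64"
  headless          = false

  # Served to the guest over plain HTTP during install. ks.cfg carries the
  # (hashed) root, user and bootloader passwords, so keep this directory out of
  # version control.
  http_directory = "http"
  iso_checksum   = var.iso_checksum
  iso_url        = var.iso_url

  # sudo still needs the account password even when SSH uses a key; reference the
  # variable instead of repeating the literal so the value lives in one place.
  shutdown_command = "echo '${var.ssh_password}'|sudo -S /sbin/halt -h -p"

  # Guest SSH authentication. The previous config pointed ssh_certificate_file and
  # remote_private_key_file at the private key; neither makes the communicator
  # offer public-key auth to the guest (ssh_certificate_file expects a signed SSH
  # certificate, remote_private_key_file authenticates to a remote ESXi build
  # host), which is why the handshake reported "attempted methods [none]".
  # ssh_private_key_file is the option that enables key auth against the guest.
  ssh_username         = var.ssh_username
  ssh_private_key_file = var.ssh_ppk
  # ssh_password = var.ssh_password   # alternative: password auth instead of the key
  ssh_port    = 22
  ssh_timeout = "30m"

  vm_name = var.vm_name
  vmx_data = {
    "ethernet0.addressType" = "generated"
    "ethernet0.present"     = "TRUE"
    "ethernet0.virtualDev"  = "vmxnet3"
    "virtualHW.version"     = "15"
  }
}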
# Single build from the vmware-iso source above. No provisioners are attached, so
# the template is left exactly as the kickstart installed it.
build {
  sources = ["source.vmware-iso.rhel8-template"]
}
Kickstart
# Kickstart for the RHEL 8 template; fetched by the installer from Packer's HTTP server.
cdrom
lang en_US.UTF-8
keyboard --xlayouts='de (nodeadkeys)'
timezone --utc Europe/Berlin
network --onboot yes --device eth0 --bootproto dhcp --noipv6
# Root receives a hashed password and is then locked; day-to-day administration
# goes through the wheel user below.
rootpw --iscrypted $6$3AKU...c.w0
rootpw --lock
# Administrative user that Packer's SSH communicator logs in as; wheel membership gives sudo.
user --name=admin --groups=wheel --password=$6$3AN....c.w0 --iscrypted
# Public key for key-based SSH login as admin; the private key stays on the Packer host.
sshkey --username=admin "ssh-rsa AAAAB3N...QteU="
firewall --enabled --ssh
authselect select sssd
selinux --enforcing
# Bootloader password blocks unauthenticated edits to kernel parameters at boot.
bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBA...s5qNto0
zerombr
clearpart --linux --initlabel
part /boot --fstype=xfs --size=512
part pv.01 --grow --size=1
volgroup rhel --pesize=4096 pv.01
# Separate volumes for home, scratch and log areas; the writable scratch volumes
# are mounted nodev/nosuid/noexec.
logvol / --fstype=xfs --name=root --vgname=rhel --size=10240 --grow
logvol /home --fstype=xfs --name=home --vgname=rhel --size=1024 --fsoptions="nodev"
logvol /tmp --fstype=xfs --name=tmp --vgname=rhel --size=1024 --fsoptions="nodev,noexec,nosuid"
logvol /var/tmp --fstype=xfs --name=var_tmp --vgname=rhel --size=1024 --fsoptions="nodev,nosuid,noexec"
logvol /var --fstype=xfs --name=var --vgname=rhel --size=3072
logvol /var/log --fstype=xfs --name=var_log --vgname=rhel --size=1024
logvol /var/log/audit --fstype=xfs --name=var_log_audit --vgname=rhel --size=512
logvol swap --name=swap --vgname=rhel --size=2016
# Apply the SCAP Security Guide CIS profile (with its remediation) at install time.
# NOTE(review): if the profile's remediation expires the admin password, a
# key-authenticated SSH session is still forced into a password change at login,
# which would break Packer's communicator even once key auth is configured —
# confirm against the remediation log before relying on the key alone.
%addon org_fedora_oscap
content-type = scap-security-guide
profile = xccdf_org.ssgproject.content_profile_cis
%end
%packages
@^minimal-environment
kexec-tools
python38
# Exclude unnecessary firmwares
-iwl*firmware
-aic94xx-firmware*
-alsa-*
%end
# Reboot into the installed system (ejecting the ISO) so Packer can connect over SSH.
reboot --eject
Error
==> vmware-iso.rhel8-template: Error waiting for SSH: Packer experienced an authentication error when trying to connect via SSH. This can happen if your username/password are wrong. You may want to double-check your credentials as part of your debugging process. original error: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none], no supported methods remain