55# Renames the default desktop user (e.g. hyperi) to a new username, updates:
66# - Linux user account (username, group, home directory)
77# - Passwordless sudo configuration
8+ # - GNOME keyring (reset so PAM auto-unlocks with new password)
89# - GNOME Remote Desktop (RDP) credentials
910# - Local cloud-init default user
1011#
@@ -136,12 +137,32 @@ LOG_FILE="/var/log/rename-user.log"
136137WORKER_SCRIPT=$( mktemp /tmp/rename-worker.XXXXXX.sh)
137138chmod 700 " $WORKER_SCRIPT "
138139
139- cat > " $WORKER_SCRIPT " << WORKER_EOF
140+ # Write credentials to secure temp file (avoids shell expansion issues with
141+ # special characters like $ in passwords when using heredocs)
142+ CREDS_FILE=$( mktemp /tmp/rename-creds.XXXXXX)
143+ chmod 600 " $CREDS_FILE "
144+ printf ' %s\n' " $NEW_USER " " $NEW_PASS " " $DEFAULT_USER " " $IP_ADDR " " $WORKER_SCRIPT " > " $CREDS_FILE "
145+
146+ cat > " $WORKER_SCRIPT " << 'WORKER_EOF '
140147#!/bin/bash
141148set -euo pipefail
149+
150+ # Read credentials from temp file (avoids special character issues)
151+ CREDS_FILE="$1"
152+ mapfile -t CREDS < "$CREDS_FILE"
153+ NEW_USER="${CREDS[0]}"
154+ NEW_PASS="${CREDS[1]}"
155+ DEFAULT_USER="${CREDS[2]}"
156+ IP_ADDR="${CREDS[3]}"
157+ WORKER_SCRIPT="${CREDS[4]}"
158+
159+ # Securely delete credentials file
160+ rm -f "$CREDS_FILE"
161+
162+ LOG_FILE="/var/log/rename-user.log"
142163exec > "$LOG_FILE" 2>&1
143164
144- echo "=== rename-user: \ $ (date '+%Y-%m-%d %H:%M:%S %Z') ==="
165+ echo "=== rename-user: $(date '+%Y-%m-%d %H:%M:%S %Z') ==="
145166echo "Renaming $DEFAULT_USER -> $NEW_USER"
146167
147168# Wait for parent to finish printing
@@ -166,7 +187,7 @@ groupmod -n "$NEW_USER" "$DEFAULT_USER" 2>/dev/null || true
166187echo "Group renamed"
167188
168189# Set new password
169- echo "$NEW_USER : $NEW_PASS " | chpasswd
190+ printf '%s:%s\n' "$NEW_USER" " $NEW_PASS" | chpasswd
170191echo "Password set"
171192
172193# Update sudoers
@@ -178,6 +199,16 @@ echo "$NEW_USER ALL=(ALL) NOPASSWD: ALL" > "/etc/sudoers.d/90-${NEW_USER}-nopass
178199chmod 440 "/etc/sudoers.d/90-${NEW_USER}-nopasswd"
179200echo "Sudoers updated"
180201
202+ # Reset GNOME keyring so it re-creates with the new login password
203+ # PAM auto-unlocks the login keyring when the keyring password matches
204+ # the user's login password. Old keyring files use the old password.
205+ KEYRING_DIR="/home/${NEW_USER}/.local/share/keyrings"
206+ if [[ -d "$KEYRING_DIR" ]]; then
207+ echo "Resetting GNOME keyring..."
208+ rm -f "${KEYRING_DIR}"/*.keyring "${KEYRING_DIR}"/default 2>/dev/null || true
209+ echo "GNOME keyring reset (will be recreated on next login)"
210+ fi
211+
181212# Update RDP credentials
182213if command -v grdctl &>/dev/null; then
183214 echo "Updating RDP credentials..."
@@ -200,7 +231,7 @@ echo "=== rename-user: COMPLETE ==="
200231echo "Old user: $DEFAULT_USER"
201232echo "New user: $NEW_USER"
202233echo "Home: /home/$NEW_USER"
203- echo "Groups: \ $ (id -nG "$NEW_USER ")"
234+ echo "Groups: $(id -nG "$NEW_USER")"
204235echo ""
205236echo "SSH: ssh $NEW_USER@$IP_ADDR"
206237echo "RDP: $IP_ADDR:3389 (user: $NEW_USER)"
@@ -219,7 +250,7 @@ print_info "Log: ${LOG_FILE}"
219250echo " "
220251
221252# setsid detaches from the controlling terminal and session
222- setsid bash " $WORKER_SCRIPT " &
253+ setsid bash " $WORKER_SCRIPT " " $CREDS_FILE " &
223254disown 2> /dev/null || true
224255
225256print_info " Your session will be terminated in a few seconds."
0 commit comments