Clearing the "you must change your password" flag

I am trying to figure out how to get rid of the “you must change your password” process on first login on a newly flashed board.

We’ve already changed the default password away from torizon so this shouldn’t apply anymore. My “custom directory” used by torizoncore-builder has an updated set of groups, gshadow and shadow files that are reflected in the deployed configuration, and the password change is taking effect because I must use the new password for first-time login. However, the board still prompts me to change it, which is suboptimal from a production standpoint.

Hey @bw908,

Can you tell us a bit more about your situation.

What module and carrier board are you using?
What OS/version?

And walking through your specific case:
How are you deploying the new image?
Are the included files creating a new usr/password that you are trying to log into with?
What do you mean you have already changed the default password away from torizon? Is is asking you every-time you shell into the board?

Thanks for the info,



Verdin IMX8MP, TorizonCore 5.7.0

We are deploying a customized image using TEZI, and one of the customization files is /usr/etc/shadow which changes the password away from the default to something more secure.

However, on first SSH into a freshly deployed board, we are still prompted that the password must be changed, even though it is already not set to ‘torizon’ anymore.

I am looking to have it not nag me to change the password because we have already changed it as part of the customized image.

Thanks for the reply, I’ll be looking to recreate the problem. Are you building the customized image with TorizonCore Builder?

If so:
When building the image with TorizonCore Builder and you capture the original password change, this modification is persistent. It should not be prompting for a new password change.

There is also some issue if you are using the isolate command with specific files/directories being ignored (shadow- files included in this) see:


Yes, we are using TorizonCore Builder.

If I understand correctly, the isolate command might be missing a file that is needed to persist the “changed password” state?

(Note we do have the shadow file as part of our custom FS overlay)


Sorry these are two related but different points of information.

To answer specifically: The “persist changed password state” is built into TorizonCore Builder, unrelated to the isolate command. Following (1) should provide you with the desired* results.

(1) When building an image with TorizonCore builder. You preform the modified password change once (It has prompted you). This information is persistent/saved in the built image. There isn’t any additional steps required.

Are you going through this step successfully? And if not can you describe your workflow in a step by step manner.

(2) When you are developing the image with TorizonCore Builder. If you are using the provided command tools, such as isolate to capture configuration changes. This command isolate by default will ignore certain files. This happens to be one of the files you are working with. As described in the linked article.


Aha, I figured it out - I think I was missing the .passwd_changed file, I re-tried the isolate command from scratch and after I added that (+modified shadow file) to my custom overlay it started working.