How to Change Default “torizon” Password and Skip Mandatory Password Change on First Boot

For every fresh flashing through USB, the system boots and prompts to change the default password for the user torizon

I want to change this default password (from torizon to mypassword) automatically during the deployment for example, through the wrapup.sh script or any other method.

My goal is:

• The system should boot with the user torizon having the password mypassword.

• The mandatory password change prompt on first boot should be disabled or skipped.

• The device should boot directly to the shell without requiring manual password updates.

Is there a recommended way to achieve this on TorizonCore through a customization script?

Regards
Alex

Hi, I’m the Toradex AI Assistant.

I might make mistakes or occasionally get you wrong. Our support team will step in if needed.

Based on the available documentation, I can help you customize the default password and skip the password change prompt using TorizonCore Builder. While the provided sources don’t explicitly detail password customization scripts, they do show how to apply filesystem changes and customizations to Torizon OS images.

Recommended Approach

You can achieve this through TorizonCore Builder by creating a custom image with pre-configured user settings. Here’s how:

Method 1: Using Configuration File with Build Command

Create a configuration file that includes filesystem modifications to set the password and disable the password change prompt (1).

The TorizonCore Builder supports customization through configuration files where you can specify filesystem changes (1). You would need to:

1. Create a tcbuild.yaml configuration file using the template generator (1):

$ torizoncore-builder build --create-template

(1)

2. Add custom filesystem modifications to pre-set the password hash and disable password expiration.

Method 2: Using Standalone Commands with Changes Directory

You can capture and apply filesystem changes using the standalone commands approach (2):

1. Set up your base image by unpacking a Torizon OS image (2):

$ torizoncore-builder images unpack torizon-core-docker-[your-module]-Tezi_[version].tar

(2)

2. Create filesystem modifications in a changes directory that includes:

   • Modified /etc/passwd and /etc/shadow files with your custom password hash
   • Configuration to disable password expiration prompts

3. Apply the changes using the union command (2):

$ torizoncore-builder union custom-branch

(2)

4. Deploy the custom image (2):

$ torizoncore-builder deploy custom-branch --output-directory [output-directory]

(2)

Important Security Considerations

The documentation shows that Torizon OS supports password quality modules through pam_pwquality (3). When customizing passwords, ensure you maintain security standards by:

• Using strong password hashes
• Considering the security implications of pre-set passwords
• Potentially enabling password quality enforcement for production use (3)

Deployment Options

Once you’ve created your custom image, you can deploy it through (4):

• Toradex Easy Installer for production programming
• Direct SSH deployment for development
• Torizon Cloud for field updates

The custom image will boot directly with your specified password without prompting for password changes, achieving your goal of automatic login capability.

Best regards, Toradex AI Assistant.

Did you like my answer?

If I answered your question, please tick the “Solution” checkbox.

For follow-up questions to me, please use @ToradexAI in your post.

Hi @alexx

You can use the capture changes feature to create a configured base image.

This is going to “isolate” the changes made to /etc, which includes the password set.

1. Boot the device for the first time and set the desired password.
2. Use the torizoncore-builder isolate command to capture the customization.
3. In the tcbuild.yaml file include the modifications folder.
4. Build the new image.

This new image is going to have the same password you set on the device.

Thanks for the reply @allan.tx

Let me also explain why I need this.

I’m working with a large batch of Colibri modules for production.
For each fresh module, I must do two things automatically:

1. Set a custom password instead of the default ’torizon’
   (This is required for security and also for our production workflow, we cannot keep the default password in deployed units.)

2. Run an automation script that is stored on a USB drive
   This script configures some device specific settings
   It only needs to run once, immediately after flashing, just like the Toradex first boot password expire script works.

Since this is for bulk production, we must avoid any manual steps like logging in or typing passwords.
So the requirement is:

• After flashing TorizonCore (On first boot only)

• The system should

  1. Skip the mandatory password-change screen
  2. Automatically run our system-rules/system_init.sh script from the USB

• On normal boots after that, the script must not run again

Basically, I want a mechanism similar to your /etc/.passwd_changed logic, but with our own first boot script.

My question is:

Can this “first boot script + password preset” be implemented using a customization layer (wrapup/torizoncore builder), without building a custom Torizon OS image from source?

Or is building a custom base image the only reliable way?

Regards
Alexx

Hey @alexx,

Since our Torizon images come with the “torizon” user and password by default, you do need a customized image if you want a different default password.

Did you try what Allan suggested? I think you can implement your desired workflow with the TorizonCore Builder approach he pointed out. You can manually apply the necessary configuration to a running module, use the isolate command to capture the customization and generate a new image with TorizonCore Builder. You can then copy and use the customized image in your automated workflow instead of our default ones.

Best regards,