Y On Tue, Jul 15, 2014 at 10:44 AM, Neil Wilson <neil at brightbox.co.uk> wrote: > I do the opposite and don’t lock the root user, but lock it in %post > > As in: > > # Install root password - removed and locked in post. > rootpw --iscrypted $1$2e74e5$wMj25e4rEb4rJxqm7BAnk0 %post steps are potentially destabilizing. system-config-kickstart doesn't handle multiple %post steps correctly, it's currently broken anyway, they don't get recorded in anaconda-ks.cfg, and overall they can be very confusing when you access a machine later and say "how was this set up" Instead use something like this. # Install locked root password rootpw --iscrypted ***LOCKED*** If you have to add '%post' steps, add this first to preserve a copy for stability. %post /bin/cp /tmp/ks.cfg /mnt/sysimage/root/ks.cfg I've no idea why the anaconda kickstart doesn't do this, as well as or instead of that horrid, interpreted, mess of an interpreted and deduced kickstart file that may have no legible resemblance to the original ks.cfg.