[lmi] `openssl passwd` not appearing with 'set -vx'
From: Greg Chicares
Subject: [lmi] `openssl passwd` not appearing with 'set -vx'
Date: Tue, 5 May 2020 23:59:43 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.7.0

Today I ran 'install_centos.sh' and compared its output to yesterday's,
and this seemed odd:
getent group "greg" || groupadd --gid="1000" "greg"
+ getent group greg
+ groupadd --gid=1000 greg
-getent passwd "greg" || useradd --gid="1000" --uid="1000" --create-home
--shell=/bin/zsh --password="$1$irXaygJk$/bPP/s2keK3ch23UrfXmf/" "greg"
+getent passwd "greg" || useradd --gid="1000" --uid="1000" --create-home
--shell=/bin/zsh --password="$1$HjRcinT1$zVMljzLGLRDenLwa7OUgP0" "greg"
+ getent passwd greg
-+ useradd --gid=1000 --uid=1000 --create-home --shell=/bin/zsh
'--password=$/bPP/s2keK3ch23UrfXmf/' greg
++ useradd --gid=1000 --uid=1000 --create-home --shell=/bin/zsh --password= greg
Both yesterday's (-) and today's (+) 'getent ... || useradd ...' commands
give nonempty random passwords, but on the last pair of quoted lines,
yesterday's has a single-quoted
'--password=$/bPP/s2keK3ch23UrfXmf/' greg
whereas today's has a non-quoted, empty
--password= greg
which is what seems odd to me.
The main script creates a script, thus:
cat >/srv/chroot/centos7lmi/tmp/setup0.sh <<EOF
#!/bin/sh
set -evx
[...]
getent passwd "${NORMAL_USER}" || useradd \
--gid="${NORMAL_GROUP_GID}" \
--uid="${NORMAL_USER_UID}" \
--create-home \
--shell=/bin/zsh \
--password="$(openssl passwd -1 expired)" \
"${NORMAL_USER}"
to be run inside a chroot, and that script contains this line:
getent passwd "greg" || useradd --gid="1000" --uid="1000" --create-home
--shell=/bin/zsh --password="$1$HjRcinT1$zVMljzLGLRDenLwa7OUgP0" "greg"
which, when executed, appears like this on the screen:
getent passwd "greg" || useradd --gid="1000" --uid="1000" --create-home
--shell=/bin/zsh --password="$1$HjRcinT1$zVMljzLGLRDenLwa7OUgP0" "greg"
+ getent passwd greg
+ useradd --gid=1000 --uid=1000 --create-home --shell=/bin/zsh --password= greg
We've previously seen odd splitting of "+" lines with 'dash -x':
https://lists.nongnu.org/archive/html/lmi/2019-04/msg00050.html
This script is executed in a chroot where:
$cat /etc/centos-release
CentOS Linux release 7.8.2003 (Core)
$ls -l /usr/bin/sh
lrwxrwxrwx 1 root root 4 May 5 20:42 /usr/bin/sh -> bash
so might the above surprise be a similarly random 'bash -x' artifact?
I don't think any relevant package changed:
-Extracting: bash-4.2.46-34.el7.x86_64.rpm
+Extracting: bash-4.2.46-34.el7.x86_64.rpm
-Extracting: openssl-libs-1.0.2k-19.el7.x86_64.rpm
+Extracting: openssl-libs-1.0.2k-19.el7.x86_64.rpm
Is there something about today's password
$/bPP/s2keK3ch23UrfXmf/
generated by this particular invocation of 'openssl' that causes
misbehavior when yesterday's
$1$irXaygJk$/bPP/s2keK3ch23UrfXmf/
seemed to work? Aligning them both this way:
$/bPP/s2keK3ch23UrfXmf/
$1$irXaygJk$/bPP/s2keK3ch23UrfXmf/
shows that the last 23 characters match, yet in yesterday's
case where a non-empty string was passed:
-+ useradd [...] '--password=$/bPP/s2keK3ch23UrfXmf/' greg
it looks like only those 23 were passed. But the behavior
doesn't seem to be invariant, except for the initial "$1":
for z in 1 2 3 4 5; do openssl passwd -1 expired; done
$1$g4yg78K2$quQQfkwJHMcxJM7pmvgir.
$1$Zz/YeWiv$Fs8orLrKOMTHIubxnLd2Q.
$1$BkXQcVgK$93lkl6YrqJJU2IPIHQ5/N/
$1$ty0ET9aZ$QwiXRlGY0SgszAsAdU7Dz.
$1$GX7Y2dO8$tTEeIUjj14QhdsOogzniC1
That 23 characters match seems so weird that I feel compelled
to double-check it--indeed, they occur in two logs generated
a day apart, but in none of the other dozens of logs I've saved:
grep -r s2keK centos*
centos_log_20200504T2251Z:getent passwd "greg" || useradd --gid="1000"
--uid="1000" --create-home --shell=/bin/zsh
--password="$1$irXaygJk$/bPP/s2keK3ch23UrfXmf/" "greg"
centos_log_20200504T2251Z:+ useradd --gid=1000 --uid=1000 --create-home
--shell=/bin/zsh '--password=$/bPP/s2keK3ch23UrfXmf/' greg
The more I dig into this, the more puzzled I grow.
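
Added example (not part of the original message or of lmi's install scripts): the generated line carries the hash between double quotes, so the shell that runs the generated script performs parameter expansion on `$1`, `$HjRcinT1` and the rest a second time. The sketch below replays that with the hash strings quoted above; the function names are hypothetical, `printf` stands in for `useradd`, and the generated text is fed to `sh` on stdin rather than written into the chroot.

```shell
#!/bin/sh
# Added example. Hash strings are copied from the output quoted in the message.
YESTERDAY='$1$irXaygJk$/bPP/s2keK3ch23UrfXmf/'
TODAY='$1$HjRcinT1$zVMljzLGLRDenLwa7OUgP0'
THIRD='$1$Zz/YeWiv$Fs8orLrKOMTHIubxnLd2Q.'

# Outer script's pattern: an unquoted heredoc writes the hash into the
# generated script between double quotes, and a second shell then runs it.
# Here the generated text is fed to 'sh' on stdin instead of a file in the
# chroot, and printf stands in for useradd to show the argument it receives.
as_generated() {
    pw_hash=$1
    sh <<EOF
printf '%s' --password="$pw_hash"
EOF
}

# Same generation step, but the generated script single-quotes the value, so
# the second shell performs no parameter expansion on it. This is safe for
# crypt(3) hashes because their alphabet contains no single quote.
as_generated_quoted() {
    pw_hash=$1
    sh <<EOF
printf '%s' --password='$pw_hash'
EOF
}

# Guard for a provisioning script: refuse a value that is not a complete
# MD5-crypt string ($1$<salt>$<22 characters>) before it reaches useradd.
is_md5_crypt() {
    printf '%s\n' "$1" | grep -Eq '^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$'
}

for h in "$YESTERDAY" "$TODAY" "$THIRD"; do
    printf 'hash:          %s\n' "$h"
    printf 'double-quoted: %s\n' "$(as_generated "$h")"
    printf 'single-quoted: %s\n\n' "$(as_generated_quoted "$h")"
done
```

For the two logged hashes, `as_generated` returns `--password=$/bPP/s2keK3ch23UrfXmf/` and `--password=`, the same arguments the `set -vx` trace lines show reaching `useradd`; how much survives depends on where `/` or `.` happens to fall in the salt and hash.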