extrausers-bbclass: plaintext password (since shadow update to 4.9)


Matthias Klein
 

Hello,

I am trying to find a working alternative for the old -P option.

Previous:
EXTRA_USERS_PARAMS = "usermod -P toor root;"

The suggestions from this thread don't seem to work: https://lists.openembedded.org/g/openembedded-core/topic/84548199

Current:
hash="$(python3 -c "import crypt; print(crypt.crypt('toor', crypt.METHOD_SHA512))")"
EXTRA_USERS_PARAMS = "usermod -p ${hash} root;"

The hashed password does not seem to be escaped properly in the extrausers-bbclass. The password in the shadow file is missing $ characters.

Is there a way (with the current master branch) to define a password?

Many greetings,
Matthias


Markus Volk
 

I also have problems with setting passwords in current master branch. I can only provide a hacky workaround. I added the following lines to my image recipe to inject the passwords manually after rootfs creation:

    RETRO_USER_PASSWORD ?= "retro"
    ROOT_USER_PASSWORD ?= "root"
    ROOTFS_POSTPROCESS_COMMAND += "set_root_passwd;"
    ROOTFS_POSTPROCESS_COMMAND += "set_retro_passwd;"

    # Hash the plaintext password (SHA-512 crypt, fixed salt "xyz") and
    # write it into root's password field in the image's /etc/shadow.
    set_root_passwd() {
       ROOTPW_ENCRYPTED="$(openssl passwd -6 -salt xyz "${ROOT_USER_PASSWORD}")"
       sed -i "s%^root:[^:]*:%root:${ROOTPW_ENCRYPTED}:%" "${IMAGE_ROOTFS}/etc/shadow"
    }

    # Same for the "retro" user.
    set_retro_passwd() {
       RETROPW_ENCRYPTED="$(openssl passwd -6 -salt xyz "${RETRO_USER_PASSWORD}")"
       sed -i "s%^retro:[^:]*:%retro:${RETROPW_ENCRYPTED}:%" "${IMAGE_ROOTFS}/etc/shadow"
    }




Peter Bergin
 

On 2021-08-30 14:54, Matthias Klein wrote:

> Hello,
>
> I am trying to find a working alternative for the old -P option.
>
> Previous:
> EXTRA_USERS_PARAMS = "usermod -P toor root;"
>
> The suggestions from this thread don't seem to work: https://lists.openembedded.org/g/openembedded-core/topic/84548199
>
> Current:
> hash="$(python3 -c "import crypt; print(crypt.crypt('toor', crypt.METHOD_SHA512))")"
> EXTRA_USERS_PARAMS = "usermod -p ${hash} root;"
>
> The hashed password does not seem to be escaped properly in the extrausers-bbclass. The password in the shadow file is missing $ characters.
>
> Is there a way (with the current master branch) to define a password?

You have to escape the password string in the recipe. Use '\\\$' to escape the '$' token. There are some levels of evaluation of the expression and that's the reason for multiple '\'. Just iterate until you have the correct string in the shadow file, also check the log.do_rootfs where you can see the parameters to usermod.

/Peter


Matthias Klein
 

Hello Markus,

thanks for the workaround!
Works great.

Many greetings,
Matthias


From: Markus Volk <f_l_k@...>
Sent: Monday, 30 August 2021 20:46
To: Matthias Klein <matthias.klein@...>
Cc: yocto@...
Subject: Re: [yocto] extrausers-bbclass: plaintext password (since shadow update to 4.9)



Matthias Klein
 

Hello Peter,

I have already tried many things to pass the hash escaped to the extrausers-bbclass.

But I have not found a way to set the password with EXTRA_USERS_PARAMS.
Do you know a working variant?

Many greetings,
Matthias

-----Original Message-----
From: Peter Bergin <peter@...>
Sent: Monday, 30 August 2021 22:52
To: Matthias Klein <matthias.klein@...>; yocto@...
Subject: Re: [yocto] extrausers-bbclass: plaintext password (since shadow update to 4.9)



Peter Bergin
 

Hi Matthias,

On 2021-08-31 09:03, Matthias Klein wrote:

> But I have not found a way to set the password with EXTRA_USERS_PARAMS.
> Do you know a working variant?

Is it a requirement that you need to regenerate the hash on every build? If not one solution can be:

    inherit extrausers

    #
    # HASH generated with this command:
    # python3 -c "import crypt; print(crypt.crypt('toor', crypt.METHOD_SHA512))"
    #
    HASH = "\\\$6\\\$8Z5vMcqCIB19PgY8\\\$Sv4kAfsH1k.SANHL5JVb6hdqmQWHOeH0Rjrjyii7fGAK20Gclj/.qiBvUPnAfh.WSsr1.XV0pUNom2L9oYYDV/"

    EXTRA_USERS_PARAMS = " \
       usermod -p ${HASH} root; \
    "

Best regards,
/Peter
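
The check suggested in this thread (compare the string that ends up in the shadow file) can be automated. The following is an added example, not code from the thread or from the extrausers class: it produces the `\\\$`-escaped form used for HASH in the recipe above and audits shadow entries for password fields that lost their `$` separators or hold plaintext. The function names, the user names other than root, and the sample shadow lines are constructed for illustration.

```python
import re

# Modular-crypt field as stored in /etc/shadow: $id$[rounds=N$]salt$digest
CRYPT_RE = re.compile(
    r"^\$(?P<id>[0-9a-z]+)\$(?:rounds=\d+\$)?"
    r"(?P<salt>[./0-9A-Za-z]{1,16})\$(?P<digest>[./0-9A-Za-z]+)$"
)
DIGEST_LEN = {"5": 43, "6": 86}  # sha256crypt and sha512crypt digest lengths


def escape_for_extrausers(crypt_hash):
    # Each '$' becomes '\\\$' (three backslashes), as in the HASH line above.
    return crypt_hash.replace("$", r"\\\$")


def classify_shadow_field(field):
    if field == "":
        return "empty"        # account can log in without a password
    if field[0] in "!*":
        return "locked"
    m = CRYPT_RE.match(field)
    if m and len(m["digest"]) == DIGEST_LEN.get(m["id"], len(m["digest"])):
        return "ok"
    return "malformed"        # plaintext, or a hash whose '$' were eaten


def audit_shadow(text):
    # Map user name -> classification of the password field (2nd column).
    result = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2:
            result[parts[0]] = classify_shadow_field(parts[1])
    return result


# Hash of 'toor' quoted in the thread, without the recipe escaping.
PAGE_HASH = ("$6$8Z5vMcqCIB19PgY8$Sv4kAfsH1k.SANHL5JVb6hdqmQWHOeH0Rjrjyii7fGAK"
             "20Gclj/.qiBvUPnAfh.WSsr1.XV0pUNom2L9oYYDV/")

# Constructed shadow content: a good entry, one with '$' stripped, plaintext.
SAMPLE_SHADOW = "\n".join([
    "root:" + PAGE_HASH + ":18870:0:99999:7:::",
    "broken:" + PAGE_HASH.replace("$", "") + ":18870:0:99999:7:::",
    "plain:toor:18870:0:99999:7:::",
    "daemon:*:18870:0:99999:7:::",
    "guest::18870:0:99999:7:::",
])

if __name__ == "__main__":
    print('HASH = "%s"' % escape_for_extrausers(PAGE_HASH))
    for user, state in audit_shadow(SAMPLE_SHADOW).items():
        print(user, state)
```

Run `audit_shadow` over the contents of `${IMAGE_ROOTFS}/etc/shadow` after do_rootfs; any `malformed` or `empty` entry means the password did not survive the evaluation levels intact.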


Matthias Klein
 

Hello Peter,

thanks for the solution!

Many greetings,
Matthias

-----Original Message-----
From: Peter Bergin <peter@...>
Sent: Tuesday, 31 August 2021 09:45
To: Matthias Klein <matthias.klein@...>; yocto@...
Subject: Re: [yocto] extrausers-bbclass: plaintext password (since shadow update to 4.9)
