extrausers-bbclass: plaintext password (since shadow update to 4.9)
Matthias Klein
Hello,

I am trying to find a working alternative for the old -P option.

Previous:

    EXTRA_USERS_PARAMS = "usermod -P toor root;"

The suggestions from this thread don't seem to work:
https://lists.openembedded.org/g/openembedded-core/topic/84548199

Current:

    hash="$(python3 -c "import crypt; print(crypt.crypt('toor', crypt.METHOD_SHA512))")"
    EXTRA_USERS_PARAMS = "usermod -p ${hash} root;"

The hashed password does not seem to be escaped properly in the extrausers-bbclass. The password in the shadow file is missing $ characters.

Is there a way (with the current master branch) to define a password?

Many greetings,
Matthias
Markus Volk
I also have problems with setting passwords in the current master
branch. I can only provide a hacky workaround. I added the
following lines to my image recipe to inject the passwords
manually after rootfs creation:
On 30.08.21 at 14:54, Matthias Klein wrote:
> Hello,
>
> I am trying to find a working alternative for the old -P option.
>
> Previous:
>
>     EXTRA_USERS_PARAMS = "usermod -P toor root;"
>
> The suggestions from this thread don't seem to work:
> https://lists.openembedded.org/g/openembedded-core/topic/84548199
>
> Current:
>
>     hash="$(python3 -c "import crypt; print(crypt.crypt('toor', crypt.METHOD_SHA512))")"
>     EXTRA_USERS_PARAMS = "usermod -p ${hash} root;"
>
> The hashed password does not seem to be escaped properly in the extrausers-bbclass. The password in the shadow file is missing $ characters.
>
> Is there a way (with the current master branch) to define a password?
>
> Many greetings,
> Matthias
Peter Bergin
On 2021-08-30 14:54, Matthias Klein wrote:
> Hello,

You have to escape the password string in the recipe. Use '\\\$' to escape the '$' token. There are some levels of evaluation of the expression and that's the reason for multiple '\'. Just iterate until you have the correct string in the shadow file, also check the log.do_rootfs where you can see the parameters to usermod.

/Peter
Matthias Klein
Hello Markus,
thanks for the workaround! Works great.

Many greetings,
Matthias

From: Markus Volk <f_l_k@...>
Sent: Monday, 30 August 2021 20:46
To: Matthias Klein <matthias.klein@...>
Cc: yocto@...
Subject: Re: [yocto] extrausers-bbclass: plaintext password (since shadow update to 4.9)

> I also have problems with setting passwords in current master branch. I only can provide a hacky workaround. I added the following lines to my image recipe to inject the passwords manually after rootfs creation:
>
>     RETRO_USER_PASSWORD ?= "retro"
>     ROOT_USER_PASSWORD ?= "root"
>
>     ROOTFS_POSTPROCESS_COMMAND += "set_root_passwd;"
>     ROOTFS_POSTPROCESS_COMMAND += "set_retro_passwd;"
>
>     set_root_passwd() {
>         ROOTPW_ENCRYPTED="$(openssl passwd -6 -salt xyz ${ROOT_USER_PASSWORD})"
>         sed -i "s%^root:[^:]*:%root:${ROOTPW_ENCRYPTED}:%" ${IMAGE_ROOTFS}/etc/shadow
>     }
>
>     set_retro_passwd() {
>         RETROPW_ENCRYPTED="$(openssl passwd -6 -salt xyz ${RETRO_USER_PASSWORD})"
>         sed -i "s%^retro:[^:]*:%retro:${RETROPW_ENCRYPTED}:%" ${IMAGE_ROOTFS}/etc/shadow
>     }
>
> On 30.08.21 at 14:54, Matthias Klein wrote:
> > Hello,
> >
> > I am trying to find a working alternative for the old -P option.
> >
> > Previous:
> >
> >     EXTRA_USERS_PARAMS = "usermod -P toor root;"
> >
> > The suggestions from this thread don't seem to work:
> > https://lists.openembedded.org/g/openembedded-core/topic/84548199
> >
> > Current:
> >
> >     hash="$(python3 -c "import crypt; print(crypt.crypt('toor', crypt.METHOD_SHA512))")"
> >     EXTRA_USERS_PARAMS = "usermod -p ${hash} root;"
> >
> > The hashed password does not seem to be escaped properly in the extrausers-bbclass. The password in the shadow file is missing $ characters.
> >
> > Is there a way (with the current master branch) to define a password?
> >
> > Many greetings,
> > Matthias
Matthias Klein
Hello Peter,
I have already tried many things to pass the hash escaped to the extrausers-bbclass. But I have not found a way to set the password with EXTRA_USERS_PARAMS.

Do you know a working variant?

Many greetings,
Matthias

-----Original Message-----
From: Peter Bergin <peter@...>
Sent: Monday, 30 August 2021 22:52
To: Matthias Klein <matthias.klein@...>; yocto@...
Subject: Re: [yocto] extrausers-bbclass: plaintext password (since shadow update to 4.9)

> On 2021-08-30 14:54, Matthias Klein wrote:
> > Hello,
>
> You have to escape the password string in the recipe. Use '\\\$' to escape the '$' token. There are some levels of evaluation of the expression and that's the reason for multiple '\'. Just iterate until you have the correct string in the shadow file, also check the log.do_rootfs where you can see the parameters to usermod.
>
> /Peter
Peter Bergin
Hi Matthias,
On 2021-08-31 09:03, Matthias Klein wrote:
> But I have not found a way to set the password with EXTRA_USERS_PARAMS.

Is it a requirement that you need to regenerate the hash on every build? If not one solution can be:

    inherit extrausers

    #
    # HASH generated with this command:
    # python3 -c "import crypt; print(crypt.crypt('toor', crypt.METHOD_SHA512))"
    #
    HASH = "\\\$6\\\$8Z5vMcqCIB19PgY8\\\$Sv4kAfsH1k.SANHL5JVb6hdqmQWHOeH0Rjrjyii7fGAK20Gclj/.qiBvUPnAfh.WSsr1.XV0pUNom2L9oYYDV/"

    EXTRA_USERS_PARAMS = " \
        usermod -p ${HASH} root; \
        "

Best regards,
/Peter
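Added example, not part of the original thread or of extrausers.bbclass: a Python helper that writes a SHA-512 crypt hash in the '\\\$' form used for HASH above, and a check for the password field of an image's etc/shadow that catches the "missing $ characters" symptom. The function names, the status strings and the aging fields in the sample shadow lines are constructed for illustration, and expand_unset is only a simplified model of one shell expansion pass, not the class's actual evaluation chain.

```python
import re

# SHA-512 crypt field: $6$[rounds=N$]salt(1-16)$digest(86 chars).
SHA512_CRYPT = re.compile(
    r"^\$6\$(?:rounds=\d+\$)?[A-Za-z0-9./]{1,16}\$[A-Za-z0-9./]{86}$")

# Hash posted in the thread (password 'toor'), in its unescaped form.
THREAD_HASH = ("$6$8Z5vMcqCIB19PgY8$Sv4kAfsH1k.SANHL5JVb6hdqmQWHOeH0Rjrjyii7"
               "fGAK20Gclj/.qiBvUPnAfh.WSsr1.XV0pUNom2L9oYYDV/")


def bitbake_escape(crypt_hash):
    # Write every '$' as backslash-backslash-backslash-dollar, the form the
    # thread uses for HASH; refuse input that is not a complete $6$ hash.
    if not SHA512_CRYPT.match(crypt_hash):
        raise ValueError("not a well-formed $6$ hash")
    return crypt_hash.replace("$", r"\\\$")


def expand_unset(text):
    # Assumption: simplified model of ONE shell expansion pass with nothing
    # set, so "$6", "$8" and "$Name" each expand to the empty string.
    return re.sub(r"\$(?:[0-9]|[A-Za-z_][A-Za-z0-9_]*)", "", text)


def check_shadow(shadow_text, user):
    # Classify the password field of `user` in the text of an etc/shadow file.
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or fields[0] != user:
            continue
        pw = fields[1]
        if pw == "":
            return "empty"        # account has no password at all
        if pw[0] in "!*":
            return "locked"
        return "ok" if SHA512_CRYPT.match(pw) else "malformed"
    return "missing"


if __name__ == "__main__":
    tail = ":18870:0:99999:7:::"  # constructed aging fields
    print("HASH =", '"%s"' % bitbake_escape(THREAD_HASH))
    print(check_shadow("root:" + THREAD_HASH + tail, "root"))
    print(check_shadow("root:" + expand_unset(THREAD_HASH) + tail, "root"))
```

Feeding check_shadow the contents of ${IMAGE_ROOTFS}/etc/shadow after do_rootfs turns the "iterate until the string is correct" advice into a pass/fail check; anything other than "ok" for root means the hash did not survive the build.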
Matthias Klein
Hello Peter,
thanks for the solution!

Many greetings,
Matthias

-----Original Message-----
From: Peter Bergin <peter@...>
Sent: Tuesday, 31 August 2021 09:45
To: Matthias Klein <matthias.klein@...>; yocto@...
Subject: Re: [yocto] extrausers-bbclass: plaintext password (since shadow update to 4.9)

> Hi Matthias,
>
> On 2021-08-31 09:03, Matthias Klein wrote:
> > But I have not found a way to set the password with EXTRA_USERS_PARAMS.
>
> Is it a requirement that you need to regenerate the hash on every build? If not one solution can be:
>
>     inherit extrausers
>
>     #
>     # HASH generated with this command:
>     # python3 -c "import crypt; print(crypt.crypt('toor', crypt.METHOD_SHA512))"
>     #
>     HASH = "\\\$6\\\$8Z5vMcqCIB19PgY8\\\$Sv4kAfsH1k.SANHL5JVb6hdqmQWHOeH0Rjrjyii7fGAK20Gclj/.qiBvUPnAfh.WSsr1.XV0pUNom2L9oYYDV/"
>
>     EXTRA_USERS_PARAMS = " \
>         usermod -p ${HASH} root; \
>         "
>
> Best regards,
> /Peter