Message ID | a13aae8e9670b5cb069379dee94735deb3663f21.1427223149.git.yann.morin.1998@free.fr |
---|---|
State | Changes Requested |
Thank you, Yann!

On 24/03/2015 19:54, Yann E. MORIN wrote:
> From: Lorenzo Catucci <lorenzo@sancho.ccd.uniroma2.it>
>
> Currently, there is only three possibilities regarding the root account:
> - it is enabled with no password (the default)
> - it is enabled, using a clear-text, user-provided password
> - it is disabled if the user sets the clear-text password to '*'
>
> This is deemed insufficient in many cases, especially when the .config
> file has to be published (e.g. for the GPL compliance, or any other
> reason.).
>
> Fix that in two ways:
>
> - add a bolean option that allows/diesaloows root login altogether,
>   which defaults to 'y' to keep backward compatibility;
>
> - accept already-encoded passwords, which we recognise as starting
>   with either of $1$, $5$ or $6$ (resp. for md5, sha256 or sha512).
>   For backward-compatibility, we stil accept '*' to disable the
>   account.
>

Works very well for me, especially since my primary need was a config option disabling root login; still, you summarized very well the reason I'd rather use a decent sha-512 encoded root password if I were to distribute my appliance's config file.

Thank you once more, yours

lorenzo

Dear Yann E. MORIN,

On Tue, 24 Mar 2015 19:54:16 +0100, Yann E. MORIN wrote:

> Currently, there is only three possibilities regarding the root account:
> - it is enabled with no password (the default)
> - it is enabled, using a clear-text, user-provided password
> - it is disabled if the user sets the clear-text password to '*'
>
> This is deemed insufficient in many cases, especially when the .config
> file has to be published (e.g. for the GPL compliance, or any other
> reason.).
>
> Fix that in two ways:
>
> - add a bolean option that allows/diesaloows root login altogether,

disallows.

>   which defaults to 'y' to keep backward compatibility;
>
> - accept already-encoded passwords, which we recognise as starting
>   with either of $1$, $5$ or $6$ (resp. for md5, sha256 or sha512).
>   For backward-compatibility, we stil accept '*' to disable the

still.

> @@ -70,9 +70,25 @@ TARGET_FINALIZE_HOOKS += SET_NETWORK > ifeq ($(BR2_ROOTFS_SKELETON_DEFAULT),y) > > define SYSTEM_ROOT_PASSWD > - [ -n "$(TARGET_GENERIC_ROOT_PASSWD)" ] && \ > - TARGET_GENERIC_ROOT_PASSWD_HASH=$$($(MKPASSWD) -m "$(TARGET_GENERIC_PASSWD_METHOD)" "$(TARGET_GENERIC_ROOT_PASSWD)"); \ > - $(SED) "s,^root:[^:]*:,root:$$TARGET_GENERIC_ROOT_PASSWD_HASH:," $(TARGET_DIR)/etc/shadow > + if [ "$(BR2_TARGET_ENABLE_ROOT_LOGIN)" = "y" ]; then \ > + case '$(TARGET_GENERIC_ROOT_PASSWD)' in \ > + ("") \ > + ROOT_PASSWD=""; \ > + ;; \ > + ("$$1$$"*|"$$5$$"*|"$$6$$"*) \ > + ROOT_PASSWD='$(TARGET_GENERIC_ROOT_PASSWD)'; \ > + ;; \ > + ('*') \ > + ROOT_PASSWD='*'; \ > + ;; \ > + (*) \ > + ROOT_PASSWD=$$($(MKPASSWD) -m "$(TARGET_GENERIC_PASSWD_METHOD)" "$(TARGET_GENERIC_ROOT_PASSWD)"); \ > + ;; \ > + esac; \ > + else \ > + ROOT_PASSWD='*'; \ > + fi; \ > + $(SED) "s,^root:[^:]*:,root:$${ROOT_PASSWD}:," $(TARGET_DIR)/etc/shadow Argh. Can we use make instead of turning Buildroot into a build system written in shell ? ifeq ($(BR2_TARGET_ENABLE_ROOT_LOGIN),) SYSTEM_ROOT_PASSWORD = * else ifeq ($(TARGET_GENERIC_ROOT_PASSWORD),) SYSTEM_ROOT_PASSWORD = # I believe we could simplify this, and assume that if the password # starts with $$, we have an already encoded password. else ifeq ($(or $(filter $$1$$%,$(TARGET_GENERIC_ROOT_PASSWORD)),$(filter $$5$$%,$(TARGET_GENERIC_ROOT_PASSWORD)),$(filter $$6$$%,$(TARGET_GENERIC_ROOT_PASSWORD))) SYSTEM_ROOT_PASSWORD = $(TARGET_GENERIC_ROOT_PASSWORD)) else ifeq ($(TARGET_GENERIC_ROOT_PASSWORD),*) SYSTEM_ROOT_PASSWORD = $(TARGET_GENERIC_ROOT_PASSWORD)) else SYSTEM_ROOT_PASSWORD = $(shell $(MKPASSWD) -m "$(TARGET_GENERIC_PASSWD_METHOD)" "$(TARGET_GENERIC_ROOT_PASSWD)") endif endif (Completely untested, of course). Thanks, Thomas
Thomas, All,

On 2015-04-10 22:39 +0200, Thomas Petazzoni spake thusly:
> On Tue, 24 Mar 2015 19:54:16 +0100, Yann E. MORIN wrote:
> > Currently, there is only three possibilities regarding the root account:
> > - it is enabled with no password (the default)
> > - it is enabled, using a clear-text, user-provided password
> > - it is disabled if the user sets the clear-text password to '*'
> >
> > This is deemed insufficient in many cases, especially when the .config
> > file has to be published (e.g. for the GPL compliance, or any other
> > reason.).
> >
> > Fix that in two ways:
> >
> > - add a bolean option that allows/diesaloows root login altogether,
>
> disallows.

OK.

> >   which defaults to 'y' to keep backward compatibility;
> >
> > - accept already-encoded passwords, which we recognise as starting
> >   with either of $1$, $5$ or $6$ (resp. for md5, sha256 or sha512).
> >   For backward-compatibility, we stil accept '*' to disable the
>
> still.

Well, I was wrong on that one: if the password is '*', it is crypt-encoded. We in fact could *not* use '*' to disable root login at all...

I'll rework that part, and since we now have the option to explicitly allow/disallow (without typo) root logins, recognising that magic value is not needed.

> > @@ -70,9 +70,25 @@ TARGET_FINALIZE_HOOKS += SET_NETWORK > > ifeq ($(BR2_ROOTFS_SKELETON_DEFAULT),y) > > > > define SYSTEM_ROOT_PASSWD > > - [ -n "$(TARGET_GENERIC_ROOT_PASSWD)" ] && \ > > - TARGET_GENERIC_ROOT_PASSWD_HASH=$$($(MKPASSWD) -m "$(TARGET_GENERIC_PASSWD_METHOD)" "$(TARGET_GENERIC_ROOT_PASSWD)"); \ > > - $(SED) "s,^root:[^:]*:,root:$$TARGET_GENERIC_ROOT_PASSWD_HASH:," $(TARGET_DIR)/etc/shadow > > + if [ "$(BR2_TARGET_ENABLE_ROOT_LOGIN)" = "y" ]; then \ > > + case '$(TARGET_GENERIC_ROOT_PASSWD)' in \ > > + ("") \ > > + ROOT_PASSWD=""; \ > > + ;; \ > > + ("$$1$$"*|"$$5$$"*|"$$6$$"*) \ > > + ROOT_PASSWD='$(TARGET_GENERIC_ROOT_PASSWD)'; \ > > + ;; \ > > + ('*') \ > > + ROOT_PASSWD='*'; \ > > + ;; \ > > + (*) \ > > + ROOT_PASSWD=$$($(MKPASSWD) -m "$(TARGET_GENERIC_PASSWD_METHOD)" "$(TARGET_GENERIC_ROOT_PASSWD)"); \ > > + ;; \ > > + esac; \ > > + else \ > > + ROOT_PASSWD='*'; \ > > + fi; \ > > + $(SED) "s,^root:[^:]*:,root:$${ROOT_PASSWD}:," $(TARGET_DIR)/etc/shadow > > Argh. Can we use make instead of turning Buildroot into a build system > written in shell ? > > ifeq ($(BR2_TARGET_ENABLE_ROOT_LOGIN),) > SYSTEM_ROOT_PASSWORD = * > else > ifeq ($(TARGET_GENERIC_ROOT_PASSWORD),) > SYSTEM_ROOT_PASSWORD = > # I believe we could simplify this, and assume that if the password > # starts with $$, we have an already encoded password. > else ifeq ($(or $(filter $$1$$%,$(TARGET_GENERIC_ROOT_PASSWORD)),$(filter $$5$$%,$(TARGET_GENERIC_ROOT_PASSWORD)),$(filter $$6$$%,$(TARGET_GENERIC_ROOT_PASSWORD))) > SYSTEM_ROOT_PASSWORD = $(TARGET_GENERIC_ROOT_PASSWORD)) > else ifeq ($(TARGET_GENERIC_ROOT_PASSWORD),*) > SYSTEM_ROOT_PASSWORD = $(TARGET_GENERIC_ROOT_PASSWORD)) > else > SYSTEM_ROOT_PASSWORD = $(shell $(MKPASSWD) -m "$(TARGET_GENERIC_PASSWD_METHOD)" "$(TARGET_GENERIC_ROOT_PASSWD)") > endif > endif > > (Completely untested, of course). OK, will try to make it work (hint: it does not right now: missing operand to the ifeq for md5/sha256/sha512 case). ;-) Regards, Yann E. 
MORIN.
diff --git a/system/Config.in b/system/Config.in index 8621def..17a626b 100644 --- a/system/Config.in +++ b/system/Config.in @@ -179,26 +179,36 @@ endif if BR2_ROOTFS_SKELETON_DEFAULT +config BR2_TARGET_ENABLE_ROOT_LOGIN + bool "Enable root login" + default "y" + help + Enable root login password + config BR2_TARGET_GENERIC_ROOT_PASSWD string "Root password" default "" + depends on BR2_TARGET_ENABLE_ROOT_LOGIN help - Set the initial root password (in clear). It will be md5-encrypted. + Set the initial root password. If set to empty (the default), then no root password will be set, and root will need no password to log in. - WARNING! WARNING! - Although pretty strong, MD5 is now an old hash function, and - suffers from some weaknesses, which makes it susceptible to attacks. - It is showing its age, so this root password should not be trusted - to properly secure any product that can be shipped to the wide, - hostile world. + If the password starts with any of $1$, $5$ or $6$, it is considered + to be already crypt-encoded with respectively md5, sha256 or sha512. + Any other value is taken to be a clear-text value, and is crypt-encoded + as per the "Passwords encoding" scheme, above. + + Note: "$" signs in the hashed password must be doubled. For example, + if the hashed password is "$1$longsalt$v35DIIeMo4yUfI23yditq0", then + you must enter it as "$$1$$longsalt$$v35DIIeMo4yUfI23yditq0". WARNING! WARNING! - The password appears in clear in the .config file, and may appear + The password appears as-is in the .config file, and may appear in the build log! Avoid using a valuable password if either the - .config file or the build log may be distributed! + .config file or the build log may be distributed, or at the + very least use a strong cryptographic hash for your password! choice bool "/bin/sh" diff --git a/system/system.mk b/system/system.mk index 4a1eb4a..2ac5d08 100644 --- a/system/system.mk +++ b/system/system.mk 
@@ -34,7 +34,7 @@ endef TARGET_FINALIZE_HOOKS += SYSTEM_ISSUE endif -ifneq ($(TARGET_GENERIC_ROOT_PASSWD),) +ifneq ($(BR2_TARGET_ENABLE_ROOT_LOGIN),) TARGETS += host-mkpasswd endif @@ -70,9 +70,25 @@ TARGET_FINALIZE_HOOKS += SET_NETWORK ifeq ($(BR2_ROOTFS_SKELETON_DEFAULT),y) define SYSTEM_ROOT_PASSWD - [ -n "$(TARGET_GENERIC_ROOT_PASSWD)" ] && \ - TARGET_GENERIC_ROOT_PASSWD_HASH=$$($(MKPASSWD) -m "$(TARGET_GENERIC_PASSWD_METHOD)" "$(TARGET_GENERIC_ROOT_PASSWD)"); \ - $(SED) "s,^root:[^:]*:,root:$$TARGET_GENERIC_ROOT_PASSWD_HASH:," $(TARGET_DIR)/etc/shadow + if [ "$(BR2_TARGET_ENABLE_ROOT_LOGIN)" = "y" ]; then \ + case '$(TARGET_GENERIC_ROOT_PASSWD)' in \ + ("") \ + ROOT_PASSWD=""; \ + ;; \ + ("$$1$$"*|"$$5$$"*|"$$6$$"*) \ + ROOT_PASSWD='$(TARGET_GENERIC_ROOT_PASSWD)'; \ + ;; \ + ('*') \ + ROOT_PASSWD='*'; \ + ;; \ + (*) \ + ROOT_PASSWD=$$($(MKPASSWD) -m "$(TARGET_GENERIC_PASSWD_METHOD)" "$(TARGET_GENERIC_ROOT_PASSWD)"); \ + ;; \ + esac; \ + else \ + ROOT_PASSWD='*'; \ + fi; \ + $(SED) "s,^root:[^:]*:,root:$${ROOT_PASSWD}:," $(TARGET_DIR)/etc/shadow endef TARGET_FINALIZE_HOOKS += SYSTEM_ROOT_PASSWD
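Review bot: in the system/Config.in hunk, the help text of the new BR2_TARGET_ENABLE_ROOT_LOGIN option ("Enable root login password") does not say what switching it off does. Going by the system.mk change, "n" writes '*' into root's shadow password field and hides the password option, so the help should state that root password login is then disabled. The bool default is written as `default "y"`; the unquoted `default y` is the usual form. The reworded BR2_TARGET_GENERIC_ROOT_PASSWD help also lists the $1$, $5$ and $6$ prefixes but not the literal '*' value that the case statement in system.mk passes through unhashed.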
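Review bot: in the first system/system.mk hunk (@@ -34,7 +34,7), the test guarding `TARGETS += host-mkpasswd` changes from a non-empty TARGET_GENERIC_ROOT_PASSWD to BR2_TARGET_ENABLE_ROOT_LOGIN being set, so host-mkpasswd is now built whenever root login is enabled, including for an empty, '*' or already-hashed password, none of which reach $(MKPASSWD) in the case statement of the next hunk. Keep the non-empty-password test alongside the new one so the host tool is only built when a clear-text password actually has to be hashed.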
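Review bot: in the SYSTEM_ROOT_PASSWD hunk (@@ -70,9 +70,25), the `(*)` branch assigns ROOT_PASSWD from `$$($(MKPASSWD) ...)` and continues with `;`, so when mkpasswd fails or prints nothing ROOT_PASSWD is empty and the $(SED) line writes an empty password field, the same result as the `("")` branch: root logs in with no password. Check the result before running $(SED), for example by appending `|| exit 1` to the assignment or by testing that ROOT_PASSWD is non-empty. Separately, the patterns `"$$1$$"*|"$$5$$"*|"$$6$$"*` reach the shell double-quoted as "$1$", "$5$" and "$6$", where $1, $5 and $6 are expanded as (empty) positional parameters, so the branch matches any value beginning with "$" rather than only the three crypt prefixes; single-quoting the patterns keeps them literal.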