From patchwork Sat Jan 5 14:52:03 2013
X-Patchwork-Submitter: "Yann E. MORIN"
X-Patchwork-Id: 209680
From: "Yann E. MORIN"
To: buildroot@busybox.net
Cc: "Yann E. MORIN"
Date: Sat, 5 Jan 2013 15:52:03 +0100
Message-Id: <72dbc53320e890cc9e5f3838a9d93186656964af.1357397453.git.yann.morin.1998@free.fr>
Subject: [Buildroot] [PATCH 2/2] target: add different methods to encode passwords

Passwords can be encoded in different ways (from the weakest to the
strongest): des, md5, sha-256, sha-512

Add a choice entry to select the method, defaulting to 'md5'.

Signed-off-by: "Yann E. MORIN" Tested-by: Gustavo Zacarias --- Previously, this was specific to encode the root password. I have made it generic (ie. not root-specific), in case buildroot needs to encode other passwords in the future (eg. when packages can create users, for which I've just sent an RFC) --- system/Config.in | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ system/system.mk | 3 ++- 2 files changed, 56 insertions(+), 1 deletions(-) diff --git a/system/Config.in b/system/Config.in index 19bdd2d..69863c4 100644 --- a/system/Config.in +++ b/system/Config.in 
@@ -13,6 +13,60 @@ config BR2_TARGET_GENERIC_ISSUE Select system banner (/etc/issue) to be displayed at login. choice + bool "Passwords encoding" + default BR2_TARGET_GENERIC_PASSWD_MD5 + help + Choose the password encoding scheme to use when Buildroot + needs to encode a password (eg. the root password, below). + + Note: this is used at build-time, and *not* at runtime. + +config BR2_TARGET_GENERIC_PASSWD_DES + bool "des" + help + Use standard 56-bit DES-based crypt(3) to encode passwords. + + Old, wildly available, but also the weakest, very susceptible to + brute-force attacks. + +config BR2_TARGET_GENERIC_PASSWD_MD5 + bool "md5" + help + Use MD5 to encode passwords. + + The default. Wildly available, and pretty good. + Although pretty strong, MD5 is now an old hash function, and + suffers from some weaknesses, which makes it susceptible to + brute-force attacks. + +config BR2_TARGET_GENERIC_PASSWD_SHA256 + bool "sha-256" + help + Use SHA256 to encode passwords. + + Very strong, but not ubiquitous, although available in glibc + for some time now. Choose only if you are sure your C library + understands SHA256 passwords. + +config BR2_TARGET_GENERIC_PASSWD_SHA512 + bool "sha-512" + help + Use SHA512 to encode passwords. + + Extremely strong, but not ubiquitous, although available in glibc + for some time now. Choose only if you are sure your C library + understands SHA512 passwords. + +endchoice # Passwd encoding + +config BR2_TARGET_GENERIC_PASSWD_METHOD + string + default "des" if BR2_TARGET_GENERIC_PASSWD_DES + default "md5" if BR2_TARGET_GENERIC_PASSWD_MD5 + default "sha-256" if BR2_TARGET_GENERIC_PASSWD_SHA256 + default "sha-512" if BR2_TARGET_GENERIC_PASSWD_SHA512 + +choice prompt "/dev management" default BR2_ROOTFS_DEVICE_CREATION_STATIC diff --git a/system/system.mk b/system/system.mk index 651f7df..4e131b0 100644 --- a/system/system.mk +++ b/system/system.mk 
@@ -1,8 +1,9 @@ TARGET_GENERIC_HOSTNAME:=$(call qstrip,$(BR2_TARGET_GENERIC_HOSTNAME)) TARGET_GENERIC_ISSUE:=$(call qstrip,$(BR2_TARGET_GENERIC_ISSUE)) TARGET_GENERIC_ROOT_PASSWD:=$(call qstrip,$(BR2_TARGET_GENERIC_ROOT_PASSWD)) +TARGET_GENERIC_PASSWD_METHOD:=$(call qstrip,$(BR2_TARGET_GENERIC_PASSWD_METHOD)) ifneq ($(TARGET_GENERIC_ROOT_PASSWD),) -TARGET_GENERIC_ROOT_PASSWD_HASH=$(shell mkpasswd -m md5 "$(TARGET_GENERIC_ROOT_PASSWD)") +TARGET_GENERIC_ROOT_PASSWD_HASH=$(shell mkpasswd -m "$(TARGET_GENERIC_PASSWD_METHOD)" "$(TARGET_GENERIC_ROOT_PASSWD)") endif TARGET_GENERIC_GETTY:=$(call qstrip,$(BR2_TARGET_GENERIC_GETTY_PORT)) TARGET_GENERIC_GETTY_BAUDRATE:=$(call qstrip,$(BR2_TARGET_GENERIC_GETTY_BAUDRATE))
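Review bot: in the system/Config.in hunk, the help for BR2_TARGET_GENERIC_PASSWD_MD5 calls md5 "pretty good" and "pretty strong" and in the same paragraph says it is susceptible to brute-force attacks, while the choice makes it the default. Suggest the help state the trade-off plainly: md5 is the default because it is widely available, and sha-256 or sha-512 is the better pick whenever the target C library understands it. "Wildly available" in the des and md5 help should read "Widely available". The sha-256 and sha-512 entries leave C library support entirely to the user ("Choose only if you are sure your C library understands ..."); if that capability can be expressed as a dependency, a depends on line would keep an unsupported method from being selected at all.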
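Review bot: in the system/system.mk hunk, the new TARGET_GENERIC_ROOT_PASSWD_HASH line still places "$(TARGET_GENERIC_ROOT_PASSWD)" inside double quotes in a $(shell ...) call, so a password containing $, a backquote, a double quote or a backslash is interpreted by the shell before mkpasswd sees it, and the clear-text password sits on the mkpasswd command line on the build host. The removed -m md5 line had the same quoting, but since the line is being rewritten this is a good place to fix it, for example by having mkpasswd read the password from standard input. The result is also not checked: if the host mkpasswd does not know the method named by TARGET_GENERIC_PASSWD_METHOD, the variable expands to an empty string with no error raised here. Because the assignment uses = rather than :=, mkpasswd is run again on every expansion of the variable, which is worth a comment if it is intended.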