[poky] Default root password without 'debug-tweaks'?
Bryan Evenson
bevenson at melinkcorp.com
Mon Aug 5 06:59:05 PDT 2013
> -----Original Message-----
> From: ChenQi [mailto:Qi.Chen at windriver.com]
> Sent: Thursday, August 01, 2013 10:35 PM
> To: Bryan Evenson
> Cc: poky at yoctoproject.org
> Subject: Re: [poky] Default root password without 'debug-tweaks'?
>
> On 08/01/2013 11:27 PM, Bryan Evenson wrote:
> > All,
> >
> > I'm having some issues with setting the root password. My image is
> > based off of core-image-minimal, which uses TinyLogin for password
> > management. First, I tried getting the encrypted password by setting
> > root's password and seeing what it looked like in /etc/shadow.
> > However, it looks like more information than what is shown in
> > /etc/shadow is used to encrypt the password, because the encrypted
> > password is different each time.
> >
> > For example, I have a new image that was created with 'debug-tweaks' on,
> > so root has a blank password. From /etc/shadow:
> >
> > root::15918:0:99999:7:::
> >
> > showing root has no password. If I change root's password to
> > "password", I get:
> >
> > root:bZMfmHD5uJ3l6:15918:0:99999:7:::
> >
> > If I change root's password to "password" again, I get:
> >
> > root:CiwTL1eJx70ps:15918:0:99999:7:::
> >
> > So at this time I do not know how to get the encrypted password. And
> > also related to the password, it looks like TinyLogin limits the
> > password to 8 characters. You can type something more than 8
> > characters for your password, but it will only use the first 8
> > characters. I'd like to be able to use a slightly stronger password.
> > So my questions are:
> >
> > * Is there a different password manager package that I can use that
> > doesn't have the 8 character limit? I see that Busybox has password
> > management, but I don't yet know if it has the same limitation.
>
> Tinylogin has been deprecated and officially removed from Yocto. We now
> use busybox as a replacement. It doesn't have 8-char limitation, as far
> as I know.
>
> > * If there is another one to use, how do I ensure TinyLogin is not
> > installed?
>
> If you're using Dylan, perhaps you need to backport relevant patches
> ...
>
> http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=ChenQi/busybox-fixes
> (9 patches)
> http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=ChenQi/busybox-on-device-upgrade
> (1 patch)
>
> > * With the other password manager, how do I get the encrypted
> > password to insert in the EXTRA_USER_PARAMS feature?
>
> The user interface remains all the same with tinylogin.
>
> Best Regards,
> Chen Qi
Chen Qi,
I think I'm still missing something. I applied the 10 listed patches to my poky/dylan build environment; I had to make minor tweaks to the patches (adjust the before/after text on some patches) but overall they applied cleanly. I verified that the Busybox configuration now has a number of options set under the "Login/Password Management Utilities" section under menuconfig. I also verified the new image is not using Tinylogin for password management.

However, my two original problems remain. The encrypted password shown in /etc/shadow uses some extra information that I don't know about, as the same password does not encrypt to the same value on successive attempts. Also, only the first 8 characters are used for the password. For my test, I changed root's password to "password" twice. On the two occasions, the encrypted passwords shown in /etc/shadow for root were different. I then changed root's password to "passwordplus" and logged out; I then successfully logged in just typing "password" for the password.

Are there some other settings I'm missing to use longer passwords? And how do I get the encrypted password to use for the EXTRA_USER_PARAMS feature?

Thanks,
Bryan
>
> > * The TinyLogin package is using the source code that was last
> > updated in 2003, and the TinyLogin web page as directed from the
> > package script states: "TinyLogin was merged into BusyBox, current
> > sources can thus be checked out via BusyBox." Should the TinyLogin
> > package be removed from core-image-minimal and BusyBox password
> > management turned on to use more recent sources?
> >
> > Regards,
> > Bryan
> >
> >> -----Original Message-----
> >> From: poky-bounces at yoctoproject.org [mailto:poky-
> >> bounces at yoctoproject.org] On Behalf Of ChenQi
> >> Sent: Friday, July 26, 2013 1:44 AM
> >> To: poky at yoctoproject.org
> >> Subject: Re: [poky] Default root password without 'debug-tweaks'?
> >>
> >> On 07/25/2013 08:28 PM, Bryan Evenson wrote:
> >>> Paul,
> >>>
> >>> From looking at the patch series Chen Qi recently posted about the
> >>> EXTRA_USER_PARAMS, one could do the following in your local.conf:
> >>>
> >>> require conf/distro/include/security_flags.inc
> >> The above line is not needed for this feature.
> >>
> >>> INHERIT += "extrausers"
> >>> EXTRA_USERS_PARAMS = "\
> >>>     usermod -p 'encrypted_password' root; \
> >>>     "
> >>>
> >>> If I understand correctly, that should change the root password to the
> >>> listed encrypted password. But that still leaves the problem of
> >>> getting the encrypted root password. Changing the password on the
> >>> hardware and then viewing the encrypted password under /etc/shadow
> >>> is a little messy,
> >> That's the way I used when testing this feature. As we're creating an
> >> image, this method is acceptable for me.
> >>
> >>> but I'm at a loss for a better
> >>> solution that is guaranteed to work. You could use crypt or mcrypt to
> >>> encrypt a file containing the password in plaintext on the host, but
> >>> you have to know the encryption algorithm used on the target
> >>> filesystem.
> >> If you find one, please let me know. Thanks.
> >>
> >>> If anyone knows of a better way to create the encrypted password
> >>> that would be used by the target, I'm open to suggestions.
> >>>
> >>> Thanks,
> >>> Bryan
> >> Just to be clear, use the way of copying files is not acceptable, as
> >> there are some directories related to user setting such as the user's
> >> home directory and mail directory. And these files should also be
> >> handled correctly.
> >>
> >> Best Regards,
> >> Chen Qi
> >>
> >>>> -----Original Message-----
> >>>> From: Paul Eggleton [mailto:paul.eggleton at linux.intel.com]
> >>>> Sent: Thursday, July 25, 2013 8:01 AM
> >>>> To: Bryan Evenson
> >>>> Cc: poky at yoctoproject.org
> >>>> Subject: Re: [poky] Default root password without 'debug-tweaks'?
> >>>>
> >>>> On Thursday 25 July 2013 07:53:20 Bryan Evenson wrote:
> >>>>> Thank you for the explanation. And just earlier this morning, I found
> >>>>> this description of how to change the root password for an image:
> >>>>> http://bec-systems.com/site/967/setting-the-root-password-in-an-openembedded-image.
> >>>>>
> >>>>> If this would be a suggested method of performing the task, I
> >>>>> could write a patch for the documentation to add the details about
> >>>>> the root account being locked and the suggested method for
> >>>>> modifying the
> >>>>> root password. If you could point me to a good place to add this
> >>>>> detail, I'll send out a patch.
> >>>> Hmm, that method does seem a bit messy though. Ideally there would be
> >>>> a simple method available that didn't require you to boot the
> >>>> target system. Presumably it wouldn't be too hard to do it using
> >>>> tools on the host.
> >>>>
> >>>> Cheers,
> >>>> Paul
> >>>>
> >>>> --
> >>>>
> >>>> Paul Eggleton
> >>>> Intel Open Source Technology Centre
> >>> _______________________________________________
> >>> poky mailing list
> >>> poky at yoctoproject.org
> >>> https://lists.yoctoproject.org/listinfo/poky
> >>>
> >>>
> >
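
Added example (not part of the original messages and not Yocto project code): a small parser for the /etc/shadow entries quoted in this thread that identifies the hash scheme and salt of each password field. It relies on the crypt(3) conventions that a 13-character field is traditional DES crypt with a 2-character salt and that a `$id$` prefix selects a newer scheme; the name `classify_shadow_line` and the `$6$` sample entry are constructed for illustration.

```python
import string

# Alphabet used by crypt(3) for salts and traditional DES hashes.
CRYPT_CHARS = set(string.ascii_letters + string.digits + "./")
# Modular-crypt identifiers ($id$salt$hash) and the scheme each selects.
MODULAR_IDS = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}

def classify_shadow_line(line):
    """Describe the password field of one /etc/shadow entry."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated fields, got %d" % len(fields))
    pw = fields[1]
    info = {"user": fields[0], "scheme": "unknown", "salt": None, "findings": []}
    if pw == "":
        info["scheme"] = "empty"
        info["findings"].append("account accepts login with no password")
    elif pw[0] in "!*":
        info["scheme"] = "locked"
    elif pw.startswith("$"):
        parts = pw.split("$")  # ['', id, [rounds=N,] salt, hash]
        info["scheme"] = MODULAR_IDS.get(parts[1], "unknown")
        if info["scheme"] != "unknown" and len(parts) >= 4:
            has_rounds = parts[2].startswith("rounds=")
            info["salt"] = parts[3] if has_rounds and len(parts) >= 5 else parts[2]
        if info["scheme"] == "md5-crypt":
            info["findings"].append("md5-crypt is obsolete; prefer sha512-crypt")
    elif len(pw) == 13 and set(pw) <= CRYPT_CHARS:
        # Traditional DES crypt: 2-character salt followed by 11 hash characters.
        info["scheme"] = "des-crypt"
        info["salt"] = pw[:2]
        info["findings"].append("des-crypt uses only the first 8 password characters")
    return info

# The three root entries quoted in the thread, plus one constructed
# sha512-crypt entry (salt and hash are placeholders, not a real hash).
SAMPLES = [
    "root::15918:0:99999:7:::",
    "root:bZMfmHD5uJ3l6:15918:0:99999:7:::",
    "root:CiwTL1eJx70ps:15918:0:99999:7:::",
    "root:$6$CONSTRUCTEDSALT$PLACEHOLDERHASH:15918:0:99999:7:::",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        r = classify_shadow_line(sample)
        print(r["user"], r["scheme"], r["salt"], "; ".join(r["findings"]))
```

On the thread's two non-empty entries this reports des-crypt with salts `bZ` and `Ci`: a new random salt is chosen on each password change, so the same password produces a different stored value each time.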