Default root password without 'debug-tweaks'?

Default root password without 'debug-tweaks'?

[Bryan Evenson]

I have an image that I built without the 'debug-tweaks' image feature, just to confirm that there is a root password.  Sure enough, I need to type something in to login as root.  Unfortunately, the default root password for the image is not something obvious, and I haven't been able to track down what the default is set to.

Does anyone know what the default root password is set to when you turn off the 'debug-tweaks' image feature?  While we're at it, what's a good method to set the default root password to a different value for an image?  I'm on Poky 1.4.1 (danny 9.0.1) if that makes a difference.

Thanks,
Bryan

Re: Default root password without 'debug-tweaks'?

[Paul Eggleton]

Hi Bryan,

On Wednesday 24 July 2013 14:56:36 Bryan Evenson wrote:
> I have an image that I built without the 'debug-tweaks' image feature, just
> to confirm that there is a root password.  Sure enough, I need to type
> something in to login as root.  Unfortunately, the default root password
> for the image is not something obvious, and I haven't been able to track
> down what the default is set to.
> 
> Does anyone know what the default root password is set to when you turn off
> the 'debug-tweaks' image feature? 

When debug-tweaks is not in IMAGE_FEATURES, there is no valid password set for 
root, i.e. the account is effectively locked.

> While we're at it, what's a good method to set the default root password to
> a different value for an image?

One way to do it would be to define a shell function in your image recipe (or a 
class that your image recipes all inherit, if you have more than one) that 
modifies ${IMAGE_ROOTFS}/etc/passwd, and then add that function to 
ROOTFS_POSTPROCESS_COMMAND.

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre

Re: Default root password without 'debug-tweaks'?

[Bryan Evenson]

Paul,

Thank you for the explanation.  And just earlier this morning, I found this
description of how to change the root password for an image:
http://bec-systems.com/site/967/setting-the-root-password-in-an-openembedded-image.

If this would be a suggested method of performing the task, I could
write a patch for the documentation to add the details about the 
root account being locked and the suggested method for modifying the
root password.  If you could point me to a good place to add this
detail, I'll send out a patch.

Thanks,
Bryan


> -----Original Message-----
> From: Paul Eggleton [mailto:paul.eggleton@linux.intel.com]
> Sent: Thursday, July 25, 2013 7:47 AM
> To: Bryan Evenson
> Cc: poky@yoctoproject.org
> Subject: Re: [poky] Default root password without 'debug-tweaks'?
> 
> Hi Bryan,
> 
> On Wednesday 24 July 2013 14:56:36 Bryan Evenson wrote:
> > I have an image that I built without the 'debug-tweaks' image
> feature,
> > just to confirm that there is a root password.  Sure enough, I need
> to
> > type something in to login as root.  Unfortunately, the default root
> > password for the image is not something obvious, and I haven't been
> > able to track down what the default is set to.
> >
> > Does anyone know what the default root password is set to when you
> > turn off the 'debug-tweaks' image feature?
> 
> When debug-tweaks is not in IMAGE_FEATURES, there is no valid password
> set for root, i.e. the account is effectively locked.
> 
> > While we're at it, what's a good method to set the default root
> > password to a different value for an image?
> 
> One way to do it would be to define a shell function in your image
> recipe (or a class that your image recipes all inherit, if you have
> more than one) that modifies ${IMAGE_ROOTFS}/etc/passwd, and then add
> that function to ROOTFS_POSTPROCESS_COMMAND.
> 
> Cheers,
> Paul
> 
> --
> 
> Paul Eggleton
> Intel Open Source Technology Centre

Re: Default root password without 'debug-tweaks'?

[Paul Eggleton]

On Thursday 25 July 2013 07:53:20 Bryan Evenson wrote:
> Thank you for the explanation.  And just earlier this morning, I found this
> description of how to change the root password for an image:
> http://bec-systems.com/site/967/setting-the-root-password-in-an-openembedded
> -image.
> 
> If this would be a suggested method of performing the task, I could
> write a patch for the documentation to add the details about the
> root account being locked and the suggested method for modifying the
> root password.  If you could point me to a good place to add this
> detail, I'll send out a patch.

Hmm, that method does seem a bit messy though. Ideally there would be a simple 
method available that didn't require you to boot the target system. Presumably 
it wouldn't be too hard to do it using tools on the host.

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre

Re: Default root password without 'debug-tweaks'?

[Bryan Evenson]

Paul,

From looking at the patch series Chen Qi recently posted about the
EXTRA_USER_PARAMS, one could do the following in your local.conf:

require conf/distro/include/security_flags.inc
INHERIT += "extrausers"
EXTRA_USERS_PARAMS = "\
    usermod -p 'encrypted_password' root; \
"

If I understand correctly, that should change the root password
to the listed encrypted password.  But that still leaves the problem
of getting the encrypted root password.  Changing the password on
the hardware and then viewing the encrypted password under
/etc/shadow is a little messy, but I'm at a loss for a better
solution that is guaranteed to work.  You could use crypt or
mcrypt to encrypt a file containing the password in plaintext on
the host, but you have to know the encryption algorithm used on
the target filesystem.

If anyone knows of a better way to create the encrypted password
that would be used by the target, I'm open to suggestions.

Thanks,
Bryan

> -----Original Message-----
> From: Paul Eggleton [mailto:paul.eggleton@linux.intel.com]
> Sent: Thursday, July 25, 2013 8:01 AM
> To: Bryan Evenson
> Cc: poky@yoctoproject.org
> Subject: Re: [poky] Default root password without 'debug-tweaks'?
> 
> On Thursday 25 July 2013 07:53:20 Bryan Evenson wrote:
> > Thank you for the explanation.  And just earlier this morning, I
> found
> > this description of how to change the root password for an image:
> > http://bec-systems.com/site/967/setting-the-root-password-in-an-
> openem
> > bedded
> > -image.
> >
> > If this would be a suggested method of performing the task, I could
> > write a patch for the documentation to add the details about the root
> > account being locked and the suggested method for modifying the root
> > password.  If you could point me to a good place to add this detail,
> > I'll send out a patch.
> 
> Hmm, that method does seem a bit messy though. Ideally there would be a
> simple method available that didn't require you to boot the target
> system. Presumably it wouldn't be too hard to do it using tools on the
> host.
> 
> Cheers,
> Paul
> 
> --
> 
> Paul Eggleton
> Intel Open Source Technology Centre

Re: Default root password without 'debug-tweaks'?

[ChenQi]

On 07/25/2013 08:28 PM, Bryan Evenson wrote:
> Paul,
>
> >From looking at the patch series Chen Qi recently posted about the
> EXTRA_USER_PARAMS, one could do the following in your local.conf:
>
> require conf/distro/include/security_flags.inc
The above line is not needed for this feature.

> INHERIT += "extrausers"
> EXTRA_USERS_PARAMS = "\
>      usermod -p 'encrypted_password' root; \
> "
>
> If I understand correctly, that should change the root password
> to the listed encrypted password.  But that still leaves the problem
> of getting the encrypted root password.  Changing the password on
> the hardware and then viewing the encrypted password under
> /etc/shadow is a little messy,
That's the way I used when testing this feature. As we're creating an 
image, this method is acceptable for me.

>   but I'm at a loss for a better
> solution that is guaranteed to work.  You could use crypt or
> mcrypt to encrypt a file containing the password in plaintext on
> the host, but you have to know the encryption algorithm used on
> the target filesystem.
If you find one, please let me know. Thanks.

> If anyone knows of a better way to create the encrypted password
> that would be used by the target, I'm open to suggestions.
>
> Thanks,
> Bryan
Just to be clear, use the way of copying files is not acceptable, as 
there are some directories related to user setting such as the user's 
home directory and mail directory. And these files should also be 
handled correctly.

Best Regards,
Chen Qi

>
>> -----Original Message-----
>> From: Paul Eggleton [mailto:paul.eggleton@linux.intel.com]
>> Sent: Thursday, July 25, 2013 8:01 AM
>> To: Bryan Evenson
>> Cc: poky@yoctoproject.org
>> Subject: Re: [poky] Default root password without 'debug-tweaks'?
>>
>> On Thursday 25 July 2013 07:53:20 Bryan Evenson wrote:
>>> Thank you for the explanation.  And just earlier this morning, I
>> found
>>> this description of how to change the root password for an image:
>>> http://bec-systems.com/site/967/setting-the-root-password-in-an-
>> openem
>>> bedded
>>> -image.
>>>
>>> If this would be a suggested method of performing the task, I could
>>> write a patch for the documentation to add the details about the root
>>> account being locked and the suggested method for modifying the root
>>> password.  If you could point me to a good place to add this detail,
>>> I'll send out a patch.
>> Hmm, that method does seem a bit messy though. Ideally there would be a
>> simple method available that didn't require you to boot the target
>> system. Presumably it wouldn't be too hard to do it using tools on the
>> host.
>>
>> Cheers,
>> Paul
>>
>> --
>>
>> Paul Eggleton
>> Intel Open Source Technology Centre
> _______________________________________________
> poky mailing list
> poky@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/poky
>
>

Re: Default root password without 'debug-tweaks'?

[Bryan Evenson]

All,

I'm having some issues with setting the root password.  My image is based off of core-image-minimal, which uses TinyLogin for password management.  First, I tried getting the encrypted password by setting root's password and seeing what it looked like in /etc/shadow.  However, it looks like more information than what is shown in /etc/shadow is used to encrypt the password, because the encrypted password is different each time.

For example, I have a new image that created with 'debug-tweaks' on, so root has a blank password.  From /etc/shadow:

root::15918:0:99999:7:::

showing root has no password.  If I change root's password to "password", I get:

root:bZMfmHD5uJ3l6:15918:0:99999:7:::

If I change root's password to "password" again, I get:

root:CiwTL1eJx70ps:15918:0:99999:7:::

So at this time I do not know how to get the encrypted password.  And also related to the password, it looks like TinyLogin limits the password to 8 characters.  You can type something more than 8 characters for your password, but it will only use the first 8 characters.  I'd like to be able to use a slightly stronger password.  So my questions are:

* Is there a different password manager package that I can use that doesn't have the 8 character limit?  I see that Busybox has password management, but I don't yet know if it has the same limitation.
* If there is another one to use, how do I ensure TinyLogin is not installed?
* With the other password manager, how do I get the encrypted password to insert in the EXTRA_USER_PARAMS feature?
* The TinyLogin package is using the source code that was last updated in 2003, and the TinyLogin web page as directed from the package script states: "TinyLogin was merged into BusyBox, current sources can thus be checked out via BusyBox."  Should the TinyLogin package be removed from core-image-minimal and BusyBox password management turned on to use more recent sources?

Regards,
Bryan

> -----Original Message-----
> From: poky-bounces@yoctoproject.org [mailto:poky-
> bounces@yoctoproject.org] On Behalf Of ChenQi
> Sent: Friday, July 26, 2013 1:44 AM
> To: poky@yoctoproject.org
> Subject: Re: [poky] Default root password without 'debug-tweaks'?
> 
> On 07/25/2013 08:28 PM, Bryan Evenson wrote:
> > Paul,
> >
> > >From looking at the patch series Chen Qi recently posted about the
> > EXTRA_USER_PARAMS, one could do the following in your local.conf:
> >
> > require conf/distro/include/security_flags.inc
> The above line is not needed for this feature.
> 
> > INHERIT += "extrausers"
> > EXTRA_USERS_PARAMS = "\
> >      usermod -p 'encrypted_password' root; \ "
> >
> > If I understand correctly, that should change the root password to
> the
> > listed encrypted password.  But that still leaves the problem of
> > getting the encrypted root password.  Changing the password on the
> > hardware and then viewing the encrypted password under /etc/shadow is
> > a little messy,
> That's the way I used when testing this feature. As we're creating an
> image, this method is acceptable for me.
> 
> >   but I'm at a loss for a better
> > solution that is guaranteed to work.  You could use crypt or mcrypt
> to
> > encrypt a file containing the password in plaintext on the host, but
> > you have to know the encryption algorithm used on the target
> > filesystem.
> If you find one, please let me know. Thanks.
> 
> > If anyone knows of a better way to create the encrypted password that
> > would be used by the target, I'm open to suggestions.
> >
> > Thanks,
> > Bryan
> Just to be clear, use the way of copying files is not acceptable, as
> there are some directories related to user setting such as the user's
> home directory and mail directory. And these files should also be
> handled correctly.
> 
> Best Regards,
> Chen Qi
> 
> >
> >> -----Original Message-----
> >> From: Paul Eggleton [mailto:paul.eggleton@linux.intel.com]
> >> Sent: Thursday, July 25, 2013 8:01 AM
> >> To: Bryan Evenson
> >> Cc: poky@yoctoproject.org
> >> Subject: Re: [poky] Default root password without 'debug-tweaks'?
> >>
> >> On Thursday 25 July 2013 07:53:20 Bryan Evenson wrote:
> >>> Thank you for the explanation.  And just earlier this morning, I
> >> found
> >>> this description of how to change the root password for an image:
> >>> http://bec-systems.com/site/967/setting-the-root-password-in-an-
> >> openem
> >>> bedded
> >>> -image.
> >>>
> >>> If this would be a suggested method of performing the task, I could
> >>> write a patch for the documentation to add the details about the
> >>> root account being locked and the suggested method for modifying
> the
> >>> root password.  If you could point me to a good place to add this
> >>> detail, I'll send out a patch.
> >> Hmm, that method does seem a bit messy though. Ideally there would
> be
> >> a simple method available that didn't require you to boot the target
> >> system. Presumably it wouldn't be too hard to do it using tools on
> >> the host.
> >>
> >> Cheers,
> >> Paul
> >>
> >> --
> >>
> >> Paul Eggleton
> >> Intel Open Source Technology Centre
> > _______________________________________________
> > poky mailing list
> > poky@yoctoproject.org
> > https://lists.yoctoproject.org/listinfo/poky
> >
> >
> 
> _______________________________________________
> poky mailing list
> poky@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/poky

Re: Default root password without 'debug-tweaks'?

[ChenQi]

On 08/01/2013 11:27 PM, Bryan Evenson wrote:
> All,
>
> I'm having some issues with setting the root password.  My image is based off of core-image-minimal, which uses TinyLogin for password management.  First, I tried getting the encrypted password by setting root's password and seeing what it looked like in /etc/shadow.  However, it looks like more information than what is shown in /etc/shadow is used to encrypt the password, because the encrypted password is different each time.
>
> For example, I have a new image that created with 'debug-tweaks' on, so root has a blank password.  From /etc/shadow:
>
> root::15918:0:99999:7:::
>
> showing root has no password.  If I change root's password to "password", I get:
>
> root:bZMfmHD5uJ3l6:15918:0:99999:7:::
>
> If I change root's password to "password" again, I get:
>
> root:CiwTL1eJx70ps:15918:0:99999:7:::
>
> So at this time I do not know how to get the encrypted password.  And also related to the password, it looks like TinyLogin limits the password to 8 characters.  You can type something more than 8 characters for your password, but it will only use the first 8 characters.  I'd like to be able to use a slightly stronger password.  So my questions are:
>
> * Is there a different password manager package that I can use that doesn't have the 8 character limit?  I see that Busybox has password management, but I don't yet know if it has the same limitation.
Tinylogin has been deprecated and officially removed from Yocto. We now 
use busybox as a replacement. It doesn't have 8-char limitation, as far 
as I know.
> * If there is another one to use, how do I ensure TinyLogin is not installed?
If you're using Dylan, perhaps you need to backport relevant patches ...

http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=ChenQi/busybox-fixes
(9 patches)
http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=ChenQi/busybox-on-device-upgrade
(1 patch)

> * With the other password manager, how do I get the encrypted password to insert in the EXTRA_USER_PARAMS feature?
The user interface remains all the same with tinylogin.

Best Regards,
Chen Qi

> * The TinyLogin package is using the source code that was last updated in 2003, and the TinyLogin web page as directed from the package script states: "TinyLogin was merged into BusyBox, current sources can thus be checked out via BusyBox."  Should the TinyLogin package be removed from core-image-minimal and BusyBox password management turned on to use more recent sources?
>
> Regards,
> Bryan
>
>> -----Original Message-----
>> From: poky-bounces@yoctoproject.org [mailto:poky-
>> bounces@yoctoproject.org] On Behalf Of ChenQi
>> Sent: Friday, July 26, 2013 1:44 AM
>> To: poky@yoctoproject.org
>> Subject: Re: [poky] Default root password without 'debug-tweaks'?
>>
>> On 07/25/2013 08:28 PM, Bryan Evenson wrote:
>>> Paul,
>>>
>>> >From looking at the patch series Chen Qi recently posted about the
>>> EXTRA_USER_PARAMS, one could do the following in your local.conf:
>>>
>>> require conf/distro/include/security_flags.inc
>> The above line is not needed for this feature.
>>
>>> INHERIT += "extrausers"
>>> EXTRA_USERS_PARAMS = "\
>>>       usermod -p 'encrypted_password' root; \ "
>>>
>>> If I understand correctly, that should change the root password to
>> the
>>> listed encrypted password.  But that still leaves the problem of
>>> getting the encrypted root password.  Changing the password on the
>>> hardware and then viewing the encrypted password under /etc/shadow is
>>> a little messy,
>> That's the way I used when testing this feature. As we're creating an
>> image, this method is acceptable for me.
>>
>>>    but I'm at a loss for a better
>>> solution that is guaranteed to work.  You could use crypt or mcrypt
>> to
>>> encrypt a file containing the password in plaintext on the host, but
>>> you have to know the encryption algorithm used on the target
>>> filesystem.
>> If you find one, please let me know. Thanks.
>>
>>> If anyone knows of a better way to create the encrypted password that
>>> would be used by the target, I'm open to suggestions.
>>>
>>> Thanks,
>>> Bryan
>> Just to be clear, use the way of copying files is not acceptable, as
>> there are some directories related to user setting such as the user's
>> home directory and mail directory. And these files should also be
>> handled correctly.
>>
>> Best Regards,
>> Chen Qi
>>
>>>> -----Original Message-----
>>>> From: Paul Eggleton [mailto:paul.eggleton@linux.intel.com]
>>>> Sent: Thursday, July 25, 2013 8:01 AM
>>>> To: Bryan Evenson
>>>> Cc: poky@yoctoproject.org
>>>> Subject: Re: [poky] Default root password without 'debug-tweaks'?
>>>>
>>>> On Thursday 25 July 2013 07:53:20 Bryan Evenson wrote:
>>>>> Thank you for the explanation.  And just earlier this morning, I
>>>> found
>>>>> this description of how to change the root password for an image:
>>>>> http://bec-systems.com/site/967/setting-the-root-password-in-an-
>>>> openem
>>>>> bedded
>>>>> -image.
>>>>>
>>>>> If this would be a suggested method of performing the task, I could
>>>>> write a patch for the documentation to add the details about the
>>>>> root account being locked and the suggested method for modifying
>> the
>>>>> root password.  If you could point me to a good place to add this
>>>>> detail, I'll send out a patch.
>>>> Hmm, that method does seem a bit messy though. Ideally there would
>> be
>>>> a simple method available that didn't require you to boot the target
>>>> system. Presumably it wouldn't be too hard to do it using tools on
>>>> the host.
>>>>
>>>> Cheers,
>>>> Paul
>>>>
>>>> --
>>>>
>>>> Paul Eggleton
>>>> Intel Open Source Technology Centre
>>> _______________________________________________
>>> poky mailing list
>>> poky@yoctoproject.org
>>> https://lists.yoctoproject.org/listinfo/poky
>>>
>>>
>> _______________________________________________
>> poky mailing list
>> poky@yoctoproject.org
>> https://lists.yoctoproject.org/listinfo/poky
>

Re: Default root password without 'debug-tweaks'?

[Bryan Evenson]

> -----Original Message-----
> From: ChenQi [mailto:Qi.Chen@windriver.com]
> Sent: Thursday, August 01, 2013 10:35 PM
> To: Bryan Evenson
> Cc: poky@yoctoproject.org
> Subject: Re: [poky] Default root password without 'debug-tweaks'?
> 
> On 08/01/2013 11:27 PM, Bryan Evenson wrote:
> > All,
> >
> > I'm having some issues with setting the root password.  My image is
> based off of core-image-minimal, which uses TinyLogin for password
> management.  First, I tried getting the encrypted password by setting
> root's password and seeing what it looked like in /etc/shadow.
> However, it looks like more information than what is shown in
> /etc/shadow is used to encrypt the password, because the encrypted
> password is different each time.
> >
> > For example, I have a new image that created with 'debug-tweaks' on,
> so root has a blank password.  From /etc/shadow:
> >
> > root::15918:0:99999:7:::
> >
> > showing root has no password.  If I change root's password to
> "password", I get:
> >
> > root:bZMfmHD5uJ3l6:15918:0:99999:7:::
> >
> > If I change root's password to "password" again, I get:
> >
> > root:CiwTL1eJx70ps:15918:0:99999:7:::
> >
> > So at this time I do not know how to get the encrypted password.  And
> also related to the password, it looks like TinyLogin limits the
> password to 8 characters.  You can type something more than 8
> characters for your password, but it will only use the first 8
> characters.  I'd like to be able to use a slightly stronger password.
> So my questions are:
> >
> > * Is there a different password manager package that I can use that
> doesn't have the 8 character limit?  I see that Busybox has password
> management, but I don't yet know if it has the same limitation.
> Tinylogin has been deprecated and officially removed from Yocto. We now
> use busybox as a replacement. It doesn't have 8-char limitation, as far
> as I know.
> > * If there is another one to use, how do I ensure TinyLogin is not
> installed?
> If you're using Dylan, perhaps you need to backport relevant patches
> ...
> 
> http://git.yoctoproject.org/cgit.cgi/poky-
> contrib/log/?h=ChenQi/busybox-fixes
> (9 patches)
> http://git.yoctoproject.org/cgit.cgi/poky-
> contrib/log/?h=ChenQi/busybox-on-device-upgrade
> (1 patch)
> 
> > * With the other password manager, how do I get the encrypted
> password to insert in the EXTRA_USER_PARAMS feature?
> The user interface remains all the same with tinylogin.
> 
> Best Regards,
> Chen Qi

Chen Qi,

I think I'm still missing something.  I applied the 10 listed patches to my poky/dylan build environment; I had to make minor tweaks to the patches (adjust the before/after text on some patches) but overall they applied cleanly.  I verified that the Busybox configuration now has a number of options set under the "Login/Password Management Utilities" section under menuconfig.  I also verified the new image is not using Tinylogin for password management.  However, my two original problems remain.  The encrypted password shown in /etc/shadow uses some extra information that I don't know about, as the same password does not encrypt to the same value on successive attempts.  Also, only the first 8 characters are used for the password.  For my test, I changed root's password to "password" twice.  On the two occasions, the encrypted password shown in /etc/shadow for root were different.  I then changed root's password to "passwordplus" and logged out; I then successfully logged in just typing "password" for the password.

Are there some other settings I'm missing to use longer passwords?  And how do I get the encrypted password to use for the EXTRA_USER_PARAMS feature?

Thanks,
Bryan
> 
> > * The TinyLogin package is using the source code that was last
> updated in 2003, and the TinyLogin web page as directed from the
> package script states: "TinyLogin was merged into BusyBox, current
> sources can thus be checked out via BusyBox."  Should the TinyLogin
> package be removed from core-image-minimal and BusyBox password
> management turned on to use more recent sources?
> >
> > Regards,
> > Bryan
> >
> >> -----Original Message-----
> >> From: poky-bounces@yoctoproject.org [mailto:poky-
> >> bounces@yoctoproject.org] On Behalf Of ChenQi
> >> Sent: Friday, July 26, 2013 1:44 AM
> >> To: poky@yoctoproject.org
> >> Subject: Re: [poky] Default root password without 'debug-tweaks'?
> >>
> >> On 07/25/2013 08:28 PM, Bryan Evenson wrote:
> >>> Paul,
> >>>
> >>> >From looking at the patch series Chen Qi recently posted about the
> >>> EXTRA_USER_PARAMS, one could do the following in your local.conf:
> >>>
> >>> require conf/distro/include/security_flags.inc
> >> The above line is not needed for this feature.
> >>
> >>> INHERIT += "extrausers"
> >>> EXTRA_USERS_PARAMS = "\
> >>>       usermod -p 'encrypted_password' root; \ "
> >>>
> >>> If I understand correctly, that should change the root password to
> >> the
> >>> listed encrypted password.  But that still leaves the problem of
> >>> getting the encrypted root password.  Changing the password on the
> >>> hardware and then viewing the encrypted password under /etc/shadow
> >>> is a little messy,
> >> That's the way I used when testing this feature. As we're creating
> an
> >> image, this method is acceptable for me.
> >>
> >>>    but I'm at a loss for a better
> >>> solution that is guaranteed to work.  You could use crypt or mcrypt
> >> to
> >>> encrypt a file containing the password in plaintext on the host,
> but
> >>> you have to know the encryption algorithm used on the target
> >>> filesystem.
> >> If you find one, please let me know. Thanks.
> >>
> >>> If anyone knows of a better way to create the encrypted password
> >>> that would be used by the target, I'm open to suggestions.
> >>>
> >>> Thanks,
> >>> Bryan
> >> Just to be clear, use the way of copying files is not acceptable, as
> >> there are some directories related to user setting such as the
> user's
> >> home directory and mail directory. And these files should also be
> >> handled correctly.
> >>
> >> Best Regards,
> >> Chen Qi
> >>
> >>>> -----Original Message-----
> >>>> From: Paul Eggleton [mailto:paul.eggleton@linux.intel.com]
> >>>> Sent: Thursday, July 25, 2013 8:01 AM
> >>>> To: Bryan Evenson
> >>>> Cc: poky@yoctoproject.org
> >>>> Subject: Re: [poky] Default root password without 'debug-tweaks'?
> >>>>
> >>>> On Thursday 25 July 2013 07:53:20 Bryan Evenson wrote:
> >>>>> Thank you for the explanation.  And just earlier this morning, I
> >>>> found
> >>>>> this description of how to change the root password for an image:
> >>>>> http://bec-systems.com/site/967/setting-the-root-password-in-an-
> >>>> openem
> >>>>> bedded
> >>>>> -image.
> >>>>>
> >>>>> If this would be a suggested method of performing the task, I
> >>>>> could write a patch for the documentation to add the details
> about
> >>>>> the root account being locked and the suggested method for
> >>>>> modifying
> >> the
> >>>>> root password.  If you could point me to a good place to add this
> >>>>> detail, I'll send out a patch.
> >>>> Hmm, that method does seem a bit messy though. Ideally there would
> >> be
> >>>> a simple method available that didn't require you to boot the
> >>>> target system. Presumably it wouldn't be too hard to do it using
> >>>> tools on the host.
> >>>>
> >>>> Cheers,
> >>>> Paul
> >>>>
> >>>> --
> >>>>
> >>>> Paul Eggleton
> >>>> Intel Open Source Technology Centre
> >>> _______________________________________________
> >>> poky mailing list
> >>> poky@yoctoproject.org
> >>> https://lists.yoctoproject.org/listinfo/poky
> >>>
> >>>
> >> _______________________________________________
> >> poky mailing list
> >> poky@yoctoproject.org
> >> https://lists.yoctoproject.org/listinfo/poky
> >

Re: Default root password without 'debug-tweaks'?

[Mehaffey, John]

> From: poky-bounces@yoctoproject.org [poky-bounces@yoctoproject.org] on behalf of Bryan Evenson [bevenson@melinkcorp.com]
> Sent: Monday, August 05, 2013 6:59 AM
> To: ChenQi
> Cc: poky@yoctoproject.org
> Subject: Re: [poky] Default root password without 'debug-tweaks'?
> 
> > -----Original Message-----
> > From: ChenQi [mailto:Qi.Chen@windriver.com]
> > Sent: Thursday, August 01, 2013 10:35 PM
> > To: Bryan Evenson
> > Cc: poky@yoctoproject.org
> > Subject: Re: [poky] Default root password without 'debug-tweaks'?
> >
> > On 08/01/2013 11:27 PM, Bryan Evenson wrote:
> > > All,
> > >
> > > I'm having some issues with setting the root password.  My image is
> > based off of core-image-minimal, which uses TinyLogin for password
> > management.  First, I tried getting the encrypted password by setting
> > root's password and seeing what it looked like in /etc/shadow.
> > However, it looks like more information than what is shown in
> > /etc/shadow is used to encrypt the password, because the encrypted
> > password is different each time.
> > >
> > > For example, I have a new image that created with 'debug-tweaks' on,
> > so root has a blank password.  From /etc/shadow:
> > >
> > > root::15918:0:99999:7:::
> > >
> > > showing root has no password.  If I change root's password to
> > "password", I get:
> > >
> > > root:bZMfmHD5uJ3l6:15918:0:99999:7:::
> > >
> > > If I change root's password to "password" again, I get:
> > >
> > > root:CiwTL1eJx70ps:15918:0:99999:7:::
> > >
> > > So at this time I do not know how to get the encrypted password.  And
> > also related to the password, it looks like TinyLogin limits the
> > password to 8 characters.  You can type something more than 8
> > characters for your password, but it will only use the first 8
> > characters.  I'd like to be able to use a slightly stronger password.
> > So my questions are:
> > >
> > > * Is there a different password manager package that I can use that
> > doesn't have the 8 character limit?  I see that Busybox has password
> > management, but I don't yet know if it has the same limitation.
> > Tinylogin has been deprecated and officially removed from Yocto. We now
> > use busybox as a replacement. It doesn't have 8-char limitation, as far
> > as I know.
> > > * If there is another one to use, how do I ensure TinyLogin is not
> > installed?
> > If you're using Dylan, perhaps you need to backport relevant patches
> > ...
> >
> > http://git.yoctoproject.org/cgit.cgi/poky-
> > contrib/log/?h=ChenQi/busybox-fixes
> > (9 patches)
> > http://git.yoctoproject.org/cgit.cgi/poky-
> > contrib/log/?h=ChenQi/busybox-on-device-upgrade
> > (1 patch)
> >
> > > * With the other password manager, how do I get the encrypted
> > password to insert in the EXTRA_USER_PARAMS feature?
> > The user interface remains all the same with tinylogin.
> >
> > Best Regards,
> > Chen Qi
> 
> Chen Qi,
> 
> I think I'm still missing something.  I applied the 10 listed patches to my poky/dylan build environment; I had to make minor tweaks to the patches (adjust the before/after text on some patches) but overall they applied cleanly.  I verified that the Busybox configuration now has a number of options set under the "Login/Password Management Utilities" section under menuconfig.  I also verified the new image is not using Tinylogin for password management.  However, my two original problems remain.  The encrypted password shown in /etc/shadow uses some extra information that I don't know about, as the same password does not encrypt to the same value on successive attempts.  Also, only the first 8 characters are used for the password.  For my test, I changed root's password to "password" twice.  On the two occasions, the encrypted password shown in /etc/shadow for root were different.  I then changed root's password to "passwordplus" and logged out; I then successfully logged in j
>  ust typing "password" for the password.
> 
> Are there some other settings I'm missing to use longer passwords?  And how do I get the encrypted password to use for the EXTRA_USER_PARAMS feature?
> 
> Thanks,
> Bryan

Perhaps the workaround at http://forum.tinycorelinux.net/index.php?topic=9215.0 applies here.

Also, search for "password salt" for an explanation about why the password does not encrypt to the same value on successive attempts.

John Mehaffey
Senior System Architect
Mentor Graphics Corporation

> >
> > > * The TinyLogin package is using the source code that was last
> > updated in 2003, and the TinyLogin web page as directed from the
> > package script states: "TinyLogin was merged into BusyBox, current
> > sources can thus be checked out via BusyBox."  Should the TinyLogin
> > package be removed from core-image-minimal and BusyBox password
> > management turned on to use more recent sources?
> > >
> > > Regards,
> > > Bryan
> > >
> > >> -----Original Message-----
> > >> From: poky-bounces@yoctoproject.org [mailto:poky-
> > >> bounces@yoctoproject.org] On Behalf Of ChenQi
> > >> Sent: Friday, July 26, 2013 1:44 AM
> > >> To: poky@yoctoproject.org
> > >> Subject: Re: [poky] Default root password without 'debug-tweaks'?
> > >>
> > >> On 07/25/2013 08:28 PM, Bryan Evenson wrote:
> > >>> Paul,
> > >>>
> > >>> >From looking at the patch series Chen Qi recently posted about the
> > >>> EXTRA_USER_PARAMS, one could do the following in your local.conf:
> > >>>
> > >>> require conf/distro/include/security_flags.inc
> > >> The above line is not needed for this feature.
> > >>
> > >>> INHERIT += "extrausers"
> > >>> EXTRA_USERS_PARAMS = "\
> > >>>       usermod -p 'encrypted_password' root; \ "
> > >>>
> > >>> If I understand correctly, that should change the root password to
> > >> the
> > >>> listed encrypted password.  But that still leaves the problem of
> > >>> getting the encrypted root password.  Changing the password on the
> > >>> hardware and then viewing the encrypted password under /etc/shadow
> > >>> is a little messy,
> > >> That's the way I used when testing this feature. As we're creating
> > an
> > >> image, this method is acceptable for me.
> > >>
> > >>>    but I'm at a loss for a better
> > >>> solution that is guaranteed to work.  You could use crypt or mcrypt
> > >> to
> > >>> encrypt a file containing the password in plaintext on the host,
> > but
> > >>> you have to know the encryption algorithm used on the target
> > >>> filesystem.
> > >> If you find one, please let me know. Thanks.
> > >>
> > >>> If anyone knows of a better way to create the encrypted password
> > >>> that would be used by the target, I'm open to suggestions.
> > >>>
> > >>> Thanks,
> > >>> Bryan
> > >> Just to be clear, use the way of copying files is not acceptable, as
> > >> there are some directories related to user setting such as the
> > user's
> > >> home directory and mail directory. And these files should also be
> > >> handled correctly.
> > >>
> > >> Best Regards,
> > >> Chen Qi
> > >>
> > >>>> -----Original Message-----
> > >>>> From: Paul Eggleton [mailto:paul.eggleton@linux.intel.com]
> > >>>> Sent: Thursday, July 25, 2013 8:01 AM
> > >>>> To: Bryan Evenson
> > >>>> Cc: poky@yoctoproject.org
> > >>>> Subject: Re: [poky] Default root password without 'debug-tweaks'?
> > >>>>
> > >>>> On Thursday 25 July 2013 07:53:20 Bryan Evenson wrote:
> > >>>>> Thank you for the explanation.  And just earlier this morning, I
> > >>>> found
> > >>>>> this description of how to change the root password for an image:
> > >>>>> http://bec-systems.com/site/967/setting-the-root-password-in-an-
> > >>>> openem
> > >>>>> bedded
> > >>>>> -image.
> > >>>>>
> > >>>>> If this would be a suggested method of performing the task, I
> > >>>>> could write a patch for the documentation to add the details
> > about
> > >>>>> the root account being locked and the suggested method for
> > >>>>> modifying
> > >> the
> > >>>>> root password.  If you could point me to a good place to add this
> > >>>>> detail, I'll send out a patch.
> > >>>> Hmm, that method does seem a bit messy though. Ideally there would
> > >> be
> > >>>> a simple method available that didn't require you to boot the
> > >>>> target system. Presumably it wouldn't be too hard to do it using
> > >>>> tools on the host.
> > >>>>
> > >>>> Cheers,
> > >>>> Paul
> > >>>>
> > >>>> --
> > >>>>
> > >>>> Paul Eggleton
> > >>>> Intel Open Source Technology Centre
> > >>> _______________________________________________
> > >>> poky mailing list
> > >>> poky@yoctoproject.org
> > >>> https://lists.yoctoproject.org/listinfo/poky
> > >>>
> > >>>
> > >> _______________________________________________
> > >> poky mailing list
> > >> poky@yoctoproject.org
> > >> https://lists.yoctoproject.org/listinfo/poky
> > >
> 
> _______________________________________________
> poky mailing list
> poky@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/poky
>