* Forced password change in first login
From: Livius @ 2022-05-24 11:17 UTC (permalink / raw)
To: openembedded-core
Hi!
In extrausers.bbclass ( https://github.com/openembedded/openembedded-core/blob/honister/meta/classes/extrausers.bbclass ) there is a quite new passwd-expire ( https://www.mail-archive.com/yocto@lists.yoctoproject.org/msg05373.html ) to force a password change on first login. I am using the honister release now; my experience is that my root user always has an expired password by default and I need to change it on every first login of my flashed image, even though I pre-configured my root password with usermod -p <hash_pass> and I am not using the new passwd-expire command.
Can I disable that new method somehow to avoid changing the password on first login?
* Re: Forced password change in first login
From: Livius @ 2022-06-03 21:45 UTC (permalink / raw)
To: openembedded-core
Finally, I found the problem and I could solve it. SHA-256 is too weak to make a password hash, this is why on first login we always need to change the password.
Please fix it in the Yocto manual ( https://docs.yoctoproject.org/singleindex.html#term-EXTRA_USERS_PARAMS ). When I set it to generate a sha512crypt hash it works fine, there is no change request on first login.
* Re: [OE-core] Forced password change in first login
From: Quentin Schulz @ 2022-07-18 20:28 UTC (permalink / raw)
To: Livius, openembedded-core
Hi Livius,
On 6/3/22 23:45, Livius wrote:
> Finally, I found the problem and I could solve it. SHA-256 is too weak to make a password hash, this is why on first login we always need to change the password.
>
> Please fix it in the Yocto manual ( https://docs.yoctoproject.org/singleindex.html#term-EXTRA_USERS_PARAMS ). When I set it to generate a sha512crypt hash it works fine, there is no change request on first login.
>
With poky commit 2d1838b7bc ("python3-picobuild: upgrade to 0.2") master
branch and the following diff:
diff --git a/meta/recipes-core/images/core-image-minimal.bb
b/meta/recipes-core/images/core-image-minimal.bb
index 84343adcd8..f21f467bfd 100644
--- a/meta/recipes-core/images/core-image-minimal.bb
+++ b/meta/recipes-core/images/core-image-minimal.bb
@@ -10,3 +10,8 @@ inherit core-image
IMAGE_ROOTFS_SIZE ?= "8192"
IMAGE_ROOTFS_EXTRA_SPACE:append =
"${@bb.utils.contains("DISTRO_FEATURES", "systemd", " + 4096", "", d)}"
+
+inherit extrausers
+
+PASSWD =
"\$5\$AEz8bdRlSRIc3Ejb\$g3M6ww5SouP5wwkjw126ulgdxNMlLfx5b.hbCRpZMM4"
+EXTRA_USERS_PARAMS = "usermod -p '${PASSWD}' root; "
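Review bot: The `PASSWD` line puts a fixed root password hash into core-image-minimal.bb, a recipe shared by every build of that image; for a reproducer, setting `PASSWD` and `EXTRA_USERS_PARAMS` in the build directory's local.conf (with `INHERIT += "extrausers"`) would keep the hash out of a tracked recipe. The `$5$` prefix identifies the value as sha256crypt, which is the case being tested, but the matching plaintext is not given, so others repeating the test need to generate their own hash. The diff is also line-wrapped by the mail client (the `diff --git`, `IMAGE_ROOTFS_EXTRA_SPACE:append` and `PASSWD` lines are each split in two), so it will not apply as posted.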
with brand new build directory created with source oe-init-build-env
../build
Then running the qemu image with:
runqemu noslirp nographic
I can successfully login and do not get any request for a password
change, even though the password I created was generated as explained in
the docs.
Can you give us more info so we can reproduce this and amend the
documentation or fix the code for the use case you found required sha512?
Thanks,
Quentin
* Re: Forced password change in first login
From: Livius @ 2022-07-18 21:48 UTC (permalink / raw)
To: openembedded-core
In Yocto Honister, if I use sha256crypt for my password hash, my finished Linux image does not like it, and at first boot it forces me to change it. If I use sha512crypt for my hash, everything is OK at Linux first boot.
* Re: [OE-core] Forced password change in first login
From: Quentin Schulz @ 2022-07-19 12:57 UTC (permalink / raw)
To: Livius, openembedded-core
Hi Livius,
On 7/18/22 23:48, Livius wrote:
> In Yocto Honister, if I use sha256crypt for my password hash, my finished Linux image does not like it, and at first boot it forces me to change it. If I use sha512crypt for my hash, everything is OK at Linux first boot.
>
Just tested on top of honister branch (fd00d74f47 yocto-bsps: update to
v5.10.113) with the same process/diff as given in yesterday's mail. I
couldn't reproduce what you experienced.
Is there some minimal reproducer you could give us so that we can make
sure this is fixed? I don't want to fix the docs if the issue is
actually in the code elsewhere :)
Cheers,
Quentin
* Re: Forced password change in first login
From: Livius @ 2022-07-19 19:38 UTC (permalink / raw)
To: openembedded-core
I got this "feature" on the Yocto project of Xilinx ( https://xilinx-wiki.atlassian.net/wiki/spaces/A/pages/18841883/Yocto ) rel-v2022.1 (honister). It seems to me my Linux kernel uses SHA-512 by default because after my first password change I could see the ident number of this encryption in /etc/shadow ( https://www.cyberciti.biz/faq/understanding-etcshadow-file/ ). For all of my pre-made users from Yocto recipes, if they had a SHA-256 password hash, on first login a change was forced. I could solve it after I realized my Linux build likes to generate SHA-512 password hashes at run time.
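The thread turns on two separate fields of an /etc/shadow entry: the `$id$` prefix of the password hash and the last-change field, where shadow(5) gives the value `0` the meaning "change the password at next login". The following is an added example, not code from any poster or from OpenEmbedded, that reports both for each entry; the function names and the sample lines (placeholder salts and hashes) are constructed for illustration.

```python
from dataclasses import dataclass

# crypt(5) "$id$" prefixes: the two schemes named in the thread plus common others.
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
           "y": "yescrypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt"}

@dataclass
class ShadowEntry:
    user: str
    scheme: str        # hash scheme, or "none" when no hash is stored
    locked: bool       # password field starts with '!' or is '*'
    must_change: bool  # last-change field is "0": change forced at next login

def crypt_scheme(pw: str) -> str:
    body = pw.lstrip("!")  # a leading '!' only marks the password as locked
    if body in ("", "*"):
        return "none"
    if body.startswith("$"):
        ident = body.split("$")[1]
        return SCHEMES.get(ident, f"unknown (${ident}$)")
    return "traditional DES or other unprefixed hash"

def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) < 3:
        raise ValueError(f"not a shadow(5) entry: {line!r}")
    user, pw, lastchg = fields[:3]
    return ShadowEntry(user=user, scheme=crypt_scheme(pw),
                       locked=pw.startswith("!") or pw == "*",
                       must_change=(lastchg == "0"))

def audit(lines):
    """Parse every non-blank line and return the entries in order."""
    return [parse_shadow_line(l) for l in lines if l.strip()]

# Constructed sample: placeholder salts/hashes, not real credentials.
SAMPLE = [
    "root:$5$SALTPLACEHOLDER$HASHPLACEHOLDER:0:0:99999:7:::",
    "admin:$6$SALTPLACEHOLDER$HASHPLACEHOLDER:19200:0:99999:7:::",
    "svc:!$6$SALTPLACEHOLDER$HASHPLACEHOLDER:19200:0:99999:7:::",
    "daemon:*:19200:0:99999:7:::",
]

if __name__ == "__main__":
    for e in audit(SAMPLE):
        print(f"{e.user:8} scheme={e.scheme:12} locked={e.locked} "
              f"must_change={e.must_change}")
```

Run against the `etc/shadow` of a generated root filesystem, the `must_change` column shows whether the expiry field is set for an account independently of which hash scheme it uses.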