* Forced password change in first login
@ 2022-05-24 11:17 Livius
  2022-06-03 21:45 ` Livius
  0 siblings, 1 reply; 6+ messages in thread
From: Livius @ 2022-05-24 11:17 UTC (permalink / raw)
  To: openembedded-core

Hi!

In extrausers.bbclass ( https://github.com/openembedded/openembedded-core/blob/honister/meta/classes/extrausers.bbclass ) there is a quite new passwd-expire ( https://www.mail-archive.com/yocto@lists.yoctoproject.org/msg05373.html ) to force a password change on first login. I am using the honister release now; my experience is that my root user always has an expired password by default and I need to change it on every first login of my flashed image, even though I pre-configured my root password with usermod -p <hash_pass> and I am not using the new passwd-expire command.

Can I disable that new method somehow, to avoid changing the password on first login?

* Re: Forced password change in first login
  2022-05-24 11:17 Forced password change in first login Livius
@ 2022-06-03 21:45 ` Livius
  2022-07-18 20:28   ` [OE-core] " Quentin Schulz
  0 siblings, 1 reply; 6+ messages in thread
From: Livius @ 2022-06-03 21:45 UTC (permalink / raw)
  To: openembedded-core

Finally, I found the problem and I could solve it. SHA-256 is too weak to make a password hash; this is why on first login we always need to change the password.

Please fix it in the Yocto manual ( https://docs.yoctoproject.org/singleindex.html#term-EXTRA_USERS_PARAMS ). When I set it to generate a sha512crypt hash it works fine; there is no change request on first login.

* Re: [OE-core] Forced password change in first login
  2022-06-03 21:45 ` Livius
@ 2022-07-18 20:28   ` Quentin Schulz
  2022-07-18 21:48     ` Livius
  0 siblings, 1 reply; 6+ messages in thread
From: Quentin Schulz @ 2022-07-18 20:28 UTC (permalink / raw)
  To: Livius, openembedded-core

Hi Livius,

On 6/3/22 23:45, Livius wrote:
> Finally, I found the problem and I could solve it. SHA-256 is too weak to make a password hash; this is why on first login we always need to change the password.
> 
> Please fix it in the Yocto manual ( https://docs.yoctoproject.org/singleindex.html#term-EXTRA_USERS_PARAMS ). When I set it to generate a sha512crypt hash it works fine; there is no change request on first login.
> 

With poky commit 2d1838b7bc ("python3-picobuild: upgrade to 0.2") master 
branch and the following diff:
diff --git a/meta/recipes-core/images/core-image-minimal.bb 
b/meta/recipes-core/images/core-image-minimal.bb
index 84343adcd8..f21f467bfd 100644
--- a/meta/recipes-core/images/core-image-minimal.bb
+++ b/meta/recipes-core/images/core-image-minimal.bb
@@ -10,3 +10,8 @@ inherit core-image

  IMAGE_ROOTFS_SIZE ?= "8192"
  IMAGE_ROOTFS_EXTRA_SPACE:append = 
"${@bb.utils.contains("DISTRO_FEATURES", "systemd", " + 4096", "", d)}"
+
+inherit extrausers
+
+PASSWD = 
"\$5\$AEz8bdRlSRIc3Ejb\$g3M6ww5SouP5wwkjw126ulgdxNMlLfx5b.hbCRpZMM4"
+EXTRA_USERS_PARAMS = "usermod -p '${PASSWD}' root; "
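
Review bot: The added PASSWD line puts a fixed root password hash into core-image-minimal.bb, so every image built from this recipe would carry the same root credential, and that hash is now posted on a public list. That is acceptable for a throwaway reproducer, but it should stay out of the shared recipe: keep "inherit extrausers" and EXTRA_USERS_PARAMS in a local configuration or a test-only image, and treat the password behind this hash as disclosed. Since the "$5$" prefix is the sha256crypt case under dispute, attaching the root line that ends up in the image's /etc/shadow would also let the reporter compare it field by field with their own.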

with brand new build directory created with source oe-init-build-env 
../build
Then running the qemu image with:
runqemu noslirp nographic
I can successfully login and do not get any request for a password 
change, even though the password I created was generated as explained in 
the docs.

Can you give us more info so we can reproduce this and amend the 
documentation or fix the code for the usecase you found required sha512?

Thanks,
Quentin


* Re: Forced password change in first login
  2022-07-18 20:28   ` [OE-core] " Quentin Schulz
@ 2022-07-18 21:48     ` Livius
  2022-07-19 12:57       ` [OE-core] " Quentin Schulz
  0 siblings, 1 reply; 6+ messages in thread
From: Livius @ 2022-07-18 21:48 UTC (permalink / raw)
  To: openembedded-core

In Yocto Honister, if I use sha256crypt for my password hash my finished Linux image does not like it, and at first boot it forces me to change it. If I use sha512crypt for my hash everything is OK at Linux first boot.

* Re: [OE-core] Forced password change in first login
  2022-07-18 21:48     ` Livius
@ 2022-07-19 12:57       ` Quentin Schulz
  2022-07-19 19:38         ` Livius
  0 siblings, 1 reply; 6+ messages in thread
From: Quentin Schulz @ 2022-07-19 12:57 UTC (permalink / raw)
  To: Livius, openembedded-core

Hi Livius,

On 7/18/22 23:48, Livius wrote:
> In Yocto Honister, if I use sha256crypt for my password hash my finished Linux image does not like it, and at first boot it forces me to change it. If I use sha512crypt for my hash everything is OK at Linux first boot.
> 

Just tested on top of honister branch (fd00d74f47 yocto-bsps: update to 
v5.10.113) with the same process/diff as given in yesterday's mail. I 
couldn't reproduce what you experienced.

Is there some minimal reproducer you could give us so that we can make 
sure this is fixed? I don't want to fix the docs if the issue is 
actually in the code elsewhere :)

Cheers,
Quentin


* Re: Forced password change in first login
  2022-07-19 12:57       ` [OE-core] " Quentin Schulz
@ 2022-07-19 19:38         ` Livius
  0 siblings, 0 replies; 6+ messages in thread
From: Livius @ 2022-07-19 19:38 UTC (permalink / raw)
  To: openembedded-core

I got this "feature" on the Yocto project of Xilinx ( https://xilinx-wiki.atlassian.net/wiki/spaces/A/pages/18841883/Yocto ) rel-v2022.1 (honister). It seems to me my Linux kernel uses SHA-512 by default, because after my first password change I could see the ident number of this encryption in /etc/shadow ( https://www.cyberciti.biz/faq/understanding-etcshadow-file/ ). For all of my pre-made users from Yocto recipes, if they had a SHA-256 password hash, a change was forced on first login. I could solve it after I realized my Linux build likes to generate SHA-512 password hashes at run-time.
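
An added example, not part of any message in this thread: a small check for the reproducer requested above. For each /etc/shadow entry it reports the crypt scheme identifier mentioned in the last message ("$5$" or "$6$") next to the last-change field, whose value 0 is what shadow(5) defines as "must change password at next login". The sample lines and their placeholder hashes are constructed; the function names are this example's own.

```python
import sys

# crypt(5) scheme identifiers; "5" and "6" are the two discussed in the thread.
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}

# Constructed sample lines with placeholder hashes, not taken from a real image.
SAMPLE = """\
root:$5$CONSTRUCTEDSALT$CONSTRUCTEDHASH:0:0:99999:7:::
tester:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:99999:7:::
builder:$5$CONSTRUCTEDSALT$CONSTRUCTEDHASH::0:99999:7:::
daemon:*:19000:0:99999:7:::
"""


def classify(line):
    """Return (user, scheme, must_change) for one shadow(5) line, or None."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 3 or not fields[0]:
        return None  # blank or malformed line
    user, pw, lastchg = fields[0], fields[1], fields[2]
    if pw == "":
        scheme = "empty"
    elif pw[0] in "!*":
        scheme = "locked"
    elif pw.startswith("$") and pw.count("$") >= 3:
        ident = pw.split("$")[1]
        scheme = SCHEMES.get(ident, "unknown($%s$)" % ident)
    else:
        scheme = "legacy-or-other"
    # shadow(5): last-change "0" means the password must be changed at the
    # next login; an empty field means password ageing is disabled.
    return user, scheme, lastchg == "0"


def report(text):
    """Classify every usable line of a shadow file given as text."""
    return [row for row in map(classify, text.splitlines()) if row]


if __name__ == "__main__":
    # Pass the path of the image's shadow file, or run without arguments
    # to see the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for user, scheme, must_change in report(text):
        print(f"{user:10} {scheme:14} forced_change={must_change}")
```

Running it on the shadow file from the built root filesystem, before first boot, shows whether an account that is asked to change its password already has a last-change value of 0 and which scheme its hash uses.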
