Re: [PATCH 2/2] base-passwd: set root's default password to 'root'

[Mike Looijmans <mike.looijmans@topic.nl>]

On 24-11-16 03:01, Robert Yang wrote:
>
>
> On 11/23/2016 07:16 PM, Patrick Ohly wrote:
>> On Tue, 2016-11-22 at 23:49 -0800, Robert Yang wrote:
>>> [YOCTO #10710]
>>>
>>> Otherwise, we can't login as root when debug-tweaks is not in
>>> IMAGE_FEATURES, and there is no other users to login by default, so
>>> there is no way to login.
>>
>> Wait a second, are you really suggesting that OE-core should have a
>> default root password in its default configuration?
>>
>> That's very bad practice and I'm against doing it this way. Having a
>> default password is one of the common vulnerabilities in actual devices
>> on the market today. OE-core should make it hard to make that mistake,
>> not actively introduce it.
>>
>> So if you think that having a root password set (instead of empty), then
>> at least make it an opt-in behavior that explicitly has to be selected.
>> Make it an image feature so that images with and without default
>> password can be build in the same build configuration. Changing
>> base-passwd doesn't achieve that.
>>
>> Even then I'm still wondering what the benefit of a well-known password
>> compared to no password is. Both are equally insecure, so someone who
>> wants to allow logins might as well go with "empty password".
>
> The problem is that when debug-tweaks or empty-root-password is not in
> IMAGE_FEATURE, there is no way to login by default, which will surprise
> the user. How about:

We've used the following workaround for that in settop box images. Basically, 
what you want is that login as root without password is possible, since that 
can only be done from a local network connection or a serial port, which 
implies that you have physical access to the device anyway. But you do NOT 
want to be able to login using SSH with a blank password, because you'd 
typically forward that port from a router. So remove "debug-tweaks" but don't 
kill the logon:

# Some features in image.bbclass we do NOT want, so override them
# to be empty. We want to log in as root, but NOT via SSH. So we want
# to live without debug-tweaks...
zap_root_password () {
	true
}


> 1) Let user can set root passwd via a variable when building.
> 2) Warn the user at build time when the image is unable to login.

Setting a root password at build time is a very very very bad idea. It's only 
okay if there's ever going to be only one instance of your product in the world.

It's much better to have a blank or missing password. At least that makes it 
possible to check whether the user has configured it already, like for SSH. By 
default, SSH won't let you in until you have a password or a keyfile, which 
allows your device to be hooked up to the internet without a "gap" where you 
could access it with a trivial password.


Having written that, a bit more thought on the initial access is good. I for 
one would be glad to get rid of the aforementioned workaround.


Kind regards,

Mike Looijmans
System Expert

TOPIC Products
Materiaalweg 4, NL-5681 RJ Best
Postbus 440, NL-5680 AK Best
Telefoon: +31 (0) 499 33 69 79
E-mail: mike.looijmans@topicproducts.com
Website: www.topicproducts.com

Please consider the environment before printing this e-mail