* [Buildroot] Root password and ssh issues
@ 2020-08-07  9:51 Michael Opdenacker
  2020-08-07  9:54 ` Thomas Petazzoni
  0 siblings, 1 reply; 8+ messages in thread
From: Michael Opdenacker @ 2020-08-07  9:51 UTC (permalink / raw)
  To: buildroot

Greetings,

Manuel and I have observed a strange phenomenon at least with Buildroot
2020.02.4...

When we generate a root filesystem with Dropbear for ssh, and set the
root password through BR2_TARGET_GENERIC_ROOT_PASSWD, we cannot manage
to login through ssh.

However, we can login as root on the console with this password, proving
that the password was valid. If we then use the "passwd" command from
the command line on the target to set the same password again, ssh
access starts to work!

Would you have an explanation for this behavior?

Thanks,

Michael and Manuel

-- 
Michael Opdenacker, CEO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] Root password and ssh issues
  2020-08-07  9:51 [Buildroot] Root password and ssh issues Michael Opdenacker
@ 2020-08-07  9:54 ` Thomas Petazzoni
  2020-08-07 10:21   ` Michael Opdenacker
  0 siblings, 1 reply; 8+ messages in thread
From: Thomas Petazzoni @ 2020-08-07  9:54 UTC (permalink / raw)
  To: buildroot

On Fri, 7 Aug 2020 11:51:02 +0200
Michael Opdenacker <michael.opdenacker@bootlin.com> wrote:

> Manuel and I have observed a strange phenomenon at least with Buildroot
> 2020.02.4...
> 
> When we generate a root filesystem with Dropbear for ssh, and set the
> root password through BR2_TARGET_GENERIC_ROOT_PASSWD, we cannot manage
> to login through ssh.
> 
> However, we can login as root on the console with this password, proving
> that the password was valid. If we then use the "passwd" command from
> the command line on the target to set the same password again, ssh
> access starts to work!
> 
> Would you have an explanation for this behavior?

What is the state of /etc/shadow with the non-working SSH login, and
then the state of /etc/shadow after resetting the password with passwd
? I think I remember some issues with the expiration date/time of the
password, or something like that.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] Root password and ssh issues
  2020-08-07  9:54 ` Thomas Petazzoni
@ 2020-08-07 10:21   ` Michael Opdenacker
  2020-08-07 11:12     ` Peter Seiderer
  0 siblings, 1 reply; 8+ messages in thread
From: Michael Opdenacker @ 2020-08-07 10:21 UTC (permalink / raw)
  To: buildroot

Hi Thomas,

Thanks for your quick reply!


> What is the state of /etc/shadow with the non-working SSH login, and
> then the state of /etc/shadow after resetting the password with passwd
> ? I think I remember some issues with the expiration date/time of the
> password, or something like that.


Here are the details

# ls -la /etc/shadow
-rw-------    1 1000     1000           190 Aug  7  2020 /etc/shadow

# cat /etc/shadow
root:$5$D1pz/P1l$JCZhyjzCCqmXbnPx7g/mBtNtSSKkMqgctsmV/zBmlR2:::::::
daemon:*:::::::
bin:*:::::::
sys:*:::::::
sync:*:::::::
mail:*:::::::
www-data:*:::::::
operator:*:::::::
nobody:*:::::::

# passwd
Changing password for root
New password:
Bad password: too short
Retype password:
passwd: password for root changed by root

# cat /etc/shadow
root:$1$SYGd3a37$u2RV/VOsLPqWznY4GR1jU.:13514::::::
daemon:*:::::::
bin:*:::::::
sys:*:::::::
sync:*:::::::
mail:*:::::::
www-data:*:::::::
operator:*:::::::
nobody:*:::::::

# ls -la /etc/shadow
-rw-------    1 1000     1000           174 Aug  7  2020 /etc/shadow

I set the password to "root" (both in "menuconfig" and then through the
"passwd" command). Only after this command can I login through ssh.

Cheers,

Michael.

-- 
Michael Opdenacker, CEO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] Root password and ssh issues
  2020-08-07 10:21   ` Michael Opdenacker
@ 2020-08-07 11:12     ` Peter Seiderer
  2020-08-07 11:16       ` Titouan Christophe
  0 siblings, 1 reply; 8+ messages in thread
From: Peter Seiderer @ 2020-08-07 11:12 UTC (permalink / raw)
  To: buildroot

Hello Michael,

On Fri, 7 Aug 2020 12:21:51 +0200, Michael Opdenacker <michael.opdenacker@bootlin.com> wrote:

> Hi Thomas,
> 
> Thanks for your quick reply!
> 
> 
> > What is the state of /etc/shadow with the non-working SSH login, and
> > then the state of /etc/shadow after resetting the password with passwd
> > ? I think I remember some issues with the expiration date/time of the
> > password, or something like that.  
> 
> 
> Here are the details
> 
> # ls -la /etc/shadow
> -rw-------    1 1000     1000           190 Aug  7  2020 /etc/shadow
> 
> # cat /etc/shadow
> root:$5$D1pz/P1l$JCZhyjzCCqmXbnPx7g/mBtNtSSKkMqgctsmV/zBmlR2:::::::
> daemon:*:::::::
> bin:*:::::::
> sys:*:::::::
> sync:*:::::::
> mail:*:::::::
> www-data:*:::::::
> operator:*:::::::
> nobody:*:::::::
> 
> # passwd
> Changing password for root
> New password:
> Bad password: too short
> Retype password:
> passwd: password for root changed by root
> 
> # cat /etc/shadow
> root:$1$SYGd3a37$u2RV/VOsLPqWznY4GR1jU.:13514::::::
> daemon:*:::::::
> bin:*:::::::
> sys:*:::::::
> sync:*:::::::
> mail:*:::::::
> www-data:*:::::::
> operator:*:::::::
> nobody:*:::::::
> 
> # ls -la /etc/shadow
> -rw-------    1 1000     1000           174 Aug  7  2020 /etc/shadow
> 
> I set the password to "root" (both in "menuconfig" and then through the
> "passwd" command). Only after this command can I login through ssh.
> 

No problem here to login via ssh via preset password (raspberrypi4_64_defconfig with
additional dropbear enabled):

BR2_PACKAGE_DROPBEAR=y
BR2_PACKAGE_DROPBEAR_CLIENT=y
BR2_PACKAGE_DROPBEAR_DISABLE_REVERSEDNS=y
BR2_PACKAGE_DROPBEAR_SMALL=y
# BR2_PACKAGE_DROPBEAR_WTMP is not set
# BR2_PACKAGE_DROPBEAR_LASTLOG is not set
# BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO is not set
BR2_PACKAGE_DROPBEAR_LOCALOPTIONS_FILE=""

What looks strange are your /etc/shadow permissions, should give
root/root for user/group...

What is the /var/log/messages dropbear output for failure/success?

What is your config/defconfig?

Regards,
Peter

> Cheers,
> 
> Michael.
> 


* [Buildroot] Root password and ssh issues
  2020-08-07 11:12     ` Peter Seiderer
@ 2020-08-07 11:16       ` Titouan Christophe
  2020-08-07 11:35         ` Peter Seiderer
  0 siblings, 1 reply; 8+ messages in thread
From: Titouan Christophe @ 2020-08-07 11:16 UTC (permalink / raw)
  To: buildroot

Hello Michael, Thomas, Peter and all,

I'm also running my test device with Buildroot 2020.02.4, dropbear and 
root:root password authentication; I cannot reproduce the problem.

On 7/08/20 13:12, Peter Seiderer wrote:
> Hello Michael,
> 
> On Fri, 7 Aug 2020 12:21:51 +0200, Michael Opdenacker <michael.opdenacker@bootlin.com> wrote:
> 
>> Hi Thomas,
>>
>> Thanks for your quick reply!
>>
>>
>>> What is the state of /etc/shadow with the non-working SSH login, and
>>> then the state of /etc/shadow after resetting the password with passwd
>>> ? I think I remember some issues with the expiration date/time of the
>>> password, or something like that.
>>
>>
>> Here are the details
>>
>> # ls -la /etc/shadow
>> -rw-------    1 1000     1000           190 Aug  7  2020 /etc/shadow
>>
>> # cat /etc/shadow
>> root:$5$D1pz/P1l$JCZhyjzCCqmXbnPx7g/mBtNtSSKkMqgctsmV/zBmlR2:::::::

[--SNIP--]

>> # cat /etc/shadow
>> root:$1$SYGd3a37$u2RV/VOsLPqWznY4GR1jU.:13514::::::

So, when you used `passwd`, the password hashing algorithm has changed 
from SHA512 ($5$) to MD5 ($1$). I found a similar issue though it dates 
back to 2016, maybe that could help: 
http://lists.busybox.net/pipermail/buildroot/2016-February/154348.html

>> daemon:*:::::::
>> bin:*:::::::
>> sys:*:::::::
>> sync:*:::::::
>> mail:*:::::::
>> www-data:*:::::::
>> operator:*:::::::
>> nobody:*:::::::
>>
>> # ls -la /etc/shadow
>> -rw-------    1 1000     1000           174 Aug  7  2020 /etc/shadow
>>
>> I set the password to "root" (both in "menuconfig" and then through the
>> "passwd" command). Only after this command can I login through ssh.
>>
> 
> No problem here to login via ssh via preset password (raspberrypi4_64_defconfig with
> additional dropbear enabled):
> 
> BR2_PACKAGE_DROPBEAR=y
> BR2_PACKAGE_DROPBEAR_CLIENT=y
> BR2_PACKAGE_DROPBEAR_DISABLE_REVERSEDNS=y
> BR2_PACKAGE_DROPBEAR_SMALL=y
> # BR2_PACKAGE_DROPBEAR_WTMP is not set
> # BR2_PACKAGE_DROPBEAR_LASTLOG is not set
> # BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO is not set
> BR2_PACKAGE_DROPBEAR_LOCALOPTIONS_FILE=""
> 
> What looks strange are your /etc/shadow permissions, should give
> root/root for user/group...
> 
> What is the /var/log/messages dropbear output for failure/success?
> 
> What is your config/defconfig?
> 
> Regards,
> Peter
> 
>> Cheers,
>>
>> Michael.
>> 

Best regards,
Titouan


* [Buildroot] Root password and ssh issues
  2020-08-07 11:16       ` Titouan Christophe
@ 2020-08-07 11:35         ` Peter Seiderer
  2020-08-07 13:41           ` Michael Opdenacker
  0 siblings, 1 reply; 8+ messages in thread
From: Peter Seiderer @ 2020-08-07 11:35 UTC (permalink / raw)
  To: buildroot

Hello *,

On Fri, 7 Aug 2020 13:16:56 +0200, Titouan Christophe <titouan.christophe@railnova.eu> wrote:

> Hello Michael, Thomas, Peter and all,
> 
> I'm also running my test device with Buildroot 2020.02.4, dropbear and 
> root:root password authentication; I cannot reproduce the problem.
> 
> On 7/08/20 13:12, Peter Seiderer wrote:
> > Hello Michael,
> > 
> > On Fri, 7 Aug 2020 12:21:51 +0200, Michael Opdenacker <michael.opdenacker@bootlin.com> wrote:
> >   
> >> Hi Thomas,
> >>
> >> Thanks for your quick reply!
> >>
> >>  
> >>> What is the state of /etc/shadow with the non-working SSH login, and
> >>> then the state of /etc/shadow after resetting the password with passwd
> >>> ? I think I remember some issues with the expiration date/time of the
> >>> password, or something like that.  
> >>
> >>
> >> Here are the details
> >>
> >> # ls -la /etc/shadow
> >> -rw-------    1 1000     1000           190 Aug  7  2020 /etc/shadow
> >>
> >> # cat /etc/shadow
> >> root:$5$D1pz/P1l$JCZhyjzCCqmXbnPx7g/mBtNtSSKkMqgctsmV/zBmlR2:::::::  
> 
> [--SNIP--]
> 
> >> # cat /etc/shadow
> >> root:$1$SYGd3a37$u2RV/VOsLPqWznY4GR1jU.:13514::::::  
> 
> So, when you used `passwd`, the password hashing algorithm has changed 
> from SHA512 ($5$) to MD5 ($1$). I found a similar issue though it dates 
> back to 2016, maybe that could help: 
> http://lists.busybox.net/pipermail/buildroot/2016-February/154348.html

...and should be fixed for uclibc by commit 'package/uclibc: defconfig:
enable sha-256/512 password auth support' ([1])...

By the way, maybe it would be nice if the buildroot password hash
selection also changes the busybox default via
busybox/.config CONFIG_FEATURE_DEFAULT_PASSWD_ALGO="md5"?

Regards,
Peter

[1] https://git.buildroot.net/buildroot/commit/?id=bdd8362a88428ed1c04fc6f4bbcbf7692b2a2b39

> 
> >> daemon:*:::::::
> >> bin:*:::::::
> >> sys:*:::::::
> >> sync:*:::::::
> >> mail:*:::::::
> >> www-data:*:::::::
> >> operator:*:::::::
> >> nobody:*:::::::
> >>
> >> # ls -la /etc/shadow
> >> -rw-------    1 1000     1000           174 Aug  7  2020 /etc/shadow
> >>
> >> I set the password to "root" (both in "menuconfig" and then through the
> >> "passwd" command). Only after this command can I login through ssh.
> >>  
> > 
> > No problem here to login via ssh via preset password (raspberrypi4_64_defconfig with
> > additional dropbear enabled):
> > 
> > BR2_PACKAGE_DROPBEAR=y
> > BR2_PACKAGE_DROPBEAR_CLIENT=y
> > BR2_PACKAGE_DROPBEAR_DISABLE_REVERSEDNS=y
> > BR2_PACKAGE_DROPBEAR_SMALL=y
> > # BR2_PACKAGE_DROPBEAR_WTMP is not set
> > # BR2_PACKAGE_DROPBEAR_LASTLOG is not set
> > # BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO is not set
> > BR2_PACKAGE_DROPBEAR_LOCALOPTIONS_FILE=""
> > 
> > What looks strange are your /etc/shadow permissions, should give
> > root/root for user/group...
> > 
> > What is the /var/log/messages dropbear output for failure/success?
> > 
> > What is your config/defconfig?
> > 
> > Regards,
> > Peter
> >   
> >> Cheers,
> >>
> >> Michael.
> >>   
> 
> Best regards,
> Titouan


* [Buildroot] Root password and ssh issues
  2020-08-07 11:35         ` Peter Seiderer
@ 2020-08-07 13:41           ` Michael Opdenacker
  2020-08-07 13:51             ` Peter Seiderer
  0 siblings, 1 reply; 8+ messages in thread
From: Michael Opdenacker @ 2020-08-07 13:41 UTC (permalink / raw)
  To: buildroot

Greetings,

Thanks for these useful clarifications!

On 8/7/20 1:35 PM, Peter Seiderer wrote:
> ...and should be fixed for uclibc by commit 'package/uclibc: defconfig:
> enable sha-256/512 password auth support' ([1])...
>
> By the way, maybe it would be nice if the buildroot password hash
> selection also changes the busybox default via
> busybox/.config CONFIG_FEATURE_DEFAULT_PASSWD_ALGO="md5"?
>
> Regards,
> Peter
>
> [1] https://git.buildroot.net/buildroot/commit/?id=bdd8362a88428ed1c04fc6f4bbcbf7692b2a2b39

Right, I should have mentioned that I'm using an external uClibc
toolchain built by crosstool-ng.

Do I understand well that the trouble comes from Dropbear (not BusyBox)
supporting only MD5 in /etc/shadow, at least when built with my toolchain?

Thanks again,

Michael.

-- 
Michael Opdenacker, CEO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] Root password and ssh issues
  2020-08-07 13:41           ` Michael Opdenacker
@ 2020-08-07 13:51             ` Peter Seiderer
  0 siblings, 0 replies; 8+ messages in thread
From: Peter Seiderer @ 2020-08-07 13:51 UTC (permalink / raw)
  To: buildroot

Hello Michael,

On Fri, 7 Aug 2020 15:41:04 +0200, Michael Opdenacker <michael.opdenacker@bootlin.com> wrote:

> Greetings,
>
> Thanks for these useful clarifications!
>
> On 8/7/20 1:35 PM, Peter Seiderer wrote:
> > ...and should be fixed for uclibc by commit 'package/uclibc: defconfig:
> > enable sha-256/512 password auth support' ([1])...
> >
> > By the way, maybe it would be nice if the buildroot password hash
> > selection also changes the busybox default via
> > busybox/.config CONFIG_FEATURE_DEFAULT_PASSWD_ALGO="md5"?
> >
> > Regards,
> > Peter
> >
> > [1] https://git.buildroot.net/buildroot/commit/?id=bdd8362a88428ed1c04fc6f4bbcbf7692b2a2b39
>
> Right, I should have mentioned that I'm using an external uClibc
> toolchain built by crosstool-ng.
>
> Do I understand well that the trouble comes from Dropbear (not BusyBox)
> supporting only MD5 in /etc/shadow, at least when built with my toolchain?

Yes, dropbear trouble, but by indirection of the used libc (here uclibc),
if possible take a look at your crosstool-ng uclibc .config file and search
for (for full support):

UCLIBC_HAS_SHA256_CRYPT_IMPL=y
UCLIBC_HAS_SHA512_CRYPT_IMPL=y

And adjust and rebuild accordingly...

And/or try to lower the buildroot default password hash from sha512 to sha256
in case your uclibc supports sha256 (you can check by testing ssh login after
setting the password with passwd -a sha256)...

Regards,
Peter


>
> Thanks again,
>
> Michael.
>
