[baseimage]: Improve password hashing for default user account (#1748)
* [slave.mk]: Fix displaying username and password in build summary We display contents of DEFAULT_USERNAME and DEFAULT_PASSWORD, while image can be build with USERNAME and/or PASSWORD given on make(1) command line. For example: $ make USERNAME=adm PASSWORD=mypass target/sonic-broadcom.bin Fix by displaying USERNAME and PASSWORD variables in build summary. Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co> * [baseimage]: Improve default user account handling There are couple of issues with current implementation of default user account management in baseimage: 1) It uses DES to encrypt accounts password. Furthermore this effectively limits password length to 8 symbols, even if more provided with PASSWORD or DEFAULT_PASSWORD from rules/config. 2) Salt value for password is same on all builds even with different password increasing attack surface. 3) During the build process password passed as command line parameter either as plain text (if given to make(1) as "make PASSWORD=...") or DES encrypted (if given to build_debian.sh) can be seen by non-build users using /proc/<pid>/cmdline file that has group and world readable permissions. Both 1) and 2) come from: perl -e 'print crypt("$(PASSWORD)", "salt"),"\n"')" that by defalt uses DES if salt does not have format $<id>$<salt>$, where <id> is hashing function id. See crypt(3) for more details on valid <id> values. To address issues above we propose following changes: 1) Do not create password by hands (e.g. using perl snippet above): put this job to chpasswd(8) which is aware about system wide password hashing policy specified in /etc/login.defs with ENCRYPT_METHOD (by default it is SHA512 for Debian 8). 2) Now chpasswd(8) will take care about proper salt value. 3) This has two steps: 3.1) For compatibility reasons accept USERNAME and PASSWORD as make(1) parameters, but warn user that this is unsafe. 3.2) Use process environment to pass USERNAME and PASSWORD variables from Makefile to build_debian.sh as more secure alternative to passing via command line parameters: /proc/<pid>/environ readable only by user running process or privileged users like root. Before change: -------------- hash1 ----- # u='admin' # p="$(LANG=C perl -e 'print crypt("YourPaSs", "salt"),"\n"')" ^^^^^^^^ 8 symbols # echo "$u:$p" | chpasswd -e # getent shadow admin admin:sazQDkwgZPfSk:17680:0:99999:7::: ^^^^^^^^^^^^^ Note the hash (DES encrypted password) hash2 ----- # u='admin' # p="$(LANG=C perl -e 'print crypt("YourPaSsWoRd", "salt"),"\n"')" ^^^^^^^^^^^^ 12 symbols # echo "$u:$p" | chpasswd -e # getent shadow admin admin:sazQDkwgZPfSk:17680:0:99999:7::: ^^^^^^^^^^^^^ Hash is the same as for "YourPaSs" After change: ------------- hash1 ----- # echo "admin:YourPaSs" | chpasswd # getent shadow admin admin:$6$1Nho1jHC$T8YwK58FYToXMFuetQta7/XouAAN2q1IzWC3bdIg86woAs6WuTg\ ^^^^^^^^ Note salt here ksLO3oyQInax/wNVq.N4de6dyWZDsCAvsZ1:17681:0:99999:7::: hash2 ----- # echo "admin:YourPaSs" | chpasswd # getent shadow admin admin:$6$yKU5g7BO$kdT02Z1wHXhr1VCniKkZbLaMPZXK0WSSVGhSLGrNhsrsVxCJ.D9\ ^^^^^^^^ Here salt completely different from case above plFpd8ksGNpw/Vb92hvgYyCL2i5cfI8QEY/:17681:0:99999:7::: Since salt is different hashes for same password different too. hash1 ----- # LANG=C perl -e 'print crypt("YourPaSs", "\$6\$salt\$"),"\n"' ^^^^^ We want SHA512 hash $6$salt$qkwPvXqUeGpexO1vatnIQFAreOTXs6rnDX.OI.Sz2rcy51JrO8dFc9aGv82bB\ yd2ELrIMJ.FQLNjgSD0nNha7/ hash2 ----- # LANG=C perl -e 'print crypt("YourPaSsWoRd", "\$6\$salt\$"),"\n"' $6$salt$1JVndGzyy/dj7PaXo6hNcttlQoZe23ob8GWYWxVGEiGOlh6sofbaIvwl6Ho7N\ kYDI8zwRumRwga/A29nHm4mZ1 Now with same "salt" and $<id>$, and same 8 symbol prefix in password, but different password length we have different hashes. Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>
This commit is contained in:
parent
d2b1a0bcea
commit
8d88455509
@ -3,26 +3,22 @@
|
||||
## an ONIE installer image.
|
||||
##
|
||||
## USAGE:
|
||||
## ./build_debian USERNAME PASSWORD_ENCRYPTED
|
||||
## PARAMETERS:
|
||||
## USERNAME=username PASSWORD=password ./build_debian
|
||||
## ENVIRONMENT:
|
||||
## USERNAME
|
||||
## The name of the default admin user
|
||||
## PASSWORD_ENCRYPTED
|
||||
## The encrypted password, expected by chpasswd command
|
||||
## PASSWORD
|
||||
## The password, expected by chpasswd command
|
||||
|
||||
## Default user
|
||||
USERNAME=$1
|
||||
[ -n "$USERNAME" ] || {
|
||||
echo "Error: no or empty USERNAME argument"
|
||||
echo "Error: no or empty USERNAME"
|
||||
exit 1
|
||||
}
|
||||
|
||||
## Password for the default user, customizable by environment variable
|
||||
## By default it is an empty password
|
||||
## You may get a crypted password by: perl -e 'print crypt("YourPaSsWoRd", "salt"),"\n"'
|
||||
PASSWORD_ENCRYPTED=$2
|
||||
[ -n "$PASSWORD_ENCRYPTED" ] || {
|
||||
echo "Error: no or empty PASSWORD_ENCRYPTED argument"
|
||||
## Password for the default user
|
||||
[ -n "$PASSWORD" ] || {
|
||||
echo "Error: no or empty PASSWORD"
|
||||
exit 1
|
||||
}
|
||||
|
||||
@ -178,7 +174,7 @@ sudo cp files/docker/docker.service.conf $_
|
||||
## Note: user should be in the group with the same name, and also in sudo/docker group
|
||||
sudo LANG=C chroot $FILESYSTEM_ROOT useradd -G sudo,docker $USERNAME -c "$DEFAULT_USERINFO" -m -s /bin/bash
|
||||
## Create password for the default user
|
||||
echo $USERNAME:$PASSWORD_ENCRYPTED | sudo LANG=C chroot $FILESYSTEM_ROOT chpasswd -e
|
||||
echo "$USERNAME:$PASSWORD" | sudo LANG=C chroot $FILESYSTEM_ROOT chpasswd
|
||||
|
||||
## Pre-install hardware drivers
|
||||
sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install \
|
||||
|
18
slave.mk
18
slave.mk
@ -76,10 +76,14 @@ endif
|
||||
|
||||
ifeq ($(USERNAME),)
|
||||
override USERNAME := $(DEFAULT_USERNAME)
|
||||
else
|
||||
$(warning USERNAME given on command line: could be visible to other users)
|
||||
endif
|
||||
|
||||
ifeq ($(PASSWORD),)
|
||||
override PASSWORD := $(DEFAULT_PASSWORD)
|
||||
else
|
||||
$(warning PASSWORD given on command line: could be visible to other users)
|
||||
endif
|
||||
|
||||
ifeq ($(SONIC_BUILD_JOBS),)
|
||||
@ -100,8 +104,8 @@ $(info "CONFIGURED_PLATFORM" : "$(if $(PLATFORM),$(PLATFORM),$(CONFI
|
||||
$(info "SONIC_CONFIG_PRINT_DEPENDENCIES" : "$(SONIC_CONFIG_PRINT_DEPENDENCIES)")
|
||||
$(info "SONIC_BUILD_JOBS" : "$(SONIC_BUILD_JOBS)")
|
||||
$(info "SONIC_CONFIG_MAKE_JOBS" : "$(SONIC_CONFIG_MAKE_JOBS)")
|
||||
$(info "DEFAULT_USERNAME" : "$(DEFAULT_USERNAME)")
|
||||
$(info "DEFAULT_PASSWORD" : "$(DEFAULT_PASSWORD)")
|
||||
$(info "USERNAME" : "$(USERNAME)")
|
||||
$(info "PASSWORD" : "$(PASSWORD)")
|
||||
$(info "ENABLE_DHCP_GRAPH_SERVICE" : "$(ENABLE_DHCP_GRAPH_SERVICE)")
|
||||
$(info "SHUTDOWN_BGP_ON_START" : "$(SHUTDOWN_BGP_ON_START)")
|
||||
$(info "ENABLE_PFCWD_ON_START" : "$(ENABLE_PFCWD_ON_START)")
|
||||
@ -484,8 +488,14 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
|
||||
|
||||
DIRTY_SUFFIX="$(shell date +%Y%m%d\.%H%M%S)"
|
||||
export DIRTY_SUFFIX
|
||||
./build_debian.sh "$(USERNAME)" "$(shell perl -e 'print crypt("$(PASSWORD)", "salt"),"\n"')" $(LOG)
|
||||
TARGET_MACHINE=$($*_MACHINE) IMAGE_TYPE=$($*_IMAGE_TYPE) ./build_image.sh $(LOG)
|
||||
|
||||
USERNAME="$(USERNAME)" \
|
||||
PASSWORD="$(PASSWORD)" \
|
||||
./build_debian.sh $(LOG)
|
||||
|
||||
TARGET_MACHINE=$($*_MACHINE) \
|
||||
IMAGE_TYPE=$($*_IMAGE_TYPE) \
|
||||
./build_image.sh $(LOG)
|
||||
|
||||
$(foreach docker, $($*_DOCKERS), \
|
||||
rm -f $($(docker)_CONTAINER_NAME).sh
|
||||
|
Loading…
Reference in New Issue
Block a user