From 356f9e1eaf8223f98db58fbe65400d3ad3190f7d Mon Sep 17 00:00:00 2001 
From: Joseph Reynolds Date: Fri, 23 Jul 2021 20:15:32 -0500 Subject: Change default password hash MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Background: OpenBMC provisions the BMC firmware image with the root account password in a form which is no longer acceptable to Linux-PAM version 1.5.1. Specifically, [phosphor-defaults.inc][] sets the password hash into /etc/shadow as "\$1\$UGMqyqdG\$FZiylVFmRRfl9Z0Ue8G7e/", where $1 indicates the deprecated [MD5 hash algorithm][].  Ref: [wikipedia passwd entry][].  Beginning around PAM version 1.5.1, when you log in, the [pam_unix.so module][] authenticates okay but requires the password to be changed.  (For example, you'll get a message like "You are required to change your password immediately (administrator enforced)."  This behavior is undesirable for OpenBMC project defaults, and is not tolerated by the project's current continuous integration tools.) This change is to replace the password hash to keep the same cleartext password but hashed with an acceptable algorithm. Specifically, the password hash supplied in phosphor-defaults.inc is updated to use the same password as before but encoded with the SHA-512 algorithm.  The hash was generated by the `openssl passwd -6 0penBmc` command.  This change ought to be transparent and forward and backward compatible. Note various meta-layers use this same hash string in conf/local.conf.sample files. They are changed to match. 
References: [phosphor-defaults.inc]: https://github.com/openbmc/openbmc/blob/1a977b269ed437bebb9ae7810e3157746ec9174d/meta-phosphor/conf/distro/include/phosphor-defa ults.inc#L245 [wikipedia passwd entry]: https://en.wikipedia.org/wiki/Passwd [pam_unix.so module]: https://github.com/linux-pam/linux-pam/tree/master/modules/pam_unix [MD5 hash algorithm]: https://en.wikipedia.org/wiki/MD5 Tested: Created image with new password hash and PAM 1.5.1 and checked that login works okay and does not require the passwod to be changed. Signed-off-by: Joseph Reynolds Change-Id: I5b189374f08ba506dbed7f8b9b991f2808cc3bc5
---
 meta-phosphor/conf/distro/include/phosphor-defaults.inc | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'meta-phosphor/conf/distro/include')
diff --git a/meta-phosphor/conf/distro/include/phosphor-defaults.inc b/meta-phosphor/conf/distro/include/phosphor-defaults.inc
index e3eb454ae..63aee78dc 100644
--- a/meta-phosphor/conf/distro/include/phosphor-defaults.inc
+++ b/meta-phosphor/conf/distro/include/phosphor-defaults.inc
@@ -246,6 +246,10 @@ EXTRA_OEMESON_append_class-target = " -Db_lto=true"
 # Override this in your local.conf
 inherit extrausers
+# This is the default password for the OpenBMC root user account (0penBmc)
+# salted and hashed with SHA512 suitable for /etc/shadow or `usermod -p`.
+DEFAULT_OPENBMC_PASSWORD = "'\$6\$UGMqyqdG\$GqTb3tXPFx9AJlzTw/8X5RoW2Z.100dT.acuk8AFJfNQYr.ZRL8itMIgLqsdq46RNHgiv78XayOSl.IbR4DFU.'"
+
 EXTRA_USERS_PARAMS_pn-obmc-phosphor-image = " \
- usermod -p '\$1\$UGMqyqdG\$FZiylVFmRRfl9Z0Ue8G7e/' root; \
+ usermod -p ${DEFAULT_OPENBMC_PASSWORD} root; \
 "
-- cgit v1.2.3
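Review bot: The comment added above `DEFAULT_OPENBMC_PASSWORD` calls the value suitable for /etc/shadow, but the string as assigned carries its own single quotes and `\$` escapes, so it is a shell-quoted argument for `usermod -p` rather than a bare hash. The comment should say so, e.g. `# Shell-quoted for use as a usermod -p argument; remove the quotes and backslashes before writing the hash to /etc/shadow.` The variable is also set with a plain `=`. If this include is parsed after local.conf, as distro configuration usually is, a plain assignment in local.conf would be overwritten, so `DEFAULT_OPENBMC_PASSWORD ?= ...` would let the nearby "Override this in your local.conf" advice apply to the new variable as well. Because the same comment publishes the cleartext, a line stating that production images are expected to replace this credential would help integrators.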