
[11/11] base-files: set root password if present inside board.json

Message ID 20240923171825.148902-12-john@phrozen.org
State Under Review
Delegated to: John Crispin
Series: allow loading default credentials from flash

Commit Message

John Crispin Sept. 23, 2024, 5:18 p.m. UTC
The code checks if the first character is "$". In that case it is assumed
that the string contains a salted hash. Alternatively we assume that it is
a cleartext password.

Signed-off-by: John Crispin <john@phrozen.org>
---
 .../files/etc/uci-defaults/50-root-passwd         | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 package/base-files/files/etc/uci-defaults/50-root-passwd

Comments

Jo-Philipp Wich Sept. 24, 2024, 9:57 a.m. UTC | #1
Hi,

> The code checks if the first character is "$". In that case it is assumed
> that the string contains a salted hash. Alternatively we assume that it is
> a cleartext password.

IMHO that kind of heuristic is undesirable. Imagine a scenario where something 
autogenerates passwords and those happen to start with `$`, the resulting 
configuration would not allow authentication with the expected password.

You should probably just separate the variables into `root_password_plain` and 
`root_password_hash`, then make the latter take precedence over the former in 
case both are defined.

~ Jo

> 
> Signed-off-by: John Crispin <john@phrozen.org>
> ---
>   .../files/etc/uci-defaults/50-root-passwd         | 15 +++++++++++++++
>   1 file changed, 15 insertions(+)
>   create mode 100644 package/base-files/files/etc/uci-defaults/50-root-passwd
> 
> diff --git a/package/base-files/files/etc/uci-defaults/50-root-passwd b/package/base-files/files/etc/uci-defaults/50-root-passwd
> new file mode 100644
> index 0000000000..a7e5ace913
> --- /dev/null
> +++ b/package/base-files/files/etc/uci-defaults/50-root-passwd
> @@ -0,0 +1,15 @@
> +. /usr/share/libubox/jshn.sh
> +
> +json_init
> +json_load "$(cat /etc/board.json)"
> +
> +json_select credentials
> +json_get_vars root_password root_password
> +	[ -z "$root_password" ] || {
> +		if [ "${root_password:0:1}" == "$" ]; then
> +			sed -i "s|^root:[^:]*|root:$root_password|g" /etc/shadow
> +		else
> +			(echo "$root_password"; sleep 1; echo "$root_password") | passwd root
> +		fi
> +	}
> +json_select ..
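Review bot: the `$` branch writes the value into /etc/shadow without checking that it is actually a crypt(3) string, so the mirror image of the problem described above exists too: a plaintext password that merely begins with `$` (or a mistyped hash) lands in the password field verbatim, the field is unparseable, and root cannot log in at all until the next firstboot. Splitting the fields as suggested removes the guess, but whichever field carries the hash should still be checked for the `$id$salt$hash` shape before the `sed -i` runs, and a value that fails that check should be rejected rather than handed to `sed` or `passwd`.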
John Crispin Sept. 24, 2024, 4:11 p.m. UTC | #3
On 24.09.24 11:58, Jo-Philipp Wich wrote:
> You should probably just separate the variables into 
> `root_password_plain` and `root_password_hash`, then make the latter 
> take precedence over the former in case both are defined. 
makes sense
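Jo's suggestion of two separate fields, carried through as an added shell example that is not code from the patch or from OpenWrt. The field names `root_password_plain` and `root_password_hash` are the ones proposed in the thread; the function names, the accepted `$id$` prefixes and the hash-shape check are this example's own assumptions. The jshn calls that would fill the two variables from /etc/board.json are left out so the functions run without libubox; the shadow-file writer takes its path as a parameter so it can be exercised on a scratch file.

```shell
#!/bin/sh
# Added example, not code from the OpenWrt patch: resolve the root credential
# from two separate board.json fields (root_password_plain / root_password_hash,
# the names Jo proposed) instead of guessing from a leading "$". The caller is
# assumed to have read both fields with jshn, roughly
#   json_select credentials; json_get_vars root_password_plain root_password_hash
# which is omitted here so the functions run without libubox.

# Succeed only if $1 looks like a crypt(3) modular-format string: a known
# "$id$" prefix (assumption: md5, sha256, sha512, yescrypt), a salt delimiter
# after it, and nothing outside the crypt alphabet [./A-Za-z0-9$]. Anything
# else is refused instead of written to /etc/shadow, where an unparseable
# field silently locks root out.
is_crypt_hash() {
	[ -z "$(printf '%s' "$1" | tr -d './A-Za-z0-9$')" ] || return 1
	case "$1" in
		'$1$'*'$'*|'$5$'*'$'*|'$6$'*'$'*|'$y$'*'$'*) return 0 ;;
	esac
	return 1
}

# Decide which credential applies. Prints "hash <value>", "plain <value>" or
# "none". The hash field wins when both are set, and a hash that fails
# validation is an error (exit 1) rather than a fallback to the plaintext.
resolve_root_credential() {
	plain="$1"
	hash="$2"
	if [ -n "$hash" ]; then
		is_crypt_hash "$hash" || {
			echo "root_password_hash is not a crypt hash" >&2
			return 1
		}
		printf 'hash %s\n' "$hash"
	elif [ -n "$plain" ]; then
		printf 'plain %s\n' "$plain"
	else
		echo "none"
	fi
}

# Replace the password field of the root line in a shadow-format file
# ($2, default /etc/shadow). Passing the hash with awk -v keeps it out of a
# sed replacement pattern, where "&" or the delimiter would be interpreted.
set_root_hash() {
	hash="$1"
	shadow="${2:-/etc/shadow}"
	is_crypt_hash "$hash" || return 1
	awk -v h="$hash" -F: 'BEGIN { OFS = ":" } $1 == "root" { $2 = h } { print }' \
		"$shadow" > "$shadow.tmp" && mv "$shadow.tmp" "$shadow"
}

# Apply a resolved credential on a live system: the two actions of the patch
# (write the hash into /etc/shadow, or feed the plaintext to passwd; the
# sleep between the two answers is kept from the patch).
apply_root_credential() {
	kind="$1"
	value="$2"
	case "$kind" in
		hash)  set_root_hash "$value" ;;
		plain) ( printf '%s\n' "$value"; sleep 1; printf '%s\n' "$value" ) | passwd root ;;
		none)  : ;;
		*)     return 1 ;;
	esac
}
```

A uci-defaults script would call `resolve_root_credential "$root_password_plain" "$root_password_hash"` and pass the two words it prints to `apply_root_credential`; because the decision is made from which field is set rather than from the first character, an autogenerated plaintext password beginning with `$` is still treated as plaintext.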

Patch

diff --git a/package/base-files/files/etc/uci-defaults/50-root-passwd b/package/base-files/files/etc/uci-defaults/50-root-passwd
new file mode 100644
index 0000000000..a7e5ace913
--- /dev/null
+++ b/package/base-files/files/etc/uci-defaults/50-root-passwd
@@ -0,0 +1,15 @@ 
+. /usr/share/libubox/jshn.sh
+
+json_init
+json_load "$(cat /etc/board.json)"
+
+json_select credentials
+json_get_vars root_password root_password
+	[ -z "$root_password" ] || {
+		if [ "${root_password:0:1}" == "$" ]; then
+			sed -i "s|^root:[^:]*|root:$root_password|g" /etc/shadow
+		else
+			(echo "$root_password"; sleep 1; echo "$root_password") | passwd root
+		fi
+	}
+json_select ..
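Review bot: `json_get_vars root_password root_password` names the variable twice; a single `root_password` is enough. The `${root_password:0:1}` substring expansion and the `==` test are bash extensions rather than POSIX sh; they work in OpenWrt's busybox ash only because bash compatibility is compiled in, and `case "$root_password" in '$'*) ... ;; esac` expresses the same check portably. The block under `[ -z "$root_password" ] || {` is also indented one tab deeper than the surrounding top-level lines, which makes it read as if it were nested inside something.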