Change default password hash
Background:
OpenBMC provisions the BMC firmware image with the root account password
in a form which is no longer acceptable to Linux-PAM version 1.5.1.
Specifically, [phosphor-defaults.inc][] sets the password hash into
/etc/shadow as "\$1\$UGMqyqdG\$FZiylVFmRRfl9Z0Ue8G7e/", where $1
indicates the deprecated [MD5 hash algorithm][]. Ref: [wikipedia passwd
entry][]. Beginning around PAM version 1.5.1, when you log in, the
[pam_unix.so module][] authenticates okay but requires the password to
be changed. (For example, you'll get a message like "You are required
to change your password immediately (administrator enforced)." This
behavior is undesirable for OpenBMC project defaults, and is not
tolerated by the project's current continuous integration tools.)
This change is to replace the password hash to keep the same cleartext
password but hashed with an acceptable algorithm.
Specifically, the password hash supplied in phosphor-defaults.inc is
updated to use the same password as before but encoded
with the SHA-512 algorithm. The hash was generated by the
`openssl passwd -6 0penBmc` command. This change ought to be
transparent and forward and backward compatible.
Note various meta-layers use this same hash string in
conf/local.conf.sample files. They are changed to match.
References:
[phosphor-defaults.inc]: https://github.com/openbmc/openbmc/blob/1a977b269ed437bebb9ae7810e3157746ec9174d/meta-phosphor/conf/distro/include/phosphor-defaults.inc#L245
[wikipedia passwd entry]: https://en.wikipedia.org/wiki/Passwd
[pam_unix.so module]: https://github.com/linux-pam/linux-pam/tree/master/modules/pam_unix
[MD5 hash algorithm]: https://en.wikipedia.org/wiki/MD5
Tested:
Created image with new password hash and PAM 1.5.1 and checked that
login works okay and does not require the password to be changed.
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
Change-Id: I5b189374f08ba506dbed7f8b9b991f2808cc3bc5
diff --git a/meta-ibm/recipes-phosphor/images/obmc-phosphor-image.bbappend b/meta-ibm/recipes-phosphor/images/obmc-phosphor-image.bbappend
index 45061f7..05fc303 100644
--- a/meta-ibm/recipes-phosphor/images/obmc-phosphor-image.bbappend
+++ b/meta-ibm/recipes-phosphor/images/obmc-phosphor-image.bbappend
@@ -36,10 +36,8 @@
# Override defaults from meta-phosphor/conf/distro/include/phosphor-defaults.inc
inherit extrausers
-# The password hash used here is the traditional 0penBmc password.
-
#IBM_EXTRA_USERS_PARAMS += " \
-# usermod -p '\$1\$UGMqyqdG\$FZiylVFmRRfl9Z0Ue8G7e/' root; \
+# usermod -p ${DEFAULT_OPENBMC_PASSWORD} root; \
# "
# Add group "wheel" (before adding the "service" account).
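Review bot: The commented-out root line now reads `usermod -p ${DEFAULT_OPENBMC_PASSWORD} root;` with the single quotes dropped, and the comment that said which password the hash encodes is deleted, so nothing in this file tells a reader where the variable is defined or whether its value already carries the quoting and `\$` escaping the old literal had. Anyone re-enabling this block will copy it as is. Suggest either keeping a one-line comment that names the file defining DEFAULT_OPENBMC_PASSWORD and states that the value is already quoted, or deleting the commented-out block altogether.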
@@ -50,13 +48,13 @@
# Add the "admin" account.
IBM_EXTRA_USERS_PARAMS += " \
useradd -M -d / --groups priv-admin,redfish,web -s /sbin/nologin admin; \
- usermod -p '\$1\$UGMqyqdG\$FZiylVFmRRfl9Z0Ue8G7e/' admin; \
+ usermod -p ${DEFAULT_OPENBMC_PASSWORD} admin; \
"
# Add the "service" account.
IBM_EXTRA_USERS_PARAMS += " \
useradd -M -d / --groups priv-admin,redfish,web,wheel service; \
- usermod -p '\$1\$UGMqyqdG\$FZiylVFmRRfl9Z0Ue8G7e/' service; \
+ usermod -p ${DEFAULT_OPENBMC_PASSWORD} service; \
"
# This is recipe specific to ensure it takes effect.
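Review bot: In the admin and service blocks, `usermod -p ${DEFAULT_OPENBMC_PASSWORD} admin;` and the matching service line pass the hash unquoted, where the removed lines wrapped it in single quotes with each `$` escaped. A SHA-512 crypt string produced by `openssl passwd -6` has the form `$6$salt$hash`, so unless the variable's definition (not visible in this diff) supplies its own quotes and escapes, the shell that runs these commands would expand the `$` fields and write a mangled hash into /etc/shadow, leaving the account without a usable password. Please confirm the definition includes the quoting and say so in a comment here, or quote at the point of use in both blocks.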