Set root password with SHA512?

Set root password with SHA512?

[Juha Vuorivirta]

[-- Attachment #1: Type: text/plain, Size: 540 bytes --]

I'm able to set the root password in /etc/shadow with adding
ROOTFS_POSTPROCESS_COMMAND to .bb file. It seems that only DES works
(yocto/oe-core etc. layers are pretty old though). Is it possible to enable
SHA512 hashing for root password?
Just replacing DES password with SHA512 is not enough, could not log in
even password hash is correct in /etc/shadow file. Noticed that DES is
default encryption method(in recipes-extended/shadow/...), how can I set it
to SHA512, or is it even possible with this older set up?

br,


jv

[-- Attachment #2: Type: text/html, Size: 618 bytes --]

Re: Set root password with SHA512?

[Mark Hatle]

On 10/28/15 3:07 AM, Juha Vuorivirta wrote:
> I'm able to set the root password in /etc/shadow with adding
> ROOTFS_POSTPROCESS_COMMAND to .bb file. It seems that only DES works
> (yocto/oe-core etc. layers are pretty old though). Is it possible to enable
> SHA512 hashing for root password?
> Just replacing DES password with SHA512 is not enough, could not log in even
> password hash is correct in /etc/shadow file. Noticed that DES is default
> encryption method(in recipes-extended/shadow/...), how can I set it to SHA512,
> or is it even possible with this older set up?

If you are using PAM, you should be able to adjust the settings to enable SHA512
passwords.

I've not done it in a while, but this page might help you find the right settings.

https://wiki.archlinux.org/index.php/SHA_password_hashes

If you find things not working, please let us know.... it likely means they are
not using PAM and using their own password validation.

--Mark

> br,
> 
> 
> jv
> 
> 

Re: Set root password with SHA512?

[Paul Eggleton]

On Wednesday 28 October 2015 10:07:31 Juha Vuorivirta wrote:
> I'm able to set the root password in /etc/shadow with adding
> ROOTFS_POSTPROCESS_COMMAND to .bb file. It seems that only DES works
> (yocto/oe-core etc. layers are pretty old though). Is it possible to enable
> SHA512 hashing for root password?
> Just replacing DES password with SHA512 is not enough, could not log in
> even password hash is correct in /etc/shadow file. Noticed that DES is
> default encryption method(in recipes-extended/shadow/...), how can I set it
> to SHA512, or is it even possible with this older set up?

Not sure if this is relevant, but since you mention you're on an old release I 
recall fixing something relating to this a while back:

  http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=68fbbd1008a76d78c7cef141dc06696d27fe2d0c

The first release to have this fix in it was 1.6 (daisy).

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre

Re: Set root password with SHA512?

[Paul Eggleton]

(Adding mailing list back onto CC)

I believe that was another issue that got solved a bit more recently:

http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=c38fee231b42b9123dd1fd102235eac6240ba4c8

Cheers,
Paul

On Thursday 29 October 2015 11:55:48 Juha Vuorivirta wrote:
> Thank you for answers, I got it working with Paul's fix by adding that line
> to the .bbappend file. One notice though, without debug-tweaks this does
> not work.
> 
> br,
> 
> jv
> 
> 2015-10-28 16:38 GMT+02:00 Paul Eggleton <paul.eggleton@linux.intel.com>:
> > On Wednesday 28 October 2015 10:07:31 Juha Vuorivirta wrote:
> > > I'm able to set the root password in /etc/shadow with adding
> > > ROOTFS_POSTPROCESS_COMMAND to .bb file. It seems that only DES works
> > > (yocto/oe-core etc. layers are pretty old though). Is it possible to
> > 
> > enable
> > 
> > > SHA512 hashing for root password?
> > > Just replacing DES password with SHA512 is not enough, could not log in
> > > even password hash is correct in /etc/shadow file. Noticed that DES is
> > > default encryption method(in recipes-extended/shadow/...), how can I set
> > 
> > it
> > 
> > > to SHA512, or is it even possible with this older set up?
> > 
> > Not sure if this is relevant, but since you mention you're on an old
> > release I
> > recall fixing something relating to this a while back:
> > 
> > 
> > http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=68fbbd1008a76d78
> > c7cef141dc06696d27fe2d0c
> > 
> > The first release to have this fix in it was 1.6 (daisy).
> > 
> > Cheers,
> > Paul
> > 
> > --
> > 
> > Paul Eggleton
> > Intel Open Source Technology Centre

-- 

Paul Eggleton
Intel Open Source Technology Centre