* [Buildroot] Root password and ssh issues
From: Michael Opdenacker @ 2020-08-07 9:51 UTC
To: buildroot

Greetings,

Manuel and I have observed a strange phenomenon at least with Buildroot
2020.02.4...

When we generate a root filesystem with Dropbear for ssh, and set the
root password through BR2_TARGET_GENERIC_ROOT_PASSWD, we cannot manage
to login through ssh.

However, we can login as root on the console with this password, proving
that the password was valid. If we then use the "passwd" command from
the command line on the target to set the same password again, ssh
access starts to work!

Would you have an explanation for this behavior?

Thanks,

Michael and Manuel

--
Michael Opdenacker, CEO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

* [Buildroot] Root password and ssh issues
From: Thomas Petazzoni @ 2020-08-07 9:54 UTC
To: buildroot

On Fri, 7 Aug 2020 11:51:02 +0200
Michael Opdenacker <michael.opdenacker@bootlin.com> wrote:

> Manuel and I have observed a strange phenomenon at least with Buildroot
> 2020.02.4...
>
> When we generate a root filesystem with Dropbear for ssh, and set the
> root password through BR2_TARGET_GENERIC_ROOT_PASSWD, we cannot manage
> to login through ssh.
>
> However, we can login as root on the console with this password, proving
> that the password was valid. If we then use the "passwd" command from
> the command line on the target to set the same password again, ssh
> access starts to work!
>
> Would you have an explanation for this behavior?

What is the state of /etc/shadow with the non-working SSH login, and
then the state of /etc/shadow after resetting the password with passwd?
I think I remember some issues with the expiration date/time of the
password, or something like that.

Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

* [Buildroot] Root password and ssh issues
From: Michael Opdenacker @ 2020-08-07 10:21 UTC
To: buildroot

Hi Thomas,

Thanks for your quick reply!

> What is the state of /etc/shadow with the non-working SSH login, and
> then the state of /etc/shadow after resetting the password with passwd
> ? I think I remember some issues with the expiration date/time of the
> password, or something like that.

Here are the details

# ls -la /etc/shadow
-rw-------    1 1000     1000           190 Aug  7  2020 /etc/shadow

# cat /etc/shadow
root:$5$D1pz/P1l$JCZhyjzCCqmXbnPx7g/mBtNtSSKkMqgctsmV/zBmlR2:::::::
daemon:*:::::::
bin:*:::::::
sys:*:::::::
sync:*:::::::
mail:*:::::::
www-data:*:::::::
operator:*:::::::
nobody:*:::::::

# passwd
Changing password for root
New password:
Bad password: too short
Retype password:
passwd: password for root changed by root

# cat /etc/shadow
root:$1$SYGd3a37$u2RV/VOsLPqWznY4GR1jU.:13514::::::
daemon:*:::::::
bin:*:::::::
sys:*:::::::
sync:*:::::::
mail:*:::::::
www-data:*:::::::
operator:*:::::::
nobody:*:::::::

# ls -la /etc/shadow
-rw-------    1 1000     1000           174 Aug  7  2020 /etc/shadow

I set the password to "root" (both in "menuconfig" and then through the
"passwd" command). Only after this command can I login through ssh.

Cheers,

Michael.

--
Michael Opdenacker, CEO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

* [Buildroot] Root password and ssh issues
From: Peter Seiderer @ 2020-08-07 11:12 UTC
To: buildroot

Hello Michael,

On Fri, 7 Aug 2020 12:21:51 +0200, Michael Opdenacker <michael.opdenacker@bootlin.com> wrote:

> Hi Thomas,
>
> Thanks for your quick reply!
>
>
> > What is the state of /etc/shadow with the non-working SSH login, and
> > then the state of /etc/shadow after resetting the password with passwd
> > ? I think I remember some issues with the expiration date/time of the
> > password, or something like that.
>
>
> Here are the details
>
> # ls -la /etc/shadow
> -rw-------    1 1000     1000           190 Aug  7  2020 /etc/shadow
>
> # cat /etc/shadow
> root:$5$D1pz/P1l$JCZhyjzCCqmXbnPx7g/mBtNtSSKkMqgctsmV/zBmlR2:::::::
> daemon:*:::::::
> bin:*:::::::
> sys:*:::::::
> sync:*:::::::
> mail:*:::::::
> www-data:*:::::::
> operator:*:::::::
> nobody:*:::::::
>
> # passwd
> Changing password for root
> New password:
> Bad password: too short
> Retype password:
> passwd: password for root changed by root
>
> # cat /etc/shadow
> root:$1$SYGd3a37$u2RV/VOsLPqWznY4GR1jU.:13514::::::
> daemon:*:::::::
> bin:*:::::::
> sys:*:::::::
> sync:*:::::::
> mail:*:::::::
> www-data:*:::::::
> operator:*:::::::
> nobody:*:::::::
>
> # ls -la /etc/shadow
> -rw-------    1 1000     1000           174 Aug  7  2020 /etc/shadow
>
> I set the password the "root" (both in "menuconfig" and then through the
> "passwd" command). Only after this command can I login through ssh.
>

No problem here to login via ssh via preset password (raspberrypi4_64_defconfig with
additional dropbear enabled):

BR2_PACKAGE_DROPBEAR=y
BR2_PACKAGE_DROPBEAR_CLIENT=y
BR2_PACKAGE_DROPBEAR_DISABLE_REVERSEDNS=y
BR2_PACKAGE_DROPBEAR_SMALL=y
# BR2_PACKAGE_DROPBEAR_WTMP is not set
# BR2_PACKAGE_DROPBEAR_LASTLOG is not set
# BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO is not set
BR2_PACKAGE_DROPBEAR_LOCALOPTIONS_FILE=""

What looks strange are your /etc/shadow permissions, should give
root/root for user/group...

What is the /var/log/messages dropbear output for failure/success?

What is your config/defconfig?

Regards,
Peter

> Cheers,
>
> Michael.
>

* [Buildroot] Root password and ssh issues
From: Titouan Christophe @ 2020-08-07 11:16 UTC
To: buildroot

Hello Michael, Thomas, Peter and all,

I'm also running my test device with Buildroot 2020.02.4, dropbear and
root:root password authentication; I cannot reproduce the problem.

On 7/08/20 13:12, Peter Seiderer wrote:
> Hello Michael,
>
> On Fri, 7 Aug 2020 12:21:51 +0200, Michael Opdenacker <michael.opdenacker@bootlin.com> wrote:
>
>> Hi Thomas,
>>
>> Thanks for your quick reply!
>>
>>
>>> What is the state of /etc/shadow with the non-working SSH login, and
>>> then the state of /etc/shadow after resetting the password with passwd
>>> ? I think I remember some issues with the expiration date/time of the
>>> password, or something like that.
>>
>>
>> Here are the details
>>
>> # ls -la /etc/shadow
>> -rw-------    1 1000     1000           190 Aug  7  2020 /etc/shadow
>>
>> # cat /etc/shadow
>> root:$5$D1pz/P1l$JCZhyjzCCqmXbnPx7g/mBtNtSSKkMqgctsmV/zBmlR2:::::::

[--SNIP--]

>> # cat /etc/shadow
>> root:$1$SYGd3a37$u2RV/VOsLPqWznY4GR1jU.:13514::::::

So, when you used `passwd`, the password hashing algorithm has changed
from SHA512 ($5$) to MD5 ($1$). I found a similar issue though it dates
back to 2016, maybe that could help:
http://lists.busybox.net/pipermail/buildroot/2016-February/154348.html

>> daemon:*:::::::
>> bin:*:::::::
>> sys:*:::::::
>> sync:*:::::::
>> mail:*:::::::
>> www-data:*:::::::
>> operator:*:::::::
>> nobody:*:::::::
>>
>> # ls -la /etc/shadow
>> -rw-------    1 1000     1000           174 Aug  7  2020 /etc/shadow
>>
>> I set the password the "root" (both in "menuconfig" and then through the
>> "passwd" command). Only after this command can I login through ssh.
>>
>
> No problem here to login via ssh via preset password (raspberrypi4_64_defconfig with
> additional dropbear enabled):
>
> BR2_PACKAGE_DROPBEAR=y
> BR2_PACKAGE_DROPBEAR_CLIENT=y
> BR2_PACKAGE_DROPBEAR_DISABLE_REVERSEDNS=y
> BR2_PACKAGE_DROPBEAR_SMALL=y
> # BR2_PACKAGE_DROPBEAR_WTMP is not set
> # BR2_PACKAGE_DROPBEAR_LASTLOG is not set
> # BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO is not set
> BR2_PACKAGE_DROPBEAR_LOCALOPTIONS_FILE=""
>
> What looks strange are your /etc/shadow permissions, should give
> root/root for user/group...
>
> What is the /var/log/messages dropbear output for failure/success?
>
> What is your config/defconfig?
>
> Regards,
> Peter
>
>> Cheers,
>>
>> Michael.
>>

Best regards,

Titouan

* [Buildroot] Root password and ssh issues
From: Peter Seiderer @ 2020-08-07 11:35 UTC
To: buildroot

Hello *,

On Fri, 7 Aug 2020 13:16:56 +0200, Titouan Christophe <titouan.christophe@railnova.eu> wrote:

> Hello Michael, Thomas, Peter and all,
>
> I'm also running my test device with Buildroot 2020.02.4, dropbear and
> root:root password authentication; I cannot reproduce the problem.
>
> On 7/08/20 13:12, Peter Seiderer wrote:
> > Hello Michael,
> >
> > On Fri, 7 Aug 2020 12:21:51 +0200, Michael Opdenacker <michael.opdenacker@bootlin.com> wrote:
> >
> >> Hi Thomas,
> >>
> >> Thanks for your quick reply!
> >>
> >>
> >>> What is the state of /etc/shadow with the non-working SSH login, and
> >>> then the state of /etc/shadow after resetting the password with passwd
> >>> ? I think I remember some issues with the expiration date/time of the
> >>> password, or something like that.
> >>
> >>
> >> Here are the details
> >>
> >> # ls -la /etc/shadow
> >> -rw-------    1 1000     1000           190 Aug  7  2020 /etc/shadow
> >>
> >> # cat /etc/shadow
> >> root:$5$D1pz/P1l$JCZhyjzCCqmXbnPx7g/mBtNtSSKkMqgctsmV/zBmlR2:::::::
>
> [--SNIP--]
>
> >> # cat /etc/shadow
> >> root:$1$SYGd3a37$u2RV/VOsLPqWznY4GR1jU.:13514::::::
>
> So, when you used `passwd`, the password hashing algorithm has changed
> from SHA512 ($5$) to MD5 ($1$). I found a similar issue though it dates
> back to 2016, maybe that could help:
> http://lists.busybox.net/pipermail/buildroot/2016-February/154348.html

...and should be fixed for uclibc by commit 'package/uclibc: defconfig:
enable sha-256/512 password auth support' ([1])...

By the way, maybe it would be nice if the buildroot password hash
selection also changes the busybox default via
busybox/.config CONFIG_FEATURE_DEFAULT_PASSWD_ALGO="md5"?

Regards,
Peter

[1] https://git.buildroot.net/buildroot/commit/?id=bdd8362a88428ed1c04fc6f4bbcbf7692b2a2b39

>
> >> daemon:*:::::::
> >> bin:*:::::::
> >> sys:*:::::::
> >> sync:*:::::::
> >> mail:*:::::::
> >> www-data:*:::::::
> >> operator:*:::::::
> >> nobody:*:::::::
> >>
> >> # ls -la /etc/shadow
> >> -rw-------    1 1000     1000           174 Aug  7  2020 /etc/shadow
> >>
> >> I set the password the "root" (both in "menuconfig" and then through the
> >> "passwd" command). Only after this command can I login through ssh.
> >>
> >
> > No problem here to login via ssh via preset password (raspberrypi4_64_defconfig with
> > additional dropbear enabled):
> >
> > BR2_PACKAGE_DROPBEAR=y
> > BR2_PACKAGE_DROPBEAR_CLIENT=y
> > BR2_PACKAGE_DROPBEAR_DISABLE_REVERSEDNS=y
> > BR2_PACKAGE_DROPBEAR_SMALL=y
> > # BR2_PACKAGE_DROPBEAR_WTMP is not set
> > # BR2_PACKAGE_DROPBEAR_LASTLOG is not set
> > # BR2_PACKAGE_DROPBEAR_LEGACY_CRYPTO is not set
> > BR2_PACKAGE_DROPBEAR_LOCALOPTIONS_FILE=""
> >
> > What looks strange are your /etc/shadow permissions, should give
> > root/root for user/group...
> >
> > What is the /var/log/messages dropbear output for failure/success?
> >
> > What is your config/defconfig?
> >
> > Regards,
> > Peter
> >
> >> Cheers,
> >>
> >> Michael.
> >>
>
> Best regards,
> Titouan
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot

* [Buildroot] Root password and ssh issues
From: Michael Opdenacker @ 2020-08-07 13:41 UTC
To: buildroot

Greetings,

Thanks for these useful clarifications!

On 8/7/20 1:35 PM, Peter Seiderer wrote:
> ...and should be fixed for uclibc by commit 'package/uclibc: defconfig:
> enable sha-256/512 password auth support' ([1])...
>
> By the way, maybe it would be nice if the buildroot password hash
> selection although changes the busybox default via
> busybox/.config CONFIG_FEATURE_DEFAULT_PASSWD_ALGO="md5"?
>
> Regards,
> Peter
>
> [1] https://git.buildroot.net/buildroot/commit/?id=bdd8362a88428ed1c04fc6f4bbcbf7692b2a2b39

Right, I should have mentioned that I'm using an external uClibc
toolchain built by crosstool-ng.

Do I understand well that the trouble comes from Dropbear (not BusyBox)
supporting only MD5 in /etc/shadow, at least when built with my toolchain?

Thanks again,

Michael.

--
Michael Opdenacker, CEO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

* [Buildroot] Root password and ssh issues
From: Peter Seiderer @ 2020-08-07 13:51 UTC
To: buildroot

Hello Michael,

On Fri, 7 Aug 2020 15:41:04 +0200, Michael Opdenacker <michael.opdenacker@bootlin.com> wrote:

> Greetings,
>
> Thanks for these useful clarifications!
>
> On 8/7/20 1:35 PM, Peter Seiderer wrote:
> > ...and should be fixed for uclibc by commit 'package/uclibc: defconfig:
> > enable sha-256/512 password auth support' ([1])...
> >
> > By the way, maybe it would be nice if the buildroot password hash
> > selection although changes the busybox default via
> > busybox/.config CONFIG_FEATURE_DEFAULT_PASSWD_ALGO="md5"?
> >
> > Regards,
> > Peter
> >
> > [1] https://git.buildroot.net/buildroot/commit/?id=bdd8362a88428ed1c04fc6f4bbcbf7692b2a2b39
>
> Right, I should have mentioned that I'm using an external uClibc
> toolchain built by crosstool-ng.
>
> Do I understand well that the trouble comes from Dropbear (not BusyBox)
> supporting only MD5 in /etc/shadow, at least when built with my toolchain?

Yes, dropbear trouble, but by indirection of the used libc (here uclibc),
if possible take a look at your crosstool-ng uclibc .config file and search
for (for full support):

	UCLIBC_HAS_SHA256_CRYPT_IMPL=y
	UCLIBC_HAS_SHA512_CRYPT_IMPL=y

And adjust and rebuild accordingly...

And/or try to lower the buildroot default password hash from sha512 to sha256
in case your uclibc supports sha256 (you can check by testing ssh login after
setting the password with passwd -a sha256)...

Regards,
Peter

>
> Thanks again,
>
> Michael.
>

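Added example, not part of the original thread or of Buildroot: a POSIX sh check that compares the hash schemes found in a generated /etc/shadow with the two uClibc SHA crypt options named in the last reply, and lists accounts whose hash the target libc's crypt() could not verify. The function names and sample files are constructed for illustration, and MD5 support is assumed to be always present, since the thread shows an MD5 hash working on the affected build.

```shell
#!/bin/sh
# Added example: list accounts whose /etc/shadow hash the target's uClibc
# crypt() cannot verify. crypt(3) prefixes: $1$ MD5, $5$ SHA-256, $6$ SHA-512.

hash_scheme() {                       # $1 = second field of a shadow line
    case "$1" in
        '$1$'*) echo md5 ;;
        '$5$'*) echo sha256 ;;
        '$6$'*) echo sha512 ;;
        '')     echo none ;;          # empty field: no password set
        '*'*|'!'*) echo locked ;;     # password login disabled
        *)      echo unknown ;;
    esac
}

libc_schemes() {                      # $1 = uClibc .config
    out="md5"                         # assumption: MD5 crypt is always built
    if grep -q '^UCLIBC_HAS_SHA256_CRYPT_IMPL=y' "$1"; then out="$out sha256"; fi
    if grep -q '^UCLIBC_HAS_SHA512_CRYPT_IMPL=y' "$1"; then out="$out sha512"; fi
    echo "$out"
}

unverifiable_accounts() {             # $1 = shadow file, $2 = uClibc .config
    supported=" $(libc_schemes "$2") "
    while IFS=: read -r user hash _rest; do
        scheme=$(hash_scheme "$hash")
        case "$scheme" in none|locked) continue ;; esac
        case "$supported" in
            *" $scheme "*) ;;                  # libc crypt() can verify this hash
            *) echo "$user $scheme" ;;         # libc crypt() cannot verify it
        esac
    done < "$1"
}

demo() {                              # constructed sample files, not real hashes
    d=$(mktemp -d)
    cat > "$d/shadow" <<'EOF'
root:$5$CONSTRUCTEDSALT$CONSTRUCTEDHASH:::::::
daemon:*:::::::
admin:$1$CONSTRUCTEDSALT$CONSTRUCTEDHASH:13514::::::
EOF
    cat > "$d/uclibc.config" <<'EOF'
# UCLIBC_HAS_SHA256_CRYPT_IMPL is not set
# UCLIBC_HAS_SHA512_CRYPT_IMPL is not set
EOF
    unverifiable_accounts "$d/shadow" "$d/uclibc.config"
    rm -rf "$d"
}
demo    # prints: root sha256
```

Run against the real target/etc/shadow and the toolchain's uClibc .config, any output means a login through a libc-based verifier such as Dropbear will be rejected for that account even though the password itself is correct.
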