From: Felix Moessbauer
To: isar-users@googlegroups.com
Cc: jan.kiszka@siemens.com, daniel.bovensiepen@siemens.com, henning.schild@siemens.com, venkata.pyla@toshiba-tsip.com, Felix Moessbauer
Subject: [PATCH 05/11] generate deterministic clear-text password hash
Date: Wed, 11 Jan 2023 04:11:34 +0000
Message-Id: <20230111041140.3460393-6-felix.moessbauer@siemens.com>
In-Reply-To: <20230111041140.3460393-1-felix.moessbauer@siemens.com>
References: <20230111041140.3460393-1-felix.moessbauer@siemens.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

This patch changes how we derive the hashed password of a user that is
created using the clear-text-password flag. Previously, the clear-text
password was directly input into chpasswd. However, chpasswd internally
creates a 16-character random salt. This breaks the reproducibility.

Instead of letting chpasswd create the hashed password string, we now
create it manually by deriving the salt from the SOURCE_DATE_EPOCH
variable. This is technically done using the host openssl tool. As
openssl is a transitive dependency of sbuild, we do not need to add it
explicitly to the host-tools.

In case SOURCE_DATE_EPOCH is not set, chpasswd is used directly to
create the salt.

Signed-off-by: Felix Moessbauer
---
 meta/classes/image-account-extension.bbclass | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/meta/classes/image-account-extension.bbclass b/meta/classes/image-account-extension.bbclass
index 70950a7..bcaa9c3 100644
--- a/meta/classes/image-account-extension.bbclass
+++ b/meta/classes/image-account-extension.bbclass
@@ -253,7 +253,15 @@ image_postprocess_accounts() { if [ -n "$password" -o "${flags}" != "${flags%*,allow-empty-password,*}" ]; then chpasswd_args="-e" if [ "${flags}" != "${flags%*,clear-text-password,*}" ]; then - chpasswd_args="" + # chpasswd adds a random salt when running against a clean-text password. + # For reproducible images, we manually generate the password and use the + # SOURCE_DATE_EPOCH to generate the salt in a deterministic way. + if [ -z "${SOURCE_DATE_EPOCH}"]; then + chpasswd_args="" + else + salt="$(echo "${SOURCE_DATE_EPOCH}" | sha256sum -z | cut -c 1-15)" + password="$(openssl passwd -6 -salt $salt "$password")" + fi fi printf '%s:%s' "$name" "$password" | sudo chroot '${ROOTFSDIR}' \ /usr/sbin/chpasswd $chpasswd_args -- 2.34.1
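Review bot: the condition `if [ -z "${SOURCE_DATE_EPOCH}"]; then` is missing the space before `]`, so the bracket is glued onto the last argument. When SOURCE_DATE_EPOCH is set, `[` reports "missing ]" and returns non-zero, and the openssl branch is taken only because of that error; when it is unset the expression degenerates to `[ -z ]`, a one-argument test that happens to be true. Write `if [ -z "${SOURCE_DATE_EPOCH}" ]; then`. Two further points in the same hunk: `openssl passwd -6 -salt $salt "$password"` places the clear-text password on the command line, where any user on the build host can read it from `ps` or /proc/*/cmdline while openssl runs; feeding it with printf to `openssl passwd -6 -salt "$salt" -stdin`, the way the chpasswd call just below already receives it, avoids that and also quotes the salt. And since the salt depends only on SOURCE_DATE_EPOCH, every account in the image, and every image built with the same epoch, gets the same salt, so identical passwords yield identical hashes; that is the price of reproducibility, but the comment should say so (and "clean-text" there should read "clear-text").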
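The salt derivation and hashing step described in the commit message, as an added stand-alone example that is not part of the isar patch or the project. It derives the salt exactly as the patch does (sha256 over "<epoch>\n", first 15 hex digits), builds the "name:hash" line that `chpasswd -e` consumes, and adds a verify step. It assumes GNU coreutils (sha256sum, cut) and OpenSSL 1.1.1 or later for `openssl passwd -6`; unlike the patch it passes the password to openssl on stdin (`-stdin`) so it never appears in the process list. The epoch and password values at the bottom are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the isar patch or project. Assumes GNU
# coreutils (sha256sum, cut) and OpenSSL >= 1.1.1 (openssl passwd -6).

# Derive a 15-character salt from SOURCE_DATE_EPOCH. This matches the
# patch: the input hashed is "<epoch>\n" and the first 15 hex digits are
# kept. Hex digits lie inside the [A-Za-z0-9./] alphabet that SHA-512
# crypt ($6$) salts must use; 16 characters is the maximum length.
derive_salt() {
    printf '%s\n' "$1" | sha256sum | cut -c 1-15
}

# Hash the password read on stdin with a fixed salt. The output is the
# crypt(3) string "$6$<salt>$<hash>" that chpasswd -e accepts unchanged.
# -stdin keeps the clear-text password out of the process's argv.
hash_password() {
    openssl passwd -6 -salt "$1" -stdin
}

# Build the "name:hash" line for chpasswd -e. Returns 1 when no epoch is
# given; a caller would then fall back to plain chpasswd, which picks a
# random salt and is therefore not reproducible.
account_line() {
    name="$1"; epoch="$2"; password="$3"
    [ -n "$epoch" ] || return 1
    salt=$(derive_salt "$epoch")
    pwhash=$(printf '%s\n' "$password" | hash_password "$salt")
    printf '%s:%s\n' "$name" "$pwhash"
}

# Check a password against a crypt string by recomputing the hash with
# the salt embedded in the string (the check login/PAM does via crypt(3)).
verify_hash() {
    pwhash="$1"; password="$2"
    salt=$(printf '%s' "$pwhash" | cut -d '$' -f 3)
    [ "$(printf '%s\n' "$password" | hash_password "$salt")" = "$pwhash" ]
}

# Demo with constructed values: the same epoch and password give the
# same chpasswd line on every run, which is what makes the image
# reproducible.
first=$(account_line root 1673410351 's3cret')
second=$(account_line root 1673410351 's3cret')
[ "$first" = "$second" ] && echo "reproducible: $first"
```

Because the salt is a pure function of the epoch, two images built with the same SOURCE_DATE_EPOCH and the same password carry identical hashes; changing the epoch by one second changes the salt and therefore the whole hash, which is the behaviour the test below checks.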