From: Henning Schild <henning.schild@siemens.com>
To: Felix Moessbauer <felix.moessbauer@siemens.com>
Cc: isar-users@googlegroups.com, jan.kiszka@siemens.com,
daniel.bovensiepen@siemens.com, venkata.pyla@toshiba-tsip.com
Subject: Re: [PATCH 05/11] generate deterministic clear-text password hash
Date: Wed, 11 Jan 2023 09:21:52 +0100 [thread overview]
Message-ID: <20230111092152.68342faa@md1za8fc.ad001.siemens.net> (raw)
In-Reply-To: <20230111041140.3460393-6-felix.moessbauer@siemens.com>
Am Wed, 11 Jan 2023 04:11:34 +0000
schrieb Felix Moessbauer <felix.moessbauer@siemens.com>:
> This patch changes how we derive the hashed password of a user that is
> created using the clear-text-password flag. Previously, the clear-text
> password was directly input into chpasswd. However, chpasswd
> internally creates a 16-character random salt. This breaks the
> reproducability.
>
> Instead of letting chpasswd create the hashed password string, we now
> create it manually by deriving the salt from the SOURCE_DATE_EPOCH
> variable. This is technically done using the host openssl tool. As
> openssl is a transitive dependency of sbuild, we do not need to add
> it explicitly to the host-tools.
>
> In case SOURCE_DATE_EPOCH is not set, chpasswd is used
> directly to create the salt.
>
> Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
> ---
> meta/classes/image-account-extension.bbclass | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/meta/classes/image-account-extension.bbclass
> b/meta/classes/image-account-extension.bbclass index 70950a7..bcaa9c3
> 100644 --- a/meta/classes/image-account-extension.bbclass
> +++ b/meta/classes/image-account-extension.bbclass
> @@ -253,7 +253,15 @@ image_postprocess_accounts() {
> if [ -n "$password" -o "${flags}" !=
> "${flags%*,allow-empty-password,*}" ]; then chpasswd_args="-e"
> if [ "${flags}" != "${flags%*,clear-text-password,*}" ];
> then
> - chpasswd_args=""
> + # chpasswd adds a random salt when running against a
> clean-text password.
clear-text
> + # For reproducible images, we manually generate the
> password and use the
> + # SOURCE_DATE_EPOCH to generate the salt in a
> deterministic way.
> + if [ -z "${SOURCE_DATE_EPOCH}"]; then
> + chpasswd_args=""
> + else
> + salt="$(echo "${SOURCE_DATE_EPOCH}" | sha256sum
> -z | cut -c 1-15)"
> + password="$(openssl passwd -6 -salt $salt
> "$password")"
> + fi
> fi
> printf '%s:%s' "$name" "$password" | sudo chroot
> '${ROOTFSDIR}' \ /usr/sbin/chpasswd $chpasswd_args
next prev parent reply other threads:[~2023-01-11 8:22 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-11 4:11 [PATCH 00/11] Make rootfs build reproducible Felix Moessbauer
2023-01-11 4:11 ` [PATCH 01/11] fix rebuild of rootfs_finalize task Felix Moessbauer
2023-01-11 4:11 ` [PATCH 02/11] image.bbclass: fix non-reproducible file time-stamps inside rootfs Felix Moessbauer
2023-01-11 4:11 ` [PATCH 03/11] rootfs postprocess: clean python cache Felix Moessbauer
2023-01-11 8:06 ` Henning Schild
2023-01-11 8:23 ` Moessbauer, Felix
2023-01-11 12:47 ` Henning Schild
2023-01-11 13:18 ` Moessbauer, Felix
2023-01-11 13:23 ` Jan Kiszka
2023-01-11 4:11 ` [PATCH 04/11] remove non-portable ldconfig aux-cache Felix Moessbauer
2023-01-11 8:19 ` Henning Schild
2023-01-11 8:31 ` Moessbauer, Felix
2023-01-11 12:52 ` Henning Schild
2023-01-11 4:11 ` [PATCH 05/11] generate deterministic clear-text password hash Felix Moessbauer
2023-01-11 8:21 ` Henning Schild [this message]
2023-01-11 4:11 ` [PATCH 06/11] update debian initramfs in deterministic mode Felix Moessbauer
2023-01-11 8:23 ` Henning Schild
2023-01-11 8:39 ` Moessbauer, Felix
2023-01-11 12:55 ` Henning Schild
2023-01-11 4:11 ` [PATCH 07/11] create custom " Felix Moessbauer
2023-01-11 4:11 ` [PATCH 08/11] make deb_add_changelog idempotent Felix Moessbauer
2023-01-11 4:11 ` [PATCH 09/11] deb_add_changelog: set timestamp to valid epoch Felix Moessbauer
2023-01-11 4:11 ` [PATCH 10/11] deb_add_changelog: use SOURCE_DATE_EPOCH Felix Moessbauer
2023-01-11 8:49 ` Henning Schild
2023-01-11 9:06 ` Moessbauer, Felix
2023-01-11 4:11 ` [PATCH 11/11] make custom linux-image bit-by-bit reproducible Felix Moessbauer
2023-01-11 6:51 ` [PATCH 00/11] Make rootfs build reproducible Jan Kiszka
2023-01-11 9:04 ` Venkata.Pyla
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230111092152.68342faa@md1za8fc.ad001.siemens.net \
--to=henning.schild@siemens.com \
--cc=daniel.bovensiepen@siemens.com \
--cc=felix.moessbauer@siemens.com \
--cc=isar-users@googlegroups.com \
--cc=jan.kiszka@siemens.com \
--cc=venkata.pyla@toshiba-tsip.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox