From mboxrd@z Thu Jan  1 00:00:00 1970
X-GM-THRID: 7187242631035879424
X-Received: by 2002:a05:6000:1082:b0:278:e217:3941 with SMTP id y2-20020a056000108200b00278e2173941mr3014134wrw.651.1673425321915;
        Wed, 11 Jan 2023 00:22:01 -0800 (PST)
X-BeenThere: isar-users@googlegroups.com
Received: by 2002:a7b:cbd8:0:b0:3cf:afd2:ab84 with SMTP id n24-20020a7bcbd8000000b003cfafd2ab84ls185415wmi.2.-pod-control-gmail;
 Wed, 11 Jan 2023 00:22:00 -0800 (PST)
X-Google-Smtp-Source: AMrXdXtjeEDLX2wZ3a0n+x1K1lqzhz2mVWLMyd0jz1a73SdWsgErwxD1DTepszU/JjBm/LK/6QVi
X-Received: by 2002:a1c:5442:0:b0:3cf:7385:677f with SMTP id p2-20020a1c5442000000b003cf7385677fmr50248589wmi.35.1673425320799;
        Wed, 11 Jan 2023 00:22:00 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1673425320; cv=pass;
        d=google.com; s=arc-20160816;
        b=wZbSEuT6BEMJ2X90GI7HEFi0vpW/fDKqPbuAcf19fe0uc/vnjju55n+gWRiIRB9E7W
         94T+3Bo8KSsu9BVT6axEib+oqJXvOHGNDrqShA5N7cHGrla9k3KSWjsMCLaQL7wePWJI
         U1L0/M5yI14nbpWto4dRrIe0uC6dLrUYITZH4ooDJyzINeCCz+U6g8lu25Vh8yxxhhU8
         rYAp18MDD1EsmGPlBK3Zlyk83W8APIviTpVHTPevtUtTbkbBBposR63fW5fs93YLEeDq
         ra0RhIEydObMJAib7QPIk950vSP+wqPB9cHJTCvhkqUKxV77UAk5Cp41YDol5eHRISKC
         Hhsw==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=mime-version:content-transfer-encoding:references:in-reply-to
         :message-id:subject:cc:to:from:date:dkim-signature;
        bh=uYyltGkRc3UsgT/CA/+0McI4SOPxT1WRRb4MwsQVgws=;
        b=tJtm2WnUaEn+G1Ap03MCjoBC+w16cCi1LSs58DWw3srP7EL6jvKpxX6z6grVRxTwhX
         duT5XAy+6AkyXX4CJSEwb8LPr/k1TgFMV+3VVZLiqc2HsxhU/2W6zNiozUynkCInwJqS
         wiXh36SF6EoD9W8tt68+P3PSkbdY6VBn6pVCUqRepdqeFH/Phox2kOEOv5tDz5bomjr4
         0opv9pyL/xRZgfxyz4YJfwDIZ6AzKP9ZEKqpe3moXjPhrw2zBoTcbIxVl81tk18UbTxI
         ojEICl9n5QG6ogu6568eGvU5y2Hu1XzDSyEO50hkub084IVV1yLRhhooiyQ9+NnMim87
         kEGg==
ARC-Authentication-Results: i=2; gmr-mx.google.com;
       dkim=pass header.i=@siemens.com header.s=selector2 header.b=LgPx7XKR;
       arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com);
       spf=pass (google.com: domain of henning.schild@siemens.com designates 40.107.15.59 as permitted sender) smtp.mailfrom=henning.schild@siemens.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=siemens.com
Return-Path: <henning.schild@siemens.com>
Received: from EUR01-DB5-obe.outbound.protection.outlook.com (mail-db5eur01on2059.outbound.protection.outlook.com. [40.107.15.59])
        by gmr-mx.google.com with ESMTPS id bh25-20020a05600c3d1900b003d9dfe01039si188617wmb.4.2023.01.11.00.22.00
        for <isar-users@googlegroups.com>
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 11 Jan 2023 00:22:00 -0800 (PST)
Received-SPF: pass (google.com: domain of henning.schild@siemens.com designates 40.107.15.59 as permitted sender) client-ip=40.107.15.59;
Authentication-Results: gmr-mx.google.com;
       dkim=pass header.i=@siemens.com header.s=selector2 header.b=LgPx7XKR;
       arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com);
       spf=pass (google.com: domain of henning.schild@siemens.com designates 40.107.15.59 as permitted sender) smtp.mailfrom=henning.schild@siemens.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=siemens.com
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=Imgrpxip6yVOxMZAd3klYM12X0fqd7olRmVywBps3BzN0rmnGmYwv869C566mjU8Fjli5gFJtd+pU+oGgDGmLYiR/RV+cDhG84CdbK3QRNq3ApLSY5VHB+VQNULoOAAVjVitv5iBmaXK45ZWkZQjrUaNw1hH6/bJSZWXvI5CfPRE7PdydC75UDCwz9yv3SMOWnMr0Ad3m094eZHxpLtsjqRFTRrE3crf3DQDRJ4XHIKJj1dhUsYqjtgUSO6FtmAhOJl5wmh/ACetlPJYkVtknPYeOCZSwynxb5AcacwqBbyxySD3ETSiwlLaRvQ9SKAb5//xsZuffB59fKPylVVMPQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=uYyltGkRc3UsgT/CA/+0McI4SOPxT1WRRb4MwsQVgws=;
 b=FdPARbUuFuAWCyKHga9M2wGYjQDifv3Ry/xVdFXnVo67o9ugCm5T5ZeXswAu+FTQd8Jk3TsLnJCm2d3OTihONwcSww9lJLtjHhpNi0jneKT0noFn3PqHmw40M8BzAvYFPEDPxgzlGo1Exsy0aERkXKUavlb1yqdcx2h+UgOP5s1sykPk4hz9zdsOfwo+vU2uJo4Te08L2QsYdKrkVuOpTs4uvbgOGKNEW2Q6lalUK3odvY6qhzJ8G0TKHt+yrT3+JFkyqe+xGMyNZ4dWtVKwT/WoRe86kqBcTvjpDVvKLQZuhGzjoFXoff/TphWq0DC0ASFARzOzjwYiijavbp9aJA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com;
 dkim=pass header.d=siemens.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.com;
 s=selector2;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=uYyltGkRc3UsgT/CA/+0McI4SOPxT1WRRb4MwsQVgws=;
 b=LgPx7XKROPNsbJkZ9He2xCjMLDI+y27o8gDcHkyKWxAKkcD1twzy5h6arNpXc5fqTtoqPjnTJtNsSjmraoyO7JEtm7EwLWTV7kRs9bLbezpYT0cab5YRMzeabsDWFhxKLEw1RFMfNTWaR5IYLLMC6j2/HykPY9pk/K5JUZKOn2ZK/cTQlkEx9wGITPLSRCzWAerhmyYsfm0O+0fDuUtM/2rDCnk43vjwIbYLxLlA8m4UD2UaQlOp7ebI0J2YdwkL/xeOSNoYcTAN4bgu2OZkcMNvH38TTM0ucO4JzwLfVMs8CcC1ENrn7iMsVSGxCu286m+pOkc/wfEu6omKUAQlMg==
Authentication-Results: dkim=none (message not signed)
 header.d=none;dmarc=none action=none header.from=siemens.com;
Received: from PA4PR10MB5780.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:102:269::8)
 by DB9PR10MB7986.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:3d6::16) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6002.13; Wed, 11 Jan
 2023 08:21:59 +0000
Received: from PA4PR10MB5780.EURPRD10.PROD.OUTLOOK.COM
 ([fe80::bdf0:fdeb:f955:bc79]) by PA4PR10MB5780.EURPRD10.PROD.OUTLOOK.COM
 ([fe80::bdf0:fdeb:f955:bc79%4]) with mapi id 15.20.6002.012; Wed, 11 Jan 2023
 08:21:59 +0000
Date: Wed, 11 Jan 2023 09:21:52 +0100
From: Henning Schild <henning.schild@siemens.com>
To: Felix Moessbauer <felix.moessbauer@siemens.com>
Cc: isar-users@googlegroups.com, jan.kiszka@siemens.com,
 daniel.bovensiepen@siemens.com, venkata.pyla@toshiba-tsip.com
Subject: Re: [PATCH 05/11] generate deterministic clear-text password hash
Message-ID: <20230111092152.68342faa@md1za8fc.ad001.siemens.net>
In-Reply-To: <20230111041140.3460393-6-felix.moessbauer@siemens.com>
References: <20230111041140.3460393-1-felix.moessbauer@siemens.com>
	<20230111041140.3460393-6-felix.moessbauer@siemens.com>
X-Mailer: Claws Mail 4.1.0 (GTK 3.24.35; x86_64-pc-linux-gnu)
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-ClientProxiedBy: CH0PR03CA0395.namprd03.prod.outlook.com
 (2603:10b6:610:11b::12) To PA4PR10MB5780.EURPRD10.PROD.OUTLOOK.COM
 (2603:10a6:102:269::8)
Return-Path: henning.schild@siemens.com
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: PA4PR10MB5780:EE_|DB9PR10MB7986:EE_
X-MS-Office365-Filtering-Correlation-Id: d2f33c9f-a9eb-4ffa-77fc-08daf3ace8cf
X-LD-Processed: 38ae3bcd-9579-4fd4-adda-b42e1495d55a,ExtAddr
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info:
	GiQqfzAzOaGfSu9vuX487fQNCD166jjqL1iNiKhPUOQVSULGCWwBkG2feXqemNRxjIKHSe6eq43yKZt+by7zqe+efnp0UgT1BE1ducIO5TDYtRGo4/qVn7PyPui1WwrtVfWkgTn9P0CBKScFaFLd6tAU5IXd3FqpXmGxJ3fwAbER82o3BJQjXUZQqlWc2lbuNHHnEMZkYJDQOTJ+wgsDraHvl1NhPFKgrb2dY05vjmTTOb/E5Fi86AnoPn8eIz/kR9q3AUh+0OZ7ohZa5zZ/pB2OExASVuWXdD6GIQp0anvQZ7Q+RIU+2ghd0xIRUfy28Aij/6HI0oZsJusd1UW6pROw7ktcPsDq6IEunG2HTx/EdHe61C8P0lKhS7KFGf9DP3I/73XlnGCL2Dv34VDSNV8+irZvo2YTD6f+88HX53EsIg2BZ1Cvs08/MKmHVKCkO4cUwfIJnjugzTRKF+fAkU45fUl18PL3x6PHQVMzpiDreA82/SBRx0GyZRDJVBFKC3vYFW9Nq4KqPvLXuO4OwD7UJQTSUiCQwEF58n8NuRfY6hHx4/bGyRUQbzTnU6ixzSa5Tb5Ok9tAFrcvsLJoXRkKrxiOB6tahKwPc+uYfgEwo51dgJFi+TMFAo6P5prjAOwZQ7kxK91RbpcZJjX/yQ==
X-Forefront-Antispam-Report:
	CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PA4PR10MB5780.EURPRD10.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230022)(4636009)(376002)(366004)(39860400002)(396003)(346002)(136003)(451199015)(82960400001)(9686003)(478600001)(6486002)(41300700001)(38100700002)(6512007)(1076003)(86362001)(6636002)(316002)(186003)(66556008)(66476007)(66946007)(8676002)(4326008)(5660300002)(6666004)(6506007)(2906002)(44832011)(83380400001)(8936002)(6862004);DIR:OUT;SFP:1101;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0:
	=?us-ascii?Q?zLcwXOMBxgTJb4DlrjESEytJk5zx86XcocIXEDbZzz8P0rWXSj7to9K1XJFj?=
 =?us-ascii?Q?U2YuaQ8l3b6ZlrlDVXXl1s8EDGEaRnLQlezfVUP2msxZ121UUXs9lDq8kAod?=
 =?us-ascii?Q?vJYWJ2ldY3QoEoqcq1QlUFHvAp1Jhn2e/EoFBmHlYDdrosXgCtOt0dcOdcOg?=
 =?us-ascii?Q?CRZc/EJlauYGOKwGrKGEcdDilGvzonRszqBsLuybFcqplCuDl+pOavu2t5hZ?=
 =?us-ascii?Q?VkEkciw/yyh+vnV2nJpPrHdY5ESmsQp/6Wa8Bo+kFNlYaC/QKyYoJIPAJfz1?=
 =?us-ascii?Q?9dkyV33OzbmP8BrpntEgJ1ackGIyOOKvetmg5WOHNO8aWGPUveEcnpH8Fiw5?=
 =?us-ascii?Q?z8CjJwAmDawXR5Yo0QiBkU1X/W+kbDy1sb6KRtRDHkwgYGbikT1W/nTqYVCc?=
 =?us-ascii?Q?63bxMsZsi0t1Vo+2OYkXjBhsEiwRQFgQBkTOq0plcd360F8SpxlF5dE/ShEZ?=
 =?us-ascii?Q?FgLUHm+FQI9D/j5pY2uXcm9ZKEb8dm7k6UGRQz7TR4qDVOnu+OfB5dhwTyNn?=
 =?us-ascii?Q?NQtxHzIlxA+AvVrEtV2fP79zdSObHOmSEClKoLaQymBi4EQbJIAwvO20oNLN?=
 =?us-ascii?Q?zY7PGSLn7W/hP62nSvrHuV8q2iToI/z3YNYPpcnzfffY8U2Kh0kj2AjSqmAu?=
 =?us-ascii?Q?kymw3fx1cGYo5FN40A0KzLKp/Lza8lo0/GsTOPwd9tG8LyY7lHzvSmxz61kf?=
 =?us-ascii?Q?oT8iNiZJV4mIfwgATfm8j4MnH5DkqPgtgfKPG5duUT+4GqF1F5HF2kTn9vIo?=
 =?us-ascii?Q?gtyvH948QpeXEy6JgS2slUt2uS44ueoPVBWlsqQTdKMJzoFFSAEOoJzolA0n?=
 =?us-ascii?Q?Tsb3pZVJ0snxyh8bBEJI9pS8PNOo3nw6PReTIlRcLHnK7mwy8QmSjfX8nWFs?=
 =?us-ascii?Q?Q0I2S1qf1A1ua8BdFj4Kl52KkAvNxh47tzCDJaeIpfbH0KIBzguVnU6IaA5p?=
 =?us-ascii?Q?J49orUGM7Ymba+P4c/L2FsF94ZqN1bMSo3yjODoGM8eykwGYllYxVM1gQov8?=
 =?us-ascii?Q?/qGMDDoN1rIBS9Yx3x6ox0thQYZ8tw++GC6sxAREQi3aCGLYTfyt04yRDZdD?=
 =?us-ascii?Q?seD+W/w3ZLX+q/KxHqL+zWlwMAh800CQLlARvcchat3vniaQV7H41dCH3kW4?=
 =?us-ascii?Q?71nLFIGYUmL0OKtnPfNCoMBny++Sy9g5+AM4cFdWVWX9COLcscyLx5GmDoak?=
 =?us-ascii?Q?u8+ErG71r381aSGO6xSfAUnhhXWyoLpj2khyU8E4+y6rTqKWMiNvUVvUejFw?=
 =?us-ascii?Q?+ip2cqa985L9HvzjXjc/zVsOrSz0AS/0/EGIQhQJ1n15C+xBwmvBFJHc9Lea?=
 =?us-ascii?Q?OgERkLWm/c8SKrJmLhDfR94qT/vMLnHGh7mcok8vQrIiInuQKwQ6YLc8y0mS?=
 =?us-ascii?Q?jtyA9tHt+spQtcHkADaUn35cIWDBzS323i456KU3DtHV9wABS1Xdad1oguW6?=
 =?us-ascii?Q?oC8R9a1Fd/ItPD31P7f3O6lsL4+dUDrclmyT/tNfs1TwobETLN7nAGNjesrk?=
 =?us-ascii?Q?1+QbEovOryETizUKO4VmAWLeV9l6kM/kFX5RR9jA7ChtQGgSJI2o87/aafZQ?=
 =?us-ascii?Q?5r0CjmlrelSQsLqebW2qSdCw+1RlLbdnNgVRS0Cqv27CNb35BLve3zXZ3VoQ?=
 =?us-ascii?Q?ZEUKnpPDqJO7hupk2VEBusf6pT649wbb0SFmutwZVsI4nOyLfxeyW0w0uIjg?=
 =?us-ascii?Q?hqJEkA=3D=3D?=
X-OriginatorOrg: siemens.com
X-MS-Exchange-CrossTenant-Network-Message-Id: d2f33c9f-a9eb-4ffa-77fc-08daf3ace8cf
X-MS-Exchange-CrossTenant-AuthSource: PA4PR10MB5780.EURPRD10.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 11 Jan 2023 08:21:59.5476
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: mHBXGPPKigOjig3DbAEqQ+EHM5OJU6Pa0Xorj0pqQwYguzM7CR36qJYcNs3nNcWpwulw5g21oRKCuYCWYkufS4T2kKdH6GeUUboYtOmVVkU=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB9PR10MB7986
X-TUID: uJ6GioDDZwE3

Am Wed, 11 Jan 2023 04:11:34 +0000
schrieb Felix Moessbauer <felix.moessbauer@siemens.com>:

> This patch changes how we derive the hashed password of a user that is
> created using the clear-text-password flag. Previously, the clear-text
> password was directly input into chpasswd. However, chpasswd
> internally creates a 16-character random salt. This breaks the
> reproducability.
> 
> Instead of letting chpasswd create the hashed password string, we now
> create it manually by deriving the salt from the SOURCE_DATE_EPOCH
> variable. This is technically done using the host openssl tool. As
> openssl is a transitive dependency of sbuild, we do not need to add
> it explicitly to the host-tools.
> 
> In case SOURCE_DATE_EPOCH is not set, chpasswd is used
> directly to create the salt.
> 
> Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
> ---
>  meta/classes/image-account-extension.bbclass | 10 +++++++++-
>  1 file changed, 9 insertions(+), 1 deletion(-)
> 
> diff --git a/meta/classes/image-account-extension.bbclass
> b/meta/classes/image-account-extension.bbclass index 70950a7..bcaa9c3
> 100644 --- a/meta/classes/image-account-extension.bbclass
> +++ b/meta/classes/image-account-extension.bbclass
> @@ -253,7 +253,15 @@ image_postprocess_accounts() {
>          if [ -n "$password" -o "${flags}" !=
> "${flags%*,allow-empty-password,*}" ]; then chpasswd_args="-e"
>              if [ "${flags}" != "${flags%*,clear-text-password,*}" ];
> then
> -                chpasswd_args=""
> +                # chpasswd adds a random salt when running against a
> clean-text password.

clear-text

> +                # For reproducible images, we manually generate the
> password and use the
> +                # SOURCE_DATE_EPOCH to generate the salt in a
> deterministic way.
> +                if [ -z "${SOURCE_DATE_EPOCH}"]; then
> +                    chpasswd_args=""
> +                else
> +                    salt="$(echo "${SOURCE_DATE_EPOCH}" | sha256sum
> -z | cut -c 1-15)"
> +                    password="$(openssl passwd -6 -salt $salt
> "$password")"
> +                fi
>              fi
>              printf '%s:%s' "$name" "$password" | sudo chroot
> '${ROOTFSDIR}' \ /usr/sbin/chpasswd $chpasswd_args