From: Felix Moessbauer
To: isar-users@googlegroups.com
Cc: jan.kiszka@siemens.com, daniel.bovensiepen@siemens.com, henning.schild@siemens.com, venkata.pyla@toshiba-tsip.com, Felix Moessbauer
Subject: [PATCH v2 05/10] generate deterministic clear-text password hash
Date: Thu, 12 Jan 2023 05:56:14 +0000
Message-Id: <20230112055619.843445-6-felix.moessbauer@siemens.com>
In-Reply-To: <20230112055619.843445-1-felix.moessbauer@siemens.com>
References: <20230112055619.843445-1-felix.moessbauer@siemens.com>

This patch changes how we derive the hashed password of a user that is
created using the clear-text-password flag.

Previously, the clear-text password was directly input into chpasswd.
However, chpasswd internally creates a 16-character random salt. This
breaks the reproducibility.

Instead of letting chpasswd create the hashed password string, we now
create it manually by deriving the salt from the SOURCE_DATE_EPOCH
variable. This is technically done using the host openssl tool. As
openssl is a transitive dependency of sbuild, we do not need to add it
explicitly to the host-tools.

In case SOURCE_DATE_EPOCH is not set, chpasswd is used directly to
create the salt.

Signed-off-by: Felix Moessbauer
---
 meta/classes/image-account-extension.bbclass | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/meta/classes/image-account-extension.bbclass b/meta/classes/image-account-extension.bbclass
index 70950a7..bb173b1 100644
--- a/meta/classes/image-account-extension.bbclass
+++ b/meta/classes/image-account-extension.bbclass
@@ -253,7 +253,15 @@ image_postprocess_accounts() { if [ -n "$password" -o "${flags}" != "${flags%*,allow-empty-password,*}" ]; then chpasswd_args="-e" if [ "${flags}" != "${flags%*,clear-text-password,*}" ]; then - chpasswd_args="" + # chpasswd adds a random salt when running against a clear-text password. + # For reproducible images, we manually generate the password and use the + # SOURCE_DATE_EPOCH to generate the salt in a deterministic way. + if [ -z "${SOURCE_DATE_EPOCH}"]; then + chpasswd_args="" + else + salt="$(echo "${SOURCE_DATE_EPOCH}" | sha256sum -z | cut -c 1-15)" + password="$(openssl passwd -6 -salt $salt "$password")" + fi fi printf '%s:%s' "$name" "$password" | sudo chroot '${ROOTFSDIR}' \ /usr/sbin/chpasswd $chpasswd_args -- 2.34.1
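Review bot: `if [ -z "${SOURCE_DATE_EPOCH}"]; then` is missing the space before `]`, so `[` receives `"…"]` as one argument and fails with "missing ]"; every clear-text-password account will then hit the error instead of taking either branch. It should read `if [ -z "${SOURCE_DATE_EPOCH}" ]; then`. Second, `openssl passwd -6 -salt $salt "$password"` passes the clear-text password as a command-line argument, where any user on the build host can read it from the process list while openssl runs; `openssl passwd` accepts `-stdin`, so `printf '%s\n' "$password" | openssl passwd -6 -salt "$salt" -stdin` keeps it off the command line (and quoting `"$salt"` costs nothing). Third, the salt is a function of SOURCE_DATE_EPOCH alone, so every account in one image shares a single salt that is predictable from the public build timestamp; sha512-crypt is still applied, but that trade-off against the purpose of a per-hash salt deserves a sentence in the commit message. Minor: the comment says "manually generate the password" where it means the password hash, and `sha256sum -z` (NUL-terminated output) is unnecessary since only the first 15 characters are taken.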
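As an added example (not the Isar project's code and not part of the patch), the following POSIX shell script reproduces the patch's deterministic-salt scheme with the two corrections a reviewer would ask for: the password is fed to `openssl passwd` on stdin instead of as an argument, and the `[ ... ]` test is spaced correctly. It also shows how a stored hash is verified by reusing its embedded salt, which is what makes the salt merely a reproducibility detail rather than a secret. Function names, the sample epoch and the sample password are constructed; the script assumes coreutils `sha256sum` and OpenSSL 1.1.1 or newer (for `passwd -6`).

```shell
#!/bin/sh
# Added example, not part of the Isar patch: a sha512-crypt hash whose salt
# is derived from SOURCE_DATE_EPOCH, with the password read from stdin.
# Function names are hypothetical; the epoch and password are constructed.

# Derive a 15-character salt from the build timestamp, as the patch does.
# sha256sum prints lowercase hex, and every hex digit is a legal crypt(3)
# salt character. The salt is deterministic, but therefore also predictable
# from the (public) build timestamp and shared by every account hashed with
# it in the same image; the hash itself is still full sha512-crypt.
derive_salt() {
    printf '%s\n' "$1" | sha256sum | cut -c 1-15
}

# Hash a clear-text password with the deterministic salt. "-6" selects
# sha512-crypt; "-stdin" keeps the password out of the process list.
hash_password() {
    epoch="$1"
    password="$2"
    salt="$(derive_salt "$epoch")"
    printf '%s\n' "$password" | openssl passwd -6 -salt "$salt" -stdin
}

# Mirror the patch's branch: without SOURCE_DATE_EPOCH the password goes to
# chpasswd unhashed (chpasswd salts it randomly); with it, the password is
# pre-hashed and chpasswd must be told so via "-e". Prints the chpasswd
# argument string and the value to feed it, separated by a tab.
prepare_for_chpasswd() {
    epoch="$1"
    password="$2"
    if [ -z "$epoch" ]; then          # space before "]" is required
        printf '%s\t%s\n' "" "$password"
    else
        printf '%s\t%s\n' "-e" "$(hash_password "$epoch" "$password")"
    fi
}

# Verify a candidate password against a stored "$6$salt$hash" string the way
# login does: reuse the embedded salt and compare the recomputed hash.
verify_password() {
    stored="$1"
    candidate="$2"
    salt="$(printf '%s' "$stored" | cut -d '$' -f 3)"
    recomputed="$(printf '%s\n' "$candidate" | openssl passwd -6 -salt "$salt" -stdin)"
    [ "$recomputed" = "$stored" ]
}

# Two builds with the same SOURCE_DATE_EPOCH must yield byte-identical hashes.
is_deterministic() {
    first="$(hash_password "$1" "$2")"
    second="$(hash_password "$1" "$2")"
    [ -n "$first" ] && [ "$first" = "$second" ]
}

# Constructed inputs; in a real build SOURCE_DATE_EPOCH is exported by the
# build system and the password comes from the account definition.
hash_password 1673503035 'constructed-password'
```

Because `verify_password` only needs the salt that is stored inside the hash, a deterministic salt does not weaken verification; what it gives up is the per-hash uniqueness that defeats precomputed tables across builds, so the choice should be a conscious one per image.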