From: Felix Moessbauer
To: isar-users@googlegroups.com
Cc: jan.kiszka@siemens.com, daniel.bovensiepen@siemens.com, henning.schild@siemens.com, venkata.pyla@toshiba-tsip.com, Felix Moessbauer
Subject: [PATCH v3 05/10] generate deterministic clear-text password hash
Date: Mon, 16 Jan 2023 03:35:47 +0000
Message-Id: <20230116033552.139048-6-felix.moessbauer@siemens.com>
In-Reply-To: <20230116033552.139048-1-felix.moessbauer@siemens.com>
References: <20230116033552.139048-1-felix.moessbauer@siemens.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

This patch changes how we derive the hashed password of a user that is created using the clear-text-password flag. Previously, the clear-text password was directly input into chpasswd. However, chpasswd internally creates a 16-character random salt. This breaks the reproducibility.

Instead of letting chpasswd create the hashed password string, we now create it manually by deriving the salt from the SOURCE_DATE_EPOCH variable. This is technically done using the host openssl tool. As openssl is a transitive dependency of sbuild, we do not need to add it explicitly to the host-tools.

In case SOURCE_DATE_EPOCH is not set, chpasswd is used directly to create the salt.

Signed-off-by: Felix Moessbauer
---
 meta/classes/image-account-extension.bbclass | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/meta/classes/image-account-extension.bbclass b/meta/classes/image-account-extension.bbclass
index 70950a7..cbc20a2 100644
--- a/meta/classes/image-account-extension.bbclass
+++ b/meta/classes/image-account-extension.bbclass
@@ -253,7 +253,15 @@ image_postprocess_accounts() { if [ -n "$password" -o "${flags}" != "${flags%*,allow-empty-password,*}" ]; then chpasswd_args="-e" if [ "${flags}" != "${flags%*,clear-text-password,*}" ]; then - chpasswd_args="" + # chpasswd adds a random salt when running against a clear-text password. + # For reproducible images, we manually generate the password and use the + # SOURCE_DATE_EPOCH to generate the salt in a deterministic way. + if [ -z "${SOURCE_DATE_EPOCH}" ]; then + chpasswd_args="" + else + salt="$(echo "${SOURCE_DATE_EPOCH}" | sha256sum -z | cut -c 1-15)" + password="$(openssl passwd -6 -salt $salt "$password")" + fi fi printf '%s:%s' "$name" "$password" | sudo chroot '${ROOTFSDIR}' \ /usr/sbin/chpasswd $chpasswd_args -- 2.34.1
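Review bot: the salt in the else branch is a function of SOURCE_DATE_EPOCH alone, so every account created in one image (and every image built with the same epoch) shares a single salt, and two users with the same clear-text password end up with byte-identical `$6$` strings in /etc/shadow; mixing the account name into the digest input, e.g. `salt="$(printf '%s:%s' "${SOURCE_DATE_EPOCH}" "$name" | sha256sum | cut -c 1-15)"`, keeps the result deterministic while giving each user a distinct salt. Two smaller points on the same lines: passing "$password" as an argument to openssl exposes it in the process list for the duration of the call, whereas `printf '%s' "$password" | openssl passwd -6 -salt "$salt" -stdin` keeps it off argv, and `$salt` should be quoted like the other variables in this function. The `-z` on sha256sum only changes the output terminator to NUL and is harmless, but it is also unnecessary since cut keeps only the first 15 characters.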