[yocto] problem adding a user

Greg Wilson-Lindberg GWilson at sakuraus.com
Mon May 20 11:54:58 PDT 2019


Hi Rudolf,

I've had more time to work with this and I'm still having problems getting
everything to work properly. I've attached the image recipe that I'm
using so I don't leave anything out that may be relevant.

When I build with a password that is no more than 8 characters long
and no non-alphabetic characters:

SAKURA_PASSWD = "Distract"
SAKURA_PASS = "WRsDFfg1BsrDM"


everything works correctly.

I first tried that using the `openssl ...` form, and then I tried the
-1, MD5 BSD form and had problems, so I changed to doing the openssl
on the command line and making sure that I don't have any characters
that display as '.' or '/'. Again, if I don't do more than 8 characters
and no special characters everything works.

When I changed to using 'Ds$tr@ct' it stopped working. The build finishes
and the log file shows the usermod being executed correctly:

NOTE: scribe: Performing usermod with [-R /home/gwilson/Qt/Qt-5.12.3/Yocto-build-RPi3/build-raspberrypi3/tmp/work/raspberrypi3-poky-linux-gnueabi/scribe/1.0-r0/rootfs -p kyNsrvS0elMWU sakura]
NOTE: scribe: Performing usermod with [-R /home/gwilson/Qt/Qt-5.12.3/Yocto-build-RPi3/build-raspberrypi3/tmp/work/raspberrypi3-poky-linux-gnueabi/scribe/1.0-r0/rootfs -a -G sudo,dialout sakura]

But when I try to sign in it doesn't work.

I then tried the 10 character password 'Distracted', the build fails:

NOTE: scribe: Performing usermod with [-R /home/gwilson/Qt/Qt-5.12.3/Yocto-build-RPi3/build-raspberrypi3/tmp/work/raspberrypi3-poky-linux-gnueabi/scribe/1.0-r0/rootfs -p sakura]
Usage: usermod [options] LOGIN

Options:
  -c, --comment COMMENT         new value of the GECOS field
  -d, --home HOME_DIR           new home directory for the user account
  -e, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -f, --inactive INACTIVE       set password inactive after expiration
                                to INACTIVE
  -g, --gid GROUP               force use GROUP as new primary group
  -G, --groups GROUPS           new list of supplementary GROUPS
  -a, --append                  append the user to the supplemental GROUPS
                                mentioned by the -G option without removing
                                him/her from other groups
  -h, --help                    display this help message and exit
  -l, --login NEW_LOGIN         new value of the login name
  -L, --lock                    lock the user account
  -m, --move-home               move contents of the home directory to the
                                new location (use only with -d)
  -o, --non-unique              allow using duplicate (non-unique) UID
  -p, --password PASSWORD       use encrypted password for the new password
  -P, --clear-password PASSWORD use clear password for the new password
  -R, --root CHROOT_DIR         directory to chroot into
  -s, --shell SHELL             new login shell for the user account
  -u, --uid UID                 new UID for the user account
  -U, --unlock                  unlock the user account
  -v, --add-subuids FIRST-LAST  add range of subordinate uids
  -V, --del-subuids FIRST-LAST  remove range of subordinate uids
  -w, --add-subgids FIRST-LAST  add range of subordinate gids
  -W, --del-subgids FIRST-LAST  remove range of subordinate gids

ERROR: scribe: usermod command did not succeed.

So, even though I'm putting in the openssl output:
openssl passwd -1 "Distracted"
$1$QVO3K6Ii$fvkoDKnlzz3d5uVoL7KcM0

that I get back from what should be a valid run of openssl, I don't see anything
from the password on the usermod command line:
 "...linux-gnueabi/scribe/1.0-r0/rootfs -p sakura]"

I don't understand why the short passwords and passing along the proper hash works,
but not the longer password.

It also doesn't make sense that I can't put in the '$' & '@' characters and
have them work.

Any suggestions would be greatly appreciated.

Greg


________________________________
From: Rudolf Streif <rudolf.streif at ibeeto.com>
Sent: Wednesday, May 15, 2019 4:58:26 PM
To: Greg Wilson-Lindberg
Cc: Yocto list discussion
Subject: Re: [yocto] problem adding a user

Glad to hear that it works now. I am planning on attending the YP DevDay.

:rjs

On Wed, May 15, 2019, 13:53 Greg Wilson-Lindberg <GWilson at sakuraus.com> wrote:
Thank you very much, that got me back on the right path.
Maybe I'll see you at the Yocto day at the Embedded Linux Conference.
Regards,


Greg Wilson-Lindberg




From: Rudolf J Streif <rudolf.streif at ibeeto.com>
Sent: Wednesday, May 15, 2019 01:30 PM
To: Greg Wilson-Lindberg <GWilson at sakuraus.com>; Yocto list discussion <yocto at yoctoproject.org>
Subject: Re: [yocto] problem adding a user


Instead of



useradd -p `openssl passwd test` sakura



which attempts to add the user and set the password which fails if the user already exists, use



usermod -p `openssl passwd test` sakura



which sets the user's password.



:rjs


On 5/15/19 1:18 PM, Greg Wilson-Lindberg wrote:

Ok, I had been using the useradd class in a couple of other recipes to allow me to copy files to the sakura user directory and another location, but owned by sakura. That seems to have been what was causing the problem.



I had been using the extrausers class in my top level image recipe.

So now how do I get all of this to work together? Do I need to put everything that touches the sakura user in the same recipe? It seems that I need to use only one of the useradd or extrausers classes?

Greg
________________________________
From: Rudolf J Streif <rudolf.streif at ibeeto.com>
Sent: Wednesday, May 15, 2019 12:31 PM
To: Greg Wilson-Lindberg; Yocto list discussion
Subject: Re: [yocto] problem adding a user


The ! for the password in /etc/shadow indicates that the account is disabled:

sakura:!:18031:0:99999:7:::



Either there is something wrong with the password generation or it gets disabled by something else. Maybe it's worth trying with a plain image without Boot2Qt or anything else.



:rjs




On 5/15/19 11:46 AM, Greg Wilson-Lindberg wrote:

Hi Rudolf,

1st, yes I inherit extrausers. Attached are the passwd & shadow files.



It shouldn't make any difference, but I'm building this for an RPi3 using the Qt Boot2Qt version of the Yocto environment, distro 2.5.3.


Greg
________________________________
From: Rudolf J Streif <rudolf.streif at ibeeto.com>
Sent: Wednesday, May 15, 2019 11:26 AM
To: Greg Wilson-Lindberg; Yocto list discussion
Subject: Re: [yocto] problem adding a user


Hi Greg,



> I've also tried both the back-quote and the single-quote, no difference.



Help me to understand this. The back-quotes are the right ones. If you use the single ones your password in the /etc/shadow ends up being 'openssl passwd test' (without the quotes), unless the build fails because of a parsing error (I have not tried it). Silly question, you did inherit extrausers class?



Can you post your /etc/passwd and /etc/shadow?



I am surprised that this does not work with your setup. I have been doing this a gazillion times always with success.



:rjs






On 5/15/19 11:03 AM, Greg Wilson-Lindberg wrote:

Hi Rudolf,

Thanks for the reply, and the information on how openssl works.



I'm trying to create a user with the same group name so the code that I'm using reduces to:

EXTRA_USERS_PARAMS = "\
    useradd -p `openssl passwd test` sakura; \
    usermod -a -G sudo ${SAKURA_USER}; \
    "
I also, as you can see, removed the macros to eliminate as much confusion as possible.



I still can't log in using the password 'test'.



I've also tried both the back-quote and the single-quote, no difference.

Regards,



Greg

________________________________
From: Rudolf J Streif <rudolf.streif at ibeeto.com>
Sent: Wednesday, May 15, 2019 10:07:47 AM
To: Greg Wilson-Lindberg; Yocto list discussion
Subject: Re: [yocto] problem adding a user

Hi Greg,

Well, I suppose I wrote the book you are referring to...


Using

useradd -p PASSWORD USER

takes the password hash for PASSWORD hence the use of openssl in:

useradd -p `openssl passwd PASSWORD` USER

openssl password creates the password hash using the original crypt hash
algorithm if no other options are specified. e.g.

$ openssl passwd hello
6hEsTksgRkeiI

With this the first two characters of the output are the salt and the
rest is the password hash. If you want openssl to create the same result
again:

$ openssl passwd -salt "6h" hello
6hEsTksgRkeiI

You can use newer algorithms like MD5 based BSD password algorithm 1:

$ openssl passwd -1 hello
$1$4Mu8Fcs.$eIKgPP7RCYrb3lFZjhADA1

$1 : password algorithm 1
$4Mu8Fcs. : salt
$eIKgPP7RCYrb3lFZjhADA1 : password hash


If you log into the system you have to use the clear password. The
system reads the salt, creates the password hash and compares the results.


:rjs


On 5/14/19 5:34 PM, Greg Wilson-Lindberg wrote:
> I'm trying to use the example in "Embedded Linux Systems with the Yocto Project" to add a user to my Yocto build. In the book the sample code:
>
>     useradd -p `openssl passwd ${DEV_PASSWORD}` developer; \
>
> uses openssl to generate the encrypted password string to pass to useradd. I have never been able to get this to work. When I run the openssl
> command on the cmd line I get a different value every time, this seems wrong. How can the password code compare against it if every encode
> produces a different value?
>
> I am getting the user added to the system, the home directory shows up and the user is in the passwd and group files. I just can't login to the
> account.
>
> I've obviously got something confused, any help would be appreciated.
>
> Greg Wilson-Lindberg
>

--
-----
Rudolf J Streif
CEO/CTO ibeeto
+1.855.442.3396 x700

-------------- next part --------------
A non-text attachment was scrubbed...
Name: scribe.bb
Type: application/octet-stream
Size: 4611 bytes
Desc: scribe.bb
URL: <http://lists.yoctoproject.org/pipermail/yocto/attachments/20190520/f19aaf62/attachment-0001.obj>
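
The build log in the 20 May message shows usermod receiving "-p sakura" with no hash. The following is an added example, not part of the thread or of any Yocto code: it shows what a shell does to the '$'-delimited hash and the 'Ds$tr@ct' password from that message when the command text is evaluated unquoted, and how quoting or escaping keeps them intact. argv_seen and survives are hypothetical helpers, and it is an assumption (based on the back-quote usage in the thread) that the recipe text is evaluated by a shell.

```sh
#!/bin/sh
# Added example, not from the thread. The hash and password are the ones
# quoted in the message; the command texts around them are constructed.

# Print what a command would receive after a shell evaluates TEXT, one
# bracketed word per argument. Nothing in TEXT is executed: printf stands in
# for the command. env -i guarantees no variable named in TEXT is set.
argv_seen() {
    # "$1" here is this function's argument (TEXT), pasted into the script.
    env -i /bin/sh -c "set --; printf '[%s]' $1"
}

# Succeed only if VALUE reaches the command intact as a single argument.
survives() {
    case "$(argv_seen "$1")" in
        *"[$2]"*) return 0 ;;
        *) return 1 ;;
    esac
}

HASH='$1$QVO3K6Ii$fvkoDKnlzz3d5uVoL7KcM0'

# Bare: $1, $QVO3K6Ii and $fvko... are read as unset variables, so the whole
# word disappears and usermod is left with "-p sakura".
BARE="usermod -p $HASH sakura"
# Single-quoted or backslash-escaped: the shell passes the hash through.
QUOTED="usermod -p '$HASH' sakura"
ESCAPED='usermod -p \$1\$QVO3K6Ii\$fvkoDKnlzz3d5uVoL7KcM0 sakura'
# The same effect on a clear-text password handed to the hashing command:
# $tr expands to nothing, so a different password would be hashed.
PW_BARE='openssl passwd Ds$tr@ct'
PW_QUOTED="openssl passwd 'Ds\$tr@ct'"

for text in "$BARE" "$QUOTED" "$ESCAPED" "$PW_BARE" "$PW_QUOTED"; do
    printf '%-62s -> %s\n' "$text" "$(argv_seen "$text")"
done
```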

