[yocto] problem adding a user

Rudolf Streif rudolf.streif at ibeeto.com
Tue May 21 05:37:23 PDT 2019


Greg,

usermod does not work for the MD5 algorithm with the explicit password hash
as it contains the $ field delimiters which are interpreted by the shell
executing the usermod command. Use single quotes around the password hash:

usermod -p '${SAKURA_PASS}' ${SAKURA_USER};

:rjs
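
What the shell does to the hash under each quoting style, as an added example that is not part of the original message. The helper names `seen_by_usermod`, `password_arg` and `looks_like_crypt` are hypothetical, the two hashes are the ones quoted in the thread, and a child `sh` stands in (as an assumption) for the shell that runs the usermod command during the build.

```shell
#!/bin/sh
# Hashes as quoted in the thread.
MD5_HASH='$1$QVO3K6Ii$fvkoDKnlzz3d5uVoL7KcM0'  # openssl passwd -1 "Distracted"
DES_HASH='WRsDFfg1BsrDM'                       # traditional crypt, contains no '$'

# seen_by_usermod QUOTE HASH  (hypothetical helper)
# Build the command text as it looks once the hash has been substituted into
# it, with QUOTE ('' for none, '"' or "'") around the hash. A child shell then
# parses the text and prints the argument count and each argument in brackets.
seen_by_usermod() {
    text="usermod -p ${1}${2}${1} sakura"
    sh -c 'show() { printf "%d:" "$#"; printf "[%s]" "$@"; }; show '"$text"
}

# password_arg QUOTE HASH: the word that ends up right after -p.
password_arg() {
    out=$(seen_by_usermod "$1" "$2")
    out=${out#*\[-p\]\[}    # drop everything up to the word after -p
    out=${out%%\]*}         # drop everything from its closing bracket on
    printf '%s' "$out"
}

# looks_like_crypt STRING: succeed only if STRING has the shape of a crypt(3)
# hash, either $id$salt$hash or 13 characters of the traditional alphabet.
looks_like_crypt() {
    case "$1" in
        \$?*\$?*\$?*) return 0 ;;
    esac
    [ "${#1}" -eq 13 ] || return 1
    case "$1" in
        *[!./0-9A-Za-z]*) return 1 ;;
    esac
    return 0
}

# Show all three quoting styles for the MD5 hash, then the unquoted DES hash.
for q in '' '"' "'"; do
    arg=$(password_arg "$q" "$MD5_HASH")
    if looks_like_crypt "$arg"; then verdict=ok; else verdict=REJECT; fi
    printf '%-40s -p gets [%s] %s\n' "$(seen_by_usermod "$q" "$MD5_HASH")" "$arg" "$verdict"
done
printf '%s\n' "$(seen_by_usermod '' "$DES_HASH")"
```

With no quotes the hash expands to nothing, `sakura` becomes the `-p` value and no LOGIN is left, which matches the `-p sakura]` log line and usage error quoted in the thread; with double quotes `-p` receives an empty string. `DES_HASH` passes through unquoted because it contains no `$`.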

On Mon, May 20, 2019, 11:55 Greg Wilson-Lindberg <GWilson at sakuraus.com>
wrote:

> Hi Rudolf,
>
> I've had more time to work with this and I'm still having problems getting
> everything to work properly. I've attached the image recipe that I'm
> using so I don't leave anything out that may be relevant.
>
> When I build with a password that is no more than 8 characters long
> and no non-alphabetic characters:
>
> SAKURA_PASSWD = "Distract"
> SAKURA_PASS = "WRsDFfg1BsrDM"
>
> everything works correctly.
>
> I first tried that using the `openssl ...` form, and then I tried the
> -1, MD5 BSD form and had problems, so I changed to doing the openssl
> on the command line and making sure that I don't have any characters
> that display as '.' or '/'. Again, if I don't do more than 8 characters
> and no special characters everything works.
>
> When I changed to using 'Ds$tr@ct' it stopped working. The build finishes
> and the log file shows the usermod being executed correctly:
>
> NOTE: scribe: Performing usermod with [-R /home/gwilson/Qt/Qt-5.12.3/Yocto-build-RPi3/build-raspberrypi3/tmp/work/raspberrypi3-poky-linux-gnueabi/scribe/1.0-r0/rootfs -p kyNsrvS0elMWU sakura]
> NOTE: scribe: Performing usermod with [-R /home/gwilson/Qt/Qt-5.12.3/Yocto-build-RPi3/build-raspberrypi3/tmp/work/raspberrypi3-poky-linux-gnueabi/scribe/1.0-r0/rootfs -a -G sudo,dialout sakura]
>
> But when I try to sign in it doesn't work.
>
> I then tried the 10 character password 'Distracted', the build fails:
>
> NOTE: scribe: Performing usermod with [-R /home/gwilson/Qt/Qt-5.12.3/Yocto-build-RPi3/build-raspberrypi3/tmp/work/raspberrypi3-poky-linux-gnueabi/scribe/1.0-r0/rootfs -p sakura]
> Usage: usermod [options] LOGIN
>
> Options:
>   -c, --comment COMMENT         new value of the GECOS field
>   -d, --home HOME_DIR           new home directory for the user account
>   -e, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
>   -f, --inactive INACTIVE       set password inactive after expiration
>                                 to INACTIVE
>   -g, --gid GROUP               force use GROUP as new primary group
>   -G, --groups GROUPS           new list of supplementary GROUPS
>   -a, --append                  append the user to the supplemental GROUPS
>                                 mentioned by the -G option without removing
>                                 him/her from other groups
>   -h, --help                    display this help message and exit
>   -l, --login NEW_LOGIN         new value of the login name
>   -L, --lock                    lock the user account
>   -m, --move-home               move contents of the home directory to the
>                                 new location (use only with -d)
>   -o, --non-unique              allow using duplicate (non-unique) UID
>   -p, --password PASSWORD       use encrypted password for the new password
>   -P, --clear-password PASSWORD use clear password for the new password
>   -R, --root CHROOT_DIR         directory to chroot into
>   -s, --shell SHELL             new login shell for the user account
>   -u, --uid UID                 new UID for the user account
>   -U, --unlock                  unlock the user account
>   -v, --add-subuids FIRST-LAST  add range of subordinate uids
>   -V, --del-subuids FIRST-LAST  remove range of subordinate uids
>   -w, --add-subgids FIRST-LAST  add range of subordinate gids
>   -W, --del-subgids FIRST-LAST  remove range of subordinate gids
>
> ERROR: scribe: usermod command did not succeed.
>
> So, even though I'm putting in the openssl output:
> openssl passwd -1 "Distracted"
> $1$QVO3K6Ii$fvkoDKnlzz3d5uVoL7KcM0
>
> that I get back from what should be a valid run of openssl, I don't see anything
> from the password on the usermod command line:
>  "...linux-gnueabi/scribe/1.0-r0/rootfs -p sakura]"
>
> I don't understand why the short passwords and passing along the proper hash works,
> but not the longer password.
>
> It also doesn't make sense that I can't put in the '$' & '@' characters and
> have them work.
>
> Any suggestions would be greatly appreciated.
>
> Greg
>
> ------------------------------
> *From:* Rudolf Streif <rudolf.streif at ibeeto.com>
> *Sent:* Wednesday, May 15, 2019 4:58:26 PM
> *To:* Greg Wilson-Lindberg
> *Cc:* Yocto list discussion
> *Subject:* Re: [yocto] problem adding a user
>
> Glad to hear that it works now. I am planning on attending the YP DevDay.
>
> :rjs
>
> On Wed, May 15, 2019, 13:53 Greg Wilson-Lindberg <GWilson at sakuraus.com>
> wrote:
>
>> Thank you very much, that got me back on the right path.
>>
>> Maybe I'll see you at the Yocto day at the Embedded Linux Conference.
>>
>> Regards,
>>
>> *Greg Wilson-Lindberg  *
>>
>> *Principal Firmware Engineer | Sakura Finetek USA, Inc.  *
>>
>>
>>
>> 1750 W 214th Street | Torrance, CA 90501 | U.S.A.
>>
>> T: +1 310 783 5075
>>
>> F: +1 310 618 6902 | E: gwilson at sakuraus.com
>>
>> www.sakuraus.com
>>
>> ------------------------------
>>
>>
>> *From:* Rudolf J Streif [mailto:rudolf.streif at ibeeto.com]
>> *Sent:* Wednesday, May 15, 2019 01:30 PM
>> *To:* Greg Wilson-Lindberg <GWilson at sakuraus.com>; Yocto list discussion
>> <yocto at yoctoproject.org>
>> *Subject:* Re: [yocto] problem adding a user
>>
>>
>>
>> Instead of
>>
>>
>>
>> useradd -p `openssl passwd test` sakura
>>
>>
>>
>> which attempts to add the user and set the password which fails if the
>> user already exists, use
>>
>>
>>
>> usermod -p `openssl passwd test` sakura
>>
>>
>>
>> which sets the user's password.
>>
>>
>>
>> :rjs
>>
>>
>>
>> On 5/15/19 1:18 PM, Greg Wilson-Lindberg wrote:
>>
>> Ok, I had been using the useradd class in a couple of other recipes to
>> allow me to copy files to the sakura user directory and another location,
>> but owned by sakura. That seems to have been what was causing the problem.
>>
>>
>>
>> I had been using the extrausers class in my top level image recipe.
>>
>>
>> So now how do I get all of this to work together? Do I need to put
>> everything that touches the sakura user in the same recipe? It seems that I
>> need to use only one of the useradd or extrausers classes?
>>
>>
>>
>> Greg
>> ------------------------------
>>
>> *From:* Rudolf J Streif <rudolf.streif at ibeeto.com>
>> *Sent:* Wednesday, May 15, 2019 12:31 PM
>> *To:* Greg Wilson-Lindberg; Yocto list discussion
>> *Subject:* Re: [yocto] problem adding a user
>>
>>
>>
>> The ! for the password in /etc/shadow indicates that the account is
>> disabled:
>>
>> sakura:!:18031:0:99999:7:::
>>
>>
>>
>> Either there is something wrong with the password generation or it gets
>> disabled by something else. Maybe it's worth trying with a plain image
>> without Boot2Qt or anything else.
>>
>>
>>
>> :rjs
>>
>>
>>
>>
>>
>> On 5/15/19 11:46 AM, Greg Wilson-Lindberg wrote:
>>
>> Hi Rudolf,
>>
>> 1st, yes I inherit extrausers. Attached are the passwd & shadow files.
>>
>>
>>
>> It shouldn't make any difference, but I'm building this for an RPi3 using
>> the Qt Boot2Qt version of the Yocto environment, distro 2.5.3.
>>
>>
>>
>> Greg
>> ------------------------------
>>
>> *From:* Rudolf J Streif <rudolf.streif at ibeeto.com>
>> *Sent:* Wednesday, May 15, 2019 11:26 AM
>> *To:* Greg Wilson-Lindberg; Yocto list discussion
>> *Subject:* Re: [yocto] problem adding a user
>>
>>
>>
>> Hi Greg,
>>
>>
>>
>> > I've also tried both the back-quote and the single-quote, no difference.
>>
>>
>>
>> Help me to understand this. The back-quotes are the right ones. If you
>> use the single ones your password in the /etc/shadow ends up being 'openssl
>> passwd test' (without the quotes), unless the build fails because of a
>> parsing error (I have not tried it). Silly question, you did inherit
>> extrausers class?
>>
>>
>>
>> Can you post your /etc/passwd and /etc/shadow
>>
>>
>>
>> I am surprised that this does not work with your setup. I have been doing
>> this a gazillion times always with success.
>>
>>
>>
>> :rjs
>>
>>
>>
>>
>>
>>
>>
>> On 5/15/19 11:03 AM, Greg Wilson-Lindberg wrote:
>>
>> Hi Rudolf,
>>
>> Thanks for the reply, and the information on how openssl works.
>>
>>
>>
>> I'm trying to create a user with the same group name so the code that I'm
>> using reduces to:
>>
>> EXTRA_USERS_PARAMS = "\
>>     useradd -p `openssl passwd test` sakura; \
>>     usermod -a -G sudo ${SAKURA_USER}; \
>>     "
>>
>> I also, as you can see, removed the macros to eliminate as much confusion
>> as possible.
>>
>>
>>
>> I still can't log in using the password 'test'.
>>
>>
>>
>> I've also tried both the back-quote and the single-quote, no difference.
>>
>> Regards,
>>
>>
>>
>> Greg
>> ------------------------------
>>
>> *From:* Rudolf J Streif <rudolf.streif at ibeeto.com>
>> *Sent:* Wednesday, May 15, 2019 10:07:47 AM
>> *To:* Greg Wilson-Lindberg; Yocto list discussion
>> *Subject:* Re: [yocto] problem adding a user
>>
>>
>>
>> Hi Greg,
>>
>> Well, I suppose I wrote the book you are referring to...
>>
>>
>> Using
>>
>> useradd -p PASSWORD USER
>>
>> takes the password hash for PASSWORD hence the use of openssl in:
>>
>> useradd -p `openssl passwd PASSWORD` USER
>>
>> openssl password creates the password hash using the original crypt hash
>> algorithm if no other options are specified. e.g.
>>
>> $ openssl passwd hello
>> 6hEsTksgRkeiI
>>
>> With this the first two characters of the output are the salt and the
>> rest is the password hash. If you want openssl to create the same result
>> again:
>>
>> $ openssl passwd -salt "6h" hello
>> 6hEsTksgRkeiI
>>
>> You can use newer algorithms like MD5 based BSD password algorithm 1:
>>
>> $ openssl passwd -1 hello
>> $1$4Mu8Fcs.$eIKgPP7RCYrb3lFZjhADA1
>>
>> $1 : password algorithm 1
>> $4Mu8Fcs. : salt
>> $eIKgPP7RCYrb3lFZjhADA1 : password hash
>>
>>
>> If you log into the system you have to use the clear password. The
>> system reads the salt, creates the password hash and compares the results.
>>
>>
>> :rjs
>>
>>
>> On 5/14/19 5:34 PM, Greg Wilson-Lindberg wrote:
>> > I'm trying to use the example in "Embedded Linux Systems with the Yocto
>> > Project" to add a user to my Yocto build. In the book the sample code:
>> >
>> >     useradd -p `openssl passwd ${DEV_PASSWORD}` developer; \
>> >
>> > uses openssl to generate the encrypted password string to pass to
>> > useradd. I have never been able to get this to work. When I run the openssl
>> > command on the cmd line I get a different value every time, this seems
>> > wrong. How can the password code compare against it if every encode
>> > produces a different value?
>> >
>> > I am getting the user added to the system, the home directory shows up
>> > and the user is in the passwd and group files. I just can't log in to the
>> > account.
>> >
>> > I've obviously got something confused, any help would be appreciated.
>> >
>> > Greg Wilson-Lindberg
>> >
>>
>> --
>> -----
>> Rudolf J Streif
>> CEO/CTO ibeeto
>> +1.855.442.3396 x700
>>
>>