[yocto] problem adding a user
Greg Wilson-Lindberg
GWilson at sakuraus.com
Fri May 24 11:45:32 PDT 2019
Hi Khem,
> -----Original Message-----
> From: Khem Raj [mailto:raj.khem at gmail.com]
> Sent: Thursday, May 23, 2019 07:11 PM
> To: Rudolf Streif <rudolf.streif at ibeeto.com>; Greg Wilson-Lindberg
> <GWilson at sakuraus.com>
> Cc: Yocto list discussion <yocto at yoctoproject.org>
> Subject: Re: [yocto] problem adding a user
>
>
>
> On 5/23/19 1:40 PM, Rudolf Streif wrote:
> > Greg,
> >
> > It eluded me earlier but in both instances the variable containing the
> > password does not seem to be expanded.
> >
> > First version without the single quotes:
> >
> > SAKURA_PASS = "$1$QVO3K6Ii$fvkoDKnlzz3d5uVoL7KcM0"
> >
> > EXTRA_USERS_PARAMS = "\
> > usermod -p ${SAKURA_PASS} ${SAKURA_USER}; \
> > usermod -a -G sudo,dialout ${SAKURA_USER}; \
> > "
> > results in:
> >
> > NOTE: scribe: Performing usermod with [-R /home/gwilson/Qt/Qt-5.12.3/Yocto-build-RPi3/build-raspberrypi3/tmp/work/raspberrypi3-poky-linux-gnueabi/scribe/1.0-r0/rootfs -p sakura]
> >
> > and with the quotes:
> >
> > SAKURA_PASS = "$1$QVO3K6Ii$fvkoDKnlzz3d5uVoL7KcM0"
> >
> > EXTRA_USERS_PARAMS = "\
> > usermod -p '${SAKURA_PASS}' ${SAKURA_USER}; \
> > usermod -a -G sudo,dialout ${SAKURA_USER}; \
> > "
> > results in:
> > NOTE: scribe: Performing usermod with [-R /home/gwilson/Qt/Qt-5.12.3/Yocto-build-RPi3/build-raspberrypi3/tmp/work/raspberrypi3-poky-linux-gnueabi/scribe/1.0-r0/rootfs -p '' sakura]
> >
> > It looks as if the variable SAKURA_PASS is not set at all. I looked at
> > your scribe.bb recipe you attached earlier but I
> > could not find any reason why the variable is not set. Is there a
> > chance that it is overridden somewhere else?
> >
>
>
> This is correct, with one small nit: we need to escape some characters which have
> special meaning for the shell, e.g. $
>
> e.g. in local.conf something like below
>
> INHERIT += "extrausers"
>
> EXTRA_USERS_PARAMS += "\
> useradd sakura; \
> usermod -p '\$1\$QVO3K6Ii\$fvkoDKnlzz3d5uVoL7KcM0' sakura; \
> "
>
> might work as you expect.
This does leave the hash in the usermod command line finally.
So it is possible to pass MD5 hashes through if the '$' are escaped. I can't use non-alphabetic
characters, i.e. replace 's' with '$' and 'a' with '@'; I can't log in with those changes. But MD5 hashes
of alphabetic-only passwords work for the cases that I have tested. I can also pass the escaped
hash in to usermod as a macro.
It looks like I've got something that I can work with.
Thanks to all for the help that you have so kindly given,
Greg
>
> > :rjs
> >
> >
> > On Wed, May 22, 2019 at 1:28 PM Greg Wilson-Lindberg
> > <GWilson at sakuraus.com> wrote:
> >
> > Rudolf,
> >
> > Here is the first half of the file, the whole file is over the 500k
> > limit of free pastebin:
> >
> > https://pastebin.com/UcnKebce
> >
> >
> > And here is the 2nd half of the file:
> >
> > https://pastebin.com/9117tdUU
> >
> >
> > Greg
> >
> > ------------------------------------------------------------------------
> > *From:* Rudolf Streif <rudolf.streif at ibeeto.com>
> > *Sent:* Wednesday, May 22, 2019 12:42:40 PM
> > *To:* Greg Wilson-Lindberg
> > *Cc:* Yocto list discussion
> > *Subject:* Re: [yocto] problem adding a user
> > Greg,
> > Can you share the logfile via Pastebin?
> > :rjs
> >
> > On Tue, May 21, 2019 at 11:09 AM Greg Wilson-Lindberg
> > <GWilson at sakuraus.com> wrote:
> >
> > Rudolf,
> >
> > Something else is happening to me. I changed to this in the
> > image recipe:
> >
> > SAKURA_USER = "sakura"
> >
> > SAKURA_PASSWD = "Distracted"
> > SAKURA_PASS = "$1$QVO3K6Ii$fvkoDKnlzz3d5uVoL7KcM0"
> >
> > EXTRA_USERS_PARAMS = "\
> > usermod -p '${SAKURA_PASS}' ${SAKURA_USER}; \
> > usermod -a -G sudo,dialout ${SAKURA_USER}; \
> > "
> >
> > deleting all of the commented out lines, and I get this in the
> > log file:
> >
> >
> > ..../scribe/1.0-r0/rootfs -p '' sakura]
> >
> >
> > nothing between the single quotes. It's acting like SAKURA_PASS
> > is not defined.
> >
> > This is only happening when I'm trying the MD5 password.
> >
> >
> > Greg
> >
> > ------------------------------------------------------------------------
> > *From:* Rudolf Streif <rudolf.streif at ibeeto.com>
> > *Sent:* Tuesday, May 21, 2019 5:37:23 AM
> > *To:* Greg Wilson-Lindberg
> > *Cc:* Yocto list discussion
> > *Subject:* Re: [yocto] problem adding a user
> > Greg,
> >
> > usermod does not work for the MD5 algorithm with the explicit
> > password hash as it contains the $ field delimiters which are
> > interpreted by the shell executing the usermod command. Use
> > single quotes around the password hash:
> >
> > usermod -p '${SAKURA_PASS}' ${SAKURA_USER};
> >
> > :rjs
> >
> > On Mon, May 20, 2019, 11:55 Greg Wilson-Lindberg
> > <GWilson at sakuraus.com> wrote:
> >
> > Hi Rudolf,
> >
> > I've had more time to work with this and I'm still having problems getting
> > everything to work properly. I've attached the image recipe that I'm
> > using so I don't leave anything out that may be relevant.
> >
> > When I build with a password that is no more than 8 characters long
> > and no non-alphabetic characters:
> >
> > SAKURA_PASSWD = "Distract"
> > SAKURA_PASS = "WRsDFfg1BsrDM"
> >
> > everything works correctly.
> >
> > I first tried that using the `openssl ...` form, and then I tried the
> > -1, MD5 BSD form and had problems, so I changed to doing the openssl
> > on the command line and making sure that I don't have any characters
> > that display as '.' or '/'. Again, if I don't do more than 8 characters
> > and no special characters everything works.
> >
> > When I changed to using 'Ds$tr@ct' it stopped working. The build finishes
> > and the log file shows the usermod being executed correctly:
> >
> > NOTE: scribe: Performing usermod with [-R /home/gwilson/Qt/Qt-5.12.3/Yocto-build-RPi3/build-raspberrypi3/tmp/work/raspberrypi3-poky-linux-gnueabi/scribe/1.0-r0/rootfs -p kyNsrvS0elMWU sakura]
> > NOTE: scribe: Performing usermod with [-R /home/gwilson/Qt/Qt-5.12.3/Yocto-build-RPi3/build-raspberrypi3/tmp/work/raspberrypi3-poky-linux-gnueabi/scribe/1.0-r0/rootfs -a -G sudo,dialout sakura]
> >
> > But when I try to sign in it doesn't work.
> >
> > I then tried the 10 character password 'Distracted', the build fails:
> >
> > NOTE: scribe: Performing usermod with [-R /home/gwilson/Qt/Qt-5.12.3/Yocto-build-RPi3/build-raspberrypi3/tmp/work/raspberrypi3-poky-linux-gnueabi/scribe/1.0-r0/rootfs -p sakura]
> > Usage: usermod [options] LOGIN
> >
> > Options:
> >   -c, --comment COMMENT         new value of the GECOS field
> >   -d, --home HOME_DIR           new home directory for the user account
> >   -e, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
> >   -f, --inactive INACTIVE       set password inactive after expiration
> >                                 to INACTIVE
> >   -g, --gid GROUP               force use GROUP as new primary group
> >   -G, --groups GROUPS           new list of supplementary GROUPS
> >   -a, --append                  append the user to the supplemental GROUPS
> >                                 mentioned by the -G option without removing
> >                                 him/her from other groups
> >   -h, --help                    display this help message and exit
> >   -l, --login NEW_LOGIN         new value of the login name
> >   -L, --lock                    lock the user account
> >   -m, --move-home               move contents of the home directory to the
> >                                 new location (use only with -d)
> >   -o, --non-unique              allow using duplicate (non-unique) UID
> >   -p, --password PASSWORD       use encrypted password for the new password
> >   -P, --clear-password PASSWORD use clear password for the new password
> >   -R, --root CHROOT_DIR         directory to chroot into
> >   -s, --shell SHELL             new login shell for the user account
> >   -u, --uid UID                 new UID for the user account
> >   -U, --unlock                  unlock the user account
> >   -v, --add-subuids FIRST-LAST  add range of subordinate uids
> >   -V, --del-subuids FIRST-LAST  remove range of subordinate uids
> >   -w, --add-subgids FIRST-LAST  add range of subordinate gids
> >   -W, --del-subgids FIRST-LAST  remove range of subordinate gids
> >
> > ERROR: scribe: usermod command did not succeed.
> >
> > So, even though I'm putting in the openssl output:
> > openssl passwd -1 "Distracted"
> > $1$QVO3K6Ii$fvkoDKnlzz3d5uVoL7KcM0
> >
> > that I get back from what should be a valid run of openssl, I don't see anything
> > from the password on the usermod command line:
> > "...linux-gnueabi/scribe/1.0-r0/rootfs -p sakura]"
> >
> > I don't understand why the short passwords and passing along the proper hash works,
> > but not the longer password.
> >
> > It also doesn't make sense that I can't put in the '$' & '@' characters and
> > have them work.
> >
> > Any suggestions would be greatly appreciated.
> >
> > Greg
> >
> > ------------------------------------------------------------------------
> > *From:* Rudolf Streif <rudolf.streif at ibeeto.com>
> > *Sent:* Wednesday, May 15, 2019 4:58:26 PM
> > *To:* Greg Wilson-Lindberg
> > *Cc:* Yocto list discussion
> > *Subject:* Re: [yocto] problem adding a user
> > Glad to hear that it works now. I am planning on attending
> > the YP DevDay.
> >
> > :rjs
> >
> > On Wed, May 15, 2019, 13:53 Greg Wilson-Lindberg
> > <GWilson at sakuraus.com> wrote:
> >
> > Thank you very much, that got me back on the right path.
> >
> > Maybe I'll see you at the Yocto day at the Embedded Linux Conference.
> >
> > Regards,
> >
> > *Greg Wilson-Lindberg*
> > *Principal Firmware Engineer | Sakura Finetek USA, Inc.*
> >
> > 1750 W 214th Street | Torrance, CA 90501 | U.S.A.
> > T: +1 310 783 5075
> > F: +1 310 618 6902 | E: gwilson at sakuraus.com
> > www.sakuraus.com
> >
> > ------------------------------------------------------------------------
> >
> > *From:* Rudolf J Streif [mailto:rudolf.streif at ibeeto.com]
> > *Sent:* Wednesday, May 15, 2019 01:30 PM
> > *To:* Greg Wilson-Lindberg <GWilson at sakuraus.com>; Yocto list discussion <yocto at yoctoproject.org>
> > *Subject:* Re: [yocto] problem adding a user
> >
> > Instead of
> >
> > useradd -p `openssl passwd test` sakura
> >
> > which attempts to add the user and set the password
> > which fails if the user already exists, use
> >
> > usermod -p `openssl passwd test` sakura
> >
> > which sets the user's password.
> >
> > :rjs
> >
> > On 5/15/19 1:18 PM, Greg Wilson-Lindberg wrote:
> >
> > Ok, I had been using the useradd class in a couple
> > of other recipes to allow me to copy files to the
> > sakura user directory and another location, but
> > owned by sakura. That seems to have been what was
> > causing the problem.
> >
> > I had been using the extrausers class in my
> > top level image recipe.
> >
> > So now how do I get all of this to work together? Do
> > I need to put everything that touches the sakura
> > user in the same recipe? It seems that I need to use
> > only one of the useradd or extrausers classes?
> >
> > Greg
> >
> >
> > ------------------------------------------------------------------------
> >
> > *From:* Rudolf J Streif <rudolf.streif at ibeeto.com>
> > *Sent:* Wednesday, May 15, 2019 12:31 PM
> > *To:* Greg Wilson-Lindberg; Yocto list discussion
> > *Subject:* Re: [yocto] problem adding a user
> >
> > The ! for the password in /etc/shadow indicates that
> > the account is disabled:
> >
> > sakura:!:18031:0:99999:7:::
> >
> > Either there is something wrong with the password
> > generation or it gets disabled by something else.
> > Maybe it's worth trying with a plain image without
> > Boot2Qt or anything else.
> >
> > :rjs
> >
> > On 5/15/19 11:46 AM, Greg Wilson-Lindberg wrote:
> >
> > Hi Rudolf,
> >
> > 1st, yes I inherit extrausers. Attached are the
> > passwd & shadow files.
> >
> > It shouldn't make any difference, but I'm
> > building this for an RPi3 using the Qt Boot2Qt
> > version of the Yocto environment, distro
> > 2.5.3.
> >
> > Greg
> >
> >
> > ------------------------------------------------------------------------
> >
> > *From:* Rudolf J Streif <rudolf.streif at ibeeto.com>
> > *Sent:* Wednesday, May 15, 2019 11:26 AM
> > *To:* Greg Wilson-Lindberg; Yocto list discussion
> > *Subject:* Re: [yocto] problem adding a user
> >
> > Hi Greg,
> >
> > > I've also tried both the back-quote and the
> > > single-quote, no difference.
> >
> > Help me to understand this. The back-quotes are
> > the right ones. If you use the single ones your
> > password in the /etc/shadow ends up being
> > 'openssl passwd test' (without the quotes),
> > unless the build fails because of a parsing
> > error (I have not tried it). Silly question, you
> > did inherit extrausers class?
> >
> > Can you post your /etc/passwd and
> > /etc/shadow?
> >
> > I am surprised that this does not work with your
> > setup. I have been doing this a gazillion times
> > always with success.
> >
> > :rjs
> >
> > On 5/15/19 11:03 AM, Greg Wilson-Lindberg wrote:
> >
> > Hi Rudolf,
> >
> > Thanks for the reply, and the information on
> > how openssl works.
> >
> > I'm trying to create a user with the same
> > group name so the code that I'm using
> > reduces to:
> >
> > EXTRA_USERS_PARAMS = "\
> > useradd -p `openssl passwd test` sakura; \
> > usermod -a -G sudo ${SAKURA_USER}; \
> > "
> >
> > I also, as you can see, removed the macros
> > to eliminate as much confusion as
> > possible.
> >
> > I still can't log in using
> > the password 'test'.
> >
> > I've also tried both the back-quote and the
> > single-quote, no difference.
> >
> > Regards,
> >
> > Greg
> >
> >
> > ------------------------------------------------------------------------
> >
> > *From:* Rudolf J Streif <rudolf.streif at ibeeto.com>
> > *Sent:* Wednesday, May 15, 2019 10:07:47 AM
> > *To:* Greg Wilson-Lindberg; Yocto list discussion
> > *Subject:* Re: [yocto] problem adding a user
> >
> > Hi Greg,
> >
> > Well, I suppose I wrote the book you are
> > referring to...
> >
> >
> > Using
> >
> > useradd -p PASSWORD USER
> >
> > takes the password hash for PASSWORD hence
> > the use of openssl in:
> >
> > useradd -p `openssl passwd PASSWORD` USER
> >
> > openssl passwd creates the password hash
> > using the original crypt hash
> > algorithm if no other options are specified.
> > e.g.
> >
> > $ openssl passwd hello
> > 6hEsTksgRkeiI
> >
> > With this the first two characters of the
> > output are the salt and the
> > rest is the password hash. If you want
> > openssl to create the same result
> > again:
> >
> > $ openssl passwd -salt "6h" hello
> > 6hEsTksgRkeiI
> >
> > You can use newer algorithms like MD5 based
> > BSD password algorithm 1:
> >
> > $ openssl passwd -1 hello
> > $1$4Mu8Fcs.$eIKgPP7RCYrb3lFZjhADA1
> >
> > $1 : password algorithm 1
> > $4Mu8Fcs. : salt
> > $eIKgPP7RCYrb3lFZjhADA1 : password hash
> >
> >
> > If you log into the system you have to use
> > the clear password. The
> > system reads the salt, creates the password
> > hash and compares the results.
> >
> >
> > :rjs
> >
> >
> > On 5/14/19 5:34 PM, Greg Wilson-Lindberg wrote:
> > > I'm trying to use the example in "Embedded Linux Systems with the Yocto Project"
> > > to add a user to my Yocto build. In the book the sample code:
> > >
> > > useradd -p `openssl passwd ${DEV_PASSWORD}` developer; \
> > >
> > > uses openssl to generate the encrypted password string to pass to useradd. I have
> > > never been able to get this to work. When I run the openssl
> > > command on the cmd line I get a different value every time, this seems wrong. How
> > > can the password code compare against it if every encode
> > > produces a different value?
> > >
> > > I am getting the user added to the system, the home directory shows up and the
> > > user is in the passwd and group files. I just can't log in to the
> > > account.
> > >
> > > I've obviously got something confused, any help would be appreciated.
> > >
> > > Greg Wilson-Lindberg
> > >
> >
> > --
> > -----
> > Rudolf J Streif
> > CEO/CTO ibeeto
> > +1.855.442.3396 x700
> >
> > --
> > Rudolf J Streif
> > CEO/CTO
> > ibeeto, Streif Enterprises Inc.
> >
> >
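
Why the hash disappeared from the usermod command line, as an added example that is not part of the original thread and not code from the extrausers class. It assumes the command text is pasted inside double quotes in a generated shell script, uses the two hashes quoted in the thread as constructed input, and the helper names `shell_sees`, `escape_dollars` and `needs_escape` are hypothetical.

```sh
#!/bin/sh
# Added illustration (not from the thread). Assumption: the command text is
# pasted inside double quotes in a generated shell script before usermod runs.

# Hashes quoted in the thread, kept literal here with single quotes.
MD5_HASH='$1$QVO3K6Ii$fvkoDKnlzz3d5uVoL7KcM0'
DES_HASH='WRsDFfg1BsrDM'

# shell_sees TEXT: print TEXT after one pass of double-quote expansion.
# TEXT is eval'ed, so pass only trusted text without '"' or backticks.
shell_sees() {
    _text=$1
    set --                     # no positional parameters, so $1 is empty
    eval "_out=\"$_text\""
    printf '%s\n' "$_out"
}

# escape_dollars TEXT: prefix every '$' with a backslash.
escape_dollars() {
    printf '%s\n' "$1" | sed 's/\$/\\$/g'
}

# needs_escape TEXT: succeed if TEXT holds an unescaped '$' that the shell
# would read as the start of a parameter name ($1, $QVO3K6Ii, ...).
needs_escape() {
    printf '%s\n' "$1" | grep -Eq '(^|[^\\])\$[A-Za-z0-9_]'
}

# Compare the DES hash, the raw MD5 hash and the escaped MD5 hash.
for h in "$DES_HASH" "$MD5_HASH" "$(escape_dollars "$MD5_HASH")"; do
    cmd="usermod -p '$h' sakura"
    if needs_escape "$cmd"; then verdict="hash will be lost"; else verdict="ok"; fi
    printf '%-52s -> %s  [%s]\n' "$cmd" "$(shell_sees "$cmd")" "$verdict"
done
```

The single quotes around the hash do not help in this model because they sit inside the outer double quotes, which is consistent with the `-p '' sakura` line in the build log; the crypt hash passes through unchanged because it contains no `$`.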