1

We are adding password to root user. Following is the addition to the conf files.

INHERIT += "extrausers"
EXTRA_USERS_PARAMS = "usermod -p $(openssl passwd abcd1234) root"

The above two lines perform the job for us. But the problem is everyone reading the configuration file can know that the password is "abcd1234".

Is there any other way to store the password securely in the configuration or what is the best way to deal in case. We have thousands of devices running embedded Linux, if some one able to get the root password he can easily access all the devices as the password is same. What is the best way to deal this situation

mrSaraf
  • 123
  • 1
  • 13
md.jamal
  • 4,067
  • 8
  • 45
  • 108

2 Answers2

4

The Alexander's answer is the best practice.

In case that you really need to have the password in your configuration, you can at least store the encrypted variant (take the output of openssl in your example, but I would use some stronger algorithm), i.e.:

EXTRA_USERS_PARAMS = "\
    usermod -p '\$6\$ca1gxiMTHxfATDYV\$PpXt8OeIiBY8xJX1qh66Sq1oC5tIthrhzo9dq6ILerp.vg7xdkHpLGbM.PKgh./r2J1lkSmHXT2Xhq/ZKr0XF.' root; \
"

Note the escaping of $ (and any other special characters if present), because the encrypted password is interpreted by shell. (There is real password in the example above, but it is a very weak one.)

BTW did I mention that Alexander's answer is the best practice ;-)?

Tomas Novotny
  • 1,771
  • 9
  • 11
  • How did you get this value. When I run 'openssl passwd abcd1234', I get different values each time – md.jamal Feb 13 '19 at 05:52
  • 1
    That's expected: read https://en.wikipedia.org/wiki/Salt_(cryptography). Oh, and I want to stress again that password authentication is not the best practice. – Alexander Kanavin Feb 13 '19 at 10:23
  • 1
    In addition to Alexander's comment: I'm using SHA-512 based method for password hashing. Your `openssl passwd` command defaults to DES-based method. To create SHA-512 on command line: https://unix.stackexchange.com/questions/52108/how-to-create-sha512-password-hashes-on-command-line – Tomas Novotny Feb 13 '19 at 13:10
  • @AlexanderKanavin. How to provide more security when we login physically to root user without network – md.jamal Feb 19 '19 at 03:36
  • I need more details - what do you mean by 'login physically'? What is the scenario? – Alexander Kanavin Feb 19 '19 at 08:51
  • If someone has physical access to the machine. Connect keyboard over USB and display to HDMI, he needs login to root user right – md.jamal Feb 19 '19 at 09:07
  • If that is inside some kind of development lab, I wouldn't bother with a root password. If someone has physical access, they can do anything they want with the hardware anyway. – Alexander Kanavin Apr 01 '19 at 10:17
2

Don't use the password authentication at all; if you are accessing the devices with ssh, some kind of public key authentication (maybe combined with host authentication) is better. Read the 'Authentication' section in man ssh.

Alexander Kanavin
  • 531
  • 2
  • 7