[elbe-devel] [PATCH v3 0/7] elbe: switch to hashed passwords in XML

Holger Dengler holger at hdengler.de
Thu Jun 30 08:00:00 CEST 2022


This is the v3 of the hashed password series. All patches in this series are
already reviewed, only patch 6/7 requires a review. The documentation is not
part of this series and will be covered in another series.

The Elbe XML uses plain-text passwords for root and user in the XML. At
first glance, this is not a problem, since the Elbe builds are in most cases
part of an automation and the plain-text passwords have to be generated and
documented anyway. But the XML is on the one hand also copied into the
target RFS ('/etc/elbe_base.xml') and on the other hand is part of the build
output. In both cases, an included plain-text password can be a security
risk if these results are not handled with due care. Removing the plain-text
passwords from the XML file could be a possible solution. However, to keep
the ability to rebuild the target RFS with the build output XMLs, a hashed
password must be included in the XML.

The main idea is to replace the plain text passwords in the XML with hashed
ones. With this change, the build results will be at an equivalent security
level as the password database in the target RFS ("/etc/shadow"). And it
will still be possible to rebuild the target RFS based on the build output
XMLs (e.g. source.xml).

But removing the plain-text password for root conflicts with another feature
of Elbe, the 'login' action. It is used for running post-build tests, such
as a root login on the target system. This action requires a plain text
password for root in the XML file. The solution is to specify the plain-text
password in the login element. If nothing is specified, the default is
"root".

In more detail:
---------------
- Patch 1-2/7 use a batch-mode aware tool to set the passwords. They are a
  preparation for later patches, because the 'chpasswd' command is also able
  to process hashed passwords.
- Patch 3/7 uses the value of the "login" element as password.
- Patch 4/7 replaces the "passwd" element for root with "passwd_hashed". It
  also includes the change in RFS processing.
- Patch 5/7 replaces the "passwd" attribute for adduser with "passwd_hashed".
  It also includes the change in finetuning processing.
- Patch 6/7 converts legacy XMLs in XML preprocessing. Plain-text passwords
  are replaced with hashed ones.
- Patch 7/7 converts legacy XMLs in XML preprocessing. If the XML has a
  "login" and "passwd" element, the value of "passwd" is moved to the
  "login".

Comment on the hash method used (sha512_crypt):
-----------------------------------------------
After testing a lot of releases of Debian and Ubuntu, it seems that this
method is supported by all releases that are currently supported by Elbe.
After a discussion with Bastian, we decided to stay with sha512_crypt at the
moment for the XML preprocessing. If other methods should be used in the
current version, the hashed passwords must be generated manually and added
to the XML before submitting it.

Changes since v2:
- rebase to origin/master (no merge conflicts)
- pick all Reviewed-by tags
- drop the "passwd" sub-command
- replace library crypt with passlib

Changes since v1:
- different approach
- a value in "login" element is used as plain-text password for root login
- schema: remove plain-text password element for root
- schema: remove plain-text password attribute for adduser
- no changes to the example/tests XML required

The series is also available on github:
To github.com:hdengler/elbe.git
 + 6d981dd45...6e2646838 tip3 -> tip3 (forced update)

Holger Dengler (7):
  rfs: use chpasswd for root password
  finetuning: use chpasswd for user password
  commands: check-build: move password to login value
  schema: switch to hashed password for root
  schema: switch to hashed passwords for users
  preprocess: migrate root and user passwords
  preprocess: migrate login action

 elbepack/commands/check-build.py |  5 ++---
 elbepack/finetuning.py           |  7 +++----
 elbepack/rfs.py                  |  6 +++---
 elbepack/xmlpreprocess.py        | 24 ++++++++++++++++++++++++
 schema/dbsfed.xsd                | 12 +++++++-----
 5 files changed, 39 insertions(+), 15 deletions(-)

-- 
2.36.1
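
An added example, not part of the original message or of the Elbe code base: a check that scans an Elbe XML (for instance a build-output XML or the copy in the target RFS) for leftover plain-text "passwd" fields and for "passwd_hashed" values that are not in sha512_crypt form. The function name, the sample element layout and the filler digest are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# sha512_crypt: $6$[rounds=N$]<salt, up to 16 chars>$<86-char digest>
SHA512_CRYPT = re.compile(r"\$6\$(rounds=\d+\$)?[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86}")

def _local(tag):
    """Drop an XML namespace prefix such as '{uri}name'."""
    return tag.rsplit("}", 1)[-1]

def audit_passwords(xml_text):
    """Return (kind, location) findings; password values are never echoed."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        name = _local(elem.tag)
        # Legacy plain-text forms: <passwd> element and passwd="..." attribute.
        if name == "passwd":
            findings.append(("plaintext", "<passwd>"))
        if "passwd" in elem.attrib:
            findings.append(("plaintext", f"<{name} passwd=...>"))
        # Hashed forms are expected to look like sha512_crypt output.
        hashed = []
        if name == "passwd_hashed":
            hashed.append(((elem.text or "").strip(), "<passwd_hashed>"))
        if "passwd_hashed" in elem.attrib:
            hashed.append((elem.attrib["passwd_hashed"],
                           f"<{name} passwd_hashed=...>"))
        for value, where in hashed:
            if not SHA512_CRYPT.fullmatch(value):
                findings.append(("not-sha512_crypt", where))
    return findings

# Constructed samples: the element layout is assumed, the digest is filler.
FAKE_HASH = "$6$" + "s" * 16 + "$" + "A" * 86
LEGACY = """<RootFileSystem><target><passwd>foo</passwd></target>
<finetuning><adduser passwd="bar">user</adduser></finetuning>
</RootFileSystem>"""
MIGRATED = f"""<RootFileSystem>
<target><passwd_hashed>{FAKE_HASH}</passwd_hashed></target>
<finetuning><adduser passwd_hashed="{FAKE_HASH}">user</adduser>
<adduser passwd_hashed="bar">user2</adduser></finetuning>
</RootFileSystem>"""

if __name__ == "__main__":
    for label, doc in (("legacy", LEGACY), ("migrated", MIGRATED)):
        print(label, audit_passwords(doc))
```

The value of a "login" element is plain text by design in this series, so the check does not flag it. A hash generated manually with another method is reported as "not-sha512_crypt" and needs a human decision.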