[elbe-devel] [PATCH v3 6/7] preprocess: migrate root and user passwords

Kurt Kanzenbach kurt at linutronix.de
Tue Jan 24 12:21:03 CET 2023


Holger!

On Thu Jun 30 2022, Holger Dengler wrote:
> Support legacy XMLs by adding a preprocessing for plain-text passwords
> for root and users. The plain-text password elements or attributes will
> be replaced with their hashed variants.
>
> XMLs with only hashed passwords will not be changed by the
> preprocessing.
>
> Signed-off-by: Holger Dengler <holger at hdengler.de>
> ---
>  elbepack/xmlpreprocess.py | 20 ++++++++++++++++++++
>  1 file changed, 20 insertions(+)
>
> diff --git a/elbepack/xmlpreprocess.py b/elbepack/xmlpreprocess.py
> index f3c2f2a7f..0daa7b497 100644
> --- a/elbepack/xmlpreprocess.py
> +++ b/elbepack/xmlpreprocess.py
> @@ -14,6 +14,7 @@ from optparse import OptionGroup
>  from itertools import islice
>  from urllib.error import HTTPError,URLError
>  from urllib.request import urlopen
> +from passlib.hash import sha512_crypt
>  
>  from lxml import etree
>  from lxml.etree import XMLParser, parse, Element
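Review bot: The added `from passlib.hash import sha512_crypt` line sits in the standard-library import group, although passlib is a third-party package like lxml; move it next to the lxml imports. The diffstat lists only xmlpreprocess.py, so unless passlib is declared as a dependency elsewhere in the series, the packaging metadata needs it too, otherwise preprocessing fails with an ImportError on a fresh install.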
> @@ -251,6 +252,23 @@ def preprocess_mirrors(xml):
>              option.text = opt
>              options.append(option)
>  
> +
> +def preprocess_passwd(xml):
> +    """Preprocess plain-text passwords. Plain-text passwords for root and
> +       adduser will be replaced with their hashed values.
> +    """
> +
> +    # migrate root password
> +    for passwd in xml.iterfind(".//target/passwd"):
> +        passwd.tag = "passwd_hashed"
> +        passwd.text = '%s' % sha512_crypt.hash(passwd.text)
> +
> +    # migrate user passwords
> +    for adduser in xml.iterfind(".//target/finetuning/adduser[@passwd]"):
> +        passwd = adduser.attrib['passwd']
> +        adduser.attrib['passwd_hashed'] = sha512_crypt.hash(passwd)
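Review bot: In the root-password loop, `passwd.text` is None for an empty `<passwd/>` element, so `sha512_crypt.hash(passwd.text)` is handed None instead of a string; check for missing or empty text first and fail with a clear validation message. The `'%s' %` wrapper on the same line is redundant, since hash() already returns a str. Both hash() calls also take passlib's default cost; `sha512_crypt.using(rounds=N).hash(...)` would make the work factor an explicit project choice.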

This generates hashes with rounds=656000. This takes up to 20 seconds
for a login on an imx6. The machine is using one CPU core to just
calculate hashes...

|>>> print(sha512_crypt.hash("root"))
|$6$rounds=656000$8qZf5ztNihauoIno$vfnyfyrkedR/Gql686qHNlQ0RTb8DLLfYPRDGOzPAkeydeLJZJgWXzXCkBTmENQJRmvMlHw61dUWh11hFLjfV0

Can we please use some meaningful defaults?

Thanks,
Kurt
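
Added example, not part of the original mail or of the ELBE code base: the cost of a SHA-crypt hash is readable from the hash string itself, so a build-time check can flag values whose rounds exceed what the target can afford, and values that are not hashes at all. The names check_cost and ROUNDS_BUDGET, the budget value and the two extra sample entries are assumptions made for this sketch.

```python
import re

# SHA-crypt modular format: $5$ or $6$, optional "rounds=N$", salt, digest.
_SHACRYPT = re.compile(
    r"\$(?P<id>[56])\$(?:rounds=(?P<rounds>[0-9]+)\$)?"
    r"(?P<salt>[./0-9A-Za-z]{0,16})\$(?P<digest>[./0-9A-Za-z]+)"
)
_DIGEST_LEN = {"5": 43, "6": 86}
DEFAULT_ROUNDS = 5000                       # applies when rounds= is absent
MIN_ROUNDS, MAX_ROUNDS = 1000, 999_999_999  # the scheme clamps to this range


def shacrypt_rounds(hashed):
    """Return (scheme, effective rounds) of a $5$/$6$ hash or raise ValueError."""
    m = _SHACRYPT.fullmatch(hashed)
    if m is None or len(m["digest"]) != _DIGEST_LEN[m["id"]]:
        raise ValueError("not a SHA-crypt hash")
    scheme = "sha256_crypt" if m["id"] == "5" else "sha512_crypt"
    if m["rounds"] is None:
        return scheme, DEFAULT_ROUNDS
    return scheme, min(max(int(m["rounds"]), MIN_ROUNDS), MAX_ROUNDS)


def check_cost(hashes, max_rounds):
    """Classify each named value against a per-target rounds budget."""
    report = {}
    for name, value in hashes.items():
        try:
            _, rounds = shacrypt_rounds(value)
        except ValueError:
            report[name] = ("unparsed", None)  # e.g. a password left in plain text
            continue
        report[name] = ("too slow" if rounds > max_rounds else "ok", rounds)
    return report


# Hash quoted in the mail above (passlib default cost).
PAGE_HASH = ("$6$rounds=656000$8qZf5ztNihauoIno$vfnyfyrkedR/Gql686qHNlQ0RTb8DL"
             "LfYPRDGOzPAkeydeLJZJgWXzXCkBTmENQJRmvMlHw61dUWh11hFLjfV0")
# Constructed samples: no rounds= field, and an unmigrated plain-text value.
SAMPLES = {
    "root": PAGE_HASH,
    "user1": "$6$constructedsalt0$" + "A" * 86,
    "user2": "root",
}
ROUNDS_BUDGET = 100_000  # hypothetical budget for a slow target, not from the mail

if __name__ == "__main__":
    for name, (status, rounds) in check_cost(SAMPLES, ROUNDS_BUDGET).items():
        print(f"{name}: {status} (rounds={rounds})")
```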