From: Michael Prokop Date: Mon, 10 Jun 2013 14:33:30 +0000 (+0200) Subject: support new boot option encpasswd to provide hashed password, refactor passwd/ssh... X-Git-Tag: v0.11.0~1 X-Git-Url: http://git.grml.org/?p=grml-autoconfig.git;a=commitdiff_plain;h=eb16ae771b32a813e5d9738caccf753e14800502 support new boot option encpasswd to provide hashed password, refactor passwd/ssh code accordingly Share code and features between passwd, ssh and encpasswd boot options. To match the behaviour with the ssh boot option the passwd boot option now also sets the password for user root - and not only for user 'grml'. See http://openwall.info/wiki/john/sample-hashes for sample hashes. Thanks: Peter Palfrader for the idea --- diff --git a/autoconfig.functions b/autoconfig.functions index 254daa0..22abae3 100755 --- a/autoconfig.functions +++ b/autoconfig.functions @@ -110,6 +110,28 @@ checkgrmlsmall(){ grep -q small /etc/grml_version 2>>$DEBUG && return 0 || return 1 } +# if no password is set return a random password +set_passwd() { + [ -n "$PASSWD" ] && return 0 + + if [ -x /usr/bin/apg ] ; then + PASSWD="$(apg -M NL -a 0 -m 8 -x 12 -n 1)" + elif [ -x /usr/bin/gpw ] ; then + PASSWD="$(gpw 1)" + elif [ -x /usr/bin/pwgen ] ; then + PASSWD="$(pwgen -1 8)" + elif [ -x /usr/bin/hexdump ] ; then + PASSWD="$(dd if=/dev/urandom bs=14 count=1 2>/dev/null | hexdump | awk '{print $3 $4}')" + elif [ -n "$RANDOM" ] ; then + PASSWD="grml${RANDOM}" + else + PASSWD='' + eerror "Empty passphrase and neither apg, gpw, pwgen, hexdump nor \$RANDOM available. Skipping." + eend 1 + return 1 + fi +} + ### }}} # {{{ filesystems (proc, pts, sys) and fixes @@ -1072,44 +1094,31 @@ fi # {{{ autostart of ssh config_ssh(){ if checkbootparam 'ssh' ; then - SSH_PASSWD='' - SSH_PASSWD="$(getbootparam 'ssh' 2>>$DEBUG)" + local PASSWD + PASSWD="$(getbootparam 'ssh' 2>>$DEBUG)" + config_userlocal einfo "Bootoption ssh found, trying to set password for root and user $localuser" [ -z "$localuser" ] && eend 1 - eindent - if [ -z "$SSH_PASSWD" ] ; then - if [ -x /usr/bin/apg ] ; then - SSH_PASSWD="$(apg -M NL -a 0 -m 8 -x 12 -n 1)" - elif [ -x /usr/bin/gpw ] ; then - SSH_PASSWD="$(gpw 1)" - elif [ -x /usr/bin/pwgen ] ; then - SSH_PASSWD="$(pwgen -1 8)" - elif [ -x /usr/bin/hexdump ] ; then - SSH_PASSWD="$(dd if=/dev/urandom bs=14 count=1 2>/dev/null | hexdump | awk '{print $3 $4}')" - elif [ -n "$RANDOM" ] ; then - SSH_PASSWD="grml${RANDOM}" - else - SSH_PASSWD='' - eerror "Empty passphrase and neither pwgen nor hexdump nor \$RANDOM found. Skipping." - eend 1 - fi - if [ -n "$SSH_PASSWD" ] ; then - ewarn "No given password for ssh found. Using random password: $SSH_PASSWD" ; eend 0 - fi + eindent + if [ -z "$PASSWD" ] ; then + set_passwd && ewarn "No given password for found. Using random password: $PASSWD" && eend 0 fi eoutdent - # finally check if we have a password we can use: - if [ -n "$SSH_PASSWD" ] ; then - # chpasswd sucks, seriously. + if [ -n "$PASSWD" ] ; then chpass_options="" if chpasswd --help 2>&1 | grep -q -- '-m,' ; then chpass_options="-m" fi - echo "$localuser:$SSH_PASSWD" | chpasswd $chpass_options - echo "root:$SSH_PASSWD" | chpasswd $chpass_options + + echo "$localuser:$PASSWD" | chpasswd $chpass_options + echo "root:$PASSWD" | chpasswd $chpass_options + + eindent + ewarn "Warning: please change the password for root and user $localuser as soon as possible!" + eoutdent fi einfo "Starting secure shell server in background for root and user $localuser" @@ -1117,9 +1126,6 @@ if checkbootparam 'ssh' ; then /etc/init.d/ssh start >>$DEBUG 2>>$DEBUG & eend $? - eindent - ewarn "Warning: please change the password for root and user $localuser as soon as possible!" - eoutdent fi } @@ -1198,21 +1204,63 @@ fi } # }}} -# {{{ set password for default user +# {{{ set password for root and default user config_passwd(){ if checkbootparam 'passwd' >>$DEBUG 2>&1; then + local PASSWD PASSWD="$(getbootparam 'passwd' 2>>$DEBUG)" + config_userlocal - einfo "Bootoption passwd found, change password for user '$localuser'." + einfo "Bootoption passwd found, trying to set password for root and user $localuser" [ -z "$localuser" ] && eend 1 - if [ -n "$PASSWD" ] ; then - echo "$localuser:$PASSWD" | chpasswd -m ; eend $? - else - eerror "No given password for ssh found. Autostart of SSH will not work." ; eend 1 - fi + eindent - ewarn "Warning: please change the password for user grml set via bootparameter as soon as possible!" + if [ -z "$PASSWD" ] ; then + set_passwd && ewarn "No given password for found. Using random password: $PASSWD" && eend 0 + fi eoutdent + + if [ -n "$PASSWD" ] ; then + chpass_options="" + if chpasswd --help 2>&1 | grep -q -- '-m,' ; then + chpass_options="-m" + fi + + echo "$localuser:$PASSWD" | chpasswd $chpass_options + echo "root:$PASSWD" | chpasswd $chpass_options + + eindent + ewarn "Warning: please change the password for root and user $localuser as soon as possible!" + eoutdent + fi + +fi + +if checkbootparam 'encpasswd' >>$DEBUG 2>&1; then + local PASSWD + PASSWD="$(getbootparam 'encpasswd' 2>>$DEBUG)" + + if [ -z "$PASSWD" ] ; then + eerror "No hashed password found, can not set password." + eend 1 + return + fi + + config_userlocal + einfo "Bootoption encpasswd found, trying to set hashed password for root and user $localuser" + [ -z "$localuser" ] && eend 1 + + if [ -n "$PASSWD" ] ; then + chpass_options="-e" + + echo "$localuser:$PASSWD" | chpasswd $chpass_options + echo "root:$PASSWD" | chpasswd $chpass_options + + eindent + ewarn "Warning: please change the password for root and user $localuser as soon as possible!" + eoutdent + fi + fi } # }}}