X-Original-To: alpine-devel@lists.alpinelinux.org Delivered-To: alpine-devel@mail.alpinelinux.org Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.alpinelinux.org (Postfix) with ESMTPS id 18948DC0128 for ; Sat, 29 Jun 2013 15:49:06 +0000 (UTC) Received: from compute1.internal (compute1.nyi.mail.srv.osa [10.202.2.41]) by gateway1.nyi.mail.srv.osa (Postfix) with ESMTP id B1DF7205C4 for ; Sat, 29 Jun 2013 11:49:05 -0400 (EDT) Received: from frontend2.nyi.mail.srv.osa ([10.202.2.161]) by compute1.internal (MEProxy); Sat, 29 Jun 2013 11:49:05 -0400 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=date:from:to:subject:message-id :mime-version:content-type:in-reply-to; s=smtpout; bh=nVEqbb95td v1znyE9UyGI4eVjtM=; b=rhK/2pBsHwiVFpnlnU3uwCP44fJ3PLi0eDYE3A0xwW VeOS24rR9gOHjGmS08QuqvtZD+ypO6GiioaLn+DZaKHo1rUowzqGoVBMDUeo4y1V EYltmLfFFaV95oKPcLjQjv4t3pzSNwARol2WQHeVex/CYsSC36mToWnY0tGdXB68 k= X-Sasl-enc: yGIHgEWB4E50XVlcArdKNDAPmjaBUdTpi3UybklQpLzh 1372520945 Received: from localhost (unknown [69.86.161.244]) by mail.messagingengine.com (Postfix) with ESMTPA id 78BC4680294 for ; Sat, 29 Jun 2013 11:49:05 -0400 (EDT) Date: Sat, 29 Jun 2013 11:49:05 -0400 From: Dubiousjim To: alpine-devel@lists.alpinelinux.org Subject: [alpine-devel] Re: [PATCH 8/8] main/syslinux: hooks for bootloader password Message-ID: <20130629154905.GA1776@zen> Mail-Followup-To: alpine-devel@lists.alpinelinux.org X-Mailinglist: alpine-devel Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20130628163549.69d54b33@ncopa-desktop.alpinelinux.org> <20130628164000.GC1712@zen.nyu.edu> User-Agent: Mutt/1.5.21 (2010-09-15) On Fri, Jun 28, 2013 at 01:21:57PM -0500, William Pitcock wrote: > On Thu, Jun 27, 2013 at 2:32 AM, Dubiousjim wrote: > > > > Dubiousjim (8): > > main/syslinux: fix/refactor initramfs > > main/syslinux: use more specific COM32 (instead of KERNEL) for > > mboot.c32 > > main/syslinux: use more specific LINUX (instead of KERNEL) for kernels > > main/syslinux: reorganize menu layout > > main/syslinux: add reboot entry > > main/syslinux: add Hardware Detection Tool entry > > main/syslinux: don't create backup when no changes > > main/syslinux: hooks for bootloader password > > > > main/syslinux/APKBUILD | 1 + > > main/syslinux/update-extlinux | 76 ++++++++++++++++++++++++++++---------- > > main/syslinux/update-extlinux.conf | 9 +++++ > > 3 files changed, 66 insertions(+), 20 deletions(-) > > Acked-by: William Pitcock > > William Thanks William. > On Fri, Jun 28, 2013 at 04:54:53PM +0200, Natanael Copa wrote: > > On Thu, 27 Jun 2013 03:32:21 -0400 > > Dubiousjim wrote: > > > > + install -D -m755 utils/sha1pass "$pkgdir"/usr/sbin/sha1pass || return 1 > > > > I had a look at this script but i don't like it. > > 1) IMHO its useless use of perl. A tiny C app using crypt(3) would do > > the same job with less lines and without perl. > > 2) it requires that password is specified on command line. I think it > > should at least optionally be able to read it from stdin. > > > > Looks like it supports sha256/sha512 passwords. Maybe we could use > > cryptpw instead? > > > > Could you please test if the cryptpw generated passwd works? If so, > > then we don't install sha1pass which does things bad. I looked into this. BusyBox cryptpw and mkpasswd are aliases for essentially the same code, however mkpasswd has sane input (a "Password:" prompt, and doesn't echo what you type to the terminal), whereas cryptpw doesn't. Weird that cryptpw would work like that. Anyway, those utilities use the crypt(3) call, which on uClibc can generate DES and MD5 passwords. syslinux honors MD5. It also honors SHA1, but I think not sha256 or sha512. So we could omit installing the perl utility from syslinux, and just put a comment in the config file describing how to generate an MD5 password with mkpasswd, and that sha1 passwords are also honored. I guess it'd be possible to generate the latter using openssl, but it'll require some elbow grease and I haven't tested how to do it. (Whereas generating MD5 passwords in the right format using openssl is also straightforward.) My understanding is that MD5 would be rather weak for blocking access to one's hardware. But a meliorating factor is that an attacker who doesn't yet have access to the hardware (or network access and root) won't be able to see the MD5 hash. In any case, I propose to replace the use of the sha1pass utility from syslinux with the instructions on how to generate an MD5 password with mkpasswd. While testing that, I discovered also that HDT is no longer working on my machine. I did verify that I was using the latest version from syslinux, and that this wasn't due to interaction with the password protection, or any other obvious factors. I don't know what's wrong there. But it used to work on my machine, and maybe it will work on others' machines now, and hopefully it will work on my machine again in the future. I don't think there's anything amiss with the menu entry I've added to extlinux.conf enabling the use of HDT which is breaking things here. For that reason, and also because the set of patches I've proposed are inter-connected, maybe we should just push what I've offered about HDT, and I'll start a background thread in my mind/browsing to find out how to get HDT working again locally. Is that tolerable? -- Dubiousjim dubiousjim@gmail.com --- Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org Help: alpine-devel+help@lists.alpinelinux.org ---