X-Original-To: alpine-devel@lists.alpinelinux.org
Delivered-To: alpine-devel@mail.alpinelinux.org
Received: from ncopa-laptop.res.nor.wtbts.net (3.203.202.84.customer.cdi.no [84.202.203.3])
	(using SSLv3 with cipher ECDHE-RSA-AES128-SHA (128/128 bits))
	(No client certificate requested)
	(Authenticated sender: nc@alpinelinux.org)
	by mail.alpinelinux.org (Postfix) with ESMTPSA id 44F09DC0128;
	Sat, 29 Jun 2013 21:35:48 +0000 (UTC)
Date: Sat, 29 Jun 2013 23:35:44 +0200
From: Natanael Copa <ncopa@alpinelinux.org>
To: Dubiousjim <dubiousjim@gmail.com>
Cc: alpine-devel@lists.alpinelinux.org
Subject: Re: [alpine-devel] Re: [PATCH 8/8] main/syslinux: hooks for
 bootloader password
Message-ID: <20130629233544.1f55a640@ncopa-laptop.res.nor.wtbts.net>
In-Reply-To: <20130629154905.GA1776@zen>
References: <20130628164000.GC1712@zen.nyu.edu>
	<20130629154905.GA1776@zen>
X-Mailer: Claws Mail 3.9.2 (GTK+ 2.24.17; i686-pc-linux-gnu)
X-Mailinglist: alpine-devel
Precedence: list
List-Id: Alpine Development <alpine-devel.lists.alpinelinux.org>
List-Unsubscribe: 
	<mailto:alpine-devel+unsubscribe@lists.alpinelinux.org?subject=unsubscribe>
List-Post: <mailto:alpine-devel@lists.alpinelinux.org>
List-Help: <mailto:alpine-devel+help@lists.alpinelinux.org?subject=help>
List-Subscribe: 
	<mailto:alpine-devel+subscribe@lists.alpinelinux.org?subject=subscribe>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

On Sat, 29 Jun 2013 11:49:05 -0400
Dubiousjim <dubiousjim@gmail.com> wrote:

> On Fri, Jun 28, 2013 at 01:21:57PM -0500, William Pitcock wrote:
> > On Thu, Jun 27, 2013 at 2:32 AM, Dubiousjim <dubiousjim@gmail.com>
> > wrote:
> > >
> > > Dubiousjim (8):
> > >   main/syslinux: fix/refactor initramfs
> > >   main/syslinux: use more specific COM32 (instead of KERNEL) for
> > >     mboot.c32
> > >   main/syslinux: use more specific LINUX (instead of KERNEL) for
> > > kernels main/syslinux: reorganize menu layout
> > >   main/syslinux: add reboot entry
> > >   main/syslinux: add Hardware Detection Tool entry
> > >   main/syslinux: don't create backup when no changes
> > >   main/syslinux: hooks for bootloader password
> > >
> > >  main/syslinux/APKBUILD             |  1 +
> > >  main/syslinux/update-extlinux      | 76
> > > ++++++++++++++++++++++++++++----------
> > > main/syslinux/update-extlinux.conf |  9 +++++ 3 files changed, 66
> > > insertions(+), 20 deletions(-)
> > 
> > Acked-by: William Pitcock <nenolod@dereferenced.org>
> > 
> > William
> 
> Thanks William.
> 
> > On Fri, Jun 28, 2013 at 04:54:53PM +0200, Natanael Copa wrote:
> > > On Thu, 27 Jun 2013 03:32:21 -0400
> > > Dubiousjim <dubiousjim@gmail.com> wrote:
> > 
> > > > +	install -D -m755 utils/sha1pass
> > > > "$pkgdir"/usr/sbin/sha1pass || return 1
> > > 
> > > I had a look at this script but i don't like it.
> > > 1) IMHO its useless use of perl. A tiny C app using crypt(3)
> > > would do the same job with less lines and without perl.
> > > 2) it requires that password is specified on command line. I
> > > think it should at least optionally be able to read it from stdin.
> > > 
> > > Looks like it supports sha256/sha512 passwords. Maybe we could use
> > > cryptpw instead?
> > > 
> > > Could you please test if the cryptpw generated passwd works? If
> > > so, then we don't install sha1pass which does things bad.
> 
> I looked into this. BusyBox cryptpw and mkpasswd are aliases for
> essentially the same code, however mkpasswd has sane input (a
> "Password:" prompt, and doesn't echo what you type to the terminal),
> whereas cryptpw doesn't. Weird that cryptpw would work like that.

ah, i was not aware of mkpasswd. This is exactly what I was looking for.
> 
> Anyway, those utilities use the crypt(3) call, which on uClibc can
> generate DES and MD5 passwords.

we patched uclibc for Alpine Linux to do sha512 by default.

> syslinux honors MD5. It also honors
> SHA1, but I think not sha256 or sha512.

after a quick look i got the impression of support for:

sha1:
http://git.kernel.org/cgit/boot/syslinux/syslinux.git/tree/com32/menu/passwd.c#n20

md5:
http://git.kernel.org/cgit/boot/syslinux/syslinux.git/tree/com32/menu/passwd.c#n50

sha256:
http://git.kernel.org/cgit/boot/syslinux/syslinux.git/tree/com32/menu/passwd.c#n59

sha512:
http://git.kernel.org/cgit/boot/syslinux/syslinux.git/tree/com32/menu/passwd.c#n68

> So we could omit installing the perl utility from syslinux, and just
> put a comment in the config file describing how to generate an MD5
> password with mkpasswd, and that sha1 passwords are also honored. 

I would have expected mkpasswd -m sha1 to work but it doesnt. (I'm not
too sad for that...) If syslinux supports $6$<salt>$<sha512hash> then
mkpasswd should 'just work'. If not, then i think could backport (or
add) sha512 support to syslinux.

> I guess it'd be possible to generate the latter using openssl, but
> it'll require some elbow grease and I haven't tested how to do it.
> (Whereas generating MD5 passwords in the right format using openssl
> is also straightforward.)

I bet its possible but I suspect its too complicated for deadly humans.
Lets stick to mkpasswd if possible.

> My understanding is that MD5 would be rather weak for blocking access
> to one's hardware. But a meliorating factor is that an attacker who
> doesn't yet have access to the hardware (or network access and root)
> won't be able to see the MD5 hash. In any case, I propose to replace
> the use of the sha1pass utility from syslinux with the instructions
> on how to generate an MD5 password with mkpasswd.

Yeah, I think MD5 would be 'good enough' for this usecase but its a
general good thing to avoid it nowdays.

> While testing that, I discovered also that HDT is no longer working on
> my machine. I did verify that I was using the latest version from
> syslinux, and that this wasn't due to interaction with the password
> protection, or any other obvious factors. I don't know what's wrong
> there. But it used to work on my machine, and maybe it will work on
> others' machines now, and hopefully it will work on my machine again
> in the future. I don't think there's anything amiss with the menu
> entry I've added to extlinux.conf enabling the use of HDT which is
> breaking things here. For that reason, and also because the set of
> patches I've proposed are inter-connected, maybe we should just push
> what I've offered about HDT, and I'll start a background thread in my
> mind/browsing to find out how to get HDT working again locally. Is
> that tolerable?

Yes, I'll push the patches (monday probably) as is, maybe with the
'mkpasswd' comment for 8/8 patch.

I have been thinking that there are many nice things in syslinux we
could use better but never had the time or energy to take a look at it.
I'm very happy for those patches :)

Thanks!


-nc


---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---