FS#3816 - 21.02-SNAPSHOT - Building with LXC-Support breaks passwd (and something else?) #8881

Open
openwrt-bot opened this issue May 19, 2021 · 10 comments
Labels
flyspray kernel pull request/issue with Linux kernel related changes release/21.02 pull request/issue targeted (also) for OpenWrt 21.02 release

Comments

@openwrt-bot

thiscantbeserious:

Device: EspressoBin v5 Non-EMMC
Version: OpenWrt 21.02-SNAPSHOT, r0-bbbc01e

Nailed it down by starting from a fresh config a few times and cleaning up the build-chain.

As soon as I include LXC-Support from make menuconfig -> utilities -> LXC passwd seems broken (encryption?).

LuCi reports that it isn't able to change the password - if I ssh into the box, use passwd it seemingly succeeds (it does set something) but afterwards login fails both via SSH and passwd.

Even if I build without LuCi the same is happening. dmesg shows nothing ... out of the ordinary - despite the Kernel being built with debug-flags.

Any clue how to debug that further? I'm pretty new to building OpenWRT myself.

@openwrt-bot

thiscantbeserious:

Tried the following workarounds - did nothing:

https://forum.openwrt.org/t/unable-to-logon-via-luci-able-via-ssh/25408/9

Everything seems correct. Setting password again - keeping logged in going to LuCi webinterface:

Wed May 19 13:00:01 2021 authpriv.info dropbear[4810]: Child connection from 192.168.1.177:1254
Wed May 19 13:00:03 2021 authpriv.warn dropbear[4810]: User account 'root' is locked

@openwrt-bot

thiscantbeserious:

Going further trying to do ssh -vvvv root@192.168.1.1

debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: C:\Users\ssa/.ssh/id_xmss
debug3: no such identity: C:\Users\ssa/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
debug3: failed to open file:C:/dev/tty error:2
debug1: read_passphrase: can't open /dev/tty: No such file or directory
root@192.168.1.1's password:
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
debug3: failed to open file:C:/dev/tty error:2
debug1: read_passphrase: can't open /dev/tty: No such file or directory
root@192.168.1.1's password:

@openwrt-bot

thiscantbeserious:

root@OpenWrt:~# cat /etc/shadow
root:$2a$13$ohwy/vIGFw/CTEqf/nQEX.Jme/dAqDCA4XyMXAhcUcL.8pmJX17MS:18766:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::
dnsmasq:x:0:0:99999:7:::
sshd:x:0:0:99999:7:::
root@OpenWrt:~#

root@OpenWrt:~# cat /etc/passwd
root:$2a$13$o6uIc/eMlyw.1X2CnT.yF.1Zca4PIZD1vcEYD9IcpKB.GHws0unpW:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
ntp:x:123:123:ntp:/var/run/ntp:/bin/false
dnsmasq:x:453:453:dnsmasq:/var/run/dnsmasq:/bin/false
docker:x:65536:65536:docker:/var/run/docker:/bin/false
logd:x:514:514:logd:/var/run/logd:/bin/false
ubus:x:81:81:ubus:/var/run/ubus:/bin/false
root@OpenWrt:~#

and

root@OpenWrt:~# ls -la /etc/shadow
-rw-r--r-- 1 root root 226 May 19 13:05 /etc/shadow

@openwrt-bot

thiscantbeserious:

Maybe it's related to docker?

Will have to try ...

@openwrt-bot

thiscantbeserious:

Will try a fresh config with the following manually set in .config:

https://forum.openwrt.org/t/request-for-lxc-support-in-mvebu/58767/18

@openwrt-bot

jow-:

root:$2a$13$o6uIc/e...

This is a bcrypt hash which is not supported by musl libc unless you disable the crypt size hack option during build. Normally, the builtin busybox passwd applet will only generate MD5 hashes (starting with "$1$..."). Did you maybe include something like the full shadow suite in your build? This could explain your troubles.

You can likely solve the issue by rebuilding with the following option enabled in menuconfig:

[*] Advanced configuration options (for developers)
-> [*] Toolchain Options
-> [*] Include crypt() support for SHA256, SHA512 and Blowfish ciphers
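
An added example, not code from this thread or from OpenWrt: a POSIX shell check that reads a passwd- or shadow-formatted file and flags accounts whose hash prefix names a scheme outside the list that crypt() on the target is assumed to verify. The function names, scheme labels and supported-scheme list are assumptions of this example, and the sample lines are constructed.

```sh
#!/bin/sh
# Added example: map a passwd/shadow password field to its hash scheme by prefix.
# Labels (md5crypt, bcrypt, ...) are this example's own names.
scheme_of() {
    case "$1" in
        '')                    echo empty ;;        # no password set
        x)                     echo placeholder ;;  # "x" marker, no usable hash here
        '*'*|'!'*)             echo locked ;;
        '$1$'*)                echo md5crypt ;;
        '$2$'*|'$2'[abxy]'$'*) echo bcrypt ;;
        '$5$'*)                echo sha256crypt ;;
        '$6$'*)                echo sha512crypt ;;
        *)                     echo unknown ;;
    esac
}

# audit_hashes FILE "SCHEMES": FILE is passwd/shadow formatted; SCHEMES is the
# space-separated list crypt() on the target is assumed to verify.
audit_hashes() {
    while IFS=: read -r user field _rest; do
        s=$(scheme_of "$field")
        case "$s" in
            *crypt)  # only entries that carry a real hash
                case " $2 " in
                    *" $s "*) echo "$user $s ok" ;;
                    *)        echo "$user $s UNVERIFIABLE" ;;
                esac ;;
        esac
    done < "$1"
}

# Constructed sample; hash bodies are placeholders, not real hashes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:$2a$13$PLACEHOLDERPLACEHOLDERPLACEHOLDER:18766:0:99999:7:::
admin:$1$PLACEHLD$PLACEHOLDERPLACEHOLDER:18766:0:99999:7:::
daemon:*:0:0:99999:7:::
dnsmasq:x:0:0:99999:7:::
EOF
audit_hashes "$sample" "md5crypt"   # MD5-only crypt(), as described above
rm -f "$sample"
```

Run it against both /etc/passwd and /etc/shadow on the device, since a hash can end up in either file.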

@openwrt-bot

thiscantbeserious:

Many thanks for the explanation!

Already guessed something was wrong in regards to encryption ... will try your tip.

I certainly didn't enable the full shadow suite build myself.

Maybe some of the utility settings for lxc, docker, dockerd or docker compose enables it?

At least I'm now confident starting from scratch for any board for the basic build ...

Edit:

→ [*] Include crypt() support for SHA256, SHA512 and Blowfish ciphers

Sadly doesn't seem to fix the issue from a first try :/

Edit 2:

Went ahead manually enabling full shadow suite, then enabling all the above in the kernel_menuconfig ... I guess it's something else.

@openwrt-bot

thiscantbeserious:

Minimal case to reproduce this on mvebu on 21.02:

1. git checkout -b openwrt-21.02 --depth 1 https://github.com/openwrt/openwrt.git
2. ./scripts/fetch update -a
3. ./scripts/fetch install -a
4. make menuconfig
5. Target System: Marvell EBU Armada
6. Subtarget: Marvell Armada 3700LP (ARM64)
7. Target Profile: Marvell ESPRESSObin Non-eMMC
8. Utilities -> lxc -> Configuration:

[*] Enable kernel support for LXC
[*] Enable busybox support for lxc-create tool
[*] Enable support for seccomp in LXC
[*] Enable networking support for LXC containers

9. Utilities -> lxc:

[*] lxc-checkconfig
[*] lxc-ls
[*] lxc-start
[*] lxc-stop

10. LuCI -> Collections -> [*] luci
11. Save & Exit
12. make
13. flash resulting openwrt-mvebu-cortexa53-globalscale_espressobin-ext4-sdcard.img.gz via balenaEtcher to SD-Card
14. boot via SD-Card

Result:

passwd can't be changed via LuCI, if you change it via SSH it will save something (?) and you can't login afterwards

BusyBox v1.33.1 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M

OpenWrt 21.02-SNAPSHOT, r0-bbbc01e

=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.

root@OpenWrt:~# passwd
Changing password for root
Enter the new password (minimum of 5 characters)
Please use a combination of upper and lower case letters and numbers.
New password:
Re-enter new password:
passwd: password changed.

Even enabling most encryption options for the Kernel itself and the above Advanced Setting for sha256, sha512 and bcrypt support for crypt() does not fix it.

It's also not related to the ssh-client (tried two different machines/clients).

I'm as clueless as I was before. Will try the same on master next.

@openwrt-bot

rchmsr:

I observe the same issue on x86-64, build for APU device.
As described, can't change password on LuCi.
After changing on console, I am not able anymore to log in to LuCi.
However, I have access through serial console and SSH as I deploy an SSH key with my build.

Any ideas how I can help tracking the issue down?

@openwrt-bot

bjonglez:

It does not look like the regular busybox passwd, please provide the output of:

# passwd --help
# which passwd
# ls -lh /bin/passwd
# ls -lh $(which passwd)

I would suspect this option is responsible, try without it:

[*] "Enable busybox support for lxc-create tool"

@aparcar aparcar added release/21.02 pull request/issue targeted (also) for OpenWrt 21.02 release kernel pull request/issue with Linux kernel related changes labels Feb 22, 2022