OpenWrt/LEDE Project

  • Status Waiting on reporter
  • Percent Complete 0%
  • Task Type Bug Report
  • Category Kernel
  • Assigned To No-one
  • Operating System All
  • Severity High
  • Priority Very Low
  • Reported Version openwrt-21.02
  • Due in Version Undecided
  • Due Date Undecided
  • Private
Attached to Project: OpenWrt/LEDE Project
Opened by thiscantbeserious - 19.05.2021

FS#3816 - 21.02-SNAPSHOT - Building with LXC-Support breaks passwd (and something else?)

Device: EspressoBin v5 Non-EMMC
Version: OpenWrt 21.02-SNAPSHOT, r0-bbbc01e

Nailed it down by starting from a fresh config a few times and cleaning up the build-chain.

As soon as I include LXC-Support from make menuconfig → utilities → LXC, passwd seems broken (encryption?).

LuCI reports that it isn’t able to change the password - if I ssh into the box and use passwd, it seemingly succeeds (it does set something), but afterwards login fails both via SSH and passwd.

Even if I build without LuCI the same is happening. dmesg shows nothing ... out of the ordinary - despite the Kernel being built with debug-flags.

Any clue how to debug that further? I’m pretty new to building OpenWrt myself.

 


thiscantbeserious commented on 19.05.2021 13:07

Tried the following workarounds - did nothing:

https://forum.openwrt.org/t/unable-to-logon-via-luci-able-via-ssh/25408/9

Everything seems correct. Setting password again - staying logged in, going to the LuCI web interface:

Wed May 19 13:00:01 2021 authpriv.info dropbear[4810]: Child connection from 192.168.1.177:1254
Wed May 19 13:00:03 2021 authpriv.warn dropbear[4810]: User account 'root' is locked

thiscantbeserious commented on 19.05.2021 13:15

Going further trying to do ssh -vvvv root@192.168.1.1

debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: C:\\Users\\ssa/.ssh/id_xmss
debug3: no such identity: C:\\Users\\ssa/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
debug3: failed to open file:C:/dev/tty error:2
debug1: read_passphrase: can't open /dev/tty: No such file or directory
root@192.168.1.1's password:
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
debug3: failed to open file:C:/dev/tty error:2
debug1: read_passphrase: can't open /dev/tty: No such file or directory
root@192.168.1.1's password:

thiscantbeserious commented on 19.05.2021 13:17

root@OpenWrt:~# cat /etc/shadow
root:$2a$13$ohwy/vIGFw/CTEqf/nQEX.Jme/dAqDCA4XyMXAhcUcL.8pmJX17MS:18766:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::
dnsmasq:x:0:0:99999:7:::
sshd:x:0:0:99999:7:::
root@OpenWrt:~#

root@OpenWrt:~# cat /etc/passwd
root:$2a$13$o6uIc/eMlyw.1X2CnT.yF.1Zca4PIZD1vcEYD9IcpKB.GHws0unpW:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
ntp:x:123:123:ntp:/var/run/ntp:/bin/false
dnsmasq:x:453:453:dnsmasq:/var/run/dnsmasq:/bin/false
docker:x:65536:65536:docker:/var/run/docker:/bin/false
logd:x:514:514:logd:/var/run/logd:/bin/false
ubus:x:81:81:ubus:/var/run/ubus:/bin/false
root@OpenWrt:~#

and

root@OpenWrt:~# ls -la /etc/shadow
-rw-r--r-- 1 root root 226 May 19 13:05 /etc/shadow

thiscantbeserious commented on 19.05.2021 13:17

Maybe it's related to docker?

Will have to try ...

thiscantbeserious commented on 19.05.2021 13:20

Will try a fresh config with the following manually set in .config:

https://forum.openwrt.org/t/request-for-lxc-support-in-mvebu/58767/18

Admin
Jo-Philipp Wich commented on 19.05.2021 13:48
root:$2a$13$o6uIc/e...

This is a bcrypt hash which is not supported by musl libc unless you disable the crypt size hack option during build. Normally, the builtin busybox `passwd` applet will only generate MD5 hashes (starting with "$1$..."). Did you maybe include something like the full shadow suite in your build? This could explain your troubles.

You can likely solve the issue by rebuilding with the following option enabled in menuconfig:

[*] Advanced configuration options (for developers)
→ [*] Toolchain Options
→ [*] Include crypt() support for SHA256, SHA512 and Blowfish ciphers
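
An added example, not part of the ticket or of OpenWrt's code: a POSIX shell check that classifies the password field of passwd/shadow entries by its crypt prefix and flags the schemes that, per the comment above, need the extended crypt() toolchain option. The function names and the sample entries are constructed for illustration; on a device the input would be `audit_entries < /etc/shadow`.

```shell
#!/bin/sh
# Map a password field to the scheme its prefix announces.
classify_hash() {
    case "$1" in
        '$1$'*)                  echo md5 ;;       # what busybox passwd normally writes
        '$2a$'*|'$2b$'*|'$2y$'*) echo bcrypt ;;    # the "$2a$13$..." form seen in the ticket
        '$5$'*)                  echo sha256 ;;
        '$6$'*)                  echo sha512 ;;
        '')                      echo empty ;;     # no password set
        x)                       echo placeholder ;;
        '*'|'!'*)                echo locked ;;
        *)                       echo unknown ;;
    esac
}

# Schemes the ticket ties to the build option
# "Include crypt() support for SHA256, SHA512 and Blowfish ciphers".
needs_extended_crypt() {
    case "$1" in
        bcrypt|sha256|sha512) return 0 ;;
        *)                    return 1 ;;
    esac
}

# Read passwd/shadow-format lines on stdin, print "user scheme [flag]".
audit_entries() {
    while IFS=: read -r user hash _rest; do
        [ -n "$user" ] || continue
        scheme=$(classify_hash "$hash")
        if needs_extended_crypt "$scheme"; then
            echo "$user $scheme needs-extended-crypt"
        else
            echo "$user $scheme"
        fi
    done
}

# Constructed sample entries (hash bodies are filler, not real hashes).
sample_shadow() {
    cat <<'EOF'
root:$2a$13$CONSTRUCTEDxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:18766:0:99999:7:::
admin:$1$CONSTRUC$xxxxxxxxxxxxxxxxxxxxxx:18766:0:99999:7:::
daemon:*:0:0:99999:7:::
dnsmasq:x:0:0:99999:7:::
EOF
}

sample_shadow | audit_entries
```

An account flagged `needs-extended-crypt` on an image built without that option is one whose stored hash the system's crypt() cannot verify, which matches the failed logins reported here.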

thiscantbeserious commented on 19.05.2021 14:23

Many thanks for the explanation!

Already guessed something was wrong in regards to encryption ... will try your tip.

I certainly didn't enable the full shadow suite build myself.

Maybe some of the utility settings for lxc, docker, dockerd or docker compose enables it?

At least I'm now confident starting from scratch for any board for the basic build ...

Edit:

→ [*] Include crypt() support for SHA256, SHA512 and Blowfish ciphers

Sadly doesn't seem to fix the issue from a first try :/

Edit 2:

Went ahead manually enabling full shadow suite, then enabling all the above in the kernel_menuconfig ... I guess it's something else.

thiscantbeserious commented on 20.05.2021 08:17

Minimal case to reproduce this on mvebu on 21.02:

 
1. git clone -b openwrt-21.02 --depth 1 https://github.com/openwrt/openwrt.git
2. ./scripts/feeds update -a
3. ./scripts/feeds install -a
4. make menuconfig
5. Target System: Marvell EBU Armada
6. Subtarget: Marvell Armada 3700LP (ARM64)
7. Target Profile: Marvell ESPRESSObin Non-eMMC
8. Utilities -> lxc -> Configuration:

[*] Enable kernel support for LXC
[*] Enable busybox support for lxc-create tool
[*] Enable support for seccomp in LXC
[*] Enable networking support for LXC containers

9. Utilities -> lxc:

[*] lxc-checkconfig
[*] lxc-ls
[*] lxc-start
[*] lxc-stop

10. LuCI -> Collections -> [*] luci
11. Save & Exit
12. make
13. flash resulting openwrt-mvebu-cortexa53-globalscale_espressobin-ext4-sdcard.img.gz via balenaEtcher to SD-Card
14. boot via SD-Card 

Result:

passwd can't be changed via LuCI, if you change it via SSH it will save something (?) and you can't login afterwards

BusyBox v1.33.1 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 21.02-SNAPSHOT, r0-bbbc01e
 -----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@OpenWrt:~# passwd
Changing password for root
Enter the new password (minimum of 5 characters)
Please use a combination of upper and lower case letters and numbers.
New password:
Re-enter new password:
passwd: password changed.

Even enabling most encryption options for the Kernel itself and the above Advanced Setting for sha256, sha512 and bcrypt support for crypt() does not fix it.

It's also not related to the ssh-client (tried two different machines/clients).

I'm as clueless as I was before. Will try the same on master next.

 
rchmsr commented on 11.06.2021 07:31

I observe the same issue on x86-64, build for APU device.
As described, can't change password on LuCI.
After changing on console, I am no longer able to log in to LuCI.
However, I have access through serial console and SSH as I deploy an SSH key with my build.

Any ideas how I can help tracking the issue down?

Project Manager
Baptiste Jonglez commented on 18.06.2021 05:49

It does not look like the regular busybox passwd, please provide the output of:

# passwd --help
# which passwd
# ls -lh /bin/passwd
# ls -lh $(which passwd)

I would suspect this option is responsible, try without it:

[*] "Enable busybox support for lxc-create tool"
