I am setting root password for my linux using the following in local.conf file:
INHERIT += "extrausers"
EXTRA_USERS_PARAMS = "usermod -p '\$6\$...'"
This works correctly, as expected.
But now, I found that in linux 5.10, to authenticate a user, I cannot check /etc/shadow, instead I need to use the libpam module. So, I did the following to add libpam to my linux image:
In my intramfs recipe I added libpam to PACKAGE_INSTALL.
Added pam in DISTRO_FEATURES_append
Now, when I flash this new image, the root user does not have any password. Adding libpam is somehow removing the password set using extrausers...
Is there a way to set the password in the image using libpam? Or is there something I am doing wrong when using extrausers and adding libpam to my image?
Since I couldn't get an answer here and on github issues of libpam I gave up trying to make libpam work for me.
I decided to use the /etc/shadow file. I removed extrausers and instead set the password manually into the shadow file using the following:
ROOTFS_POSTINSTALL_COMMAND += "set_root_password;"
set_root_password () {
sed -e "s/root::/root:\$6\$...:/" -i ${IMAGE_ROOTFS}/etc/shadow
}
Now I don't need to use libpam and can keep authenticating users to my redfish server using the shadow file.
Related
I've generated the iso image successfully. However, it asks me for the login information.
For "qemux86-64 login", I just leave the username empty and password empty since I didn't create any login passwords when I create the image. It won't let me login. Then I tried username "root", it showed me this:
Login as root
Then I added
inherit extrausers
EXTRA_USERS_PARAMS = "useradd -P 1234*56 nokola;
to extrausers.bbclass in meta directory. However, I still cannot login and it showed me "log in incorrect".
login as user
Is there anything I am missing or getting wrong?
I was building Yocto image followed the user manual, however after running bitbake, there's no .iso/.hddimg in the /home/nikola/yocto_build/poky/build/tmp/deploy/images/qemux86-64 directory. (nikola is my username)
Here's the configuration:
OS: Ubuntu 14.04 LTS
Hardware:
Intel Atom E3950 processor; 8GB Memory; 500GB HDD
Manual: https://www.intel.com/content/dam/www/public/us/en/documents/release-notes/atom-soc-celeron-n3350-pentium-n4200-bsp-for-yocto-project-mr3-release-notes.pdf?asset=14076
Add the below line in your build/conf/local.conf file and compile again then it will come.
IMAGE_FSTYPES += "iso"
for more images types click the link yocto-image-types
nikola said
Then I tried username "root", it showed me this (png image)
In that png, 2nd line in red shows that the login (root, no password) did actually succeed. root#qemux86-64:~#
You could enter commands there e.g. whoami or "ls -lt /", they will execute.
I'm adding a package in buildroot. Notably fcron-3.2.1. The documentation says to put this in the package makefile (fcron.mk) :
LIBFOO_USERS
Lists the users to create for this package, if it
installs a program you want to run as a specific user (e.g. as a
daemon, or as a cron-job). The syntax is similar in spirit to the
makedevs one, and is described in the Chapter 24, Makeusers syntax
documentation. This variable is optional.
So my fcron.mk file looks like this :
#############################################################
#
# fcron
#
#############################################################
FCRON_VERSION = 3.2.1
FCRON_OVERRIDE_SRCDIR = ../fcron-3.2.1
FCRON_OVERRIDE_RSYNC = YES
FCRON_INSTALL_STAGING = YES
FCRON_INSTALL_TARGET = YES
FCRON_SITE_METHOD = local
FCRON_CONF_OPTS = --enable-shared
FCRON_SITE = www.nomad-digital.com
define FCRON_USERS
fcron -1 fcron -1 * - - - Fcron daemon
endef
$(eval $(autotools-package))
When I try to install in buildroot, I get the following error.
>>> fcron custom Installing to staging directory
Checking if group fcron exists ... no.
Would you like to add fcron in /etc/passwd with the following command ?
groupadd fcron
If you use NYS, ldap, etc, you should add the group manually (say no here)
Please answer with 'y' or 'n' (default: 'y'): y
groupadd: Permission denied
groupadd cannot lock /etc/group; try again later.
Group "fcron" does not exists : please create it or choose another groupname with configure script.
I have a feeling that I'm trying to create a user on the host machine not in my buildroot image, but even when I answer with 'n' above, it still does not pass and just says to please create a user. AM I createing the required user and group correctly in buildroot?
It is the fcron build system that tries to add the user and group to the host, since it apparently doesn't consider installation in a staging directory. You need to tell the fcron build system NOT to add the user and group during installation. If this is not immediately obvious from the fcron configuration options, you can look how distributions solve it, they will have the same problem. Possibly you will need to patch its Makefile.am and set FCRON_AUTORECONF = YES in fcron.mk.
I am trying to find out how to create a new user in OpenShift enterprise.
According to the documentation (on https://docs.openshift.com/enterprise/3.0/architecture/core_concepts/projects_and_users.html):
Regular users are created automatically in the system upon first login...
This sounds illogical. How does a user login if they dont have a username and password?
Can someone please clarify this - I'm sure there must be some command for creating a new user, but it is not clear.
Thanks
The OpenShift master-config (/etc/openshift/master/master-config.yaml) describes the configuration about authentication. By default the master-config shows something like this for the authentication-part:
identityProviders:
- challenge: true
login: true
name: anypassword
provider:
apiVersion: v1
kind: AllowAllPasswordIdentityProvider
This means that every user with every password can authenticate. By performing oc get users as system:admin you'll see all the users.
This configuration is not recommended. You're able to configure another form of authentication (htpasswd, ldap, github, ...).
I'm using htpasswd. So than you have to create a file (with htpasswd) which will contain your username + encrypted password. After that you'll need to edit your master-config.yaml. You have to tell it to use HTPasswdPasswordIdentityProvider and link to your file.
You can find those steps here. Don't forget to restart your OpenShift master after performing those steps: sudo service openshift-master restart (origin-master for origin).
After creating users you can assign roles to users
Log in with the default admin (system:admin) and assign roles.
I am creating a script for simply adding a user if OpenShift using HTPasswdPasswordIdentityProvider
wget https://github.com/stedolan/jq/releases/download/jq-1.5/jq-linux64
mv jq-linux64 jq && chmod 755 jq
FILE=$(cat /etc/origin/master/master-config.yaml | python -c 'import sys, yaml, json; y=yaml.load(sys.stdin.read()); print json.dumps(y,indent=4, sort_keys=True)' | ./jq '.oauthConfig.identityProviders[0].provider.file')
FILE=$(sed -e 's/^"//' -e 's/"$//' <<<"$FILE")
htpasswd $FILE user1
Ok, so I'm trying to configure and install svnserve on my Ubuntu server. So far so good, up to the point where I try to configure sasl (to prevent plain-text passwords).
So; I installed svnserve and made it run as a daemon (also installed it as a startup script with the command svnserve -d -r /var/svn).
My repository is in /var/svn and has following configuration (to be found in /var/svn/myrepo/conf/svnserve.conf) (I left comments out):
[general]
anon-access = none
auth-access = write
realm = my_repo
[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256
Over to sasl, I created a svn.conf file in /usr/lib/sasl2/:
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /etc/my_sasldb
mech_list: DIGEST-MD5
I created it in that folder as the article at this link suggested: http://svnbook.red-bean.com/nightly/en/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.sasl (and also because it existed and was listed as a result when I executed locate sasl).
Right after that I executed this command:
saslpasswd2 -c -f /etc/my_sasldb -u my_repo USERNAME
Which also asked me for a password twice, which I supplied. All going great.
When issuing the following command:
sasldblistusers2 -f /etc/my_sasldb
I get the - correct, as far as I can see - result:
USERNAME#my_repo: userPassword
Restarted svnserve, also restarted the whole server, and tried to connect.
This was the result from my TortoiseSVN client:
Authentication error from server: SASL(-13): user not found: unable to canonify
user and get auxprops
I have no clue at all in what I'm doing wrong. I've been scouring the web for the past few hours, but haven't found anything but that I might need to move the svn.conf file to another location - for example, the install location of subversion itself. which svn results in /usr/bin/svn, thus I moved the svn.conf to /usr/bin (although that doesn't feel right to me).
Still doesn't work, even after a new reboot.
I'm running out of ideas. Anyone else?
EDIT
I tried changing this (according to what some other forums on the internet told me to do): in the file /etc/default/saslauthd, I changed
START=no
MECHANISMS="pam"
to
START=yes
MECHANISMS="sasldb"
(Actually I had already changed START=no to START=yes before, but I forgot to mention it). But still no luck (I did reboot the whole server).
It looks like svnserve uses default values for SASL...
Check /etc/sasl2/svn.conf to be readable by the svnserver process owner.
If /etc/sasl2/svn.conf is owned by user root, group root and --rw------, svnserve uses the default values.
You will not be warned by any log file entry..
see section 4 of https://svn.apache.org/repos/asf/subversion/trunk/notes/sasl.txt:
This file must be named svn.conf, and must be readable by the svnserve process.
(it took me more than 3 days to understand both svnserve-sasl-ldap and this pitfall at the same time..)
I recommend to install the package cyrus-sasl2-doc and to read the section Cyrus SASL for System Administrators carefully.
I expect this is caused by the SASL API for the call
result = sasl_server_new(SVN_RA_SVN_SASL_NAME,
hostname, b->realm,
localaddrport, remoteaddrport,
NULL, SASL_SUCCESS_DATA,
&sasl_ctx);
if (result != SASL_OK)
{
svn_error_t *err = svn_error_create(SVN_ERR_RA_NOT_AUTHORIZED, NULL,
sasl_errstring(result, NULL, NULL));
SVN_ERR(write_failure(conn, pool, &err));
return svn_ra_svn__flush(conn, pool);
}
as you may see, handling the access failure by svnserve is not foreseen, only Ok or error is expected...
I looked in /var/log/messages and found
localhost svnserve: unable to open Berkeley db /etc/sasldb2: No such file or directory
When I created the sasldb to the above file and got the permissions right, it worked. Looks like it ignores or does not use the sasl database path.
There was another suggestion that rebooting solved the problem but that option was not available to me.
I have a copy of a repo on my localhost with a saved username / password for the SVN repo.
The problem is that I changed my svn password (and would like to keep it that way) but every time I try to svn commit, it is asking for my GNOME keyring password (which I enter correctly). This is odd in the first place because I never had it ask me this before.
Then, after entering my password to the keyring, I get this error message:
svn: OPTIONS of 'PATH_TO_CHANGED_FILES': authorization failed: Could not authenticate to server: rejected Basic challenge (REPO_URL)
This is happening on 2 repos that I have but a 3rd one is just fine.
When I disable authentication on the server, everything commits just fine and if I try to update / commit from another server, it also works just fine.
I tried adding the following lines to my ~/.subversion/servers:
store-passwords = no
store-plaintext-passwords = no
And I also tried adding the following lines to my ~/.subversion/config:
store-passwords = no
store-auth-creds = no
But those config file changes do nothing.
Is there a way for my localhost svn to forget the username and passwords I have entered for these repos (they were saved before) so I can get back to everything?
I was able to solve this by deleting the keyring file for MATE. It is a bit of a brute way of doing it but it worked. You can delete the keyring file for MATE with the following command:
rm ~/.config/mate/keyrings/*.keyring
I don't know, how to remove stored data from keyring (old pass for repo), but you can try to replace it.
Use in console any SVN command, which will require authentication with additional options
Global options:
--username ARG : specify a username ARG
--password ARG : specify a password ARG
and test repo-communication in usual way after it
About keyring pass-request:
Check settings in ~/.subversion/config, [auth] section for password-stores =
Check settings in ~/.subversion/servers, [global] section for
store-passwords =
store-plaintext-passwords =