Comments (14)
I've no idea what's going wrong there - the previous tests in the file should ensure that there is a line with a valid password entry in the shadow file, so the grep for the salt shouldn't fail - the only thing likely to make it do so is if you are using non-standard encryption for your password file, and in that case most of the rest of this routine will fail anyway.
Could you please post the output of sudo grep -E '^pi:' /etc/shadow - if you are concerned about security, delete the second half of the line; I only need to see the first 20 or so characters.
from raspberrypi-sys-mods.
Well, it's not my machine, so I can't provide the output you requested. The only thing I can tell is that
sudo grep -E '^pi:' /etc/shadow
returns the line of the pi user, but
SALT=$(echo "${SHADOW}" | sed -n 's/pi:$6$//;s/$.*//p')
returns an empty string.
I'm not sure what exactly the regex pattern does, but if it looks for a ";" char, it's not in the string. The rest appears to match the pattern. It's a valid SHA-512 hash.
from raspberrypi-sys-mods.
No, the regex isn't looking for a semicolon - that just separates two different sed patterns. That sed should extract all the characters between the initial "pi:$6$" and the next "$" - the only way it will return a null string is if the line from the shadow file does not start "pi:$6$" and contain a third $ at some point.
The format of a line in the shadow file is <user>:$<encryption digit>$<salt>$<hash>
If you have a pi user, there will be a line starting "pi:$", so either the encryption used is not SHA-512, indicated by the digit not being a 6, or the following $ separator is missing.
Without the actual line in question, I can't really debug this. All I can say is that it hasn't been reported by anyone else, so the machine in question has probably had something unusual done to its password file, but I can't diagnose what it is by guesswork.
from raspberrypi-sys-mods.
Well, the line starts with:
pi:$6$xxxxxxxx$xxx...
I hope you understand that I can't provide the actual string, especially because it's not my own machine.
For your debugging, if I put that string into the command line, it's empty too:
echo $(echo "pi:$6$xxxxxxxx$xxx..." | sed -n 's/pi:$6$//;s/$.*//p')
Hope you might be able to figure out what the issue could be.
from raspberrypi-sys-mods.
If echoing the string manually from the command line, you need to escape the $ symbols, or the shell mangles them. Try
echo $(echo "pi:\$6\$xxxxxxxx\$xxx..." | sed -n 's/pi:\$6\$//;s/\$.*//p')
instead. That works fine on my Pi, and produces the correct result.
It really doesn't compromise the security of the password file if you only share the first few characters of the hash - can you please just post the line up to a few characters after the third $ sign? For example, here's the equivalent from my file:
pi:$6$k0vFWRoG$bEB...
That is all I need to diagnose the problem; it doesn't reveal anything helpful to a hacker.
I did wonder if it was running in a strange shell which was causing unusual behaviour, but I've just tested on both sh and bash, and it does the same on them here.
from raspberrypi-sys-mods.
Ah - I wonder if you have the characters "\n" or "\t" in the salt (the part of the line between the
from raspberrypi-sys-mods.
How about replacing all of the alphanumerics (a-z, A-Z, 0-9) with "x"s then posting the result? That should be safe.
from raspberrypi-sys-mods.
OK, from the testing I've done this evening, the characters mkpasswd uses in creating a salt, or allows the use of in a salt, should all work fine in these scripts. So I really need to know what the salt you used was (obfuscated as Phil suggests above if it makes you more comfortable), or I can't make any further progress on this.
from raspberrypi-sys-mods.
Sorry that I can't help you much at this point, I only had access today because of this issue. It could be any character that makes it fail. On my own Pi, it works as expected.
Maybe you should check for an empty salt, just to be safe. If someone uses a different algorithm, it will fail for sure.
from raspberrypi-sys-mods.
No-one should be using any algorithm other than SHA-512 - that's the default for Raspbian and all the other options are less secure.
https://fossies.org/linux/whois/mkpasswd.c lists the only valid salt characters as alphanumerics, . and / - all of those work in these scripts.
Closing until I can get more information, or someone can repeat the issue.
from raspberrypi-sys-mods.
Any password entry we can't parse is a changed password, so we shouldn't warn about it. If people change the password back to raspberry but with a different salt or encryption scheme then they are opting out of the warning.
from raspberrypi-sys-mods.
At present, the warning won't be generated if the salt is null anyway.
from raspberrypi-sys-mods.
Well, mkpasswd complains because the salt is empty, and that's because the pattern didn't match. See the original post. It took a while to realize where this message came from.
from raspberrypi-sys-mods.
The warning that the system is vulnerable will not be generated if the salt is null.
from raspberrypi-sys-mods.
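The salt extraction discussed in this thread, as an added example that is not part of the original comments or of the raspberrypi-sys-mods scripts: it parses the password field with shell parameter expansion instead of sed and returns non-zero when no usable SHA-512 salt is found, so a caller can skip the check rather than pass an empty salt on. The function name `shadow_salt` and the sample lines are hypothetical and constructed; the example goes slightly beyond the thread by also accepting the optional `rounds=N$` prefix that crypt(5) allows for SHA-512.

```shell
#!/bin/sh
# Added example (not the project's code): extract the salt from one shadow line.
# shadow_salt LINE USER: print the SHA-512 salt of USER's entry and return 0.
# Returns 1 and prints nothing for another user, a locked or non-"$6$" entry,
# or an empty salt, so the caller can skip the check quietly.
shadow_salt() {
    line=$1
    user=$2
    case $line in
        "$user":*) ;;
        *) return 1 ;;
    esac
    field=${line#*:}        # drop "user:"
    field=${field%%:*}      # keep only the password field
    case $field in
        '$6$'*) ;;          # quoted, so "$" is a literal character here
        *) return 1 ;;
    esac
    rest=${field#'$6$'}
    case $rest in
        rounds=*'$'*) rest=${rest#*'$'} ;;   # skip optional "rounds=N$"
    esac
    case $rest in
        *'$'*) ;;           # a "$" must separate salt and hash
        *) return 1 ;;
    esac
    salt=${rest%%'$'*}
    [ -n "$salt" ] || return 1
    printf '%s\n' "$salt"
}

# Constructed sample lines (not real hashes). Single quotes stop the shell
# expanding $6 and $Ab as parameters, which is what mangles the line when it
# is pasted inside double quotes on the command line.
SAMPLE_OK='pi:$6$Ab.c/D12$CONSTRUCTEDHASH:18000:0:99999:7:::'
SAMPLE_ROUNDS='pi:$6$rounds=5000$Ab.c/D12$CONSTRUCTEDHASH:18000:0:99999:7:::'
SAMPLE_SHA256='pi:$5$Ab.c/D12$CONSTRUCTEDHASH:18000:0:99999:7:::'
SAMPLE_LOCKED='pi:!:18000:0:99999:7:::'

for entry in "$SAMPLE_OK" "$SAMPLE_ROUNDS" "$SAMPLE_SHA256" "$SAMPLE_LOCKED"; do
    if salt=$(shadow_salt "$entry" pi); then
        echo "salt: $salt"
    else
        echo "no usable \$6\$ salt; skipping the default-password check"
    fi
done
```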