Authentication improvements

board/common/busybox_defconfig

@@ -1,7 +1,7 @@
 #
 # Automatically generated make config: don't edit
-# Busybox version: 1.35.0
-# Mon Dec 12 13:47:01 2022
+# Busybox version: 1.36.0
+# Fri Jul  7 17:59:34 2023
 #
 CONFIG_HAVE_DOT_CONFIG=y
 
@@ -93,6 +93,9 @@ CONFIG_FEATURE_BUFFERS_USE_MALLOC=y
 # CONFIG_FEATURE_BUFFERS_GO_IN_BSS is not set
 CONFIG_PASSWORD_MINLEN=6
 CONFIG_MD5_SMALL=1
+CONFIG_SHA1_SMALL=3
+CONFIG_SHA1_HWACCEL=y
+CONFIG_SHA256_HWACCEL=y
 CONFIG_SHA3_SMALL=1
 CONFIG_FEATURE_NON_POSIX_CP=y
 # CONFIG_FEATURE_VERBOSE_CP_MESSAGE is not set
@@ -123,6 +126,9 @@ CONFIG_LAST_SUPPORTED_WCHAR=0
 # CONFIG_UNICODE_BIDI_SUPPORT is not set
 # CONFIG_UNICODE_NEUTRAL_TABLE is not set
 # CONFIG_UNICODE_PRESERVE_BROKEN is not set
+# CONFIG_LOOP_CONFIGURE is not set
+# CONFIG_NO_LOOP_CONFIGURE is not set
+CONFIG_TRY_LOOP_CONFIGURE=y
 
 #
 # Applets
@@ -338,6 +344,7 @@ CONFIG_FEATURE_TR_CLASSES=y
 CONFIG_FEATURE_TR_EQUIV=y
 CONFIG_TRUE=y
 CONFIG_TRUNCATE=y
+CONFIG_TSORT=y
 CONFIG_TTY=y
 CONFIG_UNAME=y
 CONFIG_UNAME_OSNAME="GNU/Linux"
@@ -526,13 +533,13 @@ CONFIG_USE_BB_CRYPT_SHA=y
 CONFIG_ADDGROUP=y
 CONFIG_FEATURE_ADDUSER_TO_GROUP=y
 CONFIG_ADDUSER=y
-# CONFIG_FEATURE_CHECK_NAMES is not set
+CONFIG_FEATURE_CHECK_NAMES=y
 CONFIG_LAST_ID=60000
 CONFIG_FIRST_SYSTEM_ID=100
 CONFIG_LAST_SYSTEM_ID=999
 # CONFIG_CHPASSWD is not set
 CONFIG_FEATURE_DEFAULT_PASSWD_ALGO="md5"
-# CONFIG_CRYPTPW is not set
+CONFIG_CRYPTPW=y
 CONFIG_MKPASSWD=y
 CONFIG_DELUSER=y
 CONFIG_DELGROUP=y
@@ -831,10 +838,12 @@ CONFIG_READAHEAD=y
 CONFIG_RFKILL=y
 CONFIG_RUNLEVEL=y
 CONFIG_RX=y
+CONFIG_SEEDRNG=y
 CONFIG_SETFATTR=y
 CONFIG_SETSERIAL=y
 CONFIG_STRINGS=y
 CONFIG_TIME=y
+CONFIG_TREE=y
 CONFIG_TS=y
 CONFIG_TTYSIZE=y
 CONFIG_UBIATTACH=y
@@ -1007,6 +1016,7 @@ CONFIG_UDHCPC=y
 CONFIG_FEATURE_UDHCPC_ARPING=y
 CONFIG_FEATURE_UDHCPC_SANITIZEOPT=y
 CONFIG_UDHCPC_DEFAULT_SCRIPT="/usr/share/udhcpc/default.script"
+CONFIG_UDHCPC6_DEFAULT_SCRIPT="/usr/share/udhcpc/default6.script"
 CONFIG_UDHCPC6=y
 CONFIG_FEATURE_UDHCPC6_RFC3646=y
 CONFIG_FEATURE_UDHCPC6_RFC4704=y
@@ -1141,6 +1151,7 @@ CONFIG_ASH_IDLE_TIMEOUT=y
 CONFIG_ASH_ECHO=y
 CONFIG_ASH_PRINTF=y
 CONFIG_ASH_TEST=y
+CONFIG_ASH_SLEEP=y
 CONFIG_ASH_HELP=y
 CONFIG_ASH_GETOPTS=y
 CONFIG_ASH_CMDCMD=y

board/common/post-build.sh

@@ -34,13 +34,18 @@ rm -f "$TARGET_DIR/etc/os-release"
 
 echo "Infix by KernelKit $GIT_VERSION -- $(date +"%b %e %H:%M %Z %Y")" > "$TARGET_DIR/etc/version"
 
-# Allow pdmenu (setup) and bash to be a login shells, bash
-# is added automatically when selected in menuyconfig, but
-# not when BusyBox provides a symlink (for ash).
+# Allow pdmenu (setup) and bash to be login shells, bash is added
+# automatically when selected in menuyconfig, but not when BusyBox
+# provides a symlink (for ash).  The /bin/{true,false} are old UNIX
+# beart means of disabling a user.
 grep -qsE '^/usr/bin/pdmenu$$' "$TARGET_DIR/etc/shells" \
         || echo "/usr/bin/pdmenu" >> "$TARGET_DIR/etc/shells"
 grep -qsE '^/bin/bash$$' "$TARGET_DIR/etc/shells" \
         || echo "/bin/bash" >> "$TARGET_DIR/etc/shells"
+grep -qsE '^/bin/true$$' "$TARGET_DIR/etc/shells" \
+        || echo "/bin/true" >> "$TARGET_DIR/etc/shells"
+grep -qsE '^/bin/false$$' "$TARGET_DIR/etc/shells" \
+        || echo "/bin/false" >> "$TARGET_DIR/etc/shells"
 
 # Menuconfig support for modifying Qemu args in release tarballs
 cp "$BR2_EXTERNAL_INFIX_PATH/board/common/qemu/qemu.sh" "$BINARIES_DIR/"

board/common/rootfs/etc/profile.d/convenience.sh

@@ -15,6 +15,5 @@ alias ipb='ip -br'
 alias ipaddr='ip addr'
 alias iplink='ip link'
 alias bridge='bridge --color=auto'
-alias cli='klish'
 
 alias docker=podman

board/netconf/post-build.sh

@@ -7,3 +7,7 @@ if [ -L "$TARGET_DIR/var/lib/avahi-autoipd" ]; then
 	rm    "$TARGET_DIR/var/lib/avahi-autoipd"
 	mkdir "$TARGET_DIR/var/lib/avahi-autoipd"
 fi
+
+# Allow clish (symlink to /usr/bin/klish) to be a login shell
+grep -qsE '^//bin/clish$$' "$TARGET_DIR/etc/shells" \
+        || echo "/bin/clish" >> "$TARGET_DIR/etc/shells"

board/netconf/rootfs/bin/clish

@@ -0,0 +1 @@
+../usr/bin/klish

board/netconf/rootfs/etc/profile.d/alias.sh

@@ -0,0 +1 @@
+alias cli='clish'

package/confd/sysrepo.conf

@@ -1,5 +1,3 @@
-run [S] /lib/infix/clean-etc --
-
 run name:bootstrap log:prio:user.notice \
 	[S] /lib/infix/cfg-bootstrap -- Bootstrapping YANG models
 service name:sysrepo log \

package/klish-plugin-sysrepo/klish-plugin-sysrepo.hash

@@ -1,4 +1,3 @@
 # Locally calculated
 sha256  9d9d33b873917ca5d0bdcc47a36d2fd385971ab0c045d1472fcadf95ee5bcf5b  LICENCE
-sha256  515fa2a3c66b41d6ab5ec93d61cdd32097115b2f46e39c522659b84d555eebf5  klish-plugin-sysrepo-cdd3eb51a7f7ee0ed5bd925fa636061d3b1b85fb-br1.tar.gz
-
+sha256  96ab24ea3c0aaf491db18930fca2ef30276d949c17996f3a595d36789ee0187d  klish-plugin-sysrepo-56c5bdd6a851c5472ee9efd654603df89f337795-br1.tar.gz

package/klish-plugin-sysrepo/klish-plugin-sysrepo.mk

@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-KLISH_PLUGIN_SYSREPO_VERSION = cdd3eb51a7f7ee0ed5bd925fa636061d3b1b85fb
+KLISH_PLUGIN_SYSREPO_VERSION = 56c5bdd6a851c5472ee9efd654603df89f337795
 KLISH_PLUGIN_SYSREPO_SITE = https://src.libcode.org/pkun/klish-plugin-sysrepo.git
 KLISH_PLUGIN_SYSREPO_SITE_METHOD = git
 KLISH_PLUGIN_SYSREPO_LICENSE = BSD-3

patches/busybox/0001-adduser-clarify-adduser-D-behavior-and-add-d-for-SSH.patch

@@ -0,0 +1,97 @@
+From 7e93dca4dab6bdbb39fd7f7c0f436839a1eb626e Mon Sep 17 00:00:00 2001
+From: Joachim Wiberg <troglobit@gmail.com>
+Date: Wed, 5 Jul 2023 22:38:56 +0200
+Subject: [PATCH 1/2] adduser: clarify adduser -D behavior and add -d for SSH
+ key login
+Organization: Addiva Elektronik
+
+Clarify that -D locks the account (!), then add -d to create an account
+for which password login is disabled (*) but the user can log in with
+SSH keys.
+
+This also adjusts the long option --disabled-password, which was mapped
+to -D, probably mistakenly.  With this change BusyBox adduser behaves
+the same as Debian's --disabled-login and --disabled-password.
+
+Fixes #10981
+
+Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
+---
+ loginutils/adduser.c | 24 ++++++++++++++----------
+ 1 file changed, 14 insertions(+), 10 deletions(-)
+
+diff --git a/loginutils/adduser.c b/loginutils/adduser.c
+index d3c795afa..cf6a0264a 100644
+--- a/loginutils/adduser.c
++++ b/loginutils/adduser.c
+@@ -62,7 +62,8 @@
+ //usage:     "\n	-s SHELL	Login shell"
+ //usage:     "\n	-G GRP		Group"
+ //usage:     "\n	-S		Create a system user"
+-//usage:     "\n	-D		Don't assign a password"
++//usage:     "\n	-D		Don't assign a password (locked account)"
++//usage:     "\n	-d		Like -D but allow login using SSH keys"
+ //usage:     "\n	-H		Don't create home directory"
+ //usage:     "\n	-u UID		User id"
+ //usage:     "\n	-k SKEL		Skeleton directory (/etc/skel)"
+@@ -82,10 +83,11 @@
+ #define OPT_SHELL          (1 << 2)
+ #define OPT_GID            (1 << 3)
+ #define OPT_DONT_SET_PASS  (1 << 4)
+-#define OPT_SYSTEM_ACCOUNT (1 << 5)
+-#define OPT_DONT_MAKE_HOME (1 << 6)
+-#define OPT_UID            (1 << 7)
+-#define OPT_SKEL           (1 << 8)
++#define OPT_DISABLED_PASS  (1 << 5)
++#define OPT_SYSTEM_ACCOUNT (1 << 6)
++#define OPT_DONT_MAKE_HOME (1 << 7)
++#define OPT_UID            (1 << 8)
++#define OPT_SKEL           (1 << 9)
+
+ /* remix */
+ /* recoded such that the uid may be passed in *p */
+@@ -168,7 +170,8 @@ static const char adduser_longopts[] ALIGN1 =
+ 		"gecos\0"               Required_argument "g"
+ 		"shell\0"               Required_argument "s"
+ 		"ingroup\0"             Required_argument "G"
+-		"disabled-password\0"   No_argument       "D"
++		"disabled-password\0"   No_argument       "d"
++		"disabled-login\0"      No_argument       "D"
+ 		"empty-password\0"      No_argument       "D"
+ 		"system\0"              No_argument       "S"
+ 		"no-create-home\0"      No_argument       "H"
+@@ -202,10 +205,10 @@ int adduser_main(int argc UNUSED_PARAM, char **argv)
+ 	pw.pw_dir = NULL;
+
+ 	opts = getopt32long(argv, "^"
+-			"h:g:s:G:DSHu:k:"
++			"h:g:s:G:DdSHu:k:"
+ 			/* at least one and at most two non-option args */
+ 			/* disable interactive passwd for system accounts */
+-			"\0" "-1:?2:SD",
++			"\0" "-1:?2:SDd",
+ 			adduser_longopts,
+ 			&pw.pw_dir, &pw.pw_gecos, &pw.pw_shell,
+ 			&usegroup, &uid, &skel
+@@ -263,7 +266,8 @@ int adduser_main(int argc UNUSED_PARAM, char **argv)
+ 	 * 8. unix date when login expires (i.e. when it may no longer be used)
+ 	 */
+ 	/* fields:     2 3  4 5     6 78 */
+-	p = xasprintf("!:%u:0:99999:7:::", (unsigned)(time(NULL)) / (24*60*60));
++	p = xasprintf("%c:%u:0:99999:7:::", (opts & OPT_DISABLED_PASS) ? '*' : '!',
++			(unsigned)(time(NULL)) / (24*60*60));
+ 	/* ignore errors: if file is missing we suppose admin doesn't want it */
+ 	update_passwd(bb_path_shadow_file, pw.pw_name, p, NULL);
+ 	if (ENABLE_FEATURE_CLEAN_UP)
+@@ -305,7 +309,7 @@ int adduser_main(int argc UNUSED_PARAM, char **argv)
+ 		}
+ 	}
+
+-	if (!(opts & OPT_DONT_SET_PASS)) {
++	if (!(opts & (OPT_DONT_SET_PASS | OPT_DISABLED_PASS))) {
+ 		/* interactively set passwd */
+ 		passwd_wrapper(pw.pw_name);
+ 	}
+-- 
+2.34.1
+

patches/busybox/0002-login-add-support-for-shadow-passwords.patch

@@ -0,0 +1,55 @@
+From 2a1462d9f6a117cf1a5ae531d36143bd0a55d533 Mon Sep 17 00:00:00 2001
+From: Joachim Wiberg <troglobit@gmail.com>
+Date: Wed, 5 Jul 2023 23:48:14 +0200
+Subject: [PATCH 2/2] login: add support for shadow passwords
+Organization: Addiva Elektronik
+
+login, on fallback from PAM, or when PAM support is not enabled, checks
+pw->pw_passwd for locked ("!") or passwordless ("*") accounts.  However,
+on systems with shadow passwords the first character will always be "x".
+
+This patch adds shadow password support from the passwd tool, letting
+the user end up in "Login incorrect" rather than the "login: bad salt"
+case, which could be used by an attacker to guess the state of accounts.
+
+Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
+---
+ loginutils/login.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/loginutils/login.c b/loginutils/login.c
+index b02be2176..0e7f20844 100644
+--- a/loginutils/login.c
++++ b/loginutils/login.c
+@@ -345,6 +345,11 @@ int login_main(int argc UNUSED_PARAM, char **argv)
+ #endif
+ #if ENABLE_LOGIN_SESSION_AS_CHILD
+ 	pid_t child_pid;
++#endif
++#if ENABLE_FEATURE_SHADOWPASSWDS
++	/* Using _r function to avoid pulling in static buffers */
++	struct spwd spw, *result = NULL;
++	char buffer[256];
+ #endif
+ 	IF_FEATURE_UTMP(pid_t my_pid;)
+
+@@ -493,6 +498,16 @@ int login_main(int argc UNUSED_PARAM, char **argv)
+ 			goto fake_it;
+ 		}
+
++#if ENABLE_FEATURE_SHADOWPASSWDS
++		if (getspnam_r(pw->pw_name, &spw, buffer, sizeof(buffer), &result)
++		    || !result || strcmp(result->sp_namp, pw->pw_name)) {
++			strcpy(username, "UNKNOWN");
++			goto fake_it;
++		} else {
++			pw->pw_passwd = result->sp_pwdp;
++		}
++#endif
++
+ 		if (pw->pw_passwd[0] == '!' || pw->pw_passwd[0] == '*')
+ 			goto auth_failed;
+
+-- 
+2.34.1
+