Setting password for root user in Yocto

By default, if you have not made any modifications to 'EXTRA_IMAGE_FEATURES' variables, "debug-tweaks" option is set.

$ bitbake -e rpi-basic-image | grep ^EXTRA_IMAGE_FEATURES
EXTRA_IMAGE_FEATURES="debug-tweaks"

This option makes the image suitable for development and allows you to have an empty root password. So, if you have ssh server running, you no need to type the password.

But for production, this is not a good idea, as it is insecure. We need to add a password for the root user. We need to remove "debug-tweaks" option from the EXTRA_IMAGE_FEATURES. Add the below line in your local.conf or machine.conf file

EXTRA_IMAGE_FEATURES=""

To add the password for the root account you can write the below in your local.conf or machine.conf file:

INHERIT += "extrausers"
EXTRA_USERS_PARAMS = "usermod -p $(openssl passwd 123456) root

The problem with the above approach is any developer can look at the local.conf file and find out the root password.

The other way is to pass an encrypted value of the password to usermod option

To generate an encrypted value, you can use openssl or mkpasswd. I used mkpasswd.

For example to set password:123456

mkpasswd -m sha-512 123456 -s "mypassword"

You can see running multiple times, I get the same output.

Finally, add the generated encrypted password in local.conf file. Note: You need to escape the '$' and any other special characters as that will be interpreted by shell.



Comments

Popular posts from this blog

bb.utils.contains yocto

Difference between RDEPENDS and DEPENDS in Yocto

make config vs oldconfig vs defconfig vs menuconfig vs savedefconfig