/srv/irclogs.ubuntu.com/2010/01/09/#ubuntu-mobile.txt

=== mcasadevall is now known as NCommander
=== kung|away is now known as kung
=== kung is now known as kung|away
dijeneratehi all14:29
dijeneratedoes anyone here know how to generate a SHA512 password with php that will be accepted by ubuntu?14:29
persiadijenerate: What are you trying to do?  More context may help get an answer.14:32
dijeneratepersia: we have a custom linux based on ubuntu mobile where the first time user setup is done via a web page14:37
persiaSo on first boot, a browser is launched to a local server executing PHP?14:37
dijeneratepersia: exactly14:37
dijeneratepersia: so the problem is, I can currently generate a DES password without a problem14:38
persiaCan't you just use http://php.net/manual/en/function.system.php ?14:38
dijeneratepersia: looking... 1 sec14:38
persiaYes, you'd have to do some privilege escalation, but you get to use the normal tools (e.g. adduser)14:39
persiaErr, maybe useradd would be better.  Hrm.14:39
* persia always gets confused between those two14:40
dijeneratepersia: actually I'm using shell_exec() and have no problems getting the commands executed14:41
persiaSo why do you need to manually construct the hashed password?14:41
persiaCan't you just get a value from the user (or generate one and tell the user), and then use useradd or passwd to generate the hash?14:42
dijeneratepersia: If I use  usr/sbin/useradd username -p encodedpassword the password would have to already be encoded14:42
dijeneratepersia: I don't have mkpasswd installed at the moment14:42
dijeneratepersia: the packages that carry that aren't needed for anything else so they were stripped14:43
persiaDo you have `passwd` installed?14:43
persia(if you have useradd, you probably do)14:43
dijeneratepersia: I do but won't that run as www-data?14:43
dijeneratepersia: it needs to be run as the newly created user14:44
persiaLike I said, you'd have some privilege escalation to do.14:44
persiaBut I don't see how the hash would help you if you're running as www-data anyway.14:44
dijeneratepersia: during first boot www-data has sudo privileges anyway14:44
persia(because you can't write /etc/shadow as www-data, or if you can, other things are wrong)14:44
persiaThen just run it in a root context.14:45
persiaJust after the user is created.14:45
dijeneratepersia: so it can run /usr/sbin/useradd14:45
dijeneratepersia: passwd.. ok looking at the man page for it now14:46
dijeneratepersia: I was under the impression it could only be run for the user that calls it14:46
persiaOr as root for arbitrary logins.  That's to support the "Hi.  I forgot my password.", "OK.  I've just set it to 'k23jn4#(', please try logging in again" use case.14:47
persiaso, for example, one can run `sudo passwd ubuntu` to change the password for the ubuntu user.14:48
dijeneratepersia: of course what ever I use cannot be interactive, it needs to be executable in one line14:48
persiaWell, kinda.14:48
persiaYou need to be able to call some executable that does the right thing, given a set of arguments.14:48
dijeneratepersia: right so I'm looking for the passwd arguments that will allow me to place the password in plaintext inline14:49
persiaOr with some given standard input ($proc=proc_open ...)14:49
persiaBut the thing you execute can be a script that mitigates interactivity.14:49
persiaYou might be able to crib something from http://bazaar.launchpad.net/~ubuntu-core-dev/user-setup/ubuntu/annotate/head:/user-setup-apply (part of the Ubuntu installer)14:50
dijeneratepersia: actually useradd with no password followed by chpasswd may work14:50
persiaLooks like that is using chpasswd or usermod.14:51
dijeneratepersia: 1 sec brb14:51
persiaAnother option would be to set the initial password to nothing an expired, but this only works if you generally don't have internet connectivity during initial setup.14:53
dijeneratepersia: found the solution... /usr/sbin/useradd username15:16
dijeneratepersia: followed by  echo 'username:password' | /usr/sbin/chpasswd -c SHA51215:16
dijeneratepersia: works perfectly15:16
dijeneratepersia: I have an auto-install script that generates my new installation on virgin hardware from a tarball15:17
persiadijenerate: I'll recommend you not do it that way.15:17
dijeneratepersia: and I just need to get it to be auto run from a ubuntu server live usb image15:17
persiaIf you look in the comments on the php system() call page, there's an example of using PHP to feed STDIN15:17
persiaIf you use echo, it shows in the process listing, which may result in information leakage.15:18
persiaNot that it's likely someone else can run ps at this point, but still.15:18
dijeneratepersia: it's local and internal15:18
persiaAre your kiosks not going to end-users?  Just for internal use?15:18
dijeneratepersia: so the user just sees a pretty web page and won't know what goes on beneath15:18
* persia misunderstood the product target15:18
dijeneratepersia: end users but the php permission change after the first time set up15:19
dijeneratepersia: and there is no virtual console available15:19
dijeneratepersia: or recovery menu option in grub15:19
persiaLet me put this another way: you don't want someone to get your device, and hack it, and then complain about exposing the password.15:19
dijeneratepersia: so the only access is direct to the drive from another boot session15:20
persiaIf you use php to feed STDIN, you're still passing plaintext, but not somewhere where it's shown in system accounting.15:20
dijeneratepersia: if they hack their system, our server won't speak to it15:20
dijeneratepersia: these are just dumb terminals15:20
persiaOh, so the account is being set up on a central server based on the client access?15:21
dijeneratepersia: yes15:21
persiaI thought it was a local account.15:21
dijeneratepersia: the same account exists locally for the browser session to run after15:21
dijeneratepersia: but that's just so the usernames match15:22
persiaIf you're doing distributed authentication, then it's even more important that you don't use echo, because otherwise you don't have deniability that your system administrators can know the user passwords.15:22
dijeneratepersia: the passwords expire on the server every 30 days or more frequently for higher security accounts15:22
persiaOK.  You know your constraints better than I.  If you don't want to expose it, the code is referenced above :)15:23
dijeneratepersia: the terminals keep the same password since it's not needed for anything other than the browser session15:23
dijeneratepersia: I understand your points and thanks but we have decided that the best security practice is to never have the server account and the local account match passwords15:24
persiaI agree with that practice.  I'm just not convinced it's complete :)15:25
persiaBut it's not worth either of our time to fuss about it :)15:25
dijeneratepersia: lol15:26
dijeneratehi again... I'm trying to create a bootable ubuntu stick that boots a live cd image but without X11 etc, I want to boot directly to console17:36
dijenerateI have made a bootable stick in the past so my main concern is which iso to use and how to go about modifying it17:36
dijenerateso I can strip X and just have hotplug for network and standard utils like ntpdate, mkfs.ext4 and fdisk and necessary on top of a base install17:37
dijeneratesorry... should have read... as necessary17:38
dijeneratefrom the shell I'd like to be able to access a partition on the same stick so I'd like to be able to alter the start-up config of the live image and it's menu17:39
dijenerateoh, anyone know if it's possible to have a dual booting stick with a live image on one side and DOS on the other, or even if it's possible to add17:40
dijenerateDOS as an option to the live disk/stick's menu?17:41
dijenerateit's needed to run a bios flashing utility17:41
dijenerateanybody alive in here?17:41
dijenerateI guess not...17:53
dijeneratesigh...17:53
=== asac_ is now known as asac
=== kung|away is now known as kung
=== kung is now known as kung|away
=== mcasadevall is now known as NCommander

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!