!nshlib: Require explicit fixed login password at build time#3557
Open
Abhishekmishra2808 wants to merge 1 commit into
Open
!nshlib: Require explicit fixed login password at build time#3557Abhishekmishra2808 wants to merge 1 commit into
Abhishekmishra2808 wants to merge 1 commit into
Conversation
Abhishekmishra2808
force-pushed
the
nsh-login-empty-password
branch
from
2b8eb4f to
a5ffd53
Compare
Abhishekmishra2808
force-pushed
the
nsh-login-empty-password
branch
from
a5ffd53 to
a7a4722
Compare
Add apps/crypto/pbkdf2, migrate passwd encrypt/verify to modular crypt format with complexity validation, share base64url helpers, and add pbkdf2_test for RFC 6070 vector coverage. Change NSH_LOGIN_USERNAME default to root and remove fixed-login password defaults. BREAKING CHANGE: TEA-encoded /etc/passwd entries no longer verify. Regenerate each entry after upgrading. Pair with the nuttx host mkpasswd changes in apache/nuttx#19209. When CONFIG_NSH_LOGIN_FIXED=y, set CONFIG_NSH_LOGIN_PASSWORD in the board defconfig or menuconfig; there is no default password. Signed-off-by: Abhishek Mishra <mishra.abhishek2808@gmail.com>
Abhishekmishra2808
force-pushed
the
nsh-login-empty-password
branch
from
a7a4722 to
7ab3fa7
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR is the nuttx-apps companion to apache/nuttx#19209, which adds the host
mkpasswdtool and ROMFS/etc/passwdbuild integration. Here, runtime password handling moves from reversible TEA to one-way PBKDF2-HMAC-SHA256 using a modular crypt string stored in/etc/passwd. The change addsapps/crypto/pbkdf2with a small self-contained SHA-256 and HMAC implementation (Mbed TLS PKCS5 is used when available), rewritespasswd_encryptandpasswd_verifywith shared base64url helpers and password complexity checks, and addspbkdf2_testfor RFC 6070 SHA-256 vector coverage. The round-trip portion of that test is skipped automatically when the passwd file is read-only or whenDEV_URANDOMis not enabled. NSH also changes the default fixed-login username torootand removes insecure fixed-login password defaults.BREAKING CHANGE: TEA-encoded
/etc/passwdentries no longer verify after this upgrade. Every entry must be regenerated with NSHpasswdoruseraddonce both nuttx and nuttx-apps are updated. IfCONFIG_NSH_LOGIN_FIXED=yis used,CONFIG_NSH_LOGIN_PASSWORDmust be set explicitly in the board defconfig or menuconfig; there is no default password.Impact
This change modifies existing password file behavior and is not backward compatible with TEA-encoded hashes. Users must regenerate stored passwords. The build flow itself is unchanged in nuttx-apps; the ROMFS build-time password prompt lives in the paired nuttx PR. Documentation updates are included in that nuttx PR rather than here.
Testing
Testing was done on
sim:loginwith NSH console login against a build-time PBKDF2 hash, and login succeeded.Login was also verified on ESP32-C3 using the
esp32c3-devkit:loginconfiguration over USB serial. Check- apache/nuttx#19209pbkdf2_testpassed the RFC 6070 SHA-256 vectors onsim:login, and the passwd encrypt/verify round-trip passed with a writable passwd path at/tmp/passwd, readonly disabled, andDEV_URANDOMenabled.