diff options
author | John Klug <john.klug@multitech.com> | 2019-12-10 13:41:57 -0600 |
---|---|---|
committer | John Klug <john.klug@multitech.com> | 2019-12-10 13:41:57 -0600 |
commit | 65662db674cb3529331dc5db83be9bd9220f072d (patch) | |
tree | c90bfda38d3a1bcbdcb2d758a97fa4eb16113912 | |
parent | b3c010190ffcc295dcc45781abfb1e66e1eb4c46 (diff) | |
download | mts-id-eeprom-65662db674cb3529331dc5db83be9bd9220f072d.tar.gz mts-id-eeprom-65662db674cb3529331dc5db83be9bd9220f072d.tar.bz2 mts-id-eeprom-65662db674cb3529331dc5db83be9bd9220f072d.zip |
Read password from stdin0.5.0
-rw-r--r-- | configure.in | 2 | ||||
-rw-r--r-- | src/hashpwd.cpp | 43 | ||||
-rwxr-xr-x | src/ubpasswd.sh | 23 |
3 files changed, 59 insertions, 9 deletions
diff --git a/configure.in b/configure.in index c1f2416..ed7e154 100644 --- a/configure.in +++ b/configure.in @@ -1,5 +1,5 @@ AC_INIT([src/eeprom_main.c]) -AM_INIT_AUTOMAKE([mts-id-eeprom], [0.4.7]) +AM_INIT_AUTOMAKE([mts-id-eeprom], [0.5.0]) AM_CONFIG_HEADER([config.h]) AC_PROG_CC diff --git a/src/hashpwd.cpp b/src/hashpwd.cpp index 6bc322c..1ea3e2c 100644 --- a/src/hashpwd.cpp +++ b/src/hashpwd.cpp @@ -153,6 +153,7 @@ void usage(void) " -V version" << endl << " -v verbose" << endl << " -d did Device ID (serial #)" << endl << + " -i Read password from standard input" << endl << " -m mac Ethernet mac address" << endl << " -p password" << endl << " -u uuid UUID (base 16)" << endl << @@ -163,17 +164,20 @@ void usage(void) } int main(int argc, char **argv) { - int opt = 0, p = 0, d = 0, m = 0, u=0; + int opt = 0, p = 0, d = 0, m = 0, u=0, iopt = 0; + char c; unsigned long long fudge = 0; short unsigned int prefix; string did, mac, pwd, salt, uuid; + int supplied_password = 0; - while ((opt = getopt(argc,argv,"Vd:m:p:u:v")) != EOF) + while ((opt = getopt(argc,argv,"Vd:im:p:u:v")) != EOF) switch(opt) { case 'V': cout << MYVERSION << endl; exit(0); case 'v': v = 1; cout << " verbose" <<endl; break; case 'd': d = 1; did = optarg ; (v==1) && cout << "device-id is " << did << endl; break; + case 'i': iopt = 1; (v==1) && cout << "Reading password from stdin " << endl; break; case 'm': m = 1; mac = optarg ; (v==1) && cout << "Ethernet mac is " << mac << endl; break; case 'p': p = 1; pwd = optarg ; (v==1) && cout << "User defined password is \"" << pwd << "\"" << endl; break; case 'u': u = 1; uuid = optarg ; (v==1) && cout << "UUID is \"" << uuid << "\"" << endl; break; @@ -187,6 +191,15 @@ int main(int argc, char **argv) { cout << " argv[" << i << "]=\"" << argv[i] << "\"" << endl; } + if (p && iopt) { + cout << "Cannot have both a command line password and standard input password" << endl; + usage(); + } + + if (p || iopt) + supplied_password = 1; + + if ((p && d) || (p && m)) { cout << "Must use either a supplied password or Device ID and Ethernet MAC address, but not all three." << endl; usage(); @@ -212,13 +225,33 @@ int main(int argc, char **argv) { (v == 1) && cout << "prefix is " << prefixStream.str() << endl; + if(iopt) { + while(1) + { + cin.get(c); + if (cin.eof()) + break; + pwd.push_back(c); + } + } + + // Dump password in hex + if(v == 1) { + cout.width(2); + cout.fill(0); + cout << hex; + cout << right; + for(unsigned int i=0; i<pwd.length(); i++) + cout << hex << right << (int)pwd[i]; + cout << endl; + } string passwd_str; string passwd0, passwdnew; SHA256_CTX sha256; unsigned char hash[SHA256_DIGEST_LENGTH]; - if(!p) { + if(!(p || iopt)) { if (m) passwd0 = did + "|" + mac; else if (u) @@ -227,7 +260,7 @@ int main(int argc, char **argv) { while (1) { unsigned char append[9]; - (v == 1) && cout << "pwdinput: " << passwdnew << endl; + (v == 1) && cout << "pwdinput: " << passwdnew << endl; SHA256_Init(&sha256); SHA256_Update(&sha256,passwdnew.c_str(),passwdnew.length()); @@ -264,7 +297,7 @@ int main(int argc, char **argv) { cout << "pass=" << pwd << endl; - passwd_str = prefixStream.str() + pwd + salt; + passwd_str = prefixStream.str() + pwd + salt; SHA256_Init(&sha256); SHA256_Update(&sha256,passwd_str.c_str(),passwd_str.length()); diff --git a/src/ubpasswd.sh b/src/ubpasswd.sh index 98347fb..e3509ab 100755 --- a/src/ubpasswd.sh +++ b/src/ubpasswd.sh @@ -11,6 +11,11 @@ # user list. The first user in this list that is found in # /etc/shadow is changed. root is only changed if mtadm # or admin is not found. +# +# -p option (pass password through stdin) is more secure +# because another user on the system could use ps to acquire +# the password. +# ADMINLIST="mtadm admin" MTS=/sys/devices/platform/mts-io @@ -24,7 +29,7 @@ if ! [[ -x /sbin/mts-hashpwd ]] ; then exit 1 fi usage() { - echo "mts-ubpasswd [-c] [-d] [-n] [-i] [-m] [-u] [-r] [-f] [-s salt] [password]" + echo "mts-ubpasswd [-c] [-d] [-n] [-i] [-m] [-u] [-r] [-f] [-p] [-s salt] [password]" echo " -c clear the U-Boot password" echo " -d debug" echo " -n dryrun for setting password" @@ -35,6 +40,7 @@ usage() { echo " is currently required" echo " -f returns true if U-Boot password" echo " feature is available." + echo " -p read password from standard input" echo " -s salt is user supplied salt" echo " password is a user supplied password" echo "A salt not supplied is generated." @@ -50,7 +56,8 @@ usage() { ((debug=0)) ((upwd=0)) ((dryrun=0)) -while getopts ":cdfimnrs:u" opt; do +((stdp=0)) +while getopts ":cdfimnprs:u" opt; do case $opt in c) u-boot setenv mtsp @@ -93,6 +100,9 @@ while getopts ":cdfimnrs:u" opt; do n) ((dryrun=1)) ;; + p) + ((stdp=1)) + ;; u) ((ubonly=1)) ;; @@ -119,10 +129,17 @@ done ((debug)) && echo OPTIND is $OPTIND ((sc=OPTIND-1)) shift $sc +if (($# == 1)) && ((stdp == 1)) ; then + "Cannot use -p option with password on the command line" + usage +fi if (($# == 1)) ; then ((debug)) && echo "User set password is \"$1\"" ((upwd = 1)) pass="$1" +elif ((stdp == 1)) ; then + ((upwd = 1)) + read -r pass fi ((debug)) && echo hassalt is $hassalt, salt is \"$salt\" @@ -204,7 +221,7 @@ if ((upwd == 0)) ; then fi result=$(/sbin/mts-hashpwd ${pwdsrc} ${salt}) else - result=$(/sbin/mts-hashpwd -p "${pass}" ${salt}) + result=$(echo -n "$pass" | /sbin/mts-hashpwd -i ${salt}) fi if ! [[ $result =~ ^pass=([^$'\n']+)$'\n'password_hash=([^$'\n']+) ]] ; then echo "/sbin/mts-hashpwd failed: ${result}" |