Automatically Setting a Root Password in Yocto Recipes
- 01 Oct 2021
- 2 Minutes to read
- Print
- DarkLight
- PDF
Automatically Setting a Root Password in Yocto Recipes
- Updated on 01 Oct 2021
- 2 Minutes to read
- Print
- DarkLight
- PDF
Article Summary
Share feedback
Thanks for sharing your feedback!
Introduction
This article discusses how to set a root password within Yocto metadata so that images are built with a root password included. We show how to do this with both a cleartext password as well as encrypted version of the password.
In local.conf, or in your image recipe, you need to add the following line:
inherit extrausers
This includes the extrausers bbclass, which brings in a set of utilities that are run during the image build process to modify the users configuration.
Next, you add some program calls into a special variable named EXTRA_USERS_PARAMS. These program calls are made to the users settings in sequence. To set the root password, you need to add a call to usermod.
Setting a Clear Text Root Password
Here is how to set a root password that is in clear text (not encrypted) in the configuration. This might be fine if you can restrict access to the metadata to trusted people only.
To EXTRA_USERS_PARAMS you add a call to usermod with the following options:
usermod -P <cleartext password> root
For example, if we were to set the password to technexion for the root user, we would do the following:
EXTRA_USERS_PARAMS = " \
usermod -P technexion root \
"
Putting this together:
inherit extrausers
EXTRA_USERS_PARAMS = " \
usermod -P technexion root \
"
You can add many commands to the EXTRA_USERS_PARAMS variable. You can even add additional users to your image by adding a call to useradd to EXTRA_USERS_PARAMS. Keep in mind that you need to add a semicolon to separate between the commands. Here, we add a user named scorpion without a password:
inherit extrausers
EXTRA_USERS_PARAMS = " \
usermod -P technexion root; \
useradd -p '' scorpion \
"
Warning
When setting the password in cleartext, make sure to use an uppercase P (-P) option in usermod when setting the root password. This tells the usermod command that the password is in cleartext.
Setting an Encrypted Version of the Password
You can also set the password using an an encrypted version of the password in the metadata. This can be a more secure way of setting the password.
Generate the password using mkpasswd
First, you need to generate the password. This can be done using the mkpasswd command as follows:
mkpasswd -m sha-512 <your-clear-password> -s "seed-between-8-and-16-chars-long"
Note
In Ubuntu, mkpasswd is part of the whois package:
sudo apt install whois
So, to generate the a password using technexion in cleartext and a seed of 11223344:
mkpasswd -m sha-512 technexion -s "11223344"
This results in the following output:
$6$11223344$JKoE0Gu2kAO1TM0ItsAnbfropz/fKdIEUQs6Z.ik9WBMUc.Mdt5u46plMon05riuZIl2qisG.nswnlhzoQqNt/
This output becomes the password argument for the usermod command, but with a few changes. The password option for encrypted passwords makes use of the lowercase p (-p). Also, all special characters that could be interpreted by a shell script need to be escaped. Thus:
EXTRA_USERS_PARAMS = " \
usermod -p '\$6\$11223344\$JKoE0Gu2kAO1TM0ItsAnbfropz/fKdIEUQs6Z.ik9WBMUc.Mdt5u46plMon05riuZIl2qisG.nswnlhzoQqNt/' root; \
useradd -p '' scorpion \
"
Warning
When setting the password encrypted, make sure to use an lowercase p (-p) option in usermod when setting the root password. This tells the usermod command that the password is in cleartext.
Do not forget to enclose the password in single quotes (' ').
Video Tutorial
In the following video, we go through all of the above steps, as well as the effects of this on these commands on the target's /etc/shadow file:
Example Code
Example code for this can be found in the meta-scorpion project on Github.
https://github.com/TechNexion-customization/meta-scorpion
Was this article helpful?
