Reputation: 4547
We are adding a password to the root user. The following is the addition to the conf files.
INHERIT += "extrausers"
EXTRA_USERS_PARAMS = "usermod -p $(openssl passwd abcd1234) root"
The above two lines perform the job for us. But the problem is everyone reading the configuration file can know that the password is "abcd1234".
Is there any other way to store the password securely in the configuration, or what is the best way to deal with this case? We have thousands of devices running embedded Linux; if someone is able to get the root password, he can easily access all the devices, as the password is the same. What is the best way to deal with this situation?
Upvotes: 1
Views: 2578
Reputation: 1929
Alexander's answer is the best practice.
In case you really need to have the password in your configuration, you can at least store the encrypted variant (take the output of openssl in your example, but I would use some stronger algorithm, see below), i.e.:
EXTRA_USERS_PARAMS = "\
usermod -p '\$6\$ca1gxiMTHxfATDYV\$PpXt8OeIiBY8xJX1qh66Sq1oC5tIthrhzo9dq6ILerp.vg7xdkHpLGbM.PKgh./r2J1lkSmHXT2Xhq/ZKr0XF.' root; \
"
Note the escaping of $ (and any other special characters if present), because the encrypted password is interpreted by the shell. (There is a real password in the example above, but it is a very weak one.)
You can use the SHA512-based password algorithm using the command:
openssl passwd -6
BTW did I mention that Alexander's answer is the best practice ;-)?
Upvotes: 4
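One way to produce the escaped line described in the answer above, as an added example that is not part of the original answer. The function names and the sample hash are constructed for illustration; `openssl passwd -6 -stdin` reads the password from standard input so it never appears on a command line or in the conf file.

```shell
#!/bin/sh
# Added example: turn a SHA-512 crypt hash into the two conf lines.
# Typical use: hash_from_stdin | { read -r h; emit_conf "$h"; }

# Hash a password read from stdin, keeping it out of argv and shell history.
hash_from_stdin() {
    openssl passwd -6 -stdin
}

# Accept only $6$[rounds=N$]salt$digest. Plain text, quotes, spaces or
# newlines must never reach the single-quoted usermod argument.
is_sha512_crypt() {
    case "$1" in
        *[!A-Za-z0-9./=\$]*) return 1 ;;
    esac
    printf '%s\n' "$1" |
        grep -Eq '^\$6\$(rounds=[0-9]+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{86}$'
}

# Put a backslash before every '$' so the hash is not expanded as variables.
escape_hash() {
    printf '%s\n' "$1" | sed 's/\$/\\$/g'
}

# Print the conf lines, refusing input that is not a SHA-512 crypt string.
emit_conf() {
    is_sha512_crypt "$1" || { echo "refusing: not a SHA-512 crypt hash" >&2; return 1; }
    printf 'INHERIT += "extrausers"\n'
    printf 'EXTRA_USERS_PARAMS = "usermod -p '\''%s'\'' root;"\n' "$(escape_hash "$1")"
}

# Constructed sample hash (salt "saltsalt", digest of 86 "A" characters),
# not derived from a real password.
A10=AAAAAAAAAA
SAMPLE_HASH='$6$saltsalt$'"$A10$A10$A10$A10$A10$A10$A10$A10"AAAAAA
emit_conf "$SAMPLE_HASH"
```
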
Reputation: 643
Don't use the password authentication at all; if you are accessing the devices with ssh, some kind of public key authentication (maybe combined with host authentication) is better. Read the 'Authentication' section in man ssh.
Upvotes: 2