[baseimage]: Improve password hashing for default user account

build_debian.sh

@@ -3,26 +3,22 @@
 ## an ONIE installer image.
 ##
 ## USAGE:
-##   ./build_debian USERNAME PASSWORD_ENCRYPTED
-## PARAMETERS:
+##   USERNAME=username PASSWORD=password ./build_debian
+## ENVIRONMENT:
 ##   USERNAME
 ##          The name of the default admin user
-##   PASSWORD_ENCRYPTED
-##          The encrypted password, expected by chpasswd command
+##   PASSWORD
+##          The password, expected by chpasswd command
 
 ## Default user
-USERNAME=$1
 [ -n "$USERNAME" ] || {
-    echo "Error: no or empty USERNAME argument"
+    echo "Error: no or empty USERNAME"
     exit 1
 }
 
-## Password for the default user, customizable by environment variable
-## By default it is an empty password
-## You may get a crypted password by: perl -e 'print crypt("YourPaSsWoRd", "salt"),"\n"'
-PASSWORD_ENCRYPTED=$2
-[ -n "$PASSWORD_ENCRYPTED" ] || {
-    echo "Error: no or empty PASSWORD_ENCRYPTED argument"
+## Password for the default user
+[ -n "$PASSWORD" ] || {
+    echo "Error: no or empty PASSWORD"
     exit 1
 }
 
@@ -178,7 +174,7 @@ sudo cp files/docker/docker.service.conf $_
 ## Note: user should be in the group with the same name, and also in sudo/docker group
 sudo LANG=C chroot $FILESYSTEM_ROOT useradd -G sudo,docker $USERNAME -c "$DEFAULT_USERINFO" -m -s /bin/bash
 ## Create password for the default user
-echo $USERNAME:$PASSWORD_ENCRYPTED | sudo LANG=C chroot $FILESYSTEM_ROOT chpasswd -e
+echo "$USERNAME:$PASSWORD" | sudo LANG=C chroot $FILESYSTEM_ROOT chpasswd
 
 ## Pre-install hardware drivers
 sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install      \

slave.mk

@@ -76,10 +76,14 @@ endif
 
 ifeq ($(USERNAME),)
 override USERNAME := $(DEFAULT_USERNAME)
+else
+$(warning USERNAME given on command line: could be visible to other users)
 endif
 
 ifeq ($(PASSWORD),)
 override PASSWORD := $(DEFAULT_PASSWORD)
+else
+$(warning PASSWORD given on command line: could be visible to other users)
 endif
 
 ifeq ($(SONIC_BUILD_JOBS),)
@@ -100,8 +104,8 @@ $(info "CONFIGURED_PLATFORM"             : "$(if $(PLATFORM),$(PLATFORM),$(CONFI
 $(info "SONIC_CONFIG_PRINT_DEPENDENCIES" : "$(SONIC_CONFIG_PRINT_DEPENDENCIES)")
 $(info "SONIC_BUILD_JOBS"                : "$(SONIC_BUILD_JOBS)")
 $(info "SONIC_CONFIG_MAKE_JOBS"          : "$(SONIC_CONFIG_MAKE_JOBS)")
-$(info "DEFAULT_USERNAME"                : "$(DEFAULT_USERNAME)")
-$(info "DEFAULT_PASSWORD"                : "$(DEFAULT_PASSWORD)")
+$(info "USERNAME"                        : "$(USERNAME)")
+$(info "PASSWORD"                        : "$(PASSWORD)")
 $(info "ENABLE_DHCP_GRAPH_SERVICE"       : "$(ENABLE_DHCP_GRAPH_SERVICE)")
 $(info "SHUTDOWN_BGP_ON_START"           : "$(SHUTDOWN_BGP_ON_START)")
 $(info "ENABLE_PFCWD_ON_START"           : "$(ENABLE_PFCWD_ON_START)")
@@ -484,8 +488,14 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
 
 	DIRTY_SUFFIX="$(shell date +%Y%m%d\.%H%M%S)"
 	export DIRTY_SUFFIX
-	./build_debian.sh "$(USERNAME)" "$(shell perl -e 'print crypt("$(PASSWORD)", "salt"),"\n"')" $(LOG)
-	TARGET_MACHINE=$($*_MACHINE) IMAGE_TYPE=$($*_IMAGE_TYPE) ./build_image.sh $(LOG)
+
+	USERNAME="$(USERNAME)" \
+	PASSWORD="$(PASSWORD)" \
+		./build_debian.sh $(LOG)
+
+	TARGET_MACHINE=$($*_MACHINE) \
+	IMAGE_TYPE=$($*_IMAGE_TYPE) \
+		./build_image.sh $(LOG)
 
 	$(foreach docker, $($*_DOCKERS), \
 		rm -f $($(docker)_CONTAINER_NAME).sh