@@ -5,7 +5,7 @@
#
# Zap the root password if empty-root-password feature is not enabled
-ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "empty-root-password", "add_empty_root_password_note", "zap_empty_root_password ",d)}'
+ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "empty-root-password", "", "zap_empty_root_password ",d)}'
# Allow dropbear/openssh to accept logins from accounts with an empty password string if allow-empty-password is enabled
ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "allow-empty-password", "ssh_allow_empty_password ", "",d)}'
@@ -64,6 +64,10 @@ ROOTFS_POSTPROCESS_COMMAND += '${SORT_PASSWD_POSTPROCESS_COMMAND}'
#
ROOTFS_POSTPROCESS_COMMAND += 'rootfs_reproducible'
+# Check and add 'no root password' banner.
+# This needs to done at the end of ROOTFS_POSTPROCESS_COMMAND, thus using :append.
+ROOTFS_POSTPROCESS_COMMAND:append = " add_empty_root_password_note"
+
# Resolve the ID as described in the sysusers.d(5) manual: ID can be a numeric
# uid, a couple uid:gid or uid:groupname or it is '-' meaning leaving it
# automatic or it can be a path. In the latter, the uid/gid matches the
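Review bot: The comment above the added `:append` line says the function must run at the end of ROOTFS_POSTPROCESS_COMMAND but not why, and it contains a typo ("needs to done"). Something like `# This must run after every command that can set or clear the root password, hence :append rather than +=.` would record the reason, which is presumably the intent and should be confirmed by the author. Note that `:append` only guarantees ordering after the `+=` entries. Another class or recipe that also appends to ROOTFS_POSTPROCESS_COMMAND could still run later and change /etc/shadow, in which case the banner would no longer match the image.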
@@ -259,8 +263,12 @@ zap_empty_root_password () {
# This function adds a note to the login banner that the system is configured for root logins without password
#
add_empty_root_password_note () {
- echo "Type 'root' to login with superuser privileges (no password will be asked)." >> ${IMAGE_ROOTFS}/etc/issue
- echo "" >> ${IMAGE_ROOTFS}/etc/issue
+ rootpw="`grep '^root:' ${IMAGE_ROOTFS}/etc/shadow | cut -d':' -f2`"
+ rootpw_lastchanged="`grep "^root:" ${IMAGE_ROOTFS}/etc/shadow | cut -d: -f3`"
+ if [ -z "$rootpw" -a "$rootpw_lastchanged" != "0" ]; then
+ echo "Type 'root' to login with superuser privileges (no password will be asked)." >> ${IMAGE_ROOTFS}/etc/issue
+ echo "" >> ${IMAGE_ROOTFS}/etc/issue
+ fi
}
#
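Review bot: In add_empty_root_password_note, a missing ${IMAGE_ROOTFS}/etc/shadow or a shadow file with no root entry leaves both `rootpw` and `rootpw_lastchanged` empty, so the `if` test passes and the passwordless-root banner is written to /etc/issue without any evidence that root's password is empty. Since the function now runs for every image rather than only when empty-root-password is set, it should read the root line once and return early when there is none, e.g. `rootline="$(grep '^root:' ${IMAGE_ROOTFS}/etc/shadow 2>/dev/null)"` followed by `[ -n "$rootline" ] || return 0`, and then cut fields 2 and 3 from `$rootline`. The check also looks only at the shadow file, so an empty root password field kept in /etc/passwd would not be announced. Whether that case can occur depends on zap_empty_root_password, whose body is outside this hunk.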