sched/nsh: Remove Hard-coded Default Password#18396

Open
Abhishekmishra2808 wants to merge 3 commits into apache:master from Abhishekmishra2808:Issue-16822
Conversation

@Abhishekmishra2808 Abhishekmishra2808 commented Feb 15, 2026

Summary

This PR introduces build-time generation of the /etc/passwd file for the ROMFS image when authentication is enabled.

Instead of relying on a static etc/passwd file embedded in the source tree, the passwd entry is now generated during the build using the configuration values:

  • CONFIG_ETC_ROMFS_PASSWD_USER
  • CONFIG_ETC_ROMFS_PASSWD_PASSWORD
  • CONFIG_ETC_ROMFS_PASSWD_UID
  • CONFIG_ETC_ROMFS_PASSWD_GID
  • CONFIG_ETC_ROMFS_PASSWD_HOME

The generated passwd entry is written into the ROMFS staging directory and included in the firmware image.

Behavior

Authentication disabled

  • No passwd generation occurs.
  • System behavior remains unchanged.

Authentication enabled

  • The build generates /etc/passwd automatically.
  • The password is hashed before being stored in the ROMFS image.
  • The plaintext password is never embedded in the firmware.

Password missing

  • If CONFIG_ETC_ROMFS_GENPASSWD=y but the password is empty, the build fails with an explicit error.

This ensures that credentials are always explicitly configured when authentication is enabled and prevents firmware images from being built with empty passwords.

Security Improvement

Previously /etc/passwd could be included as a static file in the ROMFS source tree.
With this change, the credentials are generated at build time and must be explicitly configured, avoiding implicit or default credentials in firmware images.

Testing

Generated passwd entry

[screenshot omitted]

Plaintext password check
[screenshot omitted]

(no output)

Build failure when password is empty

[screenshot omitted]

github-actions bot added the labels Area: Documentation, Area: Tooling, Area: Build system, Area: OS Components, Board: risc-v, Board: simulator and Size: M on Feb 15, 2026
Abhishekmishra2808 changed the title from "sched/nsh: Remove hard-coded default password and implement build-tim…" to "sched/nsh: Remove Hard-coded Default Password (Security Fix for Issue #16822)" on Feb 15, 2026
@acassis
Contributor

acassis commented Feb 15, 2026

@Abhishekmishra2808 the Documentation and the board should be (each one) in a separate PR. Normally we separate the logic implementation from the board support and Documentation.

@cederom
Contributor

cederom commented Feb 15, 2026

Thank you @Abhishekmishra2808 :-)

  • I have updated the description from "critical security vulnerability" to "improve security", as setting a password is optional and user controllable, so it was always a matter of user choice and decision what the password would be. Here we want to remove the default, correct?
  • Do you use AI for code and description generation?

@Abhishekmishra2808
Author

Hi @cederom ,
Yes, the goal is to remove the default password from the defconfigs and avoid having any hardcoded credentials. Password generation should be explicitly enabled and configured by the user when needed.

I used AI tools only to help refine wording and improve clarity in the description, but the implementation, debugging, and testing were done by me.

@Abhishekmishra2808
Author

@acassis I have fixed the changes suggested by you, and CI was failing because password generation was enabled in the defconfig files without setting a password. I have now removed CONFIG_ETC_ROMFS_GENPASSWD from the affected defconfigs so that password generation is not enabled by default. This ensures there is no default password while allowing users to explicitly enable and configure it if needed.

Abhishekmishra2808 changed the title from "sched/nsh: Remove Hard-coded Default Password (Security Fix for Issue #16822)" to "sched/nsh: Remove Hard-coded Default Password" on Feb 15, 2026
github-actions bot added the label Size: L on Mar 4, 2026
Contributor

@cederom cederom left a comment

Thank you @Abhishekmishra2808 :-)

  • Thanks for updating the PR description to closely match the change, it looks a lot better now :-)
  • Please update "tools/mkpasswd: replace mkpasswd.py with C host tool" git commit title and body.
    • It does not match the content, it touches more things.
    • We did not have this tool before so we cannot reference it out of nowhere.
    • Looks like you were working directly from a master of your clone, and had your local changes over there, thus confusion. I can see you use working branch for the PR already, very good! This is why clone master should always resemble upstream master and then you work on your local branch to have a solid reference point :-)
  • Please update "sched: Remove hard-coded default password and add build-time generation" git commit title and body.
    • This is BOARD functionality but not SCHED as @xiaoxiang781216 noted :-)
    • Please describe other changes introduced in this commit.
  • As there is one functional change you can put all passwd related changes into one single commit. But we prefer having incremental changes, like tools/mkpasswd introduction into one commit, boards changes separate commit, documentation changes separate commit, etc :-)

@Abhishekmishra2808
Author

@cederom, I've addressed the feedback:

  • Moved the passwd generation config from sched/Kconfig to boards/Kconfig.
  • Renamed the option to CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE.
  • Updated references in boards/Board.mk and cmake/nuttx_add_romfs.cmake.
  • Split the changes into three commits: (noted this for future :) )
    1. tools/mkpasswd: add host tool for build-time passwd hashing
    2. boards: add CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE
    3. Documentation: describe build-time passwd generation

Documentation and commit messages were updated to clarify that /etc/passwd entries are generated at build time using TEA hashing.

Please let me know if anything else should be adjusted.

acassis previously approved these changes Mar 5, 2026
jerpelea previously approved these changes Mar 5, 2026
@Abhishekmishra2808 Abhishekmishra2808 dismissed stale reviews from jerpelea and acassis via f6a23b4 March 5, 2026 14:55
@simbit18
Contributor

simbit18 commented Mar 5, 2026

@Abhishekmishra2808 please fix

../nuttx/tools/checkpatch.sh -c -u -m -g b3656d34b6f895076e5b91a8d167a23a870196ed..HEAD
❌ Commit subject missing colon (e.g. 'subsystem: msg')
❌ Missing Signed-off-by
❌ Commit subject missing colon (e.g. 'subsystem: msg')
❌ Missing Signed-off-by
Used config files:
    1: .codespellrc
Some checks failed. For contributing guidelines, see:
  https://github.com/apache/nuttx/blob/master/CONTRIBUTING.md
Error: Process completed with exit code 1.

@Abhishekmishra2808
Author

@simbit18 @acassis I have fixed the signed commit msg error, and now this PR is ready for the final review.

Abhishekmishra2808 force-pushed the Issue-16822 branch 2 times, most recently from 61dc245 to da1f7b4 on March 6, 2026 12:07
@Abhishekmishra2808
Author

Abhishekmishra2808 commented Mar 6, 2026

CI turned red again! :-(
@acassis, is there something missing from my end or is it failing on main?

@acassis
Contributor

acassis commented Mar 6, 2026

> CI turned red again! :-( @acassis, is there something missing from my end or is it failing on main?

@Abhishekmishra2808 no, everything is fine, the error in the ESP32 is not related to this PR

@cederom
Contributor

cederom commented Mar 6, 2026

Yup, CI needs a fix, will show up soon, guys are working on this already :-) #18501 (comment)

@acassis
Contributor

acassis commented Mar 6, 2026

@Abhishekmishra2808 after the esp32 fix, please update your upstream branch and rebase your branch to it.

Contributor

@cederom cederom left a comment

Very cool, thank you @Abhishekmishra2808, let's just wait with the merge until CI is fixed :-)

@xiaoxiang781216 sources updated could you please take a look? :-)

@simbit18
Contributor

simbit18 commented Mar 6, 2026

@Abhishekmishra2808 One question:
Has this change been tested on a board with Make and CMake?

@Abhishekmishra2808
Author

@simbit18
Yes, tested on both build systems:
Make:

  • sim:nsh - baseline, no passwd feature
  • sim:login with BOARD_ETC_ROMFS_PASSWD_ENABLE=y - passwd file generated at build time: admin:8Tv+Hbmr3pLVb5HHZgd26D:0:0:/
  • stm32f4discovery:nsh - cross-compile with arm-none-eabi-gcc

CMake:

  • sim:nsh - baseline CMake/Ninja build
  • sim:login with BOARD_ETC_ROMFS_PASSWD_ENABLE=y - CMake passwd generation path

All 5 builds completed successfully. The mkpasswd host tool compiles and produces the correct 5-field passwd entry format, and empty passwords are correctly rejected at build time.

@acassis
Contributor

acassis commented Mar 6, 2026

@Abhishekmishra2808 please update your upstream branch and rebase your branch to upstream

Add tools/mkpasswd.c, a self-contained C99 host tool that generates a
single /etc/passwd entry at build time.  The tool is invoked by the
board ROMFS build step when CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE is set.

The TEA encryption algorithm and custom base64 encoding match the
runtime implementations in:
  libs/libc/misc/lib_tea_encrypt.c
  apps/fsutils/passwd/passwd_encrypt.c
so passwords generated at build time are directly usable by the NuttX
login subsystem without any runtime re-hashing.  The plaintext password
is never stored in the firmware image.

Changes:
- tools/mkpasswd.c: new C host tool (pure C99, no external dependencies)
- tools/Makefile.host: add mkpasswd build rule
- tools/.gitignore: exclude compiled mkpasswd binary
- .gitignore: exclude etctmp/ (generated at build time, not to be committed)

Signed-off-by: Abhishek Mishra <mishra.abhishek2808@gmail.com>
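As an added illustration of the build-time generation this commit message describes (example code, not the PR's tools/mkpasswd.c), a host-side C sketch of the same shape: it refuses an empty password, TEA-encrypts the password in 8-byte blocks, base64-encodes each block and emits a 5-field user:hash:uid:gid:home entry. Assumptions: textbook TEA with a placeholder key, little-endian word packing and the plain base64 alphabet; NuttX's actual key material and digit encoding are defined in lib_tea_encrypt.c and passwd_encrypt.c and may differ, so this output is not interchangeable with theirs.

```c
/* Added example, not NuttX's mkpasswd: textbook TEA, placeholder key, plain base64. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const uint32_t KEY[4] = {0x01234567u, 0x89abcdefu, 0xfedcba98u, 0x76543210u};
static const char B64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

static void tea_encrypt(uint32_t v[2], const uint32_t k[4])
{
  uint32_t v0 = v[0], v1 = v[1], sum = 0;
  for (int i = 0; i < 32; i++)
    {
      sum += 0x9E3779B9u;
      v0 += ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
      v1 += ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
    }
  v[0] = v0; v[1] = v1;
}
/* Hash password: each 8-byte block (zero padded, little-endian words) is
 * TEA-encrypted and emitted as 11 base64 digits.  Returns the hash length,
 * or -1 for an empty password (the build must fail) or a too-small buffer. */
int mkpasswd_hash(const char *password, char *hash, size_t hashlen)
{
  size_t len = strlen(password), pos = 0;
  if (len == 0) return -1;
  for (size_t off = 0; off < len; off += 8)
    {
      uint32_t v[2] = {0, 0};
      for (size_t i = 0; i < 8 && off + i < len; i++)
        v[i / 4] |= (uint32_t)(unsigned char)password[off + i] << (8 * (i % 4));
      tea_encrypt(v, KEY);
      if (pos + 11 >= hashlen) return -1;
      uint64_t bits = ((uint64_t)v[0] << 32) | v[1];
      for (int i = 10; i >= 0; i--) { hash[pos + i] = B64[bits & 0x3f]; bits >>= 6; }
      pos += 11;
    }
  hash[pos] = '\0';
  return (int)pos;
}

/* Build the 5-field entry user:hash:uid:gid:home; 0 on success, -1 on error. */
int mkpasswd_entry(const char *user, const char *password, unsigned uid,
                   unsigned gid, const char *home, char *out, size_t outlen)
{
  char hash[64];
  if (!user || !*user || !home || mkpasswd_hash(password, hash, sizeof hash) < 0) return -1;
  return snprintf(out, outlen, "%s:%s:%u:%u:%s\n", user, hash, uid, gid, home)
         < (int)outlen ? 0 : -1;
}
```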

…ation

Fixes apache#16822

Introduce CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE (and companion options
BOARD_ETC_ROMFS_PASSWD_USER/PASSWORD/UID/GID/HOME) in boards/Kconfig to
control build-time /etc/passwd generation.  Placing the option under
boards/ reflects that this is board-level functionality, not scheduler
functionality.

When BOARD_ETC_ROMFS_PASSWD_ENABLE=y the ROMFS build step calls
tools/mkpasswd to hash the configured plaintext password with TEA and
write the result into etctmp/<mountpoint>/passwd before genromfs packs
it into the ROMFS image.  The build fails if the password is left empty,
preventing firmware from shipping without credentials (CWE-798).

Changes:
- boards/Kconfig: new CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE option and
  companion BOARD_ETC_ROMFS_PASSWD_{USER,PASSWORD,UID,GID,HOME} options;
  depends on ETC_ROMFS
- boards/Board.mk: invoke tools/mkpasswd under BOARD_ETC_ROMFS_PASSWD_ENABLE
- cmake/nuttx_add_romfs.cmake: same guard for CMake builds
- boards/sim/sim/sim/src/{Makefile,CMakeLists.txt,etc/passwd}: remove
  static passwd file; let the build step generate it instead
- boards/risc-v/esp32c3-legacy/.../Make.defs,etc/passwd: same cleanup

Signed-off-by: Abhishek Mishra <mishra.abhishek2808@gmail.com>

Add a central reference section in Documentation/components/tools/index.rst
that describes the build-time /etc/passwd generation mechanism:

- why it is needed (avoids hard-coded default password, CWE-798)
- how it works: tools/mkpasswd hashes the plaintext password with TEA,
  identical to the runtime algorithm in lib_tea_encrypt.c; the plaintext
  is never stored in firmware
- the Kconfig options to enable and configure it
  (CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE and companion options)
- the /etc/passwd file format
- step-by-step verification instructions

Update board-level documentation to reference the central section instead
of duplicating the explanation, and update all CONFIG_ names to the new
BOARD_ETC_ROMFS_PASSWD_* naming:

- Documentation/platforms/sim/sim/boards/sim/index.rst
- Documentation/platforms/renesas/rx65n/boards/rx65n-grrose/index.rst
- Documentation/platforms/risc-v/esp32c3-legacy/boards/esp32c3-legacy-devkit/ROMFS.txt

Signed-off-by: Abhishek Mishra <mishra.abhishek2808@gmail.com>
Successfully merging this pull request may close these issues.

[SECURITY] Avoid hard-coded default password

8 participants