Yup, clearly uses PAM and pam-unix.so. The systems integration ("putting together the distro") was done using
buildroot.
I would suggest you modify one of the firmwares'
/etc/shadow, replacing the password hashes.
You can generate new password hashes for testing via
openssl passwd -1 -noverify passwordbut for actual use, I recommend using
openssl passwd -1which uses a standard password prompt to read and verify the password. (When the password is supplied on the command line, other processes running as the same user account or with root privileges can see the password via
/proc/PID/cmdline, whereas pipes and socket pairs are impossible (outside the kernel) to eavesdrop without causing glitches and errors.)
Personally, my nose twitches a bit: there is something fishy here, either incompetence or malice. If this was my responsibility, I'd (
have to) spin a new firmware image from scratch, to ensure there are no hidden traps, and would fully document the process, plus whatever proprietary/custom stuff is added on top, for the next guy after me to have a solid basis of starting from. (But they also call me a paranoid perfectionist, who spends way too much time on things.) If you also have information on how these devices are actually used, you might be able to help optimize the workflow by choosing better components and/or configuration for the system, too. Things have a tendency of evolving a lot in four years in the open source world.
Most likely innocent explanation is that whatever post-customization/installation is done to the image involves direct editing of
/etc/shadow (instead of doing it properly via
passwd or
chpasswd); and if so, it should be replaced by doing it via
passwd or
chpasswd instead, because direct editing easily leads to – as we see here! – malformed entries. (Not doing this "right" from the get go is perfectly innocent and acceptable, because it takes
quite a lot of experience in systems integration to know this kind of small details, as they stem from practical experience and not theory.)
The malicious explanation is that these entries were modified via a script (running
sed -e '/^csdev:/ s/PATTERN/REPLACEMENT/' -e '/^gve6776696577:/ s/PATTERN/REPLACEMENT/' /etc/shadow as root) to deliberately make them inoperable but innocuous-looking for some reason. The fact that there are no system logs could be a deliberate design choice in systems integration if the devices have limited storage space – these logs often take a lot of room –, but it could also be done deliberately to ensure no signs of malicious tampering would be left. Pity that people doing this do not realize these things never hit the company or the bosses, only other people doing the same job. It's like trying to get back at bad bosses who eat lunch outside the company by spiking the sodas in the employee cafeteria with emetics: only hurts people in the same situation trying to do the job, and not the higher-ups at all. No boss, no matter how horrible, has ever been fired because their underling made an exit bomb.