Password Hardening Feature #1
Conversation
Can you please change the hostcfgd to be based on configdbconnector? Below is the optimization we did, which will be raised to the community shortly.
...sonic-host-services/tests/hostcfgd/sample_output/PASSWORD_HARDENING_default_values/login.old
...sonic-host-services/tests/hostcfgd/sample_output/PASSWORD_HARDENING_enable_feature/login.old
done
done
done
…e/sonic-buildimage/pull/10323/files about verification when reading files and add exception
…net#10291)
#### Why I did it
Fix issue: Non compliant leaf list in config_db schema: sonic-net#9801
#### How I did it
The basic flow of DPB is like:
1. Transfer config db json value to YANG json value, name it “yangIn”
2. Validate “yangIn” by libyang
3. Generate a YANG json value to represent the target configuration, name it “yangTarget”
4. Do diff between “yangIn” and “yangTarget”
5. Apply the diff to CONFIG DB json and save it back to DB
The fix:
• For step #1, if the value of a leaf-list field is of string type, transfer it to a list by splitting it with “,”; the purpose here is to make step #2 happy. We also need to save <table_name>.<key>.<field_name> to a set named “leaf_list_with_string_value_set”.
• For step #5, loop over “leaf_list_with_string_value_set” and change those fields back to a string.
#### How to verify it
1. Manual test
2. Changed sample config DB and unit test passed
Signed-off-by: Guohan Lu <lguohan@gmail.com>
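The string-to-list round trip that the DPB commit message above describes, written out as an added example (it is not the code of sonic-net#10291): to_yang() performs step 1 and records which leaf-list fields arrived as comma-separated strings, and to_config_db() performs step 5 by joining exactly those fields back. The sample tables, keys and fields, and the LEAF_LIST_FIELDS set that stands in for what the YANG model declares, are constructed for the example; the recorded entries are kept as (table, key, field) tuples rather than the "table.key.field" string named in the commit so that a key containing "." stays unambiguous.

```python
"""Leaf-list string <-> list round trip for the DPB flow above.

Added example, not the sonic-net#10291 implementation. The sample tables
and the LEAF_LIST_FIELDS set are constructed; the real code learns which
fields are leaf-lists from the YANG model.
"""
import copy

# Constructed CONFIG_DB-style content: "lanes" is a leaf-list stored as a
# comma-separated string, "members" is a leaf-list already stored as a list.
CONFIG_DB_SAMPLE = {
    "PORT": {"Ethernet0": {"lanes": "0,1,2,3", "alias": "etp1"}},
    "VLAN": {"Vlan100": {"members": ["Ethernet0", "Ethernet4"]}},
}

# (table, field) pairs the YANG model declares as leaf-list (assumption).
LEAF_LIST_FIELDS = {("PORT", "lanes"), ("VLAN", "members")}


def to_yang(config_db):
    """Step 1: split string-valued leaf-lists so libyang (step 2) sees lists.

    Returns the converted copy and the set of (table, key, field) triples
    that were strings. The fix names these "<table>.<key>.<field>"; a tuple
    is used here so a key containing "." stays unambiguous.
    """
    yang_in = copy.deepcopy(config_db)
    string_valued = set()
    for table, entries in yang_in.items():
        for key, fields in entries.items():
            for field, value in fields.items():
                if (table, field) in LEAF_LIST_FIELDS and isinstance(value, str):
                    fields[field] = value.split(",") if value else []
                    string_valued.add((table, key, field))
    return yang_in, string_valued


def to_config_db(yang_json, string_valued):
    """Step 5: join the fields recorded in step 1 back into strings.

    Fields that were lists in CONFIG_DB to begin with are left as lists.
    """
    out = copy.deepcopy(yang_json)
    for table, key, field in string_valued:
        entry = out.get(table, {}).get(key)
        if entry is not None and isinstance(entry.get(field), list):
            entry[field] = ",".join(entry[field])
    return out


if __name__ == "__main__":
    yang_in, recorded = to_yang(CONFIG_DB_SAMPLE)
    # Steps 3-4 stand in: a breakout target that keeps only two lanes.
    yang_target = copy.deepcopy(yang_in)
    yang_target["PORT"]["Ethernet0"]["lanes"] = ["0", "1"]
    print(to_config_db(yang_target, recorded)["PORT"]["Ethernet0"]["lanes"])
```

Because only the fields recorded in step 1 are joined, a leaf-list that was already a list in CONFIG_DB is written back unchanged, which is what keeps the diff-and-apply step from rewriting entries it did not touch.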
…cts sonic-net#10972
Why I did it
Fix the "target directory not empty" issue when publishing artifacts. Some of the artifacts are published to $(Build.ArtifactStagingDirectory)/target/ before the source code is checked out.
- Why I did it
To improve ASIC FW upgrade logging and have information about the cause of FW update failure in the log.
- How I did it
Added syslog logger support. In case the FW update has failed, the update tool will give the cause of the failure in the last line of its output, starting with "Fail". When running the tool, in case of a failed update, we will parse the output to retrieve the cause and log it.
Device #1:
----------
Device Type: ConnectX6DX
Part Number: MCX623106AN-CDA_Ax
Description: ConnectX-6 Dx EN adapter card; 100GbE; Dual-port QSFP56; PCIe 4.0/3.0 x16;
PSID: MT_0000000359
PCI Device Name: /dev/mst/mt4125_pciconf0
Base GUID: 0c42a103007d22d4
Base MAC: 0c42a17d22d4
Versions: Current Available
FW 22.32.0498 22.32.0498
PXE 3.6.0500 3.6.0500
UEFI 14.25.0015 14.25.0015
Status: Forced update required
---------
Found 1 device(s) requiring firmware update...
Device #1: Updating FW ...
FSMST_INITIALIZE - OK
Writing Boot image component - OK
Fail : The Digest in the signature is wrong
- How to verify it
mlnx-fw-upgrade.sh --upgrade
…bors over iBGP Session (sonic-net#16705)
What I did:
Enable Sending BGP Community over internal neighbors over iBGP Session
Microsoft ADO: 25268695
Why I did:
Without this change, BGP communities sent by e-BGP peers are not carried forward to other e-BGP peers.
str2-xxxx-lc1-2# show bgp ipv6 20c0:a801::/64
BGP routing table entry for 20c0:a801::/64, version 52141
Paths: (1 available, best #1, table default)
Not advertised to any peer
65000 65500
2603:10e2:400::6 from 2603:10e2:400::6 (3.3.3.6)
Origin IGP, localpref 100, valid, internal, best (First path received)
Last update: Tue Sep 26 16:08:26 2023
str2-xxxx-lc1-2# show ip bgp 192.168.35.128/25
BGP routing table entry for 192.168.35.128/25, version 52688
Paths: (1 available, best #1, table default)
Not advertised to any peer
65000 65502
3.3.3.6 from 3.3.3.6 (3.3.3.6)
Origin IGP, localpref 100, valid, internal, best (First path received)
Last update: Tue Sep 26 15:45:51 2023
After the change
str2-xxxx-lc2-2(config)# router bgp 65100
str2-xxxx-lc2-2(config-router)# address-family ipv4
str2-xxxx-lc2-2(config-router-af)# neighbor INTERNAL_PEER_V4 send-community
str2-xxxx-lc2-2(config-router-af)# exit
str2-xxxx-lc2-2(config-router)# address-family ipv6
str2-xxxx-lc2-2(config-router-af)# neighbor INTERNAL_PEER_V6 send-community
str2-xxxx-lc1-2# show bgp ipv6 20c0:a801::/64
BGP routing table entry for 20c0:a801::/64, version 52400
Paths: (1 available, best #1, table default)
Not advertised to any peer
65000 65500
2603:10e2:400::6 from 2603:10e2:400::6 (3.3.3.6)
Origin IGP, localpref 100, valid, internal, best (First path received)
**Community: 1111:1111**
Last update: Tue Sep 26 16:10:19 2023
str2-xxxx-lc1-2# show ip bgp 192.168.35.128/25
BGP routing table entry for 192.168.35.128/25, version 52947
Paths: (1 available, best #1, table default)
Not advertised to any peer
65000 65502
3.3.3.6 from 3.3.3.6 (3.3.3.6)
Origin IGP, localpref 100, valid, internal, best (First path received)
**Community: 1111:1111**
Last update: Tue Sep 26 16:10:09 2023
Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
…kernel 6.1 and bookworm (sonic-net#16954)
* sonic-platform-modules-cel: broadcom: adapt for kernel 6.1 and bookworm
The i2c_driver->remove API declaration has been updated to return void instead of int, as part of cleanup patches in 6.1. More details can be referred to here: [1]. Update the remove API definition in the modules accordingly and clean up variables that go unused from the remove API.
Update python build commands for bookworm. The packaging based on calling setup.py is deprecated, and using the build module/pip utility is the recommended method for python packaging/installation. Further details can be referred to here: [2], [3]. The build module is picky about the package information file, which needs to be either setup.py or pyproject.toml.
Additionally, fix formatting inconsistencies in debian/changelog reported by `dh_installchangelogs` during the build.
Tested the changes by compiling the changes as below:
make sonic-slave-bash NOBUSTER=1 NOBULLSEYE=1
sudo dpkg -i target/debs/bookworm/linux-headers-6.1.0-11-2-*.deb
cd platform/broadcom/sonic-platform-modules-cel
KVERSION=6.1.0-11-2-amd64 dpkg-buildpackage
Also verified the python scripts under the sonic-platform-modules-cel with pyflakes to ensure no new errors are flagged (with the exception of unused modules).
References:
[1] - torvalds/linux@ed5c2f5f
[2] - https://blog.ganssle.io/articles/2021/10/setup-py-deprecated.htm
[3] - 0b20a48 (Update Python build commands for Bookworm, 2023-09-07)
Signed-off-by: Ramasamy Chandramouli <rachandr@celestica.com>
* platform/pddf: i2c: adapt for kernel 6.1 and bookworm
* Fixup i2c_driver->remove API due to changes in the function prototype (ref: [1]).
* Cleanup `MODULE_SUPPORTED_DEVICE` macros that were cleaned up in the upstream (ref: [2]).
* Sanitize python packaging and installation using the `build` module instead of calling the setup.py directly (ref: [3], [4]).
Tested the changes by compiling the pddf module as below:
make sonic-slave-bash NOBUSTER=1 NOBULLSEYE=1
sudo dpkg -i target/debs/bookworm/linux-headers-6.1.0-11-2-*.deb
cd platform/pddf/i2c
KVERSION=6.1.0-11-2-amd64 dpkg-buildpackage
References:
[1] - torvalds/linux@ed5c2f5f
[2] - torvalds/linux@6417f031
[3] - https://blog.ganssle.io/articles/2021/10/setup-py-deprecated.htm
[4] - 0b20a48 (Update Python build commands for Bookworm, 2023-09-07)
Signed-off-by: Ramasamy Chandramouli <rachandr@celestica.com>
* platform/broadcom: include platform-modules-cel in builds
With pddf modules patched for 6.1, platform-modules-cel can be compiled and included in the final image. Tested by building sonic-broadcom.bin/sonic-broadcom-dnx.bin.
Signed-off-by: Ramasamy Chandramouli <rachandr@celestica.com>
* pddf/i2c: revert correct rootdir for pip install
The pip install directory had been set to test-pkg1/ for testing the build and was incorrectly retained as is. Revert this to the correct path $(PACKAGE_PRE_NAME).
Signed-off-by: Ramasamy Chandramouli <rachandr@celestica.com>
* platform/broadcom: include pddf/modules-cel in the base package
Without this change, the modules were built but not packaged in the final .bin. The final sonic-broadcom.bin has been tested for bootup on Celestica's Silverstone platform.
admin@sonic:~$ uname -a
Linux sonic 6.1.0-11-2-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-4 (2023-08-08) x86_64 GNU/Linux
admin@sonic:~$ show platform summary
Platform: x86_64-cel_silverstone-r0
HwSKU: Silverstone
ASIC: broadcom
ASIC Count: 1
Serial Number: R4009B2F062504LK200024
Model Number: N/A
Hardware Revision: N/A
admin@sonic:~$ show version | head
SONiC Software Version: SONiC.g0aad6c67c-rachandr
SONiC OS Version: 12
Distribution: Debian 12.2
Kernel: 6.1.0-11-2-amd64
Build commit: 0aad6c67c
Build date: Thu Oct 26 07:13:47 UTC 2023
Built by: rachandr@AZUHPS14
Platform: x86_64-cel_silverstone-r0
Signed-off-by: Ramasamy Chandramouli <rachandr@celestica.com>
---------
Signed-off-by: Ramasamy Chandramouli <rachandr@celestica.com>
Why I did it
New security feature for enforcing strong passwords when logging in or when changing the passwords of existing users on the switch.
How I did it
Mainly using the Linux package named cracklib, which supports the enforcement of user passwords. The daemon named hostcfgd will support adding/modifying password policies that enforce and strengthen user passwords.
How to verify it
Manually -
Unit tests:
The PR contains unit tests that cover:
Which release branch to backport (provide reason below if selected)
The feature should be released in May, currently will be pushed to master
Description for the changelog
A picture of a cute animal (not mandatory but encouraged)
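As an added example, not the PR's hostcfgd code and not cracklib itself, the following pure-Python check applies the kind of policy the "How I did it" section describes: a minimum length, required character classes, rejection of a password that contains the user name, and a reuse check against a history of salted hashes. The PASSWORD_HARDENING field names used (state, len_min, lower_class, upper_class, digits_class, special_class, history_cnt, reject_user_passw_match) and their default values are assumptions about the table layout and do not come from this page; in hostcfgd the policy dict would be read from CONFIG_DB (through ConfigDBConnector, as the reviewer above requests) instead of the constant below.

```python
"""Password-policy enforcement modelled on the PASSWORD_HARDENING feature.

Added example: not the PR's hostcfgd code and not cracklib. The field names
and defaults below are assumptions about the CONFIG_DB table layout. History
entries are salted PBKDF2 hashes, never plaintext passwords.
"""
import hashlib
import hmac
import os
import string

# Assumed PASSWORD_HARDENING table content with the feature enabled (constructed).
DEFAULT_POLICY = {
    "state": "enabled",
    "len_min": "8",
    "lower_class": "true",
    "upper_class": "true",
    "digits_class": "true",
    "special_class": "true",
    "history_cnt": "3",
    "reject_user_passw_match": "true",
}

PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 entry for the password history store."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Constant-time comparison of a candidate against a stored history entry."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def _enabled(policy, key):
    # CONFIG_DB stores booleans as the strings "true" / "false".
    return policy.get(key, "false").lower() == "true"


def check_password(policy, username, password, history=()):
    """Return the list of policy violations; an empty list means accepted.

    `history` holds hash_password() entries of earlier passwords, newest
    first; only the first history_cnt of them are considered.
    """
    if policy.get("state", "disabled") != "enabled":
        return []  # feature disabled: nothing is enforced
    problems = []
    if len(password) < int(policy.get("len_min", "0")):
        problems.append("too short")
    classes = {
        "lower_class": str.islower,
        "upper_class": str.isupper,
        "digits_class": str.isdigit,
        "special_class": lambda c: c in string.punctuation,
    }
    for key, has_class in classes.items():
        if _enabled(policy, key) and not any(has_class(c) for c in password):
            problems.append("missing " + key.replace("_class", ""))
    if _enabled(policy, "reject_user_passw_match") and username.lower() in password.lower():
        problems.append("contains user name")
    keep = int(policy.get("history_cnt", "0"))
    if any(verify_password(password, old) for old in list(history)[:keep]):
        problems.append("reused password")
    return problems


if __name__ == "__main__":
    previous = [hash_password("Sw1tch!Pass")]
    for candidate in ("Sw1tch!Pass", "Ab1!", "Admin1234!", "N3w-Sw1tch-Pass"):
        result = check_password(DEFAULT_POLICY, "admin", candidate, previous)
        print(candidate, "->", ", ".join(result) or "accepted")
```

Returning every violation rather than stopping at the first lets the caller report the full reason to the user, while the history check compares only against salted hashes so the store of previous passwords is never a plaintext list; when `state` is not `enabled` the function accepts everything, matching a feature that is off by default.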