Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for Password Hardening #10323

Merged
merged 25 commits into from
Jun 29, 2022
Merged

Add support for Password Hardening #10323

Show file tree
Hide file tree
Changes from 7 commits
Commits
Show all changes
25 commits
Select commit Hold shift + click to select a range
2a59875
Password Hardening Feature
davidpil2002 Mar 1, 2022
440307d
fix password hardening comments from the pull request
davidpil2002 Mar 2, 2022
fb5764e
Merge branch 'master' into dev-password-hardening
davidpil2002 Mar 7, 2022
7a7fc90
small fix about passw hardening P.R
davidpil2002 Mar 8, 2022
9563886
move init_cfg.json.j2 changes to separate pull request with YANG model
davidpil2002 Mar 8, 2022
49d1195
modify age calculation & fix some values in the common-password.j2 file
davidpil2002 Mar 10, 2022
eff356a
fix digits class name case
davidpil2002 Mar 16, 2022
5ab7c2b
fix unitest hostcfgd_passwh_test.py by adding enable_digits_class sample
davidpil2002 Mar 24, 2022
a5959f5
Merge branch 'master' into dev-password-hardening
davidpil2002 Mar 24, 2022
a4d452b
add mock table to passw hardening unitest in result of changes in com…
davidpil2002 Mar 27, 2022
93072bd
fix credit disabled, by setting 0 instead to be clear
davidpil2002 Mar 28, 2022
3a8b5fd
removed unused import
davidpil2002 Mar 29, 2022
424bf9b
Merge branch 'master' into dev-password-hardening
davidpil2002 Apr 17, 2022
e9c9edf
passw-hardening, fix unitest mocks tables
davidpil2002 Apr 18, 2022
b611fa1
Merge branch 'master' into dev-password-hardening
davidpil2002 Apr 25, 2022
8e507e8
[passw-hardening] remove misstype line in hostcfgd
davidpil2002 Apr 27, 2022
e4bface
[password-hardening] move passw logic from AaaCfg class to PasswHarde…
davidpil2002 Apr 28, 2022
458691c
[password-hardening]fix few comments from PR: https://github.com/Azur…
davidpil2002 May 1, 2022
3b5f7a1
Merge branch 'Azure:master' into dev-password-hardening
davidpil2002 May 29, 2022
010e023
Merge branch 'Azure:master' into dev-password-hardening
davidpil2002 May 30, 2022
eb977ca
[ci] Publish logs when building image job is canceled by timeout. (#1…
liushilongbuaa May 30, 2022
0f423af
[CODEOWNERS]: update code owners for various repos (#10980)
lguohan May 30, 2022
8c4ef50
[Ci]: Fix the target directory not empty issue when publishing artifa…
xumia May 30, 2022
2967247
[password-hardening]install cracklib from debian repo list instead do…
davidpil2002 May 31, 2022
a2ec817
Merge branch 'master' into dev-password-hardening
davidpil2002 May 31, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions files/build_templates/sonic_debian_extension.j2
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -267,6 +267,10 @@ fi
sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/sonic-device-data_*.deb || \
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f

# Install cracklib (and its dependencies via 'apt-get -y install -f')
liuh-80 marked this conversation as resolved.
Show resolved Hide resolved
sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/libpam-cracklib_*.deb || \
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why not just apt-get? I do not understand this. the package is already in bullseye.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the package in bullseye is an older version than the version that I used.
I don't think the feature will be broken if we used an older version, but I think it is better to save it.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://packages.debian.org/bullseye/libpam-cracklib

can you double check, think it is the same version.

Copy link
Contributor Author

@davidpil2002 davidpil2002 May 31, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I double-checked, you are correct, probably confused with the buster version.
I pushed a commit that is doing just apt-get install, instead download & dpkg Debian pkg

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@lguohan
can you approve the pull request now?

sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f

# Install pam-tacplus and nss-tacplus
sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/libtac2_*.deb || \
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
Expand Down
9 changes: 9 additions & 0 deletions rules/cracklib.deb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
SPATH := $($(LIBPAM_CRACKLIB)_SRC_PATH)
DEP_FILES := $(SONIC_COMMON_FILES_LIST) rules/cracklib.mk rules/cracklib.dep
DEP_FILES += $(SONIC_COMMON_BASE_FILES_LIST)
DEP_FILES += $(shell git ls-files $(SPATH))

$(SOCAT)_CACHE_MODE := GIT_CONTENT_SHA
$(SOCAT)_DEP_FLAGS := $(SONIC_COMMON_FLAGS_LIST)
$(SOCAT)_DEP_FILES := $(DEP_FILES)

10 changes: 10 additions & 0 deletions rules/cracklib.mk
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
# CRACKLIB packages

PAM_CRACKLIB_VERSION = 1.4.0-9+deb11u1
export PAM_CRACKLIB_VERSION

LIBPAM_CRACKLIB = libpam-cracklib_$(PAM_CRACKLIB_VERSION)_$(CONFIGURED_ARCH).deb

$(LIBPAM_CRACKLIB)_URL = "http://http.us.debian.org/debian/pool/main/p/pam/$(LIBPAM_CRACKLIB)"

SONIC_ONLINE_DEBS += $(LIBPAM_CRACKLIB)
1 change: 1 addition & 0 deletions slave.mk
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -965,6 +965,7 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
$(addprefix $(IMAGE_DISTRO_DEBS_PATH)/,$(INITRAMFS_TOOLS) \
$(LINUX_KERNEL) \
$(SONIC_DEVICE_DATA) \
$(LIBPAM_CRACKLIB) \
$(IFUPDOWN2) \
$(KDUMP_TOOLS) \
$(NTP) \
Expand Down
43 changes: 43 additions & 0 deletions src/sonic-host-services-data/templates/common-password.j2
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
#THIS IS AN AUTO-GENERATED FILE
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords. The default is pam_unix.

# Explanation of pam_unix options:
# The "yescrypt" option enables
#hashed passwords using the yescrypt algorithm, introduced in Debian
#11. Without this option, the default is Unix crypt. Prior releases
#used the option "sha512"; if a shadow password hash will be shared
#between Debian 11 and older releases replace "yescrypt" with "sha512"
#for compatibility . The "obscure" option replaces the old
#`OBSCURE_CHECKS_ENAB' option in login.defs. See the pam_unix manpage
#for other options.

# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)

{% if passw_policies %}
{% if passw_policies['state'] == 'enabled' %}
password requisite pam_cracklib.so retry=3 maxrepeat=0 {% if passw_policies['len_min'] %}minlen={{passw_policies['len_min']}}{% endif %} {% if passw_policies['upper_class'] %}ucredit=-1{% endif %} {% if passw_policies['lower_class'] %}lcredit=-1{% endif %} {% if passw_policies['digits_class'] %}dcredit=-1{% endif %} {% if passw_policies['special_class'] %}ocredit=-1{% endif %} {% if passw_policies['reject_user_passw_match'] %}reject_username{% endif %} enforce_for_root

password required pam_pwhistory.so {% if passw_policies['history_cnt'] %}remember={{passw_policies['history_cnt']}}{% endif %} use_authtok
{% endif %}
{% endif %}

password [success=1 default=ignore] pam_unix.so obscure yescrypt
liuh-80 marked this conversation as resolved.
Show resolved Hide resolved
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
Loading