Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for Password Hardening #10323

Merged
merged 25 commits into from
Jun 29, 2022

Conversation

davidpil2002
Copy link
Contributor

@davidpil2002 davidpil2002 commented Mar 22, 2022

Why I did it

New security feature for enforcing strong passwords when login or changing passwords of existing users into the switch.

How I did it

By using mainly Linux package named pam-cracklib that support the enforcement of user passwords, the daemon named hostcfgd, will support add/modify password policies that enforce and strengthen the user passwords.

How to verify it

Manually Verification-

  1. Enable the feature, using the new sonic-cli command passw-hardening or manually add the password hardening table like shown in HLD by using redis-cli command

  2. Change password policies manually like in step 1.
    Notes:
    password hardening CLI can be found in sonic-utilities repo-
    P.R: Add support for Password Hardening sonic-utilities#2121
    code config path: config/plugins/sonic-passwh_yang.py
    code show path: show/plugins/sonic-passwh_yang.py

  3. Create a new user (using adduser command) or modify an existing password by using passwd command in the terminal. And it will now request a strong password instead of default linux policies.

Automatic Verification - Unitest:
This P.R contained unitest that cover:

  1. test default init values of the feature in PAM files
  2. test all the types of classes policies supported by the feature in PAM files
  3. test aging policy configuration in PAM files

Which release branch to backport (provide reason below if selected)

The coded should be merge in master and should be release ~May

  • 201811
  • 201911
  • 202006
  • 202012
  • 202106
  • 202111
  • 202205

Description for the changelog

Link to config_db schema for YANG module changes

Yang model can be found:
#10322
HLD:
https://github.com/Azure/SONiC/blob/master/doc/passw_hardening/hld_password_hardening.md

A picture of a cute animal (not mandatory but encouraged)

@lgtm-com
Copy link

lgtm-com bot commented Mar 22, 2022

This pull request introduces 1 alert when merging eff356a into f8e1104 - view on LGTM.com

new alerts:

  • 1 for Unused import

@davidpil2002 davidpil2002 changed the title Dev password hardening Password Hardening Feature Mar 23, 2022
dgsudharsan
dgsudharsan previously approved these changes Mar 24, 2022
@lgtm-com
Copy link

lgtm-com bot commented Mar 24, 2022

This pull request introduces 1 alert when merging 5ab7c2b into 147d631 - view on LGTM.com

new alerts:

  • 1 for Unused import

@lgtm-com
Copy link

lgtm-com bot commented Mar 27, 2022

This pull request introduces 1 alert when merging a4d452b into cc938e7 - view on LGTM.com

new alerts:

  • 1 for Unused import

@lgtm-com
Copy link

lgtm-com bot commented Mar 28, 2022

This pull request introduces 1 alert when merging 93072bd into cc938e7 - view on LGTM.com

new alerts:

  • 1 for Unused import

@dgsudharsan
Copy link
Collaborator

@davidpil2002 Can you please fix LGTM alert?

@davidpil2002
Copy link
Contributor Author

/azpw run Azure.sonic-buildimage

@mssonicbld
Copy link
Collaborator

/AzurePipelines run Azure.sonic-buildimage

@azure-pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@davidpil2002
Copy link
Contributor Author

@davidpil2002 Can you please fix LGTM alert?

done

@davidpil2002
Copy link
Contributor Author

/azpw run Azure.sonic-buildimage

@mssonicbld
Copy link
Collaborator

/AzurePipelines run Azure.sonic-buildimage

files/build_templates/sonic_debian_extension.j2 Outdated Show resolved Hide resolved
src/sonic-host-services/scripts/hostcfgd Outdated Show resolved Hide resolved
src/sonic-host-services/scripts/hostcfgd Outdated Show resolved Hide resolved
src/sonic-host-services/scripts/hostcfgd Show resolved Hide resolved
src/sonic-host-services/scripts/hostcfgd Outdated Show resolved Hide resolved
src/sonic-host-services/scripts/hostcfgd Show resolved Hide resolved
src/sonic-host-services/scripts/hostcfgd Outdated Show resolved Hide resolved
@@ -266,6 +266,10 @@ fi
sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/sonic-device-data_*.deb || \
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f

# Install cracklib (and its dependencies via 'apt-get -y install -f')
sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/libpam-cracklib_*.deb || \
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why not just apt-get? I do not understand this. the package is already in bullseye.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the package in bullseye is an older version than the version that I used.
I don't think the feature will be broken if we used an older version, but I think it is better to save it.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://packages.debian.org/bullseye/libpam-cracklib

can you double check, think it is the same version.

Copy link
Contributor Author

@davidpil2002 davidpil2002 May 31, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I double-checked, you are correct, probably confused with the buster version.
I pushed a commit that is doing just apt-get install, instead download & dpkg Debian pkg

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@lguohan
can you approve the pull request now?

davidpil2002 and others added 5 commits May 30, 2022 10:41
…cts sonic-net#10972

Why I did it
Fix the target directory not empty issue when publishing artifacts.
Some of the artifacts are published to $(Build.ArtifactStagingDirectory)/target/ before source code checked out.
Copy link
Contributor Author

@davidpil2002 davidpil2002 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fix comment about cracklib pkg

@zhangyanzhao zhangyanzhao requested a review from lguohan June 1, 2022 23:56
@davidpil2002
Copy link
Contributor Author

/azpw run Azure.sonic-buildimage

@mssonicbld
Copy link
Collaborator

/AzurePipelines run Azure.sonic-buildimage

@azure-pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@liuh-80
Copy link
Contributor

liuh-80 commented Jun 29, 2022

/azp run

@azure-pipelines
Copy link

You have several pipelines (over 10) configured to build pull requests in this repository. Specify which pipelines you would like to run by using /azp run [pipelines] command. You can specify multiple pipelines using a comma separated list.

@liuh-80
Copy link
Contributor

liuh-80 commented Jun 29, 2022

/AzurePipelines run Azure.sonic-buildimage

@azure-pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

Copy link
Contributor

@liuh-80 liuh-80 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This feature will be runtime optional, this is acceptable according to offline sync, approved.

@liat-grozovik liat-grozovik merged commit 8b7d069 into sonic-net:master Jun 29, 2022
yxieca pushed a commit that referenced this pull request Jun 30, 2022
- Why I did it
New security feature for enforcing strong passwords when login or changing passwords of existing users into the switch.

- How I did it
By using mainly Linux package named pam-cracklib that support the enforcement of user passwords, the daemon named hostcfgd, will support add/modify password policies that enforce and strengthen the user passwords.

- How to verify it
Manually Verification-
1. Enable the feature, using the new sonic-cli command passw-hardening or manually add the password hardening table like shown in HLD by using redis-cli command

2. Change password policies manually like in step 1.
Notes:
password hardening CLI can be found in sonic-utilities repo-
P.R: Add support for Password Hardening sonic-utilities#2121
code config path: config/plugins/sonic-passwh_yang.py
code show path: show/plugins/sonic-passwh_yang.py

3. Create a new user (using adduser command) or modify an existing password by using passwd command in the terminal. And it will now request a strong password instead of default linux policies.

Automatic Verification - Unitest:
This PR contained unitest that cover:
1. test default init values of the feature in PAM files
2. test all the types of classes policies supported by the feature in PAM files
3. test aging policy configuration in PAM files
skbarista pushed a commit to skbarista/sonic-buildimage that referenced this pull request Aug 17, 2022
- Why I did it
New security feature for enforcing strong passwords when login or changing passwords of existing users into the switch.

- How I did it
By using mainly Linux package named pam-cracklib that support the enforcement of user passwords, the daemon named hostcfgd, will support add/modify password policies that enforce and strengthen the user passwords.

- How to verify it
Manually Verification-
1. Enable the feature, using the new sonic-cli command passw-hardening or manually add the password hardening table like shown in HLD by using redis-cli command

2. Change password policies manually like in step 1.
Notes:
password hardening CLI can be found in sonic-utilities repo-
P.R: Add support for Password Hardening sonic-utilities#2121
code config path: config/plugins/sonic-passwh_yang.py
code show path: show/plugins/sonic-passwh_yang.py

3. Create a new user (using adduser command) or modify an existing password by using passwd command in the terminal. And it will now request a strong password instead of default linux policies.

Automatic Verification - Unitest:
This PR contained unitest that cover:
1. test default init values of the feature in PAM files
2. test all the types of classes policies supported by the feature in PAM files
3. test aging policy configuration in PAM files
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

9 participants