From 7daab083bbabb53a8514c6eed76a614224f0e427 Mon Sep 17 00:00:00 2001
From: David Pilnik
Date: Wed, 6 Dec 2023 15:37:10 +0200
Subject: [PATCH 1/2] password-hardening: Add support to disable expiration date like in Linux (PAM)
---
 scripts/hostcfgd | 18 +++++++-----------
 .../login.defs | 4 ++--
 2 files changed, 9 insertions(+), 13 deletions(-)
diff --git a/scripts/hostcfgd b/scripts/hostcfgd
index 12f2fd1b..914fd1af 100644
--- a/scripts/hostcfgd
+++ b/scripts/hostcfgd
@@ -45,8 +45,8 @@ SSH_MAX_VALUES={"authentication_retries": 100, "login_timeout": 600, "ports": 65
 SSH_CONFIG_NAMES={"authentication_retries": "MaxAuthTries" , "login_timeout": "LoginGraceTime"}
 ACCOUNT_NAME = 0 # index of account name
-AGE_DICT = { 'MAX_DAYS': {'REGEX_DAYS': r'^PASS_MAX_DAYS[ \t]*(?P\d*)', 'DAYS': 'max_days', 'CHAGE_FLAG': '-M '},
- 'WARN_DAYS': {'REGEX_DAYS': r'^PASS_WARN_AGE[ \t]*(?P\d*)', 'DAYS': 'warn_days', 'CHAGE_FLAG': '-W '}
+AGE_DICT = { 'MAX_DAYS': {'REGEX_DAYS': r'^PASS_MAX_DAYS[ \t]*(?P-?\d*)', 'DAYS': 'max_days', 'CHAGE_FLAG': '-M '},
+ 'WARN_DAYS': {'REGEX_DAYS': r'^PASS_WARN_AGE[ \t]*(?P-?\d*)', 'DAYS': 'warn_days', 'CHAGE_FLAG': '-W '}
 }
 PAM_LIMITS_CONF_TEMPLATE = "/usr/share/sonic/templates/pam_limits.j2"
 LIMITS_CONF_TEMPLATE = "/usr/share/sonic/templates/limits.conf.j2"
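Review bot: The widened capture `-?\d*` in both AGE_DICT regexes still matches an empty value (a `PASS_MAX_DAYS` line with nothing after it) and a lone `-`, so whatever later converts the group to an integer — the consumer is outside this hunk — receives `''` or `'-'` instead of a number and presumably fails at conversion rather than at parse time; requiring at least one digit, `-?\d+`, makes a malformed login.defs line simply not match. The named-group syntax is shown as `(?P\d*)` in this copy of the hunk, i.e. the group name is not visible; worth confirming it survived in the committed file, since an unnamed `(?P` is a regex syntax error. Since negative values are now accepted by the parser, the code that turns the captured days into a `chage` argument (`'CHAGE_FLAG': '-M '` / `'-W '`) should be the one place that maps `-1` to "never" — a short comment on AGE_DICT saying `# negative days are allowed here only so that -1 ("never expire") round-trips from login.defs` would record that contract.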
@@ -722,15 +722,11 @@ class PasswHardening(object):
 if passw_policies:
 if 'state' in passw_policies:
 if passw_policies['state'] == 'enabled':
- if 'expiration' in passw_policies:
- if int(self.passw_policies['expiration']) != 0: # value '0' meaning age policy is disabled
- # the logic is to modify the expiration time according the last updated modificatiion
- #
- curr_expiration = int(passw_policies['expiration'])
-
- if 'expiration_warning' in passw_policies:
- if int(self.passw_policies['expiration_warning']) != 0: # value '0' meaning age policy is disabled
- curr_expiration_warning = int(passw_policies['expiration_warning'])
+ # Special values of expiration/expiration warning
+ # 0: meaning password will be expired/warning immediately.
+ # -1: meaning password expired/warning never.
+ curr_expiration = int(passw_policies.get('expiration'))
+ curr_expiration_warning = int(passw_policies.get('expiration_warning'))
 if self.is_passwd_aging_expire_update(curr_expiration, 'MAX_DAYS'):
 # Set aging policy for existing users
diff --git a/tests/hostcfgd/sample_output/PASSWORD_HARDENING_enable_digits_class/login.defs b/tests/hostcfgd/sample_output/PASSWORD_HARDENING_enable_digits_class/login.defs
index db8baa4d..dbc72814 100644
--- a/tests/hostcfgd/sample_output/PASSWORD_HARDENING_enable_digits_class/login.defs
+++ b/tests/hostcfgd/sample_output/PASSWORD_HARDENING_enable_digits_class/login.defs
@@ -157,9 +157,9 @@ UMASK 022
 # PASS_MIN_DAYS Minimum number of days allowed between password changes.
 # PASS_WARN_AGE Number of days warning given before a password expires.
 #
-PASS_MAX_DAYS 99999
+PASS_MAX_DAYS 0
 PASS_MIN_DAYS 0
-PASS_WARN_AGE 7
+PASS_WARN_AGE 0
 #
 # Min/max values for automatic uid selection in useradd
From 69f7cc5d041a9dfc1509180c9fcf195373b1cce9 Mon Sep 17 00:00:00 2001
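Review bot: The meaning of `0` is silently inverted in this hunk: the removed lines gated on `int(...) != 0` with `0` documented as "age policy is disabled", while the new comment defines `0` as "expired immediately" and `-1` as "never". Any PASSWORD_HARDENING entry already stored with `expiration: 0` under the old meaning would, after this change, be pushed through the same `chage`/login.defs path as an immediate expiry, which presumably forces a password change or blocks the next login for every existing user — a migration of stored `0` values to `-1`, or at least a comment such as `# NOTE: prior to this change 0 meant "aging disabled"; stored 0 values must be migrated to -1`, is needed before this ships. `int(passw_policies.get(...))` also raises ValueError on a non-numeric string, so unless the value is validated before reaching this daemon, the conversion should be guarded and logged rather than propagated (the absent-key TypeError is handled by PATCH 2/2 in this series). The enclosing method of PasswHardening starts and ends outside the hunk.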
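Review bot: The expected output for a test named for digit-class enforcement now records `PASS_MAX_DAYS 0` and `PASS_WARN_AGE 0`, i.e. immediate expiry becomes the baseline result of a configuration that, by its name, says nothing about expiration. If that test's input omits `expiration`, this fixture is capturing the new 0-means-immediate semantics as an accident rather than an intended policy and is worth a second look; if the input does set `0` explicitly, a fixture or test-config comment stating that the expiration values are deliberate would make the intent reviewable. Note also that PATCH 2/2 changes the missing-key default to `-1`, so this expected file may become stale depending on what the test config contains.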
From: David Pilnik
Date: Sun, 18 Feb 2024 09:37:13 +0200
Subject: [PATCH 2/2] password-hardening: Fix default return of dict to -1 instead None
---
 scripts/hostcfgd | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/scripts/hostcfgd b/scripts/hostcfgd
index 914fd1af..7864dd0b 100644
--- a/scripts/hostcfgd
+++ b/scripts/hostcfgd
@@ -725,8 +725,8 @@ class PasswHardening(object):
 # Special values of expiration/expiration warning
 # 0: meaning password will be expired/warning immediately.
 # -1: meaning password expired/warning never.
- curr_expiration = int(passw_policies.get('expiration'))
- curr_expiration_warning = int(passw_policies.get('expiration_warning'))
+ curr_expiration = int(passw_policies.get('expiration', -1))
+ curr_expiration_warning = int(passw_policies.get('expiration_warning', -1))
 if self.is_passwd_aging_expire_update(curr_expiration, 'MAX_DAYS'):
 # Set aging policy for existing users
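Review bot: The `-1` sentinel appears twice as a bare literal in the new `.get()` calls, with the comment three lines above as the only statement of what it means; hoisting it to a module-level constant beside AGE_DICT (for example `PASSWD_AGE_NEVER = -1`, a constructed name) and using it in both calls keeps this default and the `chage`/login.defs writers outside the hunk in agreement if the sentinel ever changes. `int()` still raises ValueError for a non-numeric string from the DB, so if the value is not validated before it reaches the daemon the conversion should be caught and logged rather than, presumably, taking hostcfgd down. The expected-output fixture changed in PATCH 1/2 (`PASS_MAX_DAYS 0`, `PASS_WARN_AGE 0`) is not updated here; if that test's config omits `expiration`, the default now resolves to `-1` and the fixture may be stale — worth confirming. The enclosing method of PasswHardening starts and ends outside the hunk.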