iiab/roles/iiab-admin/templates/iiab-pwdwarn-wayfire.j2

#!/bin/bash

# SEE ALSO: /etc/profile.d/sshpwd-profile-iiab.sh sourced from...
# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-profile-iiab.sh

# CAUTION: popup warnings still don't appear on most OS's, as mentioned here:
# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/pwd-warnings.yml#L19-L25

# For Localization/Translation: (use /usr/bin/gettext below if later nec!)
#export TEXTDOMAIN=pprompt-iiab
#. gettext.sh
# https://github.com/raspberrypi-ui/pam/blob/master/etc/profile.d/sshpwd.sh
# https://github.com/raspberrypi-ui/pprompt/blob/master/sshpwd.sh

# bash syntax "function check_user_pwd() {" was removed, as it prevented all
# lightdm/graphical logins (incl autologin) on Raspbian: #1252 -> PR #1253
check_user_pwd() {
    #id -u $1 > /dev/null 2>&1 || return 2    # Not needed if return 1 is good
    # enough when user does not exist.  Or uncomment to FORCE ERROR CODE 2.
    # Either way, overall bash script still returns exit code 0 ("success")

    # sudo works below (unlike in sshpwd-profile-iiab.sh) b/c RasPiOS ships w/
    # /etc/sudoers.d/010_pi-nopasswd containing "pi ALL=(ALL) NOPASSWD: ALL"
    # (read access to /etc/shadow is otherwise restricted to just root and
    # group www-data i.e. Apache, NGINX get special access).  SEE: #2431, #2561

    # 2021-08-28: New OS's use 'yescrypt' so use Perl instead of Python (#2949)
    # This also helps avoid parsing the (NEW) 4th sub-field in $y$j9T$SALT$HASH

    # 2022-09-21 #3368: Sets field2 to "" if sudo -n fails to read /etc/shadow
    # 2022-10-18 #3404: Redirect stderr to /dev/null, as RasPiOS might one day
    # force an annoying pop-up, as Mint did (due to sshpwd-profile-iiab.sh.j2)
    field2=$(sudo -n grep "^$1:" /etc/shadow 2>/dev/null | cut -d: -f2)
    [[ $(perl -e "print crypt('$2', '$field2')") == $field2 ]]

    # # $meth (hashing method) is typically '6' which implies 5000 rounds
    # # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password
    # meth=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2)
    # salt=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f3)
    # hash=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f4)
    # [ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ]
}

# grep -q "^PasswordAuthentication\s\+no\b" /etc/ssh/sshd_config && return
# systemctl is-active ssh || return    # #3444: Or use Ansible var sshd_service

if check_user_pwd "{{ iiab_admin_user }}" "{{ iiab_admin_published_pwd }}" ; then    # iiab-admin g0adm1n
    zenity --warning --width=600 --text="Published password in use by user '{{ iiab_admin_user }}'.\n\nTHIS IS A SECURITY RISK - please change its password using IIAB's Admin Console (http://box.lan/admin) -> Utilities -> Change Password.\n\nSee 'What are the default passwords?' at http://FAQ.IIAB.IO"
    #zenity --warning --width=600 --text="SSH is enabled and the published password is in use by user '{{ iiab_admin_user }}'.\n\nTHIS IS A SECURITY RISK - please change its password using IIAB's Admin Console (http://box.lan/admin) -> Utilities -> Change Password.\n\nSee 'What are the default passwords?' at http://FAQ.IIAB.IO"
fi
fix whitespace on moved files 2017-09-19 18:00:46 +00:00			`#!/bin/bash`
Update lxde_ssh_warn.sh 2018-10-15 06:46:15 +00:00
Update sshpwd-lxde-iiab.sh 2020-10-11 04:10:47 +00:00			`# SEE ALSO: /etc/profile.d/sshpwd-profile-iiab.sh sourced from...`
			`# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-profile-iiab.sh`
For Raspbian Desktop changes of 2018-11-13 2019-03-08 00:42:23 +00:00
Refine iiab-admin role for Admin Console etc 2020-10-16 18:00:30 +00:00			`# CAUTION: popup warnings still don't appear on most OS's, as mentioned here:`
			`# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/pwd-warnings.yml#L19-L25`

Update sshpwd-lxde-iiab.sh 2020-10-11 04:10:47 +00:00			`# For Localization/Translation: (use /usr/bin/gettext below if later nec!)`
			`#export TEXTDOMAIN=pprompt-iiab`
			`#. gettext.sh`
			`# https://github.com/raspberrypi-ui/pam/blob/master/etc/profile.d/sshpwd.sh`
			`# https://github.com/raspberrypi-ui/pprompt/blob/master/sshpwd.sh`
For Raspbian Desktop changes of 2018-11-13 2019-03-08 00:42:23 +00:00
			`# bash syntax "function check_user_pwd() {" was removed, as it prevented all`
			`# lightdm/graphical logins (incl autologin) on Raspbian: #1252 -> PR #1253`
Update lxde_ssh_warn.sh 2018-10-26 21:17:19 +00:00			`check_user_pwd() {`
Update sshpwd-lxde-iiab.sh 2020-10-14 00:30:27 +00:00			`#id -u $1 > /dev/null 2>&1 \|\| return 2 # Not needed if return 1 is good`
			`# enough when user does not exist. Or uncomment to FORCE ERROR CODE 2.`
			`# Either way, overall bash script still returns exit code 0 ("success")`
Update sshpwd-lxde-iiab.sh 2020-10-11 04:10:47 +00:00
Cleaner RasPiOS comments in 2-common, iiab-admin, jupyterhub, kalite, kolibri 2022-06-30 15:10:13 +00:00			`# sudo works below (unlike in sshpwd-profile-iiab.sh) b/c RasPiOS ships w/`
Update sshpwd-lxde-iiab.sh 2020-10-14 00:58:13 +00:00			`# /etc/sudoers.d/010_pi-nopasswd containing "pi ALL=(ALL) NOPASSWD: ALL"`
			`# (read access to /etc/shadow is otherwise restricted to just root and`
			`# group www-data i.e. Apache, NGINX get special access). SEE: #2431, #2561`

Check passwds hashed w/ 'yescrypt' etc too, in /etc/shadow 2021-08-29 02:16:03 +00:00			`# 2021-08-28: New OS's use 'yescrypt' so use Perl instead of Python (#2949)`
			`# This also helps avoid parsing the (NEW) 4th sub-field in $y$j9T$SALT$HASH`
Refine pwd warnings, avoiding Mint 21 pop-up 2022-10-18 22:47:52 +00:00
			`# 2022-09-21 #3368: Sets field2 to "" if sudo -n fails to read /etc/shadow`
Clarify useless pop-up risk on RasPiOS like Mint, due to sudo -n 2022-10-18 23:02:19 +00:00			`# 2022-10-18 #3404: Redirect stderr to /dev/null, as RasPiOS might one day`
			`# force an annoying pop-up, as Mint did (due to sshpwd-profile-iiab.sh.j2)`
Refine pwd warnings, avoiding Mint 21 pop-up 2022-10-18 22:47:52 +00:00			`field2=$(sudo -n grep "^$1:" /etc/shadow 2>/dev/null \| cut -d: -f2)`
Check passwds hashed w/ 'yescrypt' etc too, in /etc/shadow 2021-08-29 02:16:03 +00:00			`[[ $(perl -e "print crypt('$2', '$field2')") == $field2 ]]`

			`# # $meth (hashing method) is typically '6' which implies 5000 rounds`
			`# # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password`
			`# meth=$(sudo grep "^$1:" /etc/shadow \| cut -d: -f2 \| cut -d$ -f2)`
			`# salt=$(sudo grep "^$1:" /etc/shadow \| cut -d: -f2 \| cut -d$ -f3)`
			`# hash=$(sudo grep "^$1:" /etc/shadow \| cut -d: -f2 \| cut -d$ -f4)`
			`# [ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ]`
Update lxde_ssh_warn.sh 2018-10-15 06:46:15 +00:00			`}`

iiab-admin/templates/sshpwd-lxde-iiab.sh.j2: Fix {{ sshd_service }} 2022-12-25 13:28:12 +00:00			`# grep -q "^PasswordAuthentication\s\+no\b" /etc/ssh/sshd_config && return`
			`# systemctl is-active ssh \|\| return # #3444: Or use Ansible var sshd_service`
initial checkin -- May 27, 2017 2017-05-27 18:09:50 +00:00
Update sshpwd-lxde-iiab.sh 2020-10-13 09:51:12 +00:00			`if check_user_pwd "{{ iiab_admin_user }}" "{{ iiab_admin_published_pwd }}" ; then # iiab-admin g0adm1n`
Update sshpwd-lxde-iiab.sh 2020-10-11 04:10:47 +00:00			`zenity --warning --width=600 --text="Published password in use by user '{{ iiab_admin_user }}'.\n\nTHIS IS A SECURITY RISK - please change its password using IIAB's Admin Console (http://box.lan/admin) -> Utilities -> Change Password.\n\nSee 'What are the default passwords?' at http://FAQ.IIAB.IO"`
			`#zenity --warning --width=600 --text="SSH is enabled and the published password is in use by user '{{ iiab_admin_user }}'.\n\nTHIS IS A SECURITY RISK - please change its password using IIAB's Admin Console (http://box.lan/admin) -> Utilities -> Change Password.\n\nSee 'What are the default passwords?' at http://FAQ.IIAB.IO"`
			`fi`