2017-09-19 18:00:46 +00:00
|
|
|
#!/bin/bash
|
2017-05-27 18:09:50 +00:00
|
|
|
|
2019-03-08 00:42:04 +00:00
|
|
|
export TEXTDOMAIN=Linux-PAM
|
|
|
|
|
|
|
|
|
|
. gettext.sh
|
|
|
|
|
|
2018-10-26 21:24:22 +00:00
|
|
|
# bash syntax "function check_user_pwd() {" was removed, as it prevented all
|
|
|
|
|
# lightdm/graphical logins (incl autologin) on Raspbian: #1252 -> PR #1253
|
|
|
|
|
check_user_pwd() {
|
2018-10-15 06:46:20 +00:00
|
|
|
# $meth (hashing method) is typically '6' which implies 5000 rounds
|
|
|
|
|
# of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password
|
|
|
|
|
meth=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2)
|
|
|
|
|
salt=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f3)
|
|
|
|
|
hash=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f4)
|
|
|
|
|
[ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ]
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-08 00:42:04 +00:00
|
|
|
# Credit to the folks at the Raspberry Pi Foundation
|
2018-10-26 21:24:22 +00:00
|
|
|
check_hash() {
|
2018-10-15 06:46:20 +00:00
|
|
|
if ! id -u iiab-admin > /dev/null 2>&1 ; then return 0 ; fi
|
|
|
|
|
if grep -q "^PasswordAuthentication\s*no" /etc/ssh/sshd_config ; then return 0 ; fi
|
2018-10-15 07:31:13 +00:00
|
|
|
if check_user_pwd "iiab-admin" "{{ iiab_admin_published_pwd }}"; then
|
2019-03-08 00:42:04 +00:00
|
|
|
echo
|
|
|
|
|
echo $(/usr/bin/gettext "SSH is enabled and the published password for user 'iiab-admin' is in use.")
|
|
|
|
|
echo $(/usr/bin/gettext "THIS IS A SECURITY RISK - please run 'sudo passwd iiab-admin' to change it.")
|
|
|
|
|
echo
|
|
|
|
|
fi
|
2017-05-27 18:09:50 +00:00
|
|
|
}
|
|
|
|
|
|
2017-05-29 16:06:09 +00:00
|
|
|
systemctl is-active {{ sshd_service }} > /dev/null && check_hash
|
2017-05-27 18:09:50 +00:00
|
|
|
unset check_hash
|
