2017-09-19 18:00:46 +00:00
#!/bin/bash
2018-10-15 06:46:15 +00:00
function check_user_pwd( ) {
# $meth (hashing method) is typically '6' which implies 5000 rounds
# of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password
meth = $( sudo grep " ^ $1 : " /etc/shadow | cut -d: -f2 | cut -d$ -f2)
salt = $( sudo grep " ^ $1 : " /etc/shadow | cut -d: -f2 | cut -d$ -f3)
hash = $( sudo grep " ^ $1 : " /etc/shadow | cut -d: -f2 | cut -d$ -f4)
[ $( python3 -c " import crypt; print(crypt.crypt(' $2 ', '\$ $meth \$ $salt ')) " ) = = " \$ $meth \$ $salt \$ $hash " ]
}
2017-05-27 18:09:50 +00:00
# credit to the folks at raspberry pi foundatioon
2018-10-15 06:46:15 +00:00
check_hash ( ) {
2017-06-09 23:25:56 +00:00
if ! id -u iiab-admin > /dev/null 2>& 1 ; then return 0 ; fi
2017-05-27 18:09:50 +00:00
if grep -q "^PasswordAuthentication\s*no" /etc/ssh/sshd_config ; then return 0 ; fi
2018-10-15 06:46:15 +00:00
#test -x /usr/bin/mkpasswd || return 0
#SHADOW="$(sudo -n grep -E '^iiab-admin:' /etc/shadow 2>/dev/null)"
#test -n "${SHADOW}" || return 0
#if echo $SHADOW | grep -q "iiab-admin:!" ; then return 0 ; fi
#SHADOW_PW=$(echo $SHADOW | cut -d: -f2)
#if [ "$SHADOW_PW" != "\$6\$iiab51\$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop." ]; then return 0 ; fi
#if echo "${SHADOW}" | grep -q "${HASH}"; then
2018-10-15 07:32:22 +00:00
if check_user_pwd "iiab-admin" "{{ iiab_admin_published_pwd }}" ; then
zenity --warning --text= "SSH is enabled and the default password for user 'iiab-admin' is in use.\nThis is a security risk - please change its password using IIAB's Admin Console (http://box/admin) -> Utilities -> Change Password."
2017-05-27 18:09:50 +00:00
fi
}
2018-10-15 06:46:15 +00:00
#if service ssh status | grep -q running; then
# check_hash
#fi
systemctl is-active { { sshd_service } } > /dev/null && check_hash
2017-05-27 18:09:50 +00:00
unset check_hash
