iiab/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh

#!/bin/bash

# SEE ALSO: /etc/profile.d/sshpwd-profile-iiab.sh sourced from...
# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-profile-iiab.sh

# For Localization/Translation: (use /usr/bin/gettext below if later nec!)
#export TEXTDOMAIN=pprompt-iiab
#. gettext.sh
# https://github.com/raspberrypi-ui/pam/blob/master/etc/profile.d/sshpwd.sh
# https://github.com/raspberrypi-ui/pprompt/blob/master/sshpwd.sh

# bash syntax "function check_user_pwd() {" was removed, as it prevented all
# lightdm/graphical logins (incl autologin) on Raspbian: #1252 -> PR #1253
check_user_pwd() {
    id -u $1 > /dev/null 2>&1 || return 2    # FORCE ERROR if no such user
    # *BUT* overall bash script still returns exit code 0 ("success")

    # $meth (hashing method) is typically '6' which implies 5000 rounds
    # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password
    meth=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2)
    salt=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f3)
    hash=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f4)
    [ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ]
}

#grep -q "^PasswordAuthentication\s\+no\b" /etc/ssh/sshd_config && exit
#systemctl is-active {{ sshd_service }} || exit

if check_user_pwd "{{ iiab_admin_user }}" "{{ iiab_admin_published_pwd }}" ; then    # iiab-admin
    zenity --warning --width=600 --text="Published password in use by user '{{ iiab_admin_user }}'.\n\nTHIS IS A SECURITY RISK - please change its password using IIAB's Admin Console (http://box.lan/admin) -> Utilities -> Change Password.\n\nSee 'What are the default passwords?' at http://FAQ.IIAB.IO"
    #zenity --warning --width=600 --text="SSH is enabled and the published password is in use by user '{{ iiab_admin_user }}'.\n\nTHIS IS A SECURITY RISK - please change its password using IIAB's Admin Console (http://box.lan/admin) -> Utilities -> Change Password.\n\nSee 'What are the default passwords?' at http://FAQ.IIAB.IO"
fi
fix whitespace on moved files 2017-09-19 18:00:46 +00:00			`#!/bin/bash`
Update lxde_ssh_warn.sh 2018-10-15 06:46:15 +00:00
Update sshpwd-lxde-iiab.sh 2020-10-11 04:10:47 +00:00			`# SEE ALSO: /etc/profile.d/sshpwd-profile-iiab.sh sourced from...`
			`# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-profile-iiab.sh`
For Raspbian Desktop changes of 2018-11-13 2019-03-08 00:42:23 +00:00
Update sshpwd-lxde-iiab.sh 2020-10-11 04:10:47 +00:00			`# For Localization/Translation: (use /usr/bin/gettext below if later nec!)`
			`#export TEXTDOMAIN=pprompt-iiab`
			`#. gettext.sh`
			`# https://github.com/raspberrypi-ui/pam/blob/master/etc/profile.d/sshpwd.sh`
			`# https://github.com/raspberrypi-ui/pprompt/blob/master/sshpwd.sh`
For Raspbian Desktop changes of 2018-11-13 2019-03-08 00:42:23 +00:00
			`# bash syntax "function check_user_pwd() {" was removed, as it prevented all`
			`# lightdm/graphical logins (incl autologin) on Raspbian: #1252 -> PR #1253`
Update lxde_ssh_warn.sh 2018-10-26 21:17:19 +00:00			`check_user_pwd() {`
Update sshpwd-lxde-iiab.sh 2020-10-11 04:10:47 +00:00			`id -u $1 > /dev/null 2>&1 \|\| return 2 # FORCE ERROR if no such user`
			`# BUT overall bash script still returns exit code 0 ("success")`

Update lxde_ssh_warn.sh 2018-10-15 06:46:15 +00:00			`# $meth (hashing method) is typically '6' which implies 5000 rounds`
			`# of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password`
			`meth=$(sudo grep "^$1:" /etc/shadow \| cut -d: -f2 \| cut -d$ -f2)`
			`salt=$(sudo grep "^$1:" /etc/shadow \| cut -d: -f2 \| cut -d$ -f3)`
			`hash=$(sudo grep "^$1:" /etc/shadow \| cut -d: -f2 \| cut -d$ -f4)`
			`[ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ]`
			`}`

Update sshpwd-lxde-iiab.sh 2020-10-11 04:10:47 +00:00			`#grep -q "^PasswordAuthentication\s\+no\b" /etc/ssh/sshd_config && exit`
			`#systemctl is-active {{ sshd_service }} \|\| exit`
initial checkin -- May 27, 2017 2017-05-27 18:09:50 +00:00
Update sshpwd-lxde-iiab.sh 2020-10-11 04:10:47 +00:00			`if check_user_pwd "{{ iiab_admin_user }}" "{{ iiab_admin_published_pwd }}" ; then # iiab-admin`
			`zenity --warning --width=600 --text="Published password in use by user '{{ iiab_admin_user }}'.\n\nTHIS IS A SECURITY RISK - please change its password using IIAB's Admin Console (http://box.lan/admin) -> Utilities -> Change Password.\n\nSee 'What are the default passwords?' at http://FAQ.IIAB.IO"`
			`#zenity --warning --width=600 --text="SSH is enabled and the published password is in use by user '{{ iiab_admin_user }}'.\n\nTHIS IS A SECURITY RISK - please change its password using IIAB's Admin Console (http://box.lan/admin) -> Utilities -> Change Password.\n\nSee 'What are the default passwords?' at http://FAQ.IIAB.IO"`
			`fi`