From 029778139b5437cc41f454ed41965e7b595fcda9 Mon Sep 17 00:00:00 2001 From: root Date: Sat, 28 Aug 2021 22:16:03 -0400 Subject: [PATCH] Check passwds hashed w/ 'yescrypt' etc too, in /etc/shadow --- roles/iiab-admin/templates/sshpwd-lxde-iiab.sh | 17 +++++++++++------ .../iiab-admin/templates/sshpwd-profile-iiab.sh | 17 +++++++++++------ 2 files changed, 22 insertions(+), 12 deletions(-) diff --git a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh index 972ee3d88..fe7e8ae1b 100755 --- a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh +++ b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh @@ -24,12 +24,17 @@ check_user_pwd() { # (read access to /etc/shadow is otherwise restricted to just root and # group www-data i.e. Apache, NGINX get special access). SEE: #2431, #2561 - # $meth (hashing method) is typically '6' which implies 5000 rounds - # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password - meth=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2) - salt=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f3) - hash=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f4) - [ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ] + # 2021-08-28: New OS's use 'yescrypt' so use Perl instead of Python (#2949) + # This also helps avoid parsing the (NEW) 4th sub-field in $y$j9T$SALT$HASH + field2=$(grep "^$1:" /etc/shadow | cut -d: -f2) + [[ $(perl -e "print crypt('$2', '$field2')") == $field2 ]] + + # # $meth (hashing method) is typically '6' which implies 5000 rounds + # # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password + # meth=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2) + # salt=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f3) + # hash=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f4) + # [ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ] } #grep -q "^PasswordAuthentication\s\+no\b" /etc/ssh/sshd_config && return diff --git a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh index 259da8139..5dc3e92f1 100755 --- a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh +++ b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh @@ -23,12 +23,17 @@ check_user_pwd() { # enough when user does not exist. Or uncomment to FORCE ERROR CODE 2. # Either way, overall bash script still returns exit code 0 ("success"). - # $meth (hashing method) is typically '6' which implies 5000 rounds - # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password - meth=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2) - salt=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f3) - hash=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f4) - [ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ] + # 2021-08-28: New OS's use 'yescrypt' so use Perl instead of Python (#2949) + # This also helps avoid parsing the (NEW) 4th sub-field in $y$j9T$SALT$HASH + field2=$(grep "^$1:" /etc/shadow | cut -d: -f2) + [[ $(perl -e "print crypt('$2', '$field2')") == $field2 ]] + + # # $meth (hashing method) is typically '6' which implies 5000 rounds + # # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password + # meth=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2) + # salt=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f3) + # hash=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f4) + # [ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ] } # 2020-10-13 https://github.com/iiab/iiab/issues/2561 RECAP: Above was blocking