From 284edb1b34f254b6b392278e480898306f812be3 Mon Sep 17 00:00:00 2001 From: A Holt Date: Fri, 9 Oct 2020 06:40:39 -0400 Subject: [PATCH 01/18] sshpwd-profile-iiab.sh blocked graphical logins --- .../templates/sshpwd-profile-iiab.sh | 50 ++++++++++++------- 1 file changed, 31 insertions(+), 19 deletions(-) diff --git a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh index 9c4bd4964..9853aa238 100755 --- a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh +++ b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh 
@@ -1,31 +1,43 @@ #!/bin/bash -export TEXTDOMAIN=Linux-PAM +# SEE ALSO: /etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh sourced from... +# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh +# ...invoked by customized /etc/xdg/lxsession/LXDE-pi/autostart -. gettext.sh +# For Localisation: +#export TEXTDOMAIN=Linux-PAM +#. gettext.sh +# https://github.com/raspberrypi-ui/pam/blob/master/etc/profile.d/sshpwd.sh +# https://github.com/raspberrypi-ui/pprompt/blob/master/sshpwd.sh # bash syntax "function check_user_pwd() {" was removed, as it prevented all # lightdm/graphical logins (incl autologin) on Raspbian: #1252 -> PR #1253 check_user_pwd() { + + # 1. 'sudo su -' invokes this script as root: + [ $(id -un) = "root" ] || return 1 # FORCE ERROR IF RUN BY NON-root + # *BUT* overall bash script still returns exit code 0 ("success") + # as needed by Ubuntu 20.04 graphical logins, etc! + + # 2. Graphical Logins invoke this script as the user logging in: (USELESSLY) + #[ $(id -un) = "$1" ] || [ $(id -un) = "root" ] || return 1 + # SO FORMERLY: this could also be run by non-root accounts e.g. 
iiab-admin + # if sudo access set with "%wheel ALL= NOPASSWD: ALL" in /etc/sudoers per + # https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/admin-user.yml + # BUT: warning popups did not result on most OS's, much as mentioned here: + # https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/main.yml#L38-L44 + # $meth (hashing method) is typically '6' which implies 5000 rounds # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password - meth=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2) - salt=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f3) - hash=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f4) + meth=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2) + salt=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f3) + hash=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f4) [ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ] } -# Credit to the folks at the Raspberry Pi Foundation -check_hash() { - if ! id -u iiab-admin > /dev/null 2>&1 ; then return 0 ; fi - if grep -q "^PasswordAuthentication\s*no" /etc/ssh/sshd_config ; then return 0 ; fi - if check_user_pwd "iiab-admin" "{{ iiab_admin_published_pwd }}"; then - echo - echo $(/usr/bin/gettext "SSH is enabled and the published password for user 'iiab-admin' is in use.") - echo $(/usr/bin/gettext "THIS IS A SECURITY RISK - please run 'sudo passwd iiab-admin' to change it.") - echo - fi -} - -systemctl is-active {{ sshd_service }} > /dev/null && check_hash -unset check_hash +if check_user_pwd "iiab-admin" "g0adm1n"; then + echo + echo $(/usr/bin/gettext "The published password for user 'iiab-admin' is in use.") + echo $(/usr/bin/gettext "THIS IS A SECURITY RISK - please run 'sudo passwd iiab-admin' to change it.") + echo +fi From 09dce33dd83b51339263d01c272c244a0caebc7a Mon Sep 17 00:00:00 2001 
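Review bot: The new unprivileged `meth`/`salt`/`hash` lines parse the shadow field with `cut -d$ -f2`/`-f3`/`-f4`, which assumes the entry is exactly `$id$salt$hash`; an entry of the form `$6$rounds=N$salt$hash`, or a yescrypt `$y$j9T$salt$hash` as newer Debian/Ubuntu releases write, shifts the fields and the comparison fails closed, so a still-published password is reported as changed and the warning silently never prints. Interpolating `'$2'` into the Python source is also fragile for any password containing a quote or backslash. Both go away if you keep the whole field and pass values via argv: `full=$(grep "^$1:" /etc/shadow | cut -d: -f2)`, `salt=${full%\$*}`, then `[ "$(python3 -c 'import crypt,sys; print(crypt.crypt(sys.argv[1], sys.argv[2]))' "$2" "$salt")" = "$full" ]` (note Python's `crypt` module is deprecated since 3.11 and gone in 3.13, so the `python3` failure path deserves an explicit check). Replacing `{{ iiab_admin_published_pwd }}` with the literal `"g0adm1n"` additionally detaches this check from the variable the lxde script still compares against, so the two can drift.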
From: A Holt Date: Fri, 9 Oct 2020 07:16:10 -0400 Subject: [PATCH 02/18] Update sshpwd-profile-iiab.sh --- roles/iiab-admin/templates/sshpwd-profile-iiab.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh index 9853aa238..1984f0515 100755 --- a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh +++ b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh @@ -2,7 +2,8 @@ # SEE ALSO: /etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh sourced from... # https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh -# ...invoked by customized /etc/xdg/lxsession/LXDE-pi/autostart +# ...invoked by /etc/xdg/lxsession/LXDE-pi/autostart which is customized by... +# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/main.yml#L46-L50 # For Localisation: #export TEXTDOMAIN=Linux-PAM From fd4a8463f60815cc960f75cd1a8539329b905aed Mon Sep 17 00:00:00 2001 From: A Holt Date: Sat, 10 Oct 2020 13:13:45 -0400 Subject: [PATCH 03/18] Softcode {{ iiab_admin_user }} for iiab-admin's published password? Unclear this is a good idea. As what was an accurate warning is now misleading, as a result of this commit. But I suppose it doesn't hurt, e.g. if other administrative accounts also have this same published password. --- roles/iiab-admin/templates/sshpwd-profile-iiab.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh index 1984f0515..c3ebe7858 100755 --- a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh +++ b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh 
@@ -36,9 +36,9 @@ check_user_pwd() { [ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ] } -if check_user_pwd "iiab-admin" "g0adm1n"; then +if check_user_pwd "{{ iiab_admin_user }}" "g0adm1n"; then # iiab-admin echo - echo $(/usr/bin/gettext "The published password for user 'iiab-admin' is in use.") - echo $(/usr/bin/gettext "THIS IS A SECURITY RISK - please run 'sudo passwd iiab-admin' to change it.") + echo $(/usr/bin/gettext "The published password for user '{{ iiab_admin_user }}' is in use.") + echo $(/usr/bin/gettext "THIS IS A SECURITY RISK - please run 'sudo passwd {{ iiab_admin_user }}' to change it.") echo fi From c1e1a98321080c515d81ed7df6e49036c30f4a8b Mon Sep 17 00:00:00 2001 From: A Holt Date: Sat, 10 Oct 2020 13:16:51 -0400 Subject: [PATCH 04/18] Clarify roles/iiab-admin/tasks/admin-user.yml --- roles/iiab-admin/tasks/admin-user.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/iiab-admin/tasks/admin-user.yml b/roles/iiab-admin/tasks/admin-user.yml index 2d1dd0c99..76ea76ff5 100644 --- a/roles/iiab-admin/tasks/admin-user.yml +++ b/roles/iiab-admin/tasks/admin-user.yml @@ -1,6 +1,6 @@ - name: Create user {{ iiab_admin_user }} for Admin Console; set password from iiab_admin_pwd_hash if newly creating account user: - name: "{{ iiab_admin_user }}" + name: "{{ iiab_admin_user }}" # iiab-admin password: "{{ iiab_admin_pwd_hash }}" update_password: on_create shell: /bin/bash From db219d9a20c91e7151d344be09148c43a9b99f26 Mon Sep 17 00:00:00 2001 From: A Holt Date: Sat, 10 Oct 2020 13:30:49 -0400 Subject: [PATCH 05/18] Update sshpwd-lxde-iiab.sh --- roles/iiab-admin/templates/sshpwd-lxde-iiab.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh index ea17af847..c8f2c39b2 100755 --- a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh 
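Review bot: The `if check_user_pwd "{{ iiab_admin_user }}" "g0adm1n"` line softcodes the account name but still hardcodes the password, so a deployment that overrides `iiab_admin_published_pwd` (the variable sshpwd-lxde-iiab.sh checks against) gets a silently wrong answer here, which is the inconsistency the commit message itself worries about. Use the same variable in both scripts: `if check_user_pwd "{{ iiab_admin_user }}" "{{ iiab_admin_published_pwd }}"; then`. The body of check_user_pwd starts above the hunk.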
+++ b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh @@ -17,10 +17,10 @@ check_user_pwd() { # Credit to the folks at the Raspberry Pi Foundation check_hash() { - if ! id -u iiab-admin > /dev/null 2>&1 ; then return 0 ; fi - if grep -q "^PasswordAuthentication\s*no" /etc/ssh/sshd_config ; then return 0 ; fi - if check_user_pwd "iiab-admin" "{{ iiab_admin_published_pwd }}"; then - zenity --warning --width=600 --text="SSH is enabled and the default password for user 'iiab-admin' is in use.\n\nTHIS IS A SECURITY RISK - please change its password using IIAB's Admin Console (http://box.lan/admin) -> Utilities -> Change Password.\n\nSee 'What are the default passwords?' at http://FAQ.IIAB.IO" + if ! id -u {{ iiab_admin_user }} > /dev/null 2> &1 ; then return 0 ; fi # iiab-admin + if grep -q "^PasswordAuthentication\s\+no\b" /etc/ssh/sshd_config ; then return 0 ; fi + if check_user_pwd "{{ iiab_admin_user }}" "{{ iiab_admin_published_pwd }}" ; then + zenity --warning --width=600 --text="SSH is enabled and the default password is in use by user '{{ iiab_admin_user }}'.\n\nTHIS IS A SECURITY RISK - please change its password using IIAB's Admin Console (http://box.lan/admin) -> Utilities -> Change Password.\n\nSee 'What are the default passwords?' at http://FAQ.IIAB.IO" fi } From 492e7e7590a00a74e61b89c2af464a741485538c Mon Sep 17 00:00:00 2001 From: A Holt Date: Sat, 10 Oct 2020 13:34:59 -0400 Subject: [PATCH 06/18] Update sshpwd-profile-iiab.sh --- roles/iiab-admin/templates/sshpwd-profile-iiab.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh index c3ebe7858..7d53cc1f1 100755 --- a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh +++ b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh 
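Review bot: The new `id -u {{ iiab_admin_user }} > /dev/null 2> &1` line is a bash syntax error (`2>` must be followed by a word; the space makes `&1` an unexpected `&`), and because it sits inside the `check_hash` function definition the interpreter aborts the whole script at parse time, so the popup can never appear. Restore `2>&1` with no space. Separately, the tightened `grep -q "^PasswordAuthentication\s\+no\b" /etc/ssh/sshd_config` still misses a keyword written in another case or set in an `Include`d drop-in such as `/etc/ssh/sshd_config.d/*.conf`; `sshd -T 2>/dev/null | grep -qi '^passwordauthentication no'` (run as root, like the shadow read already is) reports the effective value. check_hash is complete in the hunk, but the check_user_pwd it calls is above it.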
@@ -38,7 +38,7 @@ check_user_pwd() { if check_user_pwd "{{ iiab_admin_user }}" "g0adm1n"; then # iiab-admin echo - echo $(/usr/bin/gettext "The published password for user '{{ iiab_admin_user }}' is in use.") + echo $(/usr/bin/gettext "The published password is in use by user '{{ iiab_admin_user }}'.") echo $(/usr/bin/gettext "THIS IS A SECURITY RISK - please run 'sudo passwd {{ iiab_admin_user }}' to change it.") echo fi From 7f32deed5c42c5d1018d8c5cbd10733bb550cd60 Mon Sep 17 00:00:00 2001 From: A Holt Date: Sat, 10 Oct 2020 13:35:46 -0400 Subject: [PATCH 07/18] Update sshpwd-lxde-iiab.sh --- roles/iiab-admin/templates/sshpwd-lxde-iiab.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh index c8f2c39b2..2d10f45d1 100755 --- a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh +++ b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh @@ -20,7 +20,7 @@ check_hash() { if ! id -u {{ iiab_admin_user }} > /dev/null 2> &1 ; then return 0 ; fi # iiab-admin if grep -q "^PasswordAuthentication\s\+no\b" /etc/ssh/sshd_config ; then return 0 ; fi if check_user_pwd "{{ iiab_admin_user }}" "{{ iiab_admin_published_pwd }}" ; then - zenity --warning --width=600 --text="SSH is enabled and the default password is in use by user '{{ iiab_admin_user }}'.\n\nTHIS IS A SECURITY RISK - please change its password using IIAB's Admin Console (http://box.lan/admin) -> Utilities -> Change Password.\n\nSee 'What are the default passwords?' at http://FAQ.IIAB.IO" + zenity --warning --width=600 --text="SSH is enabled and the published password is in use by user '{{ iiab_admin_user }}'.\n\nTHIS IS A SECURITY RISK - please change its password using IIAB's Admin Console (http://box.lan/admin) -> Utilities -> Change Password.\n\nSee 'What are the default passwords?' at http://FAQ.IIAB.IO" fi } From 7c64f234d828e82ce0e3d50ebbc5745f96032965 Mon Sep 17 00:00:00 2001 
From: A Holt Date: Sat, 10 Oct 2020 13:49:34 -0400 Subject: [PATCH 08/18] sshpwd-profile-iiab.sh: localization stuff unused for now --- roles/iiab-admin/templates/sshpwd-profile-iiab.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh index 7d53cc1f1..e9fbd6123 100755 --- a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh +++ b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh @@ -5,7 +5,7 @@ # ...invoked by /etc/xdg/lxsession/LXDE-pi/autostart which is customized by... # https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/main.yml#L46-L50 -# For Localisation: +# For Localization/Translation: (use /usr/bin/gettext below if later nec!) #export TEXTDOMAIN=Linux-PAM #. gettext.sh # https://github.com/raspberrypi-ui/pam/blob/master/etc/profile.d/sshpwd.sh @@ -38,7 +38,7 @@ check_user_pwd() { if check_user_pwd "{{ iiab_admin_user }}" "g0adm1n"; then # iiab-admin echo - echo $(/usr/bin/gettext "The published password is in use by user '{{ iiab_admin_user }}'.") - echo $(/usr/bin/gettext "THIS IS A SECURITY RISK - please run 'sudo passwd {{ iiab_admin_user }}' to change it.") + echo "The published password is in use by user '{{ iiab_admin_user }}'." + echo "THIS IS A SECURITY RISK - please run 'sudo passwd {{ iiab_admin_user }}' to change it." echo fi From a60402461a9fbb25a22ec1377ae5da6b0deefce3 Mon Sep 17 00:00:00 2001 From: A Holt Date: Sat, 10 Oct 2020 14:27:16 -0400 Subject: [PATCH 09/18] iiab-admin/tasks/main.yml: closer to IIAB norms --- roles/iiab-admin/tasks/main.yml | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/roles/iiab-admin/tasks/main.yml b/roles/iiab-admin/tasks/main.yml index 8ccc64068..54275c7cf 100644 --- a/roles/iiab-admin/tasks/main.yml +++ b/roles/iiab-admin/tasks/main.yml 
@@ -3,20 +3,6 @@ - include_tasks: access.yml -- name: Add 'iiab-admin' variable values to {{ iiab_ini_file }} - ini_file: - dest: "{{ iiab_ini_file }}" - section: iiab-admin - option: "{{ item.option }}" - value: "{{ item.value | string }}" - with_items: - - option: name - value: iiab-admin - - option: description - value: '"Admin User"' - - option: iiab_admin_user - value: "{{ iiab_admin_user }}" - - name: Install /etc/profile.d/sshpwd-profile-iiab.sh from template, to issue warnings (during shell/ssh logins) if iiab-admin password is the default template: src: sshpwd-profile-iiab.sh @@ -61,3 +47,18 @@ path: "{{ iiab_state_file }}" # /etc/iiab/iiab_state.yml regexp: '^iiab_admin_installed' line: 'iiab_admin_installed: True' + + +- name: Add 'iiab-admin' variable values to {{ iiab_ini_file }} + ini_file: + dest: "{{ iiab_ini_file }}" # /etc/iiab/iiab.ini + section: iiab-admin + option: "{{ item.option }}" + value: "{{ item.value | string }}" + with_items: + - option: name + value: iiab-admin + - option: description + value: '"Admin User"' + - option: iiab_admin_user + value: "{{ iiab_admin_user }}" From bb032104597f039d7af71bdcf95de3240d6a9dd3 Mon Sep 17 00:00:00 2001 From: A Holt Date: Sat, 10 Oct 2020 17:15:09 -0400 Subject: [PATCH 10/18] Update sshpwd-profile-iiab.sh --- roles/iiab-admin/templates/sshpwd-profile-iiab.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh index e9fbd6123..b3e2203b0 100755 --- a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh +++ b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh 
@@ -26,7 +26,7 @@ check_user_pwd() { # if sudo access set with "%wheel ALL= NOPASSWD: ALL" in /etc/sudoers per # https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/admin-user.yml # BUT: warning popups did not result on most OS's, much as mentioned here: - # https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/main.yml#L38-L44 + # https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/main.yml#L24-L30 # $meth (hashing method) is typically '6' which implies 5000 rounds # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password From 83abefea0df2cb57ef3fd4a9cdeeabd159bb2094 Mon Sep 17 00:00:00 2001 From: A Holt Date: Sat, 10 Oct 2020 20:39:50 -0400 Subject: [PATCH 11/18] /etc/sudoers.d/* files should have permission 0440 @tim-moody: if possible make this same change for roles/js-menu/templates/021_apache_set_time.j2 --- roles/www_options/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/www_options/tasks/main.yml b/roles/www_options/tasks/main.yml index b33b5c92b..70df9f95c 100644 --- a/roles/www_options/tasks/main.yml +++ b/roles/www_options/tasks/main.yml @@ -86,7 +86,7 @@ template: src: 020_apache_poweroff.j2 dest: /etc/sudoers.d/020_apache_poweroff - mode: '0755' + mode: '0440' when: apache_allow_sudo | bool - name: Remove {{ apache_user }} (per variable apache_user) permission to poweroff, removing /etc/sudoers.d/020_apache_poweroff From 8584d787048f539eb7d73649770bdc8667e7c359 Mon Sep 17 00:00:00 2001 From: A Holt Date: Sat, 10 Oct 2020 23:15:42 -0400 Subject: [PATCH 12/18] admin-user.yml: skip wheels group (& its NOPASSWD: in /etc/sudoers) --- roles/iiab-admin/tasks/admin-user.yml | 39 ++++++++++++++------------- 1 file changed, 21 insertions(+), 18 deletions(-) diff --git a/roles/iiab-admin/tasks/admin-user.yml b/roles/iiab-admin/tasks/admin-user.yml index 76ea76ff5..1f590f534 100644 --- a/roles/iiab-admin/tasks/admin-user.yml +++ b/roles/iiab-admin/tasks/admin-user.yml 
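Review bot: `mode: '0440'` is the right permission for a sudoers.d drop-in, but the same `template:` task should also pin ownership and validate the rendered file, since a typo in a sudoers fragment disables sudo for every user until someone repairs it by hand from a root shell. Add `owner: root`, `group: root` and `validate: '/usr/sbin/visudo -cf %s'` next to `mode`. Ownership is presumably root already when the play runs with root privileges, but stating it keeps the file acceptable to sudo if the task is ever run under a different `become` user.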
@@ -1,25 +1,26 @@ -- name: Create user {{ iiab_admin_user }} for Admin Console; set password from iiab_admin_pwd_hash if newly creating account +- name: Create user {{ iiab_admin_user }} in group sudo for Admin Console; set password from iiab_admin_pwd_hash if newly creating account user: name: "{{ iiab_admin_user }}" # iiab-admin password: "{{ iiab_admin_pwd_hash }}" update_password: on_create shell: /bin/bash + groups: sudo -- name: Create a wheel group - group: - name: wheel - state: present +#- name: Create a wheel group +# group: +# name: wheel +# state: present -- name: Create a sudo group (redhat) - group: - name: sudo - state: present - when: is_redhat | bool +#- name: Create a sudo group (redhat) +# group: +# name: sudo +# state: present +# when: is_redhat | bool -- name: 'Add user {{ iiab_admin_user }} to groups: wheel, sudo' - user: - name: "{{ iiab_admin_user }}" - groups: wheel,sudo +#- name: 'Add user {{ iiab_admin_user }} to groups: wheel, sudo' +# user: +# name: "{{ iiab_admin_user }}" +# groups: wheel,sudo - name: Edit the sudoers file -- first make it editable file: @@ -33,10 +34,12 @@ dest: /etc/sudoers state: present -- name: Lets wheel sudo without password - lineinfile: - line: "%wheel ALL= NOPASSWD: ALL" - dest: /etc/sudoers +#- name: Lets {{ iiab_admin_user }} sudo without password +##- name: Lets wheel sudo without password +# lineinfile: +# line: "{{ iiab_admin_user }} ALL=(ALL) NOPASSWD: ALL" +## line: "%wheel ALL= NOPASSWD: ALL" +# dest: /etc/sudoers - name: Remove the line which requires tty lineinfile: From 7cb881f4bf9f79475617b6fafffb4ba4d58ecdd7 Mon Sep 17 00:00:00 2001 From: A Holt Date: Sun, 11 Oct 2020 00:10:47 -0400 Subject: [PATCH 13/18] Update sshpwd-lxde-iiab.sh --- .../iiab-admin/templates/sshpwd-lxde-iiab.sh | 28 +++++++++++-------- 1 file changed, 16 insertions(+), 12 deletions(-) diff --git a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh index 2d10f45d1..ae7915236 100755 
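Review bot: `groups: sudo` on the `user:` task without `append: yes` makes Ansible's user module replace the account's supplementary groups on every run, so any other group the existing iiab-admin account was added to (by another role or by hand) is silently stripped; add `append: yes` under `groups: sudo`. The commented-out "Create a sudo group (redhat)" task also indicates RedHat-family hosts ship `wheel` rather than `sudo`, so with group creation skipped the user task will presumably fail there with a missing-group error unless the group is created or chosen per family. Dropping the `NOPASSWD:` line is a good change; the sudoers edits that follow it lie outside this hunk.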
--- a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh +++ b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh @@ -1,12 +1,20 @@ #!/bin/bash -export TEXTDOMAIN=pprompt-iiab +# SEE ALSO: /etc/profile.d/sshpwd-profile-iiab.sh sourced from... +# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-profile-iiab.sh -. gettext.sh +# For Localization/Translation: (use /usr/bin/gettext below if later nec!) +#export TEXTDOMAIN=pprompt-iiab +#. gettext.sh +# https://github.com/raspberrypi-ui/pam/blob/master/etc/profile.d/sshpwd.sh +# https://github.com/raspberrypi-ui/pprompt/blob/master/sshpwd.sh # bash syntax "function check_user_pwd() {" was removed, as it prevented all # lightdm/graphical logins (incl autologin) on Raspbian: #1252 -> PR #1253 check_user_pwd() { + id -u $1 > /dev/null 2>&1 || return 2 # FORCE ERROR if no such user + # *BUT* overall bash script still returns exit code 0 ("success") + # $meth (hashing method) is typically '6' which implies 5000 rounds # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password meth=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2) 
@@ -15,14 +23,10 @@ check_user_pwd() { [ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ] } -# Credit to the folks at the Raspberry Pi Foundation -check_hash() { - if ! id -u {{ iiab_admin_user }} > /dev/null 2> &1 ; then return 0 ; fi # iiab-admin - if grep -q "^PasswordAuthentication\s\+no\b" /etc/ssh/sshd_config ; then return 0 ; fi - if check_user_pwd "{{ iiab_admin_user }}" "{{ iiab_admin_published_pwd }}" ; then - zenity --warning --width=600 --text="SSH is enabled and the published password is in use by user '{{ iiab_admin_user }}'.\n\nTHIS IS A SECURITY RISK - please change its password using IIAB's Admin Console (http://box.lan/admin) -> Utilities -> Change Password.\n\nSee 'What are the default passwords?' at http://FAQ.IIAB.IO" - fi -} +#grep -q "^PasswordAuthentication\s\+no\b" /etc/ssh/sshd_config && exit +#systemctl is-active {{ sshd_service }} || exit -systemctl is-active {{ sshd_service }} > /dev/null && check_hash -unset check_hash +if check_user_pwd "{{ iiab_admin_user }}" "{{ iiab_admin_published_pwd }}" ; then # iiab-admin + zenity --warning --width=600 --text="Published password in use by user '{{ iiab_admin_user }}'.\n\nTHIS IS A SECURITY RISK - please change its password using IIAB's Admin Console (http://box.lan/admin) -> Utilities -> Change Password.\n\nSee 'What are the default passwords?' at http://FAQ.IIAB.IO" + #zenity --warning --width=600 --text="SSH is enabled and the published password is in use by user '{{ iiab_admin_user }}'.\n\nTHIS IS A SECURITY RISK - please change its password using IIAB's Admin Console (http://box.lan/admin) -> Utilities -> Change Password.\n\nSee 'What are the default passwords?' at http://FAQ.IIAB.IO" +fi From 941e52f5465f699ccae3753b2c881450f71ab54d Mon Sep 17 00:00:00 2001 
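Review bot: With the `systemctl is-active` and `PasswordAuthentication` gates commented out, `check_user_pwd` now runs unconditionally from the LXDE autostart, where its `sudo grep ... /etc/shadow` (defined above the hunk) has no tty to prompt on; unless passwordless sudo is configured, sudo fails, `meth`/`salt`/`hash` come back empty and the comparison fails closed, which matches the in-file comment that the popup rarely appears. Make the privileged read explicit and fail fast: `shadow=$(sudo -n grep "^$1:" /etc/shadow 2>/dev/null) || return 2`, then derive the fields from `$shadow`. If the sshd checks are ever re-enabled, prefer `sshd -T` over grepping sshd_config so `Include`d drop-ins are honoured.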
From: A Holt Date: Sun, 11 Oct 2020 02:13:50 -0400 Subject: [PATCH 14/18] Update sshpwd-profile-iiab.sh --- .../templates/sshpwd-profile-iiab.sh | 33 +++++++++++-------- 1 file changed, 20 insertions(+), 13 deletions(-) diff --git a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh index b3e2203b0..e7c49bc50 100755 --- a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh +++ b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh @@ -15,18 +15,8 @@ # lightdm/graphical logins (incl autologin) on Raspbian: #1252 -> PR #1253 check_user_pwd() { - # 1. 'sudo su -' invokes this script as root: - [ $(id -un) = "root" ] || return 1 # FORCE ERROR IF RUN BY NON-root + id -u $1 > /dev/null 2>&1 || return 2 # FORCE ERROR if no such user # *BUT* overall bash script still returns exit code 0 ("success") - # as needed by Ubuntu 20.04 graphical logins, etc! - - # 2. Graphical Logins invoke this script as the user logging in: (USELESSLY) - #[ $(id -un) = "$1" ] || [ $(id -un) = "root" ] || return 1 - # SO FORMERLY: this could also be run by non-root accounts e.g. iiab-admin - # if sudo access set with "%wheel ALL= NOPASSWD: ALL" in /etc/sudoers per - # https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/admin-user.yml - # BUT: warning popups did not result on most OS's, much as mentioned here: - # https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/main.yml#L24-L30 # $meth (hashing method) is typically '6' which implies 5000 rounds # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password 
@@ -36,9 +26,26 @@ check_user_pwd() { [ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ] } -if check_user_pwd "{{ iiab_admin_user }}" "g0adm1n"; then # iiab-admin +[ $(id -un) = "root" ] || exit # Exit if run by non-root. So non-root logins +# don't block on above permissions to grep /etc/shadow. As it's unreasonable +# to provide sudo privs to every user (with "NOPASSWD:" password-free sudo +# access or not, as required by graphical logins!) iiab/iiab#2561 + +# 2020-10-10 RECAP: logins (graphical or tty) were blocked on above "sudo grep" +# (at least tty logins finally let sudoers in, after entering password twice!) +# EXCEPTION: ALL GRAPHICAL logins to Raspberry Pi OS still work, no matter +# whether sshpwd-lxde-iiab.sh's "sudo grep" displays our popup warning or not! + +#[ $(id -un) = "{{ iiab_admin_user }}" ] || [ $(id -un) = "root" ] || exit +# HISTORICAL: if password-free sudo access is truly nec, it can be set with +# "iiab-admin ALL=(ALL) NOPASSWD: ALL" in /etc/sudoers as seen in the older: +# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/admin-user.yml +# BUT: popup warning still don't result on most OS's, much as mentioned here: +# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/main.yml#L24-L30 + +if check_user_pwd "{{ iiab_admin_user }}" "{{ iiab_admin_published_pwd }}" ; then # iiab-admin echo - echo "The published password is in use by user '{{ iiab_admin_user }}'." + echo "Published password in use by user '{{ iiab_admin_user }}'." echo "THIS IS A SECURITY RISK - please run 'sudo passwd {{ iiab_admin_user }}' to change it." echo fi From 70783743f564c480215ba8dc7daaf09aea01d9c9 Mon Sep 17 00:00:00 2001 From: A Holt Date: Sun, 11 Oct 2020 02:18:39 -0400 Subject: [PATCH 15/18] Update sshpwd-profile-iiab.sh --- roles/iiab-admin/templates/sshpwd-profile-iiab.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
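Review bot: The new top-level `[ $(id -un) = "root" ] || exit` is in a file installed under `/etc/profile.d/`, which login shells source rather than execute, so `exit` terminates the login shell itself: every non-root shell or SSH login would be dropped the moment the profile is read. A sourced file must use `return` here: `[ "$(id -u)" -eq 0 ] || return`. Quoting the substitution also keeps `[` from seeing a missing operand if `id` fails. check_user_pwd, whose closing lines open the hunk, is defined above it.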
diff --git a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh index e7c49bc50..e5bb4a90b 100755 --- a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh +++ b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh @@ -3,7 +3,7 @@ # SEE ALSO: /etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh sourced from... # https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh # ...invoked by /etc/xdg/lxsession/LXDE-pi/autostart which is customized by... -# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/main.yml#L46-L50 +# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/main.yml#L32-L36 # For Localization/Translation: (use /usr/bin/gettext below if later nec!) #export TEXTDOMAIN=Linux-PAM From 982caf12a43f8152f58c95d41f37554b37b20e52 Mon Sep 17 00:00:00 2001 From: A Holt Date: Sun, 11 Oct 2020 02:52:44 -0400 Subject: [PATCH 16/18] Update sshpwd-profile-iiab.sh --- roles/iiab-admin/templates/sshpwd-profile-iiab.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh index e5bb4a90b..709d54a9e 100755 --- a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh +++ b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh @@ -40,7 +40,7 @@ check_user_pwd() { # HISTORICAL: if password-free sudo access is truly nec, it can be set with # "iiab-admin ALL=(ALL) NOPASSWD: ALL" in /etc/sudoers as seen in the older: # https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/admin-user.yml -# BUT: popup warning still don't result on most OS's, much as mentioned here: +# BUT: popup warnings still don't appear on most OS's, much as mentioned here: # https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/main.yml#L24-L30 if check_user_pwd "{{ iiab_admin_user }}" "{{ iiab_admin_published_pwd }}" ; then # iiab-admin 
From bc61475a8c4d523c762b3829951e0d3603bf16de Mon Sep 17 00:00:00 2001 From: A Holt Date: Sun, 11 Oct 2020 05:28:48 -0400 Subject: [PATCH 17/18] Update sshpwd-lxde-iiab.sh --- roles/iiab-admin/templates/sshpwd-lxde-iiab.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh index ae7915236..28ee6c6dd 100755 --- a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh +++ b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh @@ -23,8 +23,8 @@ check_user_pwd() { [ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ] } -#grep -q "^PasswordAuthentication\s\+no\b" /etc/ssh/sshd_config && exit -#systemctl is-active {{ sshd_service }} || exit +#grep -q "^PasswordAuthentication\s\+no\b" /etc/ssh/sshd_config && return +#systemctl is-active {{ sshd_service }} || return if check_user_pwd "{{ iiab_admin_user }}" "{{ iiab_admin_published_pwd }}" ; then # iiab-admin zenity --warning --width=600 --text="Published password in use by user '{{ iiab_admin_user }}'.\n\nTHIS IS A SECURITY RISK - please change its password using IIAB's Admin Console (http://box.lan/admin) -> Utilities -> Change Password.\n\nSee 'What are the default passwords?' at http://FAQ.IIAB.IO" From b5742d875427f8775dee927290a35554e40cef03 Mon Sep 17 00:00:00 2001 From: A Holt Date: Sun, 11 Oct 2020 05:42:48 -0400 Subject: [PATCH 18/18] Update sshpwd-profile-iiab.sh --- roles/iiab-admin/templates/sshpwd-profile-iiab.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh index 709d54a9e..6eec89801 100755 --- a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh +++ b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh 
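Review bot: The two commented-out guards now read `... && return` and `... || return`, but sshpwd-lxde-iiab.sh is described in its own header as invoked by the LXDE autostart rather than sourced, and a top-level `return` in an executed bash script is an error, whereas the previous `exit` was correct for this file. If these lines are ever re-enabled keep `exit` here (the `return` form is only right for the sourced /etc/profile.d script), or make the guard location-agnostic with `return 2>/dev/null || exit`. As comments they have no runtime effect today.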
@@ -26,17 +26,17 @@ check_user_pwd() { [ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ] } -[ $(id -un) = "root" ] || exit # Exit if run by non-root. So non-root logins -# don't block on above permissions to grep /etc/shadow. As it's unreasonable +[ $(id -un) = "root" ] || return # MUST be executed as root! Non-root logins +# were blocking on above permissions to grep /etc/shadow. As it's unreasonable # to provide sudo privs to every user (with "NOPASSWD:" password-free sudo # access or not, as required by graphical logins!) iiab/iiab#2561 -# 2020-10-10 RECAP: logins (graphical or tty) were blocked on above "sudo grep" +# 2020-10-10 RECAP: most logins (graphical or tty) blocked on above [sudo] grep # (at least tty logins finally let sudoers in, after entering password twice!) -# EXCEPTION: ALL GRAPHICAL logins to Raspberry Pi OS still work, no matter -# whether sshpwd-lxde-iiab.sh's "sudo grep" displays our popup warning or not! +# EXCEPTION: ALL GRAPHICAL logins to Raspberry Pi OS still worked, no matter +# whether sshpwd-lxde-iiab.sh's "sudo grep" displayed our popup warning or not! -#[ $(id -un) = "{{ iiab_admin_user }}" ] || [ $(id -un) = "root" ] || exit +#[ $(id -un) = "{{ iiab_admin_user }}" ] || [ $(id -un) = "root" ] || return # HISTORICAL: if password-free sudo access is truly nec, it can be set with # "iiab-admin ALL=(ALL) NOPASSWD: ALL" in /etc/sudoers as seen in the older: # https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/admin-user.yml
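Review bot: Switching the guard to `[ $(id -un) = "root" ] || return` removes the login-shell lockout, but it also means the warning is printed only in root sessions and never for the iiab-admin user who is actually logging in with the published password; the hunk's own comments explain that reading /etc/shadow is the blocker. A root-owned systemd timer or cron job (or the same check run at the end of the Ansible play) could perform the hash comparison and write a world-readable marker file under /run, after which this profile script would only need a `[ -e "$marker" ]` test with no privilege or sudo at all, and the same marker would serve the graphical popup. Quoting the guard as `[ "$(id -u)" -eq 0 ] || return` also avoids a `[` parse error if `id` fails. check_user_pwd begins above the hunk.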