diff --git a/roles/iiab-admin/tasks/pwd-warnings.yml b/roles/iiab-admin/tasks/pwd-warnings.yml
index fba510883..d1379b3fb 100644
--- a/roles/iiab-admin/tasks/pwd-warnings.yml
+++ b/roles/iiab-admin/tasks/pwd-warnings.yml
@@ -1,20 +1,20 @@
 - name: Install /etc/profile.d/sshpwd-profile-iiab.sh from template, to issue warnings (during shell/ssh logins) if iiab-admin password is the default
   template:
-    src: sshpwd-profile-iiab.sh
-    dest: /etc/profile.d/
+    src: sshpwd-profile-iiab.sh.j2
+    dest: /etc/profile.d/sshpwd-profile-iiab.sh
     mode: '0644'
 
-- name: Is this LXDE-pi?
+- name: Is /etc/xdg/lxsession/LXDE-pi a directory?
   stat:
     path: /etc/xdg/lxsession/LXDE-pi
   register: lx
 
-- name: "Likewise for Raspbian, installing: /etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh"
+- name: "If so, install from template: /etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh"
   template:
-    src: sshpwd-lxde-iiab.sh
-    dest: /etc/xdg/lxsession/LXDE-pi/
+    src: sshpwd-lxde-iiab.sh.j2
+    dest: /etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh
     mode: '0755'
-  when: lx.stat.isdir is defined and lx.stat.isdir and is_raspbian and is_debuntu
+  when: lx.stat.isdir is defined and lx.stat.isdir # and is_raspbian
 
 # 2019-03-07: This popup (/etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh) does
 # not actually appear when triggered by /etc/xdg/autostart/pprompt-iiab.desktop
@@ -24,8 +24,8 @@
 # https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html
 # Raspbian's 2016-2018 evolution here: https://github.com/iiab/iiab/issues/1537
 
-- name: Put line in /etc/xdg/lxsession/LXDE-pi/autostart to run the above (raspbian)
+- name: ...and put a line in /etc/xdg/lxsession/LXDE-pi/autostart to trigger popups
   lineinfile:
     path: /etc/xdg/lxsession/LXDE-pi/autostart
     line: "@/etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh"
-  when: lx.stat.isdir is defined and lx.stat.isdir and is_raspbian and is_debuntu
+  when: lx.stat.isdir is defined and lx.stat.isdir # and is_raspbian
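Review bot: The retired condition is kept as a trailing `# and is_raspbian` inside the plain-scalar value of `when:` on both new `when:` lines (the template task in the first hunk and the lineinfile task in the second); that only works because an unquoted scalar stops at ` #`, and if anyone later quotes the expression the fragment becomes part of the Jinja test and breaks it. Moving it to a comment line above the task, e.g. `# 2021-08-28: no longer also requires is_raspbian / is_debuntu`, keeps the history without depending on scalar parsing. The two `when:` tests could also be shortened to `when: lx.stat.isdir | default(false)`, which is the same truth table when `isdir` is absent.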
diff --git a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh.j2
similarity index 74%
rename from roles/iiab-admin/templates/sshpwd-lxde-iiab.sh
rename to roles/iiab-admin/templates/sshpwd-lxde-iiab.sh.j2
index 972ee3d88..fe7e8ae1b 100755
--- a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh
+++ b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh.j2
@@ -24,12 +24,17 @@ check_user_pwd() {
   # (read access to /etc/shadow is otherwise restricted to just root and
   # group www-data i.e. Apache, NGINX get special access). SEE: #2431, #2561
 
-  # $meth (hashing method) is typically '6' which implies 5000 rounds
-  # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password
-  meth=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2)
-  salt=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f3)
-  hash=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f4)
-  [ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ]
+  # 2021-08-28: New OS's use 'yescrypt' so use Perl instead of Python (#2949)
+  # This also helps avoid parsing the (NEW) 4th sub-field in $y$j9T$SALT$HASH
+  field2=$(grep "^$1:" /etc/shadow | cut -d: -f2)
+  [[ $(perl -e "print crypt('$2', '$field2')") == $field2 ]]
+
+  # # $meth (hashing method) is typically '6' which implies 5000 rounds
+  # # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password
+  # meth=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2)
+  # salt=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f3)
+  # hash=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f4)
+  # [ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ]
 }
 
 #grep -q "^PasswordAuthentication\s\+no\b" /etc/ssh/sshd_config && return
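Review bot: The right-hand side of the new `[[ $(perl -e "print crypt('$2', '$field2')") == $field2 ]]` is unquoted, and inside `[[ ]]` an unquoted right operand of `==` is a glob pattern, not a literal string; for an account whose shadow field is `*` the pattern matches whatever perl prints, so the function reports the published password as in use when no password is set at all. The password and the hash are also spliced into Perl source text, so a `'` in either value breaks the one-liner; passing them as arguments avoids both problems: `[[ $(perl -e 'print crypt($ARGV[0], $ARGV[1])' "$2" "$field2") == "$field2" ]]`. Presumably an empty `$field2` (user absent, or /etc/shadow unreadable — note the new `grep` line in this file drops the `sudo` the removed lines used, while the comment two lines above says read access is restricted to root and www-data) should be an explicit non-match, e.g. `[ -n "$field2" ] || return 1` before the comparison, unless the lines above the hunk already handle that. The same unquoted comparison is added in the sshpwd-profile-iiab.sh.j2 hunk and needs the same quoting. check_user_pwd's opening line is outside this hunk.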
diff --git a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh.j2
similarity index 70%
rename from roles/iiab-admin/templates/sshpwd-profile-iiab.sh
rename to roles/iiab-admin/templates/sshpwd-profile-iiab.sh.j2
index 259da8139..24d87886c 100755
--- a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh
+++ b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh.j2
@@ -23,12 +23,17 @@ check_user_pwd() {
   # enough when user does not exist. Or uncomment to FORCE ERROR CODE 2.
   # Either way, overall bash script still returns exit code 0 ("success").
 
-  # $meth (hashing method) is typically '6' which implies 5000 rounds
-  # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password
-  meth=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2)
-  salt=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f3)
-  hash=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f4)
-  [ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ]
+  # 2021-08-28: New OS's use 'yescrypt' so use Perl instead of Python (#2949)
+  # This also helps avoid parsing the (NEW) 4th sub-field in $y$j9T$SALT$HASH
+  field2=$(grep "^$1:" /etc/shadow | cut -d: -f2)
+  [[ $(perl -e "print crypt('$2', '$field2')") == $field2 ]]
+
+  # # $meth (hashing method) is typically '6' which implies 5000 rounds
+  # # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password
+  # meth=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2)
+  # salt=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f3)
+  # hash=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f4)
+  # [ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ]
 }
 
 # 2020-10-13 https://github.com/iiab/iiab/issues/2561 RECAP: Above was blocking
@@ -47,7 +52,7 @@ check_user_pwd() {
 if check_user_pwd "{{ iiab_admin_user }}" "{{ iiab_admin_published_pwd }}" ; then # iiab-admin g0adm1n
   echo
-  echo "Published password in use by user '{{ iiab_admin_user }}'."
-  echo "THIS IS A SECURITY RISK - please run 'sudo passwd {{ iiab_admin_user }}' to change it."
+  echo -e "\e[41;1mPublished password in use by user '{{ iiab_admin_user }}'.\e[0m"
+  echo -e "\e[100;1mTHIS IS A SECURITY RISK - please run 'sudo passwd {{ iiab_admin_user }}' to change it.\e[0m"
   echo
 fi