From 029778139b5437cc41f454ed41965e7b595fcda9 Mon Sep 17 00:00:00 2001
From: root
Date: Sat, 28 Aug 2021 22:16:03 -0400
Subject: [PATCH 1/5] Check passwds hashed w/ 'yescrypt' etc too, in /etc/shadow
---
 roles/iiab-admin/templates/sshpwd-lxde-iiab.sh | 17 +++++++++++------
 .../iiab-admin/templates/sshpwd-profile-iiab.sh | 17 +++++++++++------
 2 files changed, 22 insertions(+), 12 deletions(-)
diff --git a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh
index 972ee3d88..fe7e8ae1b 100755
--- a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh
+++ b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh
@@ -24,12 +24,17 @@ check_user_pwd() { # (read access to /etc/shadow is otherwise restricted to just root and # group www-data i.e. Apache, NGINX get special access). SEE: #2431, #2561 - # $meth (hashing method) is typically '6' which implies 5000 rounds - # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password - meth=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2) - salt=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f3) - hash=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f4) - [ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ] + # 2021-08-28: New OS's use 'yescrypt' so use Perl instead of Python (#2949) + # This also helps avoid parsing the (NEW) 4th sub-field in $y$j9T$SALT$HASH + field2=$(grep "^$1:" /etc/shadow | cut -d: -f2) + [[ $(perl -e "print crypt('$2', '$field2')") == $field2 ]] + + # # $meth (hashing method) is typically '6' which implies 5000 rounds + # # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password + # meth=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2) + # salt=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f3) + # hash=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f4) + # [ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ] } #grep -q "^PasswordAuthentication\s\+no\b" /etc/ssh/sshd_config && return diff --git a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh index 259da8139..5dc3e92f1 100755 --- a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh +++ b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh 
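Review bot: The right-hand side of the new `[[ $(perl -e "print crypt('$2', '$field2')") == $field2 ]]` is unquoted, and inside `[[` an unquoted right operand is a glob pattern, not a string: for an account whose shadow field is `*` (locked, no password), the pattern `*` matches whatever Perl printed and check_user_pwd reports the published password as in use. The new `grep` also drops the `sudo` the removed lines used; if /etc/shadow is not readable by the session user (the comment above the hunk says that is the normal case for non-root), `field2` is empty, and on a libc whose crypt() returns NULL for an invalid salt Perl prints nothing, so two empty strings compare equal and the same false warning appears. I would bail out on an empty field and quote the operand: `[[ -n $field2 ]] || return 1` followed by `[[ $(perl -e "print crypt('$2', '$field2')") == "$field2" ]]`. Whether this script's user is granted shadow access is arranged outside the hunk, so confirm that before relying on the un-sudo'd grep.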
@@ -23,12 +23,17 @@ check_user_pwd() { # enough when user does not exist. Or uncomment to FORCE ERROR CODE 2. # Either way, overall bash script still returns exit code 0 ("success"). - # $meth (hashing method) is typically '6' which implies 5000 rounds - # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password - meth=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2) - salt=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f3) - hash=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f4) - [ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ] + # 2021-08-28: New OS's use 'yescrypt' so use Perl instead of Python (#2949) + # This also helps avoid parsing the (NEW) 4th sub-field in $y$j9T$SALT$HASH + field2=$(grep "^$1:" /etc/shadow | cut -d: -f2) + [[ $(perl -e "print crypt('$2', '$field2')") == $field2 ]] + + # # $meth (hashing method) is typically '6' which implies 5000 rounds + # # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password + # meth=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2) + # salt=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f3) + # hash=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f4) + # [ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ] } # 2020-10-13 https://github.com/iiab/iiab/issues/2561 RECAP: Above was blocking From cb0f1f171c605468d5d62c047164e364bc4251af Mon Sep 17 00:00:00 2001 
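Review bot: The password and the shadow field are spliced into Perl source through a double-quoted shell string, `perl -e "print crypt('$2', '$field2')"`, so a `'`, `\`, backtick or `$` in `{{ iiab_admin_published_pwd }}` (or in the hash) is parsed as shell or Perl syntax rather than data, which at best breaks the check and at worst executes it. Passing both values as arguments avoids that entirely and at the same time quotes the comparison operand, which as written is a glob pattern inside `[[` (a locked account with `*` in field 2 matches anything): `[[ $(perl -e 'print crypt($ARGV[0], $ARGV[1])' "$2" "$field2") == "$field2" ]]`. This file runs under every login shell without sudo, so an unreadable /etc/shadow yields an empty `field2` just like the missing-user case the comment at the top of the hunk refers to; if the guard for that case lives above the hunk, I cannot see it from here, otherwise add `[[ -n $field2 ]] || return 1` before the comparison.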
From: root Date: Sat, 28 Aug 2021 22:32:46 -0400 Subject: [PATCH 2/5] iiab-admin/tasks/pwd-warnings.yml: Rename templates to .j2 --- roles/iiab-admin/tasks/pwd-warnings.yml | 10 +++++----- .../{sshpwd-lxde-iiab.sh => sshpwd-lxde-iiab.sh.j2} | 0 ...shpwd-profile-iiab.sh => sshpwd-profile-iiab.sh.j2} | 0 3 files changed, 5 insertions(+), 5 deletions(-) rename roles/iiab-admin/templates/{sshpwd-lxde-iiab.sh => sshpwd-lxde-iiab.sh.j2} (100%) rename roles/iiab-admin/templates/{sshpwd-profile-iiab.sh => sshpwd-profile-iiab.sh.j2} (100%) diff --git a/roles/iiab-admin/tasks/pwd-warnings.yml b/roles/iiab-admin/tasks/pwd-warnings.yml index fba510883..d12ef87e0 100644 --- a/roles/iiab-admin/tasks/pwd-warnings.yml +++ b/roles/iiab-admin/tasks/pwd-warnings.yml @@ -1,7 +1,7 @@ - name: Install /etc/profile.d/sshpwd-profile-iiab.sh from template, to issue warnings (during shell/ssh logins) if iiab-admin password is the default template: - src: sshpwd-profile-iiab.sh - dest: /etc/profile.d/ + src: sshpwd-profile-iiab.sh.j2 + dest: /etc/profile.d/sshpwd-profile-iiab.sh mode: '0644' - name: Is this LXDE-pi? @@ -11,8 +11,8 @@ - name: "Likewise for Raspbian, installing: /etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh" template: - src: sshpwd-lxde-iiab.sh - dest: /etc/xdg/lxsession/LXDE-pi/ + src: sshpwd-lxde-iiab.sh.j2 + dest: /etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh mode: '0755' when: lx.stat.isdir is defined and lx.stat.isdir and is_raspbian and is_debuntu @@ -28,4 +28,4 @@ lineinfile: path: /etc/xdg/lxsession/LXDE-pi/autostart line: "@/etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh" - when: lx.stat.isdir is defined and lx.stat.isdir and is_raspbian and is_debuntu + when: lx.stat.isdir is defined and lx.stat.isdir and is_raspbian diff --git a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh.j2 similarity index 100% rename from roles/iiab-admin/templates/sshpwd-lxde-iiab.sh rename to roles/iiab-admin/templates/sshpwd-lxde-iiab.sh.j2 
diff --git a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh.j2 similarity index 100% rename from roles/iiab-admin/templates/sshpwd-profile-iiab.sh rename to roles/iiab-admin/templates/sshpwd-profile-iiab.sh.j2 From 6d1b98de644c92b7b20830283c23a4bbce72b0a2 Mon Sep 17 00:00:00 2001 From: A Holt Date: Sat, 28 Aug 2021 22:49:05 -0400 Subject: [PATCH 3/5] iiab-admin/tasks/pwd-warnings.yml: Tighten up 'when: lx.stat.isdir' (/etc/xdg/lxsession/LXDE-pi) --- roles/iiab-admin/tasks/pwd-warnings.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/iiab-admin/tasks/pwd-warnings.yml b/roles/iiab-admin/tasks/pwd-warnings.yml index d12ef87e0..3e18ca4ec 100644 --- a/roles/iiab-admin/tasks/pwd-warnings.yml +++ b/roles/iiab-admin/tasks/pwd-warnings.yml @@ -4,17 +4,17 @@ dest: /etc/profile.d/sshpwd-profile-iiab.sh mode: '0644' -- name: Is this LXDE-pi? +- name: Is /etc/xdg/lxsession/LXDE-pi a directory? stat: path: /etc/xdg/lxsession/LXDE-pi register: lx -- name: "Likewise for Raspbian, installing: /etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh" +- name: "If so, install: /etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh" template: src: sshpwd-lxde-iiab.sh.j2 dest: /etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh mode: '0755' - when: lx.stat.isdir is defined and lx.stat.isdir and is_raspbian and is_debuntu + when: lx.stat.isdir is defined and lx.stat.isdir # and is_raspbian # 2019-03-07: This popup (/etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh) does # not actually appear when triggered by /etc/xdg/autostart/pprompt-iiab.desktop 
@@ -24,8 +24,8 @@ # https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html # Raspbian's 2016-2018 evolution here: https://github.com/iiab/iiab/issues/1537 -- name: Put line in /etc/xdg/lxsession/LXDE-pi/autostart to run the above (raspbian) +- name: ...and put a line in /etc/xdg/lxsession/LXDE-pi/autostart to trigger popups lineinfile: path: /etc/xdg/lxsession/LXDE-pi/autostart line: "@/etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh" - when: lx.stat.isdir is defined and lx.stat.isdir and is_raspbian + when: lx.stat.isdir is defined and lx.stat.isdir # and is_raspbian From df91dff1bc568ae36f14059a78f355f92b11c515 Mon Sep 17 00:00:00 2001 From: A Holt Date: Sat, 28 Aug 2021 22:52:12 -0400 Subject: [PATCH 4/5] iiab-admin/tasks/pwd-warnings.yml: Verbiage tweak --- roles/iiab-admin/tasks/pwd-warnings.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/iiab-admin/tasks/pwd-warnings.yml b/roles/iiab-admin/tasks/pwd-warnings.yml index 3e18ca4ec..d1379b3fb 100644 --- a/roles/iiab-admin/tasks/pwd-warnings.yml +++ b/roles/iiab-admin/tasks/pwd-warnings.yml @@ -9,7 +9,7 @@ path: /etc/xdg/lxsession/LXDE-pi register: lx -- name: "If so, install: /etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh" +- name: "If so, install from template: /etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh" template: src: sshpwd-lxde-iiab.sh.j2 dest: /etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh From 8152b0d8b37536bf646daabc9025745c140d5e15 Mon Sep 17 00:00:00 2001 From: root Date: Sat, 28 Aug 2021 23:04:10 -0400 Subject: [PATCH 5/5] /etc/profile.d/sshpwd-profile-iiab.sh: Color warning --- roles/iiab-admin/templates/sshpwd-profile-iiab.sh.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh.j2 b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh.j2 index 5dc3e92f1..24d87886c 100755 --- a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh.j2 
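Review bot: Relaxing `when:` to just `lx.stat.isdir` makes the lineinfile task run on any host where /etc/xdg/lxsession/LXDE-pi exists, and lineinfile does not create a missing target file by default, so a host with that directory but no `autostart` file would now fail the play instead of skipping it, unless that file is guaranteed elsewhere; if that is not guaranteed, add `create: yes` (or a `stat` on the file) to the task. The trailing `# and is_raspbian` left inside the `when:` value is a YAML comment and so harmless, but it is easy to misread as part of the expression; if the Raspbian restriction is gone for good, drop it, otherwise say in a comment line above the task why it was lifted.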
+++ b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh.j2 @@ -52,7 +52,7 @@ check_user_pwd() { if check_user_pwd "{{ iiab_admin_user }}" "{{ iiab_admin_published_pwd }}" ; then # iiab-admin g0adm1n echo - echo "Published password in use by user '{{ iiab_admin_user }}'." - echo "THIS IS A SECURITY RISK - please run 'sudo passwd {{ iiab_admin_user }}' to change it." + echo -e "\e[41;1mPublished password in use by user '{{ iiab_admin_user }}'.\e[0m" + echo -e "\e[100;1mTHIS IS A SECURITY RISK - please run 'sudo passwd {{ iiab_admin_user }}' to change it.\e[0m" echo fi
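Review bot: `echo -e` with `\e` relies on bash's builtin echo; /etc/profile.d/*.sh is sourced by /etc/profile under whatever login shell the user has, and dash's echo prints `-e` literally and does not understand `\e` (the `[[` already used in check_user_pwd makes this file bash-only anyway, so that may be an accepted constraint). The colour sequences are also emitted unconditionally, so a login whose output is captured rather than displayed gets raw control characters in the text. A form that is portable and degrades cleanly is `printf '\033[41;1m%s\033[0m\n' "Published password in use by user '{{ iiab_admin_user }}'."`, optionally guarded by `[ -t 1 ]` to fall back to plain text when stdout is not a terminal. The closing of check_user_pwd that precedes this top-level `if` is outside the hunk.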