external/iiab
1
0
Fork 0
mirror of https://github.com/iiab/iiab.git synced 2025-02-15 04:32:11 +00:00
Code Issues Releases Wiki Activity

Update profile_ssh_warn.sh

Browse source
This commit is contained in:
A Holt 2018-10-15 02:46:20 -04:00 committed by GitHub
parent 837f5953fd
commit 1cc054b720
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 22 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

36
roles/iiab-admin/templates/profile_ssh_warn.sh
View file

@ -1,19 +1,27 @@
#!/bin/bash
# credit to the folks at raspberry pi foundatioon
check_hash ()
{
if ! id -u iiab-admin > /dev/null 2>&1 ; then return 0 ; fi
if grep -q "^PasswordAuthentication\s*no" /etc/ssh/sshd_config ; then return 0 ; fi
SHADOW="$(sudo -n grep -E '^iiab-admin:' /etc/shadow 2>/dev/null)"
test -n "${SHADOW}" || return 0
if echo $SHADOW | grep -q "iiab-admin:!" ; then return 0 ; fi
SHADOW_PW=$(echo $SHADOW | cut -d: -f2)
if [ "$SHADOW_PW" != '{{ iiab_admin_passw_hash }}' ]; then return 0 ; fi
echo
echo "SSH is enabled and the default password for the 'iiab-admin' user is unchanged."
echo "This is a security risk - please login as the 'iiab-admin' user and type 'passwd' to change password."
echo
function check_user_pwd() {
# $meth (hashing method) is typically '6' which implies 5000 rounds
# of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password
meth=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2)
salt=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f3)
hash=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f4)
[ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ]
}
# credit to the folks at raspberry pi foundatioon
check_hash () {
if ! id -u iiab-admin > /dev/null 2>&1 ; then return 0 ; fi
if grep -q "^PasswordAuthentication\s*no" /etc/ssh/sshd_config ; then return 0 ; fi
#SHADOW="$(sudo -n grep -E '^iiab-admin:' /etc/shadow 2>/dev/null)"
#test -n "${SHADOW}" || return 0
#if echo $SHADOW | grep -q "iiab-admin:!" ; then return 0 ; fi
#SHADOW_PW=$(echo $SHADOW | cut -d: -f2)
#if [ "$SHADOW_PW" != '{{ iiab_admin_passw_hash }}' ]; then return 0 ; fi
if check_user_pwd "iiab-admin" "g0adm1n"; then
echo -e "\nSSH is enabled and the default password for the 'iiab-admin' user is unchanged."
echo -e "This is a security risk - please login as user 'iiab-admin' and run 'passwd' to change its password.\n"
fi
}
systemctl is-active {{ sshd_service }} > /dev/null && check_hash