diff --git a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh index 9c4bd4964..9853aa238 100755 --- a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh +++ b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh @@ -1,31 +1,43 @@ #!/bin/bash -export TEXTDOMAIN=Linux-PAM +# SEE ALSO: /etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh sourced from... +# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh +# ...invoked by customized /etc/xdg/lxsession/LXDE-pi/autostart -. gettext.sh +# For Localisation: +#export TEXTDOMAIN=Linux-PAM +#. gettext.sh +# https://github.com/raspberrypi-ui/pam/blob/master/etc/profile.d/sshpwd.sh +# https://github.com/raspberrypi-ui/pprompt/blob/master/sshpwd.sh # bash syntax "function check_user_pwd() {" was removed, as it prevented all # lightdm/graphical logins (incl autologin) on Raspbian: #1252 -> PR #1253 check_user_pwd() { + + # 1. 'sudo su -' invokes this script as root: + [ $(id -un) = "root" ] || return 1 # FORCE ERROR IF RUN BY NON-root + # *BUT* overall bash script still returns exit code 0 ("success") + # as needed by Ubuntu 20.04 graphical logins, etc! + + # 2. Graphical Logins invoke this script as the user logging in: (USELESSLY) + #[ $(id -un) = "$1" ] || [ $(id -un) = "root" ] || return 1 + # SO FORMERLY: this could also be run by non-root accounts e.g. iiab-admin + # if sudo access set with "%wheel ALL= NOPASSWD: ALL" in /etc/sudoers per + # https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/admin-user.yml + # BUT: warning popups did not result on most OS's, much as mentioned here: + # https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/main.yml#L38-L44 + # $meth (hashing method) is typically '6' which implies 5000 rounds # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password - meth=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2) - salt=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f3) - hash=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f4) + meth=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2) + salt=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f3) + hash=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f4) [ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ] } -# Credit to the folks at the Raspberry Pi Foundation -check_hash() { - if ! id -u iiab-admin > /dev/null 2>&1 ; then return 0 ; fi - if grep -q "^PasswordAuthentication\s*no" /etc/ssh/sshd_config ; then return 0 ; fi - if check_user_pwd "iiab-admin" "{{ iiab_admin_published_pwd }}"; then - echo - echo $(/usr/bin/gettext "SSH is enabled and the published password for user 'iiab-admin' is in use.") - echo $(/usr/bin/gettext "THIS IS A SECURITY RISK - please run 'sudo passwd iiab-admin' to change it.") - echo - fi -} - -systemctl is-active {{ sshd_service }} > /dev/null && check_hash -unset check_hash +if check_user_pwd "iiab-admin" "g0adm1n"; then + echo + echo $(/usr/bin/gettext "The published password for user 'iiab-admin' is in use.") + echo $(/usr/bin/gettext "THIS IS A SECURITY RISK - please run 'sudo passwd iiab-admin' to change it.") + echo +fi