mirror of
https://github.com/iiab/iiab.git
synced 2025-03-09 15:40:17 +00:00
sshpwd-profile-iiab.sh blocked graphical logins
This commit is contained in:
parent
27b5cabce8
commit
284edb1b34
1 changed files with 31 additions and 19 deletions
|
@ -1,31 +1,43 @@
|
|||
#!/bin/bash
|
||||
|
||||
export TEXTDOMAIN=Linux-PAM
|
||||
# SEE ALSO: /etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh sourced from...
|
||||
# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh
|
||||
# ...invoked by customized /etc/xdg/lxsession/LXDE-pi/autostart
|
||||
|
||||
. gettext.sh
|
||||
# For Localisation:
|
||||
#export TEXTDOMAIN=Linux-PAM
|
||||
#. gettext.sh
|
||||
# https://github.com/raspberrypi-ui/pam/blob/master/etc/profile.d/sshpwd.sh
|
||||
# https://github.com/raspberrypi-ui/pprompt/blob/master/sshpwd.sh
|
||||
|
||||
# bash syntax "function check_user_pwd() {" was removed, as it prevented all
|
||||
# lightdm/graphical logins (incl autologin) on Raspbian: #1252 -> PR #1253
|
||||
check_user_pwd() {
|
||||
|
||||
# 1. 'sudo su -' invokes this script as root:
|
||||
[ $(id -un) = "root" ] || return 1 # FORCE ERROR IF RUN BY NON-root
|
||||
# *BUT* overall bash script still returns exit code 0 ("success")
|
||||
# as needed by Ubuntu 20.04 graphical logins, etc!
|
||||
|
||||
# 2. Graphical Logins invoke this script as the user logging in: (USELESSLY)
|
||||
#[ $(id -un) = "$1" ] || [ $(id -un) = "root" ] || return 1
|
||||
# SO FORMERLY: this could also be run by non-root accounts e.g. iiab-admin
|
||||
# if sudo access set with "%wheel ALL= NOPASSWD: ALL" in /etc/sudoers per
|
||||
# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/admin-user.yml
|
||||
# BUT: warning popups did not result on most OS's, much as mentioned here:
|
||||
# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/main.yml#L38-L44
|
||||
|
||||
# $meth (hashing method) is typically '6' which implies 5000 rounds
|
||||
# of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password
|
||||
meth=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2)
|
||||
salt=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f3)
|
||||
hash=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f4)
|
||||
meth=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2)
|
||||
salt=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f3)
|
||||
hash=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f4)
|
||||
[ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ]
|
||||
}
|
||||
|
||||
# Credit to the folks at the Raspberry Pi Foundation
|
||||
check_hash() {
|
||||
if ! id -u iiab-admin > /dev/null 2>&1 ; then return 0 ; fi
|
||||
if grep -q "^PasswordAuthentication\s*no" /etc/ssh/sshd_config ; then return 0 ; fi
|
||||
if check_user_pwd "iiab-admin" "{{ iiab_admin_published_pwd }}"; then
|
||||
if check_user_pwd "iiab-admin" "g0adm1n"; then
|
||||
echo
|
||||
echo $(/usr/bin/gettext "SSH is enabled and the published password for user 'iiab-admin' is in use.")
|
||||
echo $(/usr/bin/gettext "The published password for user 'iiab-admin' is in use.")
|
||||
echo $(/usr/bin/gettext "THIS IS A SECURITY RISK - please run 'sudo passwd iiab-admin' to change it.")
|
||||
echo
|
||||
fi
|
||||
}
|
||||
|
||||
systemctl is-active {{ sshd_service }} > /dev/null && check_hash
|
||||
unset check_hash
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue