From 4ce8f873d8cc917c49e9ed18ef27b534d84b8bf3 Mon Sep 17 00:00:00 2001
From: A Holt <holta@users.noreply.github.com>
Date: Tue, 13 Oct 2020 20:58:13 -0400
Subject: [PATCH] Update sshpwd-lxde-iiab.sh

---
 roles/iiab-admin/templates/sshpwd-lxde-iiab.sh | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh
index 28c2fc67e..b1fd88644 100755
--- a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh
+++ b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh
@@ -16,6 +16,11 @@ check_user_pwd() {
     # enough when user does not exist.  Or uncomment to FORCE ERROR CODE 2.
     # Either way, overall bash script still returns exit code 0 ("success")
 
+    # sudo works below (unlike in sshpwd-profile-iiab.sh) b/c RaspiOS ships w/
+    # /etc/sudoers.d/010_pi-nopasswd containing "pi ALL=(ALL) NOPASSWD: ALL"
+    # (read access to /etc/shadow is otherwise restricted to just root and
+    # group www-data i.e. Apache, NGINX get special access).  SEE: #2431, #2561
+
     # $meth (hashing method) is typically '6' which implies 5000 rounds
     # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password
     meth=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2)