From 4ce8f873d8cc917c49e9ed18ef27b534d84b8bf3 Mon Sep 17 00:00:00 2001
From: A Holt
Date: Tue, 13 Oct 2020 20:58:13 -0400
Subject: [PATCH] Update sshpwd-lxde-iiab.sh
---
 roles/iiab-admin/templates/sshpwd-lxde-iiab.sh | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh
index 28c2fc67e..b1fd88644 100755
--- a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh
+++ b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh
@@ -16,6 +16,11 @@ check_user_pwd() {
 # enough when user does not exist. Or uncomment to FORCE ERROR CODE 2.
 # Either way, overall bash script still returns exit code 0 ("success")
 
+ # sudo works below (unlike in sshpwd-profile-iiab.sh) b/c RaspiOS ships w/
+ # /etc/sudoers.d/010_pi-nopasswd containing "pi ALL=(ALL) NOPASSWD: ALL"
+ # (read access to /etc/shadow is otherwise restricted to just root and
+ # group www-data i.e. Apache, NGINX get special access). SEE: #2431, #2561
+
 # $meth (hashing method) is typically '6' which implies 5000 rounds
 # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password
 meth=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2)
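Review bot: The added comment says `sudo grep` on /etc/shadow works only because RaspiOS ships the `pi ALL=(ALL) NOPASSWD: ALL` rule, but it does not say what the script does when that rule is absent (a different OS or login user, or a system where 010_pi-nopasswd was removed as hardening). In that case the `meth=$(sudo grep "^$1:" /etc/shadow ...)` line would presumably prompt or fail and leave `meth` empty, so the password check could end up skipped without any visible sign; the rest of check_user_pwd is outside the hunk, so this needs confirming against the full function. I would add one more comment line, for example `# Without passwordless sudo, meth is empty and the check below is skipped` (worded to match the verified behaviour), and consider `sudo -n grep ...` so the call fails at once instead of waiting for a password at desktop login.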