diff --git a/roles/iiab-admin/templates/lxde_ssh_warn.sh b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh similarity index 50% rename from roles/iiab-admin/templates/lxde_ssh_warn.sh rename to roles/iiab-admin/templates/sshpwd-lxde-iiab.sh index db073878c..ea17af847 100755 --- a/roles/iiab-admin/templates/lxde_ssh_warn.sh +++ b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh @@ -1,5 +1,11 @@ #!/bin/bash +export TEXTDOMAIN=pprompt-iiab + +. gettext.sh + +# bash syntax "function check_user_pwd() {" was removed, as it prevented all +# lightdm/graphical logins (incl autologin) on Raspbian: #1252 -> PR #1253 check_user_pwd() { # $meth (hashing method) is typically '6' which implies 5000 rounds # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password @@ -9,24 +15,14 @@ check_user_pwd() { [ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ] } -# credit to the folks at raspberry pi foundatioon +# Credit to the folks at the Raspberry Pi Foundation check_hash() { if ! id -u iiab-admin > /dev/null 2>&1 ; then return 0 ; fi if grep -q "^PasswordAuthentication\s*no" /etc/ssh/sshd_config ; then return 0 ; fi - #test -x /usr/bin/mkpasswd || return 0 - #SHADOW="$(sudo -n grep -E '^iiab-admin:' /etc/shadow 2>/dev/null)" - #test -n "${SHADOW}" || return 0 - #if echo $SHADOW | grep -q "iiab-admin:!" ; then return 0 ; fi - #SHADOW_PW=$(echo $SHADOW | cut -d: -f2) - #if [ "$SHADOW_PW" != "\$6\$iiab51\$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop." ]; then return 0 ; fi - #if echo "${SHADOW}" | grep -q "${HASH}"; then if check_user_pwd "iiab-admin" "{{ iiab_admin_published_pwd }}"; then - zenity --warning --text="SSH is enabled and the published password for user 'iiab-admin' is in use.\nTHIS IS A SECURITY RISK - please change its password using IIAB's Admin Console (http://box/admin) -> Utilities -> Change Password." + zenity --warning --width=600 --text="SSH is enabled and the default password for user 'iiab-admin' is in use.\n\nTHIS IS A SECURITY RISK - please change its password using IIAB's Admin Console (http://box.lan/admin) -> Utilities -> Change Password.\n\nSee 'What are the default passwords?' at http://FAQ.IIAB.IO" fi } -#if service ssh status | grep -q running; then -# check_hash -#fi systemctl is-active {{ sshd_service }} > /dev/null && check_hash unset check_hash