From 7cb881f4bf9f79475617b6fafffb4ba4d58ecdd7 Mon Sep 17 00:00:00 2001 From: A Holt Date: Sun, 11 Oct 2020 00:10:47 -0400 Subject: [PATCH] Update sshpwd-lxde-iiab.sh --- .../iiab-admin/templates/sshpwd-lxde-iiab.sh | 28 +++++++++++-------- 1 file changed, 16 insertions(+), 12 deletions(-) diff --git a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh index 2d10f45d1..ae7915236 100755 --- a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh +++ b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh @@ -1,12 +1,20 @@ #!/bin/bash -export TEXTDOMAIN=pprompt-iiab +# SEE ALSO: /etc/profile.d/sshpwd-profile-iiab.sh sourced from... +# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-profile-iiab.sh -. gettext.sh +# For Localization/Translation: (use /usr/bin/gettext below if later nec!) +#export TEXTDOMAIN=pprompt-iiab +#. gettext.sh +# https://github.com/raspberrypi-ui/pam/blob/master/etc/profile.d/sshpwd.sh +# https://github.com/raspberrypi-ui/pprompt/blob/master/sshpwd.sh # bash syntax "function check_user_pwd() {" was removed, as it prevented all # lightdm/graphical logins (incl autologin) on Raspbian: #1252 -> PR #1253 check_user_pwd() { + id -u $1 > /dev/null 2>&1 || return 2 # FORCE ERROR if no such user + # *BUT* overall bash script still returns exit code 0 ("success") + # $meth (hashing method) is typically '6' which implies 5000 rounds # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password meth=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2) @@ -15,14 +23,10 @@ check_user_pwd() { [ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ] } -# Credit to the folks at the Raspberry Pi Foundation -check_hash() { - if ! id -u {{ iiab_admin_user }} > /dev/null 2> &1 ; then return 0 ; fi # iiab-admin - if grep -q "^PasswordAuthentication\s\+no\b" /etc/ssh/sshd_config ; then return 0 ; fi - if check_user_pwd "{{ iiab_admin_user }}" "{{ iiab_admin_published_pwd }}" ; then - zenity --warning --width=600 --text="SSH is enabled and the published password is in use by user '{{ iiab_admin_user }}'.\n\nTHIS IS A SECURITY RISK - please change its password using IIAB's Admin Console (http://box.lan/admin) -> Utilities -> Change Password.\n\nSee 'What are the default passwords?' at http://FAQ.IIAB.IO" - fi -} +#grep -q "^PasswordAuthentication\s\+no\b" /etc/ssh/sshd_config && exit +#systemctl is-active {{ sshd_service }} || exit -systemctl is-active {{ sshd_service }} > /dev/null && check_hash -unset check_hash +if check_user_pwd "{{ iiab_admin_user }}" "{{ iiab_admin_published_pwd }}" ; then # iiab-admin + zenity --warning --width=600 --text="Published password in use by user '{{ iiab_admin_user }}'.\n\nTHIS IS A SECURITY RISK - please change its password using IIAB's Admin Console (http://box.lan/admin) -> Utilities -> Change Password.\n\nSee 'What are the default passwords?' at http://FAQ.IIAB.IO" + #zenity --warning --width=600 --text="SSH is enabled and the published password is in use by user '{{ iiab_admin_user }}'.\n\nTHIS IS A SECURITY RISK - please change its password using IIAB's Admin Console (http://box.lan/admin) -> Utilities -> Change Password.\n\nSee 'What are the default passwords?' at http://FAQ.IIAB.IO" +fi