From 799f47b950ccc5db63575ad2c2cc148473aa1b20 Mon Sep 17 00:00:00 2001
From: A Holt
Date: Tue, 20 Sep 2022 21:02:18 -0400
Subject: [PATCH 1/8] sshpwd-lxde-iiab.sh.j2: sudo to verify /etc/shadow

---
 roles/iiab-admin/templates/sshpwd-lxde-iiab.sh.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh.j2 b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh.j2
index 23d0816ec..e61f4dfec 100755
--- a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh.j2
+++ b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh.j2
@@ -26,7 +26,7 @@ check_user_pwd() {
     # 2021-08-28: New OS's use 'yescrypt' so use Perl instead of Python (#2949)
     # This also helps avoid parsing the (NEW) 4th sub-field in $y$j9T$SALT$HASH
-    field2=$(grep "^$1:" /etc/shadow | cut -d: -f2)
+    field2=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2)
     [[ $(perl -e "print crypt('$2', '$field2')") == $field2 ]]
     #
     # $meth (hashing method) is typically '6' which implies 5000 rounds

From 8ed159b5c2c181bed53128d32bc1b7dbfeab2f3d Mon Sep 17 00:00:00 2001
From: A Holt
Date: Tue, 20 Sep 2022 21:08:38 -0400
Subject: [PATCH 2/8] sshpwd-profile-iiab.sh.j2: sudo to verify /etc/shadow

---
 roles/iiab-admin/templates/sshpwd-profile-iiab.sh.j2 | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh.j2 b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh.j2
index 24d87886c..7cea14c41 100755
--- a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh.j2
+++ b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh.j2
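Review bot: The new `sudo grep "^$1:" /etc/shadow` leaves the function silent when sudo cannot read the file: `$field2` is then empty and the unchanged crypt comparison on the next line still runs against an empty salt, so "could not read /etc/shadow" is reported the same way as a password mismatch instead of the error code 2 this function uses for that case elsewhere in the series. A guard right after the assignment keeps the two apart: `[ -n "$field2" ] || return 2`. The login name is also interpolated into a regex that now runs as root; `field2=$(sudo getent shadow "$1" | cut -d: -f2)` exact-matches the name and avoids the pattern entirely, assuming getent is available on the target systems. The same applies to every later hunk in this series that touches this line in either template. check_user_pwd's body continues outside the hunk.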
@@ -16,7 +16,8 @@ check_user_pwd() {
     #[ $(id -un) = "root" ] || return 2
     #[ $(id -un) = "root" ] || [ $(id -un) = "iiab-admin" ] || return 2
-    [ -r /etc/shadow ] || return 2 # FORCE ERROR if /etc/shadow not readable
+
+    #[ -r /etc/shadow ] || return 2 # FORCE ERROR if /etc/shadow not readable
     # *BUT* overall bash script still returns exit code 0 ("success").
     #id -u $1 > /dev/null 2>&1 || return 2 # Not needed if return 1 is good
@@ -25,7 +26,7 @@ check_user_pwd() {
     # 2021-08-28: New OS's use 'yescrypt' so use Perl instead of Python (#2949)
     # This also helps avoid parsing the (NEW) 4th sub-field in $y$j9T$SALT$HASH
-    field2=$(grep "^$1:" /etc/shadow | cut -d: -f2)
+    field2=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2) || return 2 # TRY TO FORCE ERROR if /etc/shadow not readable even with sudo
     [[ $(perl -e "print crypt('$2', '$field2')") == $field2 ]]
     #
     # $meth (hashing method) is typically '6' which implies 5000 rounds

From bdbdefa129e0a98eeb0834df0e5f811c3adf10a4 Mon Sep 17 00:00:00 2001
From: A Holt
Date: Tue, 20 Sep 2022 21:37:57 -0400
Subject: [PATCH 3/8] sshpwd-lxde-iiab.sh.j2: 'sudo -n' avoids pwd prompts

---
 roles/iiab-admin/templates/sshpwd-lxde-iiab.sh.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh.j2 b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh.j2
index e61f4dfec..e755bd638 100755
--- a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh.j2
+++ b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh.j2
@@ -26,7 +26,7 @@ check_user_pwd() {
     # 2021-08-28: New OS's use 'yescrypt' so use Perl instead of Python (#2949)
     # This also helps avoid parsing the (NEW) 4th sub-field in $y$j9T$SALT$HASH
-    field2=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2)
+    field2=$(sudo -n grep "^$1:" /etc/shadow | cut -d: -f2)
     [[ $(perl -e "print crypt('$2', '$field2')") == $field2 ]]
     #
     # $meth (hashing method) is typically '6' which implies 5000 rounds

From 763c6258c7af5daa50baca3c31f82cff1916e5ed Mon Sep 17 00:00:00 2001
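Review bot: The `|| return 2` appended to `field2=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2)` in the second hunk of patch 2 tests the exit status of `cut`, the last command in the pipeline, not of `sudo grep`, so a sudo failure never reaches the `return 2` unless the script enables `pipefail`, which is not visible here; the "TRY TO FORCE ERROR" the comment promises does not happen. Checking the captured value instead works regardless of pipeline status: `[ -n "$field2" ] || return 2` on the following line. In the first hunk the `[ -r /etc/shadow ]` line is commented out rather than removed, so the surviving `# *BUT* overall bash script still returns exit code 0` comment now describes a disabled check and reads as leftover. check_user_pwd's body continues outside both hunks.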
From: A Holt
Date: Tue, 20 Sep 2022 21:38:52 -0400
Subject: [PATCH 4/8] sshpwd-profile-iiab.sh.j2: 'sudo -n' avoids pwd prompts

---
 roles/iiab-admin/templates/sshpwd-profile-iiab.sh.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh.j2 b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh.j2
index 7cea14c41..1dc7d0c2f 100755
--- a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh.j2
+++ b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh.j2
@@ -26,7 +26,7 @@ check_user_pwd() {
     # 2021-08-28: New OS's use 'yescrypt' so use Perl instead of Python (#2949)
     # This also helps avoid parsing the (NEW) 4th sub-field in $y$j9T$SALT$HASH
-    field2=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2) || return 2 # TRY TO FORCE ERROR if /etc/shadow not readable even with sudo
+    field2=$(sudo -n grep "^$1:" /etc/shadow | cut -d: -f2) || return 2 # TRY TO FORCE ERROR if /etc/shadow not readable even with sudo
     [[ $(perl -e "print crypt('$2', '$field2')") == $field2 ]]
     #
     # $meth (hashing method) is typically '6' which implies 5000 rounds

From 1aafc818a474230f8e69004683bb2ee0d3131e5f Mon Sep 17 00:00:00 2001
From: A Holt
Date: Wed, 21 Sep 2022 00:22:44 -0400
Subject: [PATCH 5/8] sshpwd-profile-iiab.sh.j2: Explain 'sudo -s' exception

---
 roles/iiab-admin/templates/sshpwd-profile-iiab.sh.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh.j2 b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh.j2
index 1dc7d0c2f..7443f00ce 100755
--- a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh.j2
+++ b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh.j2
@@ -26,7 +26,7 @@ check_user_pwd() {
     # 2021-08-28: New OS's use 'yescrypt' so use Perl instead of Python (#2949)
     # This also helps avoid parsing the (NEW) 4th sub-field in $y$j9T$SALT$HASH
-    field2=$(sudo -n grep "^$1:" /etc/shadow | cut -d: -f2) || return 2 # TRY TO FORCE ERROR if /etc/shadow not readable even with sudo
+    field2=$(sudo -n grep "^$1:" /etc/shadow | cut -d: -f2) # sets field2 to "" if sudo -s fails to read /etc/shadow
     [[ $(perl -e "print crypt('$2', '$field2')") == $field2 ]]
     #
     # $meth (hashing method) is typically '6' which implies 5000 rounds

From 2b47baa85dadc9aac7562947cda4fe5a2d764be1 Mon Sep 17 00:00:00 2001
From: A Holt
Date: Wed, 21 Sep 2022 00:25:41 -0400
Subject: [PATCH 6/8] sshpwd-lxde-iiab.sh.j2: Explain 'sudo -s' exception

---
 roles/iiab-admin/templates/sshpwd-lxde-iiab.sh.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh.j2 b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh.j2
index e755bd638..f28fe8639 100755
--- a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh.j2
+++ b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh.j2
@@ -26,7 +26,7 @@ check_user_pwd() {
     # 2021-08-28: New OS's use 'yescrypt' so use Perl instead of Python (#2949)
     # This also helps avoid parsing the (NEW) 4th sub-field in $y$j9T$SALT$HASH
-    field2=$(sudo -n grep "^$1:" /etc/shadow | cut -d: -f2)
+    field2=$(sudo -n grep "^$1:" /etc/shadow | cut -d: -f2) # sets field2 to "" if sudo -s fails to read /etc/shadow
     [[ $(perl -e "print crypt('$2', '$field2')") == $field2 ]]
     #
     # $meth (hashing method) is typically '6' which implies 5000 rounds

From 3132f79e16e55d795a10da8b50ee7074fe0d0a8b Mon Sep 17 00:00:00 2001
From: A Holt
Date: Wed, 21 Sep 2022 00:30:09 -0400
Subject: [PATCH 7/8] Update sshpwd-profile-iiab.sh.j2

---
 roles/iiab-admin/templates/sshpwd-profile-iiab.sh.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

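Review bot: The new trailing comment says `sudo -s` while the command on the same line is `sudo -n`; `-n` is the non-interactive flag whose failure (no cached credentials or no password-less rule for this user) the comment is describing, whereas `-s` runs a shell, so the comment misdirects the next reader. `# Sets field2 to "" if 'sudo -n' cannot read /etc/shadow (no cached credentials / NOPASSWD rule)` states what actually happens. With `|| return 2` dropped in this hunk, an empty `$field2` now flows into the crypt comparison on the next line and the function reports a mismatch instead of an error, so the caller is never told the check could not run; if that fail-open behaviour is intended, the comment should say so explicitly. The identical comment is added to the lxde template in patch 6, and patches 7 and 8 carry it forward with only a capitalisation change. check_user_pwd's body continues outside the hunk.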
diff --git a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh.j2 b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh.j2
index 7443f00ce..aead6273a 100755
--- a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh.j2
+++ b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh.j2
@@ -26,7 +26,7 @@ check_user_pwd() {
     # 2021-08-28: New OS's use 'yescrypt' so use Perl instead of Python (#2949)
     # This also helps avoid parsing the (NEW) 4th sub-field in $y$j9T$SALT$HASH
-    field2=$(sudo -n grep "^$1:" /etc/shadow | cut -d: -f2) # sets field2 to "" if sudo -s fails to read /etc/shadow
+    field2=$(sudo -n grep "^$1:" /etc/shadow | cut -d: -f2) # Sets field2 to "" if sudo -s fails to read /etc/shadow
     [[ $(perl -e "print crypt('$2', '$field2')") == $field2 ]]
     #
     # $meth (hashing method) is typically '6' which implies 5000 rounds

From e94c65f6ab82fd8e0ef3b88907ae41a15475d223 Mon Sep 17 00:00:00 2001
From: A Holt
Date: Wed, 21 Sep 2022 00:30:37 -0400
Subject: [PATCH 8/8] Update sshpwd-lxde-iiab.sh.j2

---
 roles/iiab-admin/templates/sshpwd-lxde-iiab.sh.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh.j2 b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh.j2
index f28fe8639..e41dde542 100755
--- a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh.j2
+++ b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh.j2
@@ -26,7 +26,7 @@ check_user_pwd() {
     # 2021-08-28: New OS's use 'yescrypt' so use Perl instead of Python (#2949)
     # This also helps avoid parsing the (NEW) 4th sub-field in $y$j9T$SALT$HASH
-    field2=$(sudo -n grep "^$1:" /etc/shadow | cut -d: -f2) # sets field2 to "" if sudo -s fails to read /etc/shadow
+    field2=$(sudo -n grep "^$1:" /etc/shadow | cut -d: -f2) # Sets field2 to "" if sudo -s fails to read /etc/shadow
     [[ $(perl -e "print crypt('$2', '$field2')") == $field2 ]]
     #
     # $meth (hashing method) is typically '6' which implies 5000 rounds