Re: [isar-cip-core] postinst:Added lines to verify Local and Remote Multi-factor Authentication


Jan Kiszka
 

On 01.07.22 13:32, Jan Kiszka wrote:
On 30.06.22 13:26, Shreyas.Karmahe@... wrote:
From: Shreyas Karmahe <Shreyas.Karmahe@...>

To enable and configure PAM for Remote and Local MFA Session Verification

Signed-off-by: Shreyas Karmahe <Shreyas.Karmahe@...>
---
.../security-customizations/files/postinst | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst
index bb7d15b..843ce3c 100644
--- a/recipes-core/security-customizations/files/postinst
+++ b/recipes-core/security-customizations/files/postinst
@@ -15,7 +15,8 @@ echo "127.0.0.1 $HOSTNAME" >> /etc/hosts
PAM_PWD_FILE="/etc/pam.d/common-password"
pam_cracklib_config="password requisite pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root"
if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then
- sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}"
+
+sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}"
And an accidental change here?

fi
sed -i "0,/^password.*/s/^password.*/${pam_cracklib_config}\n&/" "${PAM_PWD_FILE}"

@@ -49,3 +50,15 @@ sed -i 's/admin_space_left_action = .*/admin_space_left_action = SYSLOG/' $AUDIT

# CR2.10: Response to audit processing failures
sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/' $AUDIT_CONF_FILE
+
+# CR2.11: Enable Mutli Factor Authentication for Local and Remote Session
+SSHD_AUTH_CONFIG="/etc/pam.d/common-auth"
+google_authenticator="auth required pam_google_authenticator.so nullok"
+if grep -c "pam_google_authenticator.so" "${SSHD_AUTH_CONFIG}";then
+ sed -i '/pam_google_authenticator.so/ s/^#*/#/' "${SSHD_AUTH_CONFIG}"
+fi
+#sed -i "0,/^auth.*/s/^auth.*/${google_authenticator}\n&/" "${SSHD_AUTH_CONFIG}"
Dead code? Or forgotten to activate?

+echo "auth required pam_google_authenticator.so nullok" | tee -a "${SSHD_AUTH_CONFIG}"
+# Enable PAM configuration for Remote Session
+sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' "${SSHD_CONFIG}"
+echo "AuthenticationMethods keyboard-interactive" | tee -a "${SSHD_CONFIG}"
Jan

--
Siemens AG, Technology
Competence Center Embedded Linux

Join cip-dev@lists.cip-project.org to automatically receive all group messages.