Re: [isar-cip-core] postinst:Added lines to verify Local and Remote Multi-factor Authentication


Hi Jan,

I have resend the patch again by removing the commented line from postinst file from security-customizations.
The commenting line is dead code only and used for debugging purpose.
Kindly review the following resend patch


Kind Regards,

-----Original Message-----
From: Jan Kiszka <jan.kiszka@...>
Sent: Friday, July 1, 2022 5:04 PM
To: karmahe shreyas(TSIP) <Shreyas.Karmahe@...>; yes@...; cip-dev@...
Cc: dinesh kumar(TSIP) <dinesh.kumar@...>; pyla venkata(TSIP TMIEC ODG Porting) <Venkata.Pyla@...>; hayashi kazuhiro(林 和宏 □SWC◯ACT) <kazuhiro3.hayashi@...>
Subject: Re: [isar-cip-core] postinst:Added lines to verify Local and Remote Multi-factor Authentication

On 01.07.22 13:32, Jan Kiszka wrote:
On 30.06.22 13:26, Shreyas.Karmahe@... wrote:
From: Shreyas Karmahe <Shreyas.Karmahe@...>

To enable and configure PAM for Remote and Local MFA Session

Signed-off-by: Shreyas Karmahe <Shreyas.Karmahe@...>
.../security-customizations/files/postinst | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/recipes-core/security-customizations/files/postinst
index bb7d15b..843ce3c 100644
--- a/recipes-core/security-customizations/files/postinst
+++ b/recipes-core/security-customizations/files/postinst
@@ -15,7 +15,8 @@ echo " $HOSTNAME" >> /etc/hosts
pam_cracklib_config="password requisite retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root"
if grep -c "" "${PAM_PWD_FILE}";then
- sed -i '/ s/^#*/#/' "${PAM_PWD_FILE}"
+sed -i '/ s/^#*/#/' "${PAM_PWD_FILE}"
And an accidental change here?

sed -i "0,/^password.*/s/^password.*/${pam_cracklib_config}\n&/" "${PAM_PWD_FILE}"

@@ -49,3 +50,15 @@ sed -i 's/admin_space_left_action =
.*/admin_space_left_action = SYSLOG/' $AUDIT

# CR2.10: Response to audit processing failures sed -i
's/disk_error_action = .*/disk_error_action = SYSLOG/'
+# CR2.11: Enable Mutli Factor Authentication for Local and Remote
+Session SSHD_AUTH_CONFIG="/etc/pam.d/common-auth"
+google_authenticator="auth required nullok"
+if grep -c "" "${SSHD_AUTH_CONFIG}";then
+ sed -i '/ s/^#*/#/' "${SSHD_AUTH_CONFIG}"
+#sed -i "0,/^auth.*/s/^auth.*/${google_authenticator}\n&/" "${SSHD_AUTH_CONFIG}"
Dead code? Or forgotten to activate?

+echo "auth required nullok" | tee -a "${SSHD_AUTH_CONFIG}"
+# Enable PAM configuration for Remote Session sed -i
+'s/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' "${SSHD_CONFIG}"
+echo "AuthenticationMethods keyboard-interactive" | tee -a "${SSHD_CONFIG}"

Siemens AG, Technology
Competence Center Embedded Linux

Join { to automatically receive all group messages.