Re: [isar-cip-core] postinst:Added lines to verify Local and Remote Multi-factor Authentication

Home Messages Hashtags Subgroups

#8651

Re: [isar-cip-core] postinst:Added lines to verify Local and Remote Multi-factor Authentication

Shreyas.Karmahe@... #8651 Hi Jan, I have resend the patch again by removing the commented line from postinst file from security-customizations. The commenting line is dead code only and used for debugging purpose. Kindly review the following resend patch v2-0001-security-customizations-postinst-Add-configuratio.patch Kind Regards, Shreyas toggle quoted message Show quoted text -----Original Message----- From: Jan Kiszka <jan.kiszka@...> Sent: Friday, July 1, 2022 5:04 PM To: karmahe shreyas(ＴＳＩＰ) <Shreyas.Karmahe@...>; yes@...; cip-dev@... Cc: dinesh kumar(ＴＳＩＰ) <dinesh.kumar@...>; pyla venkata(ＴＳＩＰ TMIEC ODG Porting) <Venkata.Pyla@...>; hayashi kazuhiro(林和宏 □ＳＷＣ◯ＡＣＴ) <kazuhiro3.hayashi@...> Subject: Re: [isar-cip-core] postinst:Added lines to verify Local and Remote Multi-factor Authentication On 01.07.22 13:32, Jan Kiszka wrote: On 30.06.22 13:26, Shreyas.Karmahe@... wrote: From: Shreyas Karmahe <Shreyas.Karmahe@...> To enable and configure PAM for Remote and Local MFA Session Verification Signed-off-by: Shreyas Karmahe <Shreyas.Karmahe@...> --- .../security-customizations/files/postinst \| 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst index bb7d15b..843ce3c 100644 --- a/recipes-core/security-customizations/files/postinst +++ b/recipes-core/security-customizations/files/postinst @@ -15,7 +15,8 @@ echo "127.0.0.1 $HOSTNAME" >> /etc/hosts PAM_PWD_FILE="/etc/pam.d/common-password" pam_cracklib_config="password requisite pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root" if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then - sed -i '/pam_cracklib.so/ s/^#/#/' "${PAM_PWD_FILE}" + +sed -i '/pam_cracklib.so/ s/^#/#/' "${PAM_PWD_FILE}" And an accidental change here? fi sed -i "0,/^password./s/^password./${pam_cracklib_config}\n&/" "${PAM_PWD_FILE}" @@ -49,3 +50,15 @@ sed -i 's/admin_space_left_action = ./admin_space_left_action = SYSLOG/' $AUDIT # CR2.10: Response to audit processing failures sed -i 's/disk_error_action = ./disk_error_action = SYSLOG/' $AUDIT_CONF_FILE + +# CR2.11: Enable Mutli Factor Authentication for Local and Remote +Session SSHD_AUTH_CONFIG="/etc/pam.d/common-auth" +google_authenticator="auth required pam_google_authenticator.so nullok" +if grep -c "pam_google_authenticator.so" "${SSHD_AUTH_CONFIG}";then + sed -i '/pam_google_authenticator.so/ s/^#/#/' "${SSHD_AUTH_CONFIG}" +fi +#sed -i "0,/^auth./s/^auth.*/${google_authenticator}\n&/" "${SSHD_AUTH_CONFIG}" Dead code? Or forgotten to activate? +echo "auth required pam_google_authenticator.so nullok" \| tee -a "${SSHD_AUTH_CONFIG}" +# Enable PAM configuration for Remote Session sed -i +'s/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' "${SSHD_CONFIG}" +echo "AuthenticationMethods keyboard-interactive" \| tee -a "${SSHD_CONFIG}" Jan -- Siemens AG, Technology Competence Center Embedded Linux
More

View All 5 Messages In Topic

#8651

Join {cip-dev@lists.cip-project.org to automatically receive all group messages.

Home Hashtags Subgroups Terms