Re: [isar-cip-core] postinst:Added lines to verify Local and Remote Multi-factor Authentication

Jan Kiszka

On 04.07.22 18:51, Shreyas.Karmahe@... wrote:
Hi Jan,

I have resent the patch by removing the commented line from the postinst file in security-customizations.
The commented line is dead code only and was used for debugging purposes.
Kindly review the following resent patch.

Please read both of my replies and address the other one as well.


Kind Regards,
-----Original Message-----
From: Jan Kiszka <jan.kiszka@...>
Sent: Friday, July 1, 2022 5:04 PM
To: karmahe shreyas(TSIP) <Shreyas.Karmahe@...>; yes@...; cip-dev@...
Cc: dinesh kumar(TSIP) <dinesh.kumar@...>; pyla venkata(TSIP TMIEC ODG Porting) <Venkata.Pyla@...>; hayashi kazuhiro(林 和宏 □SWC◯ACT) <kazuhiro3.hayashi@...>
Subject: Re: [isar-cip-core] postinst:Added lines to verify Local and Remote Multi-factor Authentication

On 01.07.22 13:32, Jan Kiszka wrote:
On 30.06.22 13:26, Shreyas.Karmahe@... wrote:
From: Shreyas Karmahe <Shreyas.Karmahe@...>

To enable and configure PAM for Remote and Local MFA Session

Signed-off-by: Shreyas Karmahe <Shreyas.Karmahe@...>
.../security-customizations/files/postinst | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/recipes-core/security-customizations/files/postinst
index bb7d15b..843ce3c 100644
--- a/recipes-core/security-customizations/files/postinst
+++ b/recipes-core/security-customizations/files/postinst
@@ -15,7 +15,8 @@ echo " $HOSTNAME" >> /etc/hosts
pam_cracklib_config="password requisite retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root"
if grep -c "" "${PAM_PWD_FILE}";then
- sed -i '/ s/^#*/#/' "${PAM_PWD_FILE}"
+sed -i '/ s/^#*/#/' "${PAM_PWD_FILE}"
And an accidental change here?

sed -i "0,/^password.*/s/^password.*/${pam_cracklib_config}\n&/" "${PAM_PWD_FILE}"
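Review bot: the only change in this hunk (`- sed -i '/ s/^#*/#/' "${PAM_PWD_FILE}"` to `+sed -i '/ s/^#*/#/' "${PAM_PWD_FILE}"`) drops the leading indentation and nothing else; it has no connection to the MFA change in the commit message and should be removed from this patch or sent as a separate whitespace cleanup. On the surrounding context, `if grep -c "" "${PAM_PWD_FILE}";then` prints the line count to stdout every time postinst runs; `[ -s "${PAM_PWD_FILE}" ]` (or `grep -q . "${PAM_PWD_FILE}"`) expresses the same "file is non-empty" test silently.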

@@ -49,3 +50,15 @@ sed -i 's/admin_space_left_action =
.*/admin_space_left_action = SYSLOG/' $AUDIT

# CR2.10: Response to audit processing failures sed -i
's/disk_error_action = .*/disk_error_action = SYSLOG/'
+# CR2.11: Enable Mutli Factor Authentication for Local and Remote
+Session SSHD_AUTH_CONFIG="/etc/pam.d/common-auth"
+google_authenticator="auth required nullok"
+if grep -c "" "${SSHD_AUTH_CONFIG}";then
+ sed -i '/ s/^#*/#/' "${SSHD_AUTH_CONFIG}"
+#sed -i "0,/^auth.*/s/^auth.*/${google_authenticator}\n&/" "${SSHD_AUTH_CONFIG}"
Dead code? Or forgotten to activate?

+echo "auth required nullok" | tee -a "${SSHD_AUTH_CONFIG}"
+# Enable PAM configuration for Remote Session sed -i
+'s/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' "${SSHD_CONFIG}"
+echo "AuthenticationMethods keyboard-interactive" | tee -a "${SSHD_CONFIG}"
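Review bot: the PAM entry written here (`google_authenticator="auth required nullok"`, and the same text again in `echo "auth required nullok" | tee -a "${SSHD_AUTH_CONFIG}"`) has no module path. A PAM line is `type control module-path [arguments]`, so `nullok` is parsed as the module name, the entry cannot be loaded, and a `required` entry that cannot load fails the whole auth stack for every login that goes through common-auth. The variable name suggests the module (presumably pam_google_authenticator.so) was dropped from between `required` and `nullok`; also drop one of the two definitions, since the variable is assigned but never used. Two further points: `nullok` lets any account without an enrolled secret skip the second factor, which does not match "verify" MFA for CR2.11 and should at least be an explicit, documented decision; and `sed -i '/ s/^#*/#/' "${SSHD_AUTH_CONFIG}"` comments out every line in common-auth that contains a space, i.e. all existing auth modules, so after the append the file holds only the new entry. If that is intended, say so in the commit message. Finally, `${SSHD_CONFIG}` is not defined in this hunk (confirm it is set earlier in the script), and the `tee -a` appends are not idempotent: re-running postinst duplicates `AuthenticationMethods keyboard-interactive`, and since sshd honours the first occurrence of a keyword, appending at the end of the file will not override an existing `AuthenticationMethods` line. Guard the append with a `grep -q` check.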

Siemens AG, Technology
Competence Center Embedded Linux

