Re: [isar-cip-core] postinst:Added lines to verify Local and Remote Multi-factor Authentication


Shreyas.Karmahe@...
 

Hi Jan,

I have created a new patch that contains only the configuration for libpam-google-authenticator for Multi-Factor Authentication and kept it for review.
My apologies, as last time I missed one of your comments; this patch has addressed all the unnecessary spaces and lines that were included last time.
Please review and let me know your comments.

Kind Regards,
Shreyas

-----Original Message-----
From: Jan Kiszka <jan.kiszka@...>
Sent: Tuesday, July 5, 2022 3:33 PM
To: karmahe shreyas(TSIP TMIEC ODG Porting) <Shreyas.Karmahe@...>; yes@...; cip-dev@...
Cc: dinesh kumar(TSIP) <dinesh.kumar@...>; pyla venkata(TSIP TMIEC ODG Porting) <Venkata.Pyla@...>; hayashi kazuhiro(林 和宏 □SWC◯ACT) <kazuhiro3.hayashi@...>
Subject: Re: [isar-cip-core] postinst:Added lines to verify Local and Remote Multi-factor Authentication

On 04.07.22 18:51, Shreyas.Karmahe@... wrote:
Hi Jan,

I have resent the patch again, removing the commented line from the postinst file of security-customizations.
The commented line is dead code only and was used for debugging purposes.
Kindly review the following resent patch

v2-0001-security-customizations-postinst-Add-configuratio.patch
Please read both of my replies and address the other one as well.

Thanks,
Jan


Kind Regards,
Shreyas
-----Original Message-----
From: Jan Kiszka <jan.kiszka@...>
Sent: Friday, July 1, 2022 5:04 PM
To: karmahe shreyas(TSIP) <Shreyas.Karmahe@...>; yes@...; cip-dev@...
Cc: dinesh kumar(TSIP) <dinesh.kumar@...>; pyla venkata(TSIP TMIEC ODG Porting) <Venkata.Pyla@...>; hayashi kazuhiro(林 和宏 □SWC◯ACT) <kazuhiro3.hayashi@...>
Subject: Re: [isar-cip-core] postinst:Added lines to verify Local and Remote Multi-factor Authentication

On 01.07.22 13:32, Jan Kiszka wrote:
On 30.06.22 13:26, Shreyas.Karmahe@... wrote:
From: Shreyas Karmahe <Shreyas.Karmahe@...>

To enable and configure PAM for Remote and Local MFA Session Verification

Signed-off-by: Shreyas Karmahe <Shreyas.Karmahe@...>
---
.../security-customizations/files/postinst | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/recipes-core/security-customizations/files/postinst
b/recipes-core/security-customizations/files/postinst
index bb7d15b..843ce3c 100644
--- a/recipes-core/security-customizations/files/postinst
+++ b/recipes-core/security-customizations/files/postinst
@@ -15,7 +15,8 @@ echo "127.0.0.1 $HOSTNAME" >> /etc/hosts
PAM_PWD_FILE="/etc/pam.d/common-password"
pam_cracklib_config="password requisite pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root"
if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then
- sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}"
+
+sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}"
And an accidental change here?

fi
sed -i "0,/^password.*/s/^password.*/${pam_cracklib_config}\n&/" "${PAM_PWD_FILE}"
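Review bot: the change inside the `if grep -c "pam_cracklib.so"` block is whitespace only: it inserts a blank line and drops the indentation of `sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}"`, which has nothing to do with the MFA configuration the commit message describes. Drop it from this patch (or restore the original indentation); if the reindent is intended, make it a separate cleanup commit.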

@@ -49,3 +50,15 @@ sed -i 's/admin_space_left_action =
.*/admin_space_left_action = SYSLOG/' $AUDIT

# CR2.10: Response to audit processing failures sed -i
's/disk_error_action = .*/disk_error_action = SYSLOG/'
$AUDIT_CONF_FILE
+
+# CR2.11: Enable Mutli Factor Authentication for Local and Remote
+Session SSHD_AUTH_CONFIG="/etc/pam.d/common-auth"
+google_authenticator="auth required pam_google_authenticator.so nullok"
+if grep -c "pam_google_authenticator.so" "${SSHD_AUTH_CONFIG}";then
+ sed -i '/pam_google_authenticator.so/ s/^#*/#/' "${SSHD_AUTH_CONFIG}"
+fi
+#sed -i "0,/^auth.*/s/^auth.*/${google_authenticator}\n&/" "${SSHD_AUTH_CONFIG}"
Dead code? Or forgotten to activate?

+echo "auth required pam_google_authenticator.so nullok" | tee -a "${SSHD_AUTH_CONFIG}"
+# Enable PAM configuration for Remote Session sed -i
+'s/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' "${SSHD_CONFIG}"
+echo "AuthenticationMethods keyboard-interactive" | tee -a "${SSHD_CONFIG}"
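Review bot: under `# CR2.11` the module is wired in two conflicting ways, so decide on one and delete the other: the commented-out `sed -i "0,/^auth.*/s/^auth.*/${google_authenticator}\n&/"` would insert the module before the first `auth` line of common-auth (ahead of pam_unix), while the live `echo ... | tee -a` appends the same string after everything already in the file, leaving the `google_authenticator` variable unused and the module's position in the auth stack dependent on which survives. Three further points: `tee -a` appends on every run of postinst, so a re-run duplicates both the `auth required pam_google_authenticator.so nullok` line and the `AuthenticationMethods keyboard-interactive` line (the preceding `grep -c`/comment-out step only neutralises the PAM line, nothing guards the sshd_config line, and sshd uses the first occurrence of a keyword, so an existing `AuthenticationMethods` entry earlier in the file would win over the appended one); `${SSHD_CONFIG}` is not defined anywhere in this hunk, so if it is not set earlier in the script the sed runs against an empty path; and the sed only rewrites an explicit `ChallengeResponseAuthentication no`, not a commented-out or absent directive. Also, `nullok` lets any user without a ~/.google_authenticator file authenticate with a single factor, which the commit message should state explicitly since the comment claims MFA is enabled, and "Mutli" is a typo.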
Jan

--
Siemens AG, Technology
Competence Center Embedded Linux

