On 30.06.22 13:26, Shreyas.Karmahe@... wrote: From: Shreyas Karmahe <Shreyas.Karmahe@...>
To enable and configure PAM for Remote and Local MFA Session Verification
Signed-off-by: Shreyas Karmahe <Shreyas.Karmahe@...> --- .../security-customizations/files/postinst | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst index bb7d15b..843ce3c 100644 --- a/recipes-core/security-customizations/files/postinst +++ b/recipes-core/security-customizations/files/postinst @@ -15,7 +15,8 @@ echo "127.0.0.1 $HOSTNAME" >> /etc/hosts PAM_PWD_FILE="/etc/pam.d/common-password" pam_cracklib_config="password requisite pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root" if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then - sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}" + +sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}" fi sed -i "0,/^password.*/s/^password.*/${pam_cracklib_config}\n&/" "${PAM_PWD_FILE}" @@ -49,3 +50,15 @@ sed -i 's/admin_space_left_action = .*/admin_space_left_action = SYSLOG/' $AUDIT # CR2.10: Response to audit processing failures sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/' $AUDIT_CONF_FILE + +# CR2.11: Enable Mutli Factor Authentication for Local and Remote Session +SSHD_AUTH_CONFIG="/etc/pam.d/common-auth" +google_authenticator="auth required pam_google_authenticator.so nullok" +if grep -c "pam_google_authenticator.so" "${SSHD_AUTH_CONFIG}";then + sed -i '/pam_google_authenticator.so/ s/^#*/#/' "${SSHD_AUTH_CONFIG}" +fi +#sed -i "0,/^auth.*/s/^auth.*/${google_authenticator}\n&/" "${SSHD_AUTH_CONFIG}" Dead code? Or forgotten to activate? +echo "auth required pam_google_authenticator.so nullok" | tee -a "${SSHD_AUTH_CONFIG}" +# Enable PAM configuration for Remote Session +sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' "${SSHD_CONFIG}" +echo "AuthenticationMethods keyboard-interactive" | tee -a "${SSHD_CONFIG}" Jan -- Siemens AG, Technology Competence Center Embedded Linux
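Review bot: the first hunk (`@@ -15,7 +15,8 @@`, common-password) changes nothing but whitespace: the `sed -i '/pam_cracklib.so/ s/^#*/#/'` line loses its indentation inside the `if grep -c "pam_cracklib.so"` block and an empty line is inserted before it. That is unrelated to the MFA change the commit message describes and looks accidental; restore the indentation and drop the blank line so this hunk disappears from the patch.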
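Review bot: in the second hunk (`@@ -49,3 +50,15 @@`), `nullok` on `auth required pam_google_authenticator.so nullok` means any account without a `~/.google_authenticator` file is let through on the password alone, so the second factor is not enforced until every user has enrolled; if CR2.11 requires MFA, drop `nullok` or document the enrollment step that must happen before first login. Related: `AuthenticationMethods keyboard-interactive` makes keyboard-interactive the only accepted method, so public-key logins stop working; if key-based access is still wanted, it should be `publickey,keyboard-interactive`, and keyboard-interactive through PAM also needs `UsePAM yes`, which this hunk does not set. The `google_authenticator` variable is assigned but only referenced from the commented-out `sed`; the live `echo "auth required pam_google_authenticator.so nullok" | tee -a` repeats the literal, so use the variable or remove it, and `>>` is enough (`tee -a` also prints the line to stdout during package configuration). The sshd_config edits are not idempotent either: the `sed 's/ChallengeResponseAuthentication no/.../g'` only flips an existing uncommented `no` line and leaves a commented or absent directive untouched, while the `tee -a "${SSHD_CONFIG}"` appends `AuthenticationMethods keyboard-interactive` on every run of postinst; guard both the way the `grep -c "pam_google_authenticator.so"` check guards common-auth. `SSHD_CONFIG` is not defined anywhere in the visible lines, please confirm it is set earlier in the script. Minor: "Mutli" in the comment.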
On 01.07.22 13:32, Jan Kiszka wrote: On 30.06.22 13:26, Shreyas.Karmahe@... wrote:
From: Shreyas Karmahe <Shreyas.Karmahe@...>
To enable and configure PAM for Remote and Local MFA Session Verification
Signed-off-by: Shreyas Karmahe <Shreyas.Karmahe@...> --- .../security-customizations/files/postinst | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst index bb7d15b..843ce3c 100644 --- a/recipes-core/security-customizations/files/postinst +++ b/recipes-core/security-customizations/files/postinst @@ -15,7 +15,8 @@ echo "127.0.0.1 $HOSTNAME" >> /etc/hosts PAM_PWD_FILE="/etc/pam.d/common-password" pam_cracklib_config="password requisite pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root" if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then - sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}" + +sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}" And an accidental change here? fi sed -i "0,/^password.*/s/^password.*/${pam_cracklib_config}\n&/" "${PAM_PWD_FILE}" @@ -49,3 +50,15 @@ sed -i 's/admin_space_left_action = .*/admin_space_left_action = SYSLOG/' $AUDIT # CR2.10: Response to audit processing failures sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/' $AUDIT_CONF_FILE + +# CR2.11: Enable Mutli Factor Authentication for Local and Remote Session +SSHD_AUTH_CONFIG="/etc/pam.d/common-auth" +google_authenticator="auth required pam_google_authenticator.so nullok" +if grep -c "pam_google_authenticator.so" "${SSHD_AUTH_CONFIG}";then + sed -i '/pam_google_authenticator.so/ s/^#*/#/' "${SSHD_AUTH_CONFIG}" +fi +#sed -i "0,/^auth.*/s/^auth.*/${google_authenticator}\n&/" "${SSHD_AUTH_CONFIG}" Dead code? Or forgotten to activate?
+echo "auth required pam_google_authenticator.so nullok" | tee -a "${SSHD_AUTH_CONFIG}" +# Enable PAM configuration for Remote Session +sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' "${SSHD_CONFIG}" +echo "AuthenticationMethods keyboard-interactive" | tee -a "${SSHD_CONFIG}"
Jan -- Siemens AG, Technology Competence Center Embedded Linux
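The PAM and sshd wiring the patch performs, redone below as an added example that is neither the isar-cip-core postinst nor code from this thread: every directive is written exactly once however often the script runs, the result is verified before success is reported, and the two settings that decide how strict the MFA really is (`nullok` on the PAM line, the sshd `AuthenticationMethods` list) are explicit variables instead of literals. The Debian-style file contents, the `GA_OPTIONS` and `AUTH_METHODS` variables, the function names and the `publickey,keyboard-interactive keyboard-interactive` method list are assumptions of this example, not taken from the patch; the sample tree is constructed inline so the script runs unprivileged.

```shell
#!/bin/sh
# Added example, not the isar-cip-core postinst: wire pam_google_authenticator
# into PAM and sshd idempotently and verify the result. Assumed (not from the
# patch): Debian-style common-auth and sshd_config layouts, POSIX sh/grep and a
# root directory argument so the same functions can run against a scratch tree.
set -eu

# "nullok" lets accounts without ~/.google_authenticator log in on the password
# alone; keep it empty to enforce the second factor for every account.
GA_OPTIONS="${GA_OPTIONS:-}"
# Key holders need key + OTP, everyone else password + OTP. A bare
# "keyboard-interactive" would reject public-key logins altogether.
AUTH_METHODS="${AUTH_METHODS:-publickey,keyboard-interactive keyboard-interactive}"

# Write one sshd_config keyword with exactly one value. sshd keeps the first
# value it parses and Debian starts the file with "Include sshd_config.d/*", so
# the directive goes on line 1 after every existing copy (commented or not) is
# dropped; that also makes a second run a no-op.
set_sshd_option() {
    key="$1"; value="$2"; file="$3"
    tmp="$file.tmp.$$"
    {
        printf '%s %s\n' "$key" "$value"
        grep -Ev "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$file" || true
    } >"$tmp"
    mv "$tmp" "$file"
}

# Append a single uncommented pam_google_authenticator line to common-auth.
# Placed after pam_unix/pam_deny/pam_permit, a wrong password is refused by the
# requisite pam_deny before any OTP prompt, and a correct one still needs the OTP.
set_pam_google_auth() {
    file="$1"
    tmp="$file.tmp.$$"
    grep -v 'pam_google_authenticator\.so' "$file" >"$tmp" || true
    printf 'auth required pam_google_authenticator.so%s\n' \
        "${GA_OPTIONS:+ $GA_OPTIONS}" >>"$tmp"
    mv "$tmp" "$file"
}

apply_mfa_config() {
    root="${1%/}"
    set_pam_google_auth "$root/etc/pam.d/common-auth"
    set_sshd_option UsePAM yes "$root/etc/ssh/sshd_config"
    set_sshd_option ChallengeResponseAuthentication yes "$root/etc/ssh/sshd_config"
    set_sshd_option AuthenticationMethods "$AUTH_METHODS" "$root/etc/ssh/sshd_config"
}

# Post-check: exactly one active copy of every directive. A postinst should
# fail on this rather than ship an image that only looks MFA-enabled.
verify_mfa_config() {
    root="${1%/}"
    pam="$root/etc/pam.d/common-auth"; sshd="$root/etc/ssh/sshd_config"
    n="$(grep -c '^auth[[:space:]]\{1,\}required[[:space:]]\{1,\}pam_google_authenticator\.so' "$pam" || true)"
    [ "$n" = 1 ] || return 1
    for kv in 'UsePAM yes' 'ChallengeResponseAuthentication yes' "AuthenticationMethods $AUTH_METHODS"; do
        n="$(grep -cFx "$kv" "$sshd" || true)"
        [ "$n" = 1 ] || return 1
    done
}

# Constructed sample tree (not a real system) mirroring Debian defaults plus the
# cases a naive append/sed gets wrong: a commented-out authenticator line and a
# pre-existing "ChallengeResponseAuthentication no".
make_demo_root() {
    root="$(mktemp -d)"
    mkdir -p "$root/etc/pam.d" "$root/etc/ssh"
    cat >"$root/etc/pam.d/common-auth" <<'EOF'
auth [success=1 default=ignore] pam_unix.so nullok
auth requisite pam_deny.so
auth required pam_permit.so
#auth required pam_google_authenticator.so nullok
EOF
    cat >"$root/etc/ssh/sshd_config" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF
    printf '%s\n' "$root"
}

demo_root="$(make_demo_root)"
apply_mfa_config "$demo_root"
apply_mfa_config "$demo_root"   # must be a no-op the second time
if verify_mfa_config "$demo_root"; then
    echo "MFA configuration verified under $demo_root"
else
    echo "MFA configuration check failed under $demo_root" >&2
    exit 1
fi
```

On a real image the same functions are called as `apply_mfa_config /` followed by `verify_mfa_config /`, and only after every account has run `google-authenticator`: with `GA_OPTIONS` empty the module refuses logins for users who have no `~/.google_authenticator`, which is the point of leaving `nullok` out.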
Hi Jan,
I have resent the patch after removing the commented line from the postinst file in security-customizations. The commented line was dead code only, used for debugging purposes. Kindly review the following resent patch:
v2-0001-security-customizations-postinst-Add-configuratio.patch
Kind Regards, Shreyas
-----Original Message----- From: Jan Kiszka <jan.kiszka@...> Sent: Friday, July 1, 2022 5:04 PM To: karmahe shreyas(TSIP) <Shreyas.Karmahe@...>; yes@...; cip-dev@... Cc: dinesh kumar(TSIP) <dinesh.kumar@...>; pyla venkata(TSIP TMIEC ODG Porting) <Venkata.Pyla@...>; hayashi kazuhiro(林 和宏 □SWC◯ACT) <kazuhiro3.hayashi@...> Subject: Re: [isar-cip-core] postinst:Added lines to verify Local and Remote Multi-factor Authentication
On 04.07.22 18:51, Shreyas.Karmahe@... wrote: Hi Jan,
I have resent the patch after removing the commented line from the postinst file in security-customizations. The commented line was dead code only, used for debugging purposes. Kindly review the following resent patch:
v2-0001-security-customizations-postinst-Add-configuratio.patch

Please read both of my replies and address the other one as well.

Thanks,
Jan

-- Siemens AG, Technology Competence Center Embedded Linux
Hi Jan,
I have created a new patch that contains only the configuration for libpam-google-authenticator for Multi-Factor Authentication and kept it for review. My apologies, as last time I missed one of your comments; this patch addresses all the unnecessary spaces and lines that were included last time. Please review and let me know your comments.
Kind Regards, Shreyas
-----Original Message----- From: Jan Kiszka <jan.kiszka@...> Sent: Tuesday, July 5, 2022 3:33 PM To: karmahe shreyas(TSIP TMIEC ODG Porting) <Shreyas.Karmahe@...>; yes@...; cip-dev@... Cc: dinesh kumar(TSIP) <dinesh.kumar@...>; pyla venkata(TSIP TMIEC ODG Porting) <Venkata.Pyla@...>; hayashi kazuhiro(林 和宏 □SWC◯ACT) <kazuhiro3.hayashi@...> Subject: Re: [isar-cip-core] postinst:Added lines to verify Local and Remote Multi-factor Authentication