[isar-cip-core] postinst:Added lines to verify Local and Remote Multi-factor Authentication


Shreyas.Karmahe@...
 

Hi Jan,

I have created new patch that has only contain configuration for libpam-google-authenticator for Multi-Factor Authentication and kept it for review.
My apology as last time I missed out one of your comment and these patch has addressed all unnecessarily spaces and lines that included it last time.
Please review and let me know your comments

Kind Regards,
Shreyas

-----Original Message-----
From: Jan Kiszka <jan.kiszka@...>
Sent: Tuesday, July 5, 2022 3:33 PM
To: karmahe shreyas(TSIP TMIEC ODG Porting) <Shreyas.Karmahe@...>; yes@...; cip-dev@...
Cc: dinesh kumar(TSIP) <dinesh.kumar@...>; pyla venkata(TSIP TMIEC ODG Porting) <Venkata.Pyla@...>; hayashi kazuhiro(林 和宏 □SWC◯ACT) <kazuhiro3.hayashi@...>
Subject: Re: [isar-cip-core] postinst:Added lines to verify Local and Remote Multi-factor Authentication

On 04.07.22 18:51, Shreyas.Karmahe@... wrote:
Hi Jan,

I have resend the patch again by removing the commented line from postinst file from security-customizations.
The commenting line is dead code only and used for debugging purpose.
Kindly review the following resend patch

v2-0001-security-customizations-postinst-Add-configuratio.patch
Please read both of my replies and address the other one as well.

Thanks,
Jan


Kind Regards,
Shreyas
-----Original Message-----
From: Jan Kiszka <jan.kiszka@...>
Sent: Friday, July 1, 2022 5:04 PM
To: karmahe shreyas(TSIP) <Shreyas.Karmahe@...>;
yes@...; cip-dev@...
Cc: dinesh kumar(TSIP) <dinesh.kumar@...>; pyla
venkata(TSIP TMIEC ODG Porting) <Venkata.Pyla@...>;
hayashi kazuhiro(林 和宏 □SWC◯ACT) <kazuhiro3.hayashi@...>
Subject: Re: [isar-cip-core] postinst:Added lines to verify Local and
Remote Multi-factor Authentication

On 01.07.22 13:32, Jan Kiszka wrote:
On 30.06.22 13:26, Shreyas.Karmahe@... wrote:
From: Shreyas Karmahe <Shreyas.Karmahe@...>

To enable and configure PAM for Remote and Local MFA Session
Verification

Signed-off-by: Shreyas Karmahe <Shreyas.Karmahe@...>
---
.../security-customizations/files/postinst | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/recipes-core/security-customizations/files/postinst
b/recipes-core/security-customizations/files/postinst
index bb7d15b..843ce3c 100644
--- a/recipes-core/security-customizations/files/postinst
+++ b/recipes-core/security-customizations/files/postinst
@@ -15,7 +15,8 @@ echo "127.0.0.1 $HOSTNAME" >> /etc/hosts
PAM_PWD_FILE="/etc/pam.d/common-password"
pam_cracklib_config="password requisite pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root"
if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then
- sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}"
+
+sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}"
And an accidental change here?

fi
sed -i "0,/^password.*/s/^password.*/${pam_cracklib_config}\n&/" "${PAM_PWD_FILE}"

@@ -49,3 +50,15 @@ sed -i 's/admin_space_left_action =
.*/admin_space_left_action = SYSLOG/' $AUDIT

# CR2.10: Response to audit processing failures sed -i
's/disk_error_action = .*/disk_error_action = SYSLOG/'
$AUDIT_CONF_FILE
+
+# CR2.11: Enable Mutli Factor Authentication for Local and Remote
+Session SSHD_AUTH_CONFIG="/etc/pam.d/common-auth"
+google_authenticator="auth required pam_google_authenticator.so nullok"
+if grep -c "pam_google_authenticator.so" "${SSHD_AUTH_CONFIG}";then
+ sed -i '/pam_google_authenticator.so/ s/^#*/#/' "${SSHD_AUTH_CONFIG}"
+fi
+#sed -i "0,/^auth.*/s/^auth.*/${google_authenticator}\n&/" "${SSHD_AUTH_CONFIG}"
Dead code? Or forgotten to activate?

+echo "auth required pam_google_authenticator.so nullok" | tee -a "${SSHD_AUTH_CONFIG}"
+# Enable PAM configuration for Remote Session sed -i
+'s/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' "${SSHD_CONFIG}"
+echo "AuthenticationMethods keyboard-interactive" | tee -a "${SSHD_CONFIG}"
Jan

--
Siemens AG, Technology
Competence Center Embedded Linux

--
Siemens AG, Technology
Competence Center Embedded Linux


Jan Kiszka
 

On 04.07.22 18:51, Shreyas.Karmahe@... wrote:
Hi Jan,

I have resend the patch again by removing the commented line from postinst file from security-customizations.
The commenting line is dead code only and used for debugging purpose.
Kindly review the following resend patch

v2-0001-security-customizations-postinst-Add-configuratio.patch
Please read both of my replies and address the other one as well.

Thanks,
Jan


Kind Regards,
Shreyas
-----Original Message-----
From: Jan Kiszka <jan.kiszka@...>
Sent: Friday, July 1, 2022 5:04 PM
To: karmahe shreyas(TSIP) <Shreyas.Karmahe@...>; yes@...; cip-dev@...
Cc: dinesh kumar(TSIP) <dinesh.kumar@...>; pyla venkata(TSIP TMIEC ODG Porting) <Venkata.Pyla@...>; hayashi kazuhiro(林 和宏 □SWC◯ACT) <kazuhiro3.hayashi@...>
Subject: Re: [isar-cip-core] postinst:Added lines to verify Local and Remote Multi-factor Authentication

On 01.07.22 13:32, Jan Kiszka wrote:
On 30.06.22 13:26, Shreyas.Karmahe@... wrote:
From: Shreyas Karmahe <Shreyas.Karmahe@...>

To enable and configure PAM for Remote and Local MFA Session
Verification

Signed-off-by: Shreyas Karmahe <Shreyas.Karmahe@...>
---
.../security-customizations/files/postinst | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/recipes-core/security-customizations/files/postinst
b/recipes-core/security-customizations/files/postinst
index bb7d15b..843ce3c 100644
--- a/recipes-core/security-customizations/files/postinst
+++ b/recipes-core/security-customizations/files/postinst
@@ -15,7 +15,8 @@ echo "127.0.0.1 $HOSTNAME" >> /etc/hosts
PAM_PWD_FILE="/etc/pam.d/common-password"
pam_cracklib_config="password requisite pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root"
if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then
- sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}"
+
+sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}"
And an accidental change here?

fi
sed -i "0,/^password.*/s/^password.*/${pam_cracklib_config}\n&/" "${PAM_PWD_FILE}"

@@ -49,3 +50,15 @@ sed -i 's/admin_space_left_action =
.*/admin_space_left_action = SYSLOG/' $AUDIT

# CR2.10: Response to audit processing failures sed -i
's/disk_error_action = .*/disk_error_action = SYSLOG/'
$AUDIT_CONF_FILE
+
+# CR2.11: Enable Mutli Factor Authentication for Local and Remote
+Session SSHD_AUTH_CONFIG="/etc/pam.d/common-auth"
+google_authenticator="auth required pam_google_authenticator.so nullok"
+if grep -c "pam_google_authenticator.so" "${SSHD_AUTH_CONFIG}";then
+ sed -i '/pam_google_authenticator.so/ s/^#*/#/' "${SSHD_AUTH_CONFIG}"
+fi
+#sed -i "0,/^auth.*/s/^auth.*/${google_authenticator}\n&/" "${SSHD_AUTH_CONFIG}"
Dead code? Or forgotten to activate?

+echo "auth required pam_google_authenticator.so nullok" | tee -a "${SSHD_AUTH_CONFIG}"
+# Enable PAM configuration for Remote Session sed -i
+'s/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' "${SSHD_CONFIG}"
+echo "AuthenticationMethods keyboard-interactive" | tee -a "${SSHD_CONFIG}"
Jan

--
Siemens AG, Technology
Competence Center Embedded Linux

--
Siemens AG, Technology
Competence Center Embedded Linux


Shreyas.Karmahe@...
 

Hi Jan,

I have resend the patch again by removing the commented line from postinst file from security-customizations.
The commenting line is dead code only and used for debugging purpose.
Kindly review the following resend patch

v2-0001-security-customizations-postinst-Add-configuratio.patch

Kind Regards,
Shreyas

-----Original Message-----
From: Jan Kiszka <jan.kiszka@...>
Sent: Friday, July 1, 2022 5:04 PM
To: karmahe shreyas(TSIP) <Shreyas.Karmahe@...>; yes@...; cip-dev@...
Cc: dinesh kumar(TSIP) <dinesh.kumar@...>; pyla venkata(TSIP TMIEC ODG Porting) <Venkata.Pyla@...>; hayashi kazuhiro(林 和宏 □SWC◯ACT) <kazuhiro3.hayashi@...>
Subject: Re: [isar-cip-core] postinst:Added lines to verify Local and Remote Multi-factor Authentication

On 01.07.22 13:32, Jan Kiszka wrote:
On 30.06.22 13:26, Shreyas.Karmahe@... wrote:
From: Shreyas Karmahe <Shreyas.Karmahe@...>

To enable and configure PAM for Remote and Local MFA Session
Verification

Signed-off-by: Shreyas Karmahe <Shreyas.Karmahe@...>
---
.../security-customizations/files/postinst | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/recipes-core/security-customizations/files/postinst
b/recipes-core/security-customizations/files/postinst
index bb7d15b..843ce3c 100644
--- a/recipes-core/security-customizations/files/postinst
+++ b/recipes-core/security-customizations/files/postinst
@@ -15,7 +15,8 @@ echo "127.0.0.1 $HOSTNAME" >> /etc/hosts
PAM_PWD_FILE="/etc/pam.d/common-password"
pam_cracklib_config="password requisite pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root"
if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then
- sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}"
+
+sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}"
And an accidental change here?

fi
sed -i "0,/^password.*/s/^password.*/${pam_cracklib_config}\n&/" "${PAM_PWD_FILE}"

@@ -49,3 +50,15 @@ sed -i 's/admin_space_left_action =
.*/admin_space_left_action = SYSLOG/' $AUDIT

# CR2.10: Response to audit processing failures sed -i
's/disk_error_action = .*/disk_error_action = SYSLOG/'
$AUDIT_CONF_FILE
+
+# CR2.11: Enable Mutli Factor Authentication for Local and Remote
+Session SSHD_AUTH_CONFIG="/etc/pam.d/common-auth"
+google_authenticator="auth required pam_google_authenticator.so nullok"
+if grep -c "pam_google_authenticator.so" "${SSHD_AUTH_CONFIG}";then
+ sed -i '/pam_google_authenticator.so/ s/^#*/#/' "${SSHD_AUTH_CONFIG}"
+fi
+#sed -i "0,/^auth.*/s/^auth.*/${google_authenticator}\n&/" "${SSHD_AUTH_CONFIG}"
Dead code? Or forgotten to activate?

+echo "auth required pam_google_authenticator.so nullok" | tee -a "${SSHD_AUTH_CONFIG}"
+# Enable PAM configuration for Remote Session sed -i
+'s/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' "${SSHD_CONFIG}"
+echo "AuthenticationMethods keyboard-interactive" | tee -a "${SSHD_CONFIG}"
Jan

--
Siemens AG, Technology
Competence Center Embedded Linux


Jan Kiszka
 

On 01.07.22 13:32, Jan Kiszka wrote:
On 30.06.22 13:26, Shreyas.Karmahe@... wrote:
From: Shreyas Karmahe <Shreyas.Karmahe@...>

To enable and configure PAM for Remote and Local MFA Session Verification

Signed-off-by: Shreyas Karmahe <Shreyas.Karmahe@...>
---
.../security-customizations/files/postinst | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst
index bb7d15b..843ce3c 100644
--- a/recipes-core/security-customizations/files/postinst
+++ b/recipes-core/security-customizations/files/postinst
@@ -15,7 +15,8 @@ echo "127.0.0.1 $HOSTNAME" >> /etc/hosts
PAM_PWD_FILE="/etc/pam.d/common-password"
pam_cracklib_config="password requisite pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root"
if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then
- sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}"
+
+sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}"
And an accidental change here?

fi
sed -i "0,/^password.*/s/^password.*/${pam_cracklib_config}\n&/" "${PAM_PWD_FILE}"

@@ -49,3 +50,15 @@ sed -i 's/admin_space_left_action = .*/admin_space_left_action = SYSLOG/' $AUDIT

# CR2.10: Response to audit processing failures
sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/' $AUDIT_CONF_FILE
+
+# CR2.11: Enable Mutli Factor Authentication for Local and Remote Session
+SSHD_AUTH_CONFIG="/etc/pam.d/common-auth"
+google_authenticator="auth required pam_google_authenticator.so nullok"
+if grep -c "pam_google_authenticator.so" "${SSHD_AUTH_CONFIG}";then
+ sed -i '/pam_google_authenticator.so/ s/^#*/#/' "${SSHD_AUTH_CONFIG}"
+fi
+#sed -i "0,/^auth.*/s/^auth.*/${google_authenticator}\n&/" "${SSHD_AUTH_CONFIG}"
Dead code? Or forgotten to activate?

+echo "auth required pam_google_authenticator.so nullok" | tee -a "${SSHD_AUTH_CONFIG}"
+# Enable PAM configuration for Remote Session
+sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' "${SSHD_CONFIG}"
+echo "AuthenticationMethods keyboard-interactive" | tee -a "${SSHD_CONFIG}"
Jan

--
Siemens AG, Technology
Competence Center Embedded Linux


Jan Kiszka
 

On 30.06.22 13:26, Shreyas.Karmahe@... wrote:
From: Shreyas Karmahe <Shreyas.Karmahe@...>

To enable and configure PAM for Remote and Local MFA Session Verification

Signed-off-by: Shreyas Karmahe <Shreyas.Karmahe@...>
---
.../security-customizations/files/postinst | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst
index bb7d15b..843ce3c 100644
--- a/recipes-core/security-customizations/files/postinst
+++ b/recipes-core/security-customizations/files/postinst
@@ -15,7 +15,8 @@ echo "127.0.0.1 $HOSTNAME" >> /etc/hosts
PAM_PWD_FILE="/etc/pam.d/common-password"
pam_cracklib_config="password requisite pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root"
if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then
- sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}"
+
+sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}"
fi
sed -i "0,/^password.*/s/^password.*/${pam_cracklib_config}\n&/" "${PAM_PWD_FILE}"

@@ -49,3 +50,15 @@ sed -i 's/admin_space_left_action = .*/admin_space_left_action = SYSLOG/' $AUDIT

# CR2.10: Response to audit processing failures
sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/' $AUDIT_CONF_FILE
+
+# CR2.11: Enable Mutli Factor Authentication for Local and Remote Session
+SSHD_AUTH_CONFIG="/etc/pam.d/common-auth"
+google_authenticator="auth required pam_google_authenticator.so nullok"
+if grep -c "pam_google_authenticator.so" "${SSHD_AUTH_CONFIG}";then
+ sed -i '/pam_google_authenticator.so/ s/^#*/#/' "${SSHD_AUTH_CONFIG}"
+fi
+#sed -i "0,/^auth.*/s/^auth.*/${google_authenticator}\n&/" "${SSHD_AUTH_CONFIG}"
Dead code? Or forgotten to activate?

+echo "auth required pam_google_authenticator.so nullok" | tee -a "${SSHD_AUTH_CONFIG}"
+# Enable PAM configuration for Remote Session
+sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' "${SSHD_CONFIG}"
+echo "AuthenticationMethods keyboard-interactive" | tee -a "${SSHD_CONFIG}"
Jan

--
Siemens AG, Technology
Competence Center Embedded Linux