[isar-cip-core] security-customizations/postinst: Add configuration for MFA


Jan Kiszka
 

On 07.07.22 12:33, Shreyas.Karmahe@... wrote:
From: Shreyas Karmahe <Shreyas.Karmahe@...>

It configures libpam-google-authenticator for achieving the IEC requirement
for Multi-Factor Authentication.

Signed-off-by: Shreyas Karmahe <Shreyas.Karmahe@...>
---
recipes-core/security-customizations/files/postinst | 11 +++++++++++
1 file changed, 11 insertions(+)

diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst
index 3699ba2..9ba8540 100644
--- a/recipes-core/security-customizations/files/postinst
+++ b/recipes-core/security-customizations/files/postinst
@@ -49,3 +49,14 @@ sed -i 's/admin_space_left_action = .*/admin_space_left_action = SYSLOG/' $AUDIT

# CR2.10: Response to audit processing failures
sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/' $AUDIT_CONF_FILE
+
+# CR2.11: Enable Mutli Factor Authentication for Local and Remote Session
+SSHD_AUTH_CONFIG="/etc/pam.d/common-auth"
+google_authenticator="auth required pam_google_authenticator.so nullok"
+if grep -c "pam_google_authenticator.so" "${SSHD_AUTH_CONFIG}";then
+ sed -i '/pam_google_authenticator.so/ s/^#*/#/' "${SSHD_AUTH_CONFIG}"
+fi
+echo "auth required pam_google_authenticator.so nullok" | tee -a "${SSHD_AUTH_CONFIG}"
+# Enable PAM configuration for Remote Session
+sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' "${SSHD_CONFIG}"
+echo "AuthenticationMethods keyboard-interactive" | tee -a "${SSHD_CONFIG}"
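Review bot: the last two `+` lines append `AuthenticationMethods keyboard-interactive` to `${SSHD_CONFIG}` with `tee -a`, but sshd uses only the first value it finds for each keyword, so if the file already contains an `AuthenticationMethods` line the appended one is silently ignored; and `keyboard-interactive` alone also stops public-key logins, which the commit message does not mention. The preceding sed `s/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g` only flips an existing literal `no` line and leaves a commented-out or absent directive untouched, so the script has no way to tell whether challenge-response actually ended up enabled; checking the result (e.g. `grep -q '^ChallengeResponseAuthentication yes'`) or writing the directive unconditionally would be more robust. Smaller points in the PAM part: `${SSHD_CONFIG}` is not defined in this hunk, so it depends on an earlier assignment in the file; `google_authenticator="auth required pam_google_authenticator.so nullok"` is assigned and never used (the `echo` repeats the literal), so either drop the variable or write `echo "${google_authenticator}" >> "${SSHD_AUTH_CONFIG}"`; `if grep -c ...` prints the match count to stdout inside the test, `grep -q` is the idiomatic form; `nullok` lets any account without an enrolled `~/.google_authenticator` authenticate with a single factor, which is worth stating in the CR2.11 comment since it weakens the requirement until every user is enrolled; and the comment has a typo (`Mutli`).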
Applied, thanks!

Jan

--
Siemens AG, Technology
Competence Center Embedded Linux


Jan Kiszka
 

On 07.07.22 12:55, Jan Kiszka wrote:
On 07.07.22 12:33, Shreyas.Karmahe@... wrote:
From: Shreyas Karmahe <Shreyas.Karmahe@...>

It configures libpam-google-authenticator for achieving the IEC requirement
for Multi-Factor Authentication.

Signed-off-by: Shreyas Karmahe <Shreyas.Karmahe@...>
---
recipes-core/security-customizations/files/postinst | 11 +++++++++++
1 file changed, 11 insertions(+)

diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst
index 3699ba2..9ba8540 100644
--- a/recipes-core/security-customizations/files/postinst
+++ b/recipes-core/security-customizations/files/postinst
@@ -49,3 +49,14 @@ sed -i 's/admin_space_left_action = .*/admin_space_left_action = SYSLOG/' $AUDIT

# CR2.10: Response to audit processing failures
sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/' $AUDIT_CONF_FILE
+
+# CR2.11: Enable Mutli Factor Authentication for Local and Remote Session
+SSHD_AUTH_CONFIG="/etc/pam.d/common-auth"
+google_authenticator="auth required pam_google_authenticator.so nullok"
+if grep -c "pam_google_authenticator.so" "${SSHD_AUTH_CONFIG}";then
+ sed -i '/pam_google_authenticator.so/ s/^#*/#/' "${SSHD_AUTH_CONFIG}"
+fi
+echo "auth required pam_google_authenticator.so nullok" | tee -a "${SSHD_AUTH_CONFIG}"
+# Enable PAM configuration for Remote Session
+sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' "${SSHD_CONFIG}"
+echo "AuthenticationMethods keyboard-interactive" | tee -a "${SSHD_CONFIG}"
Applied, thanks!
As discussed in the other thread: This one is missing a DEBIAN_DEPENDS
for libpam-google-authenticator. I'm dropping this again (was only in
next) so that you can send a v3.

Jan

--
Siemens AG, Technology
Competence Center Embedded Linux