diff --git a/src/sonic-host-services-data/templates/common-password.j2 b/src/sonic-host-services-data/templates/common-password.j2 index 36efd33b7b73..a580eb3854ac 100644 --- a/src/sonic-host-services-data/templates/common-password.j2 +++ b/src/sonic-host-services-data/templates/common-password.j2 @@ -26,18 +26,18 @@ {% if passw_policies %} {% if passw_policies['state'] == 'enabled' %} -password requisite pam_cracklib.so retry=3 maxrepeat=0 {% if passw_policies['len_min'] %}minlen={{passw_policies['len_min']}}{% endif %} {% if passw_policies['upper_class'] %} ucredit=-1 {% endif %} {% if passw_policies['lower_class'] %} lcredit=-1 {% endif %} {% if passw_policies['digit_class'] %} dcredit=-1 {% endif %} {% if passw_policies['special_class'] %} ocredit=-1 {% endif %} {% if passw_policies['reject_user_passw_match'] %} reject_username {% endif %} enforce_for_root +password requisite pam_cracklib.so retry=3 maxrepeat=0 {% if passw_policies['len_min'] %}minlen={{passw_policies['len_min']}}{% endif %} {% if passw_policies['upper_class'] %}ucredit=-1{% endif %} {% if passw_policies['lower_class'] %}lcredit=-1{% endif %} {% if passw_policies['digits_class'] %}dcredit=-1{% endif %} {% if passw_policies['special_class'] %}ocredit=-1{% endif %} {% if passw_policies['reject_user_passw_match'] %}reject_username{% endif %} enforce_for_root -password required pam_pwhistory.so {% if passw_policies['history_ctr'] %}remember={{passw_policies['history_ctr']}}{% endif %} use_authtok +password required pam_pwhistory.so {% if passw_policies['history_cnt'] %}remember={{passw_policies['history_cnt']}}{% endif %} use_authtok {% endif %} {% endif %} -password [success=1 default=ignore] pam_unix.so obscure yescrypt +password [success=1 default=ignore] pam_unix.so obscure yescrypt # here's the fallback if no module succeeds -password requisite pam_deny.so +password requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around -password required pam_permit.so +password required pam_permit.so # and here are more per-package modules (the "Additional" block) # end of pam-auth-update config diff --git a/src/sonic-host-services/scripts/hostcfgd b/src/sonic-host-services/scripts/hostcfgd index 198123e34524..579bdc5ec560 100755 --- a/src/sonic-host-services/scripts/hostcfgd +++ b/src/sonic-host-services/scripts/hostcfgd @@ -540,8 +540,8 @@ class AaaCfg(object): data['lower_class'] = is_true(data['lower_class']) if 'upper_class' in data: data['upper_class'] = is_true(data['upper_class']) - if 'digit_class' in data: - data['digit_class'] = is_true(data['digit_class']) + if 'digits_class' in data: + data['digits_class'] = is_true(data['digits_class']) if 'special_class' in data: data['special_class'] = is_true(data['special_class']) diff --git a/src/sonic-host-services/tests/hostcfgd/hostcfgd_passwh_test.py b/src/sonic-host-services/tests/hostcfgd/hostcfgd_passwh_test.py index e1b92401abeb..4e271840b5fc 100755 --- a/src/sonic-host-services/tests/hostcfgd/hostcfgd_passwh_test.py +++ b/src/sonic-host-services/tests/hostcfgd/hostcfgd_passwh_test.py @@ -182,4 +182,4 @@ def test_hostcfgd_passwh_classes(self, test_name, test_data): None """ - self.check_config(test_name, test_data, "enable_digit_class") \ No newline at end of file + self.check_config(test_name, test_data, "enable_digits_class") \ No newline at end of file diff --git a/src/sonic-host-services/tests/hostcfgd/sample_output/PASSWORD_HARDENING_default_values/common-password b/src/sonic-host-services/tests/hostcfgd/sample_output/PASSWORD_HARDENING_default_values/common-password index 11efc43374a3..0da639249c94 100644 --- a/src/sonic-host-services/tests/hostcfgd/sample_output/PASSWORD_HARDENING_default_values/common-password +++ b/src/sonic-host-services/tests/hostcfgd/sample_output/PASSWORD_HARDENING_default_values/common-password @@ -25,12 +25,12 @@ # here are the per-package modules (the "Primary" block) -password [success=1 default=ignore] pam_unix.so obscure yescrypt +password [success=1 default=ignore] pam_unix.so obscure yescrypt # here's the fallback if no module succeeds -password requisite pam_deny.so +password requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around -password required pam_permit.so +password required pam_permit.so # and here are more per-package modules (the "Additional" block) # end of pam-auth-update config \ No newline at end of file diff --git a/src/sonic-host-services/tests/hostcfgd/sample_output/PASSWORD_HARDENING_enable_digit_class/common-password b/src/sonic-host-services/tests/hostcfgd/sample_output/PASSWORD_HARDENING_enable_digit_class/common-password deleted file mode 100644 index 0648437f708a..000000000000 --- a/src/sonic-host-services/tests/hostcfgd/sample_output/PASSWORD_HARDENING_enable_digit_class/common-password +++ /dev/null @@ -1,39 +0,0 @@ -#THIS IS AN AUTO-GENERATED FILE -# -# /etc/pam.d/common-password - password-related modules common to all services -# -# This file is included from other service-specific PAM config files, -# and should contain a list of modules that define the services to be -# used to change user passwords. The default is pam_unix. - -# Explanation of pam_unix options: -# The "yescrypt" option enables -#hashed passwords using the yescrypt algorithm, introduced in Debian -#11. Without this option, the default is Unix crypt. Prior releases -#used the option "sha512"; if a shadow password hash will be shared -#between Debian 11 and older releases replace "yescrypt" with "sha512" -#for compatibility . The "obscure" option replaces the old -#`OBSCURE_CHECKS_ENAB' option in login.defs. See the pam_unix manpage -#for other options. - -# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. -# To take advantage of this, it is recommended that you configure any -# local modules either before or after the default block, and use -# pam-auth-update to manage selection of other modules. See -# pam-auth-update(8) for details. - -# here are the per-package modules (the "Primary" block) - -password requisite pam_cracklib.so retry=3 maxrepeat=0 minlen=8 dcredit=-1 enforce_for_root - -password required pam_pwhistory.so remember=0 use_authtok - -password [success=1 default=ignore] pam_unix.so obscure yescrypt -# here's the fallback if no module succeeds -password requisite pam_deny.so -# prime the stack with a positive return value if there isn't one already; -# this avoids us returning an error just because nothing sets a success code -# since the modules above will each just jump around -password required pam_permit.so -# and here are more per-package modules (the "Additional" block) -# end of pam-auth-update config \ No newline at end of file diff --git a/src/sonic-host-services/tests/hostcfgd/sample_output/PASSWORD_HARDENING_enable_digit_class/login.defs b/src/sonic-host-services/tests/hostcfgd/sample_output/PASSWORD_HARDENING_enable_digit_class/login.defs deleted file mode 100644 index db8baa4d2bf8..000000000000 --- a/src/sonic-host-services/tests/hostcfgd/sample_output/PASSWORD_HARDENING_enable_digit_class/login.defs +++ /dev/null @@ -1,340 +0,0 @@ -# -# /etc/login.defs - Configuration control definitions for the login package. -# -# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. -# If unspecified, some arbitrary (and possibly incorrect) value will -# be assumed. All other items are optional - if not specified then -# the described action or option will be inhibited. -# -# Comment lines (lines beginning with "#") and blank lines are ignored. -# -# Modified for Linux. --marekm - -# REQUIRED for useradd/userdel/usermod -# Directory where mailboxes reside, _or_ name of file, relative to the -# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, -# MAIL_DIR takes precedence. -# -# Essentially: -# - MAIL_DIR defines the location of users mail spool files -# (for mbox use) by appending the username to MAIL_DIR as defined -# below. -# - MAIL_FILE defines the location of the users mail spool files as the -# fully-qualified filename obtained by prepending the user home -# directory before $MAIL_FILE -# -# NOTE: This is no more used for setting up users MAIL environment variable -# which is, starting from shadow 4.0.12-1 in Debian, entirely the -# job of the pam_mail PAM modules -# See default PAM configuration files provided for -# login, su, etc. -# -# This is a temporary situation: setting these variables will soon -# move to /etc/default/useradd and the variables will then be -# no more supported -MAIL_DIR /var/mail -#MAIL_FILE .mail - -# -# Enable logging and display of /var/log/faillog login failure info. -# This option conflicts with the pam_tally PAM module. -# -FAILLOG_ENAB yes - -# -# Enable display of unknown usernames when login failures are recorded. -# -# WARNING: Unknown usernames may become world readable. -# See #290803 and #298773 for details about how this could become a security -# concern -LOG_UNKFAIL_ENAB no - -# -# Enable logging of successful logins -# -LOG_OK_LOGINS no - -# -# Enable "syslog" logging of su activity - in addition to sulog file logging. -# SYSLOG_SG_ENAB does the same for newgrp and sg. -# -SYSLOG_SU_ENAB yes -SYSLOG_SG_ENAB yes - -# -# If defined, all su activity is logged to this file. -# -#SULOG_FILE /var/log/sulog - -# -# If defined, file which maps tty line to TERM environment parameter. -# Each line of the file is in a format something like "vt100 tty01". -# -#TTYTYPE_FILE /etc/ttytype - -# -# If defined, login failures will be logged here in a utmp format -# last, when invoked as lastb, will read /var/log/btmp, so... -# -FTMP_FILE /var/log/btmp - -# -# If defined, the command name to display when running "su -". For -# example, if this is defined as "su" then a "ps" will display the -# command is "-su". If not defined, then "ps" would display the -# name of the shell actually being run, e.g. something like "-sh". -# -SU_NAME su - -# -# If defined, file which inhibits all the usual chatter during the login -# sequence. If a full pathname, then hushed mode will be enabled if the -# user's name or shell are found in the file. If not a full pathname, then -# hushed mode will be enabled if the file exists in the user's home directory. -# -HUSHLOGIN_FILE .hushlogin -#HUSHLOGIN_FILE /etc/hushlogins - -# -# *REQUIRED* The default PATH settings, for superuser and normal users. -# -# (they are minimal, add the rest in the shell startup files) -ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin -ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games - -# -# Terminal permissions -# -# TTYGROUP Login tty will be assigned this group ownership. -# TTYPERM Login tty will be set to this permission. -# -# If you have a "write" program which is "setgid" to a special group -# which owns the terminals, define TTYGROUP to the group number and -# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign -# TTYPERM to either 622 or 600. -# -# In Debian /usr/bin/bsd-write or similar programs are setgid tty -# However, the default and recommended value for TTYPERM is still 0600 -# to not allow anyone to write to anyone else console or terminal - -# Users can still allow other people to write them by issuing -# the "mesg y" command. - -TTYGROUP tty -TTYPERM 0600 - -# -# Login configuration initializations: -# -# ERASECHAR Terminal ERASE character ('\010' = backspace). -# KILLCHAR Terminal KILL character ('\025' = CTRL/U). -# UMASK Default "umask" value. -# -# The ERASECHAR and KILLCHAR are used only on System V machines. -# -# UMASK is the default umask value for pam_umask and is used by -# useradd and newusers to set the mode of the new home directories. -# 022 is the "historical" value in Debian for UMASK -# 027, or even 077, could be considered better for privacy -# There is no One True Answer here : each sysadmin must make up his/her -# mind. -# -# If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value -# for private user groups, i. e. the uid is the same as gid, and username is -# the same as the primary group name: for these, the user permissions will be -# used as group permissions, e. g. 022 will become 002. -# -# Prefix these values with "0" to get octal, "0x" to get hexadecimal. -# -ERASECHAR 0177 -KILLCHAR 025 -UMASK 022 - -# -# Password aging controls: -# -# PASS_MAX_DAYS Maximum number of days a password may be used. -# PASS_MIN_DAYS Minimum number of days allowed between password changes. -# PASS_WARN_AGE Number of days warning given before a password expires. -# -PASS_MAX_DAYS 99999 -PASS_MIN_DAYS 0 -PASS_WARN_AGE 7 - -# -# Min/max values for automatic uid selection in useradd -# -UID_MIN 1000 -UID_MAX 60000 -# System accounts -#SYS_UID_MIN 100 -#SYS_UID_MAX 999 - -# -# Min/max values for automatic gid selection in groupadd -# -GID_MIN 1000 -GID_MAX 60000 -# System accounts -#SYS_GID_MIN 100 -#SYS_GID_MAX 999 - -# -# Max number of login retries if password is bad. This will most likely be -# overriden by PAM, since the default pam_unix module has it's own built -# in of 3 retries. However, this is a safe fallback in case you are using -# an authentication module that does not enforce PAM_MAXTRIES. -# -LOGIN_RETRIES 5 - -# -# Max time in seconds for login -# -LOGIN_TIMEOUT 60 - -# -# Which fields may be changed by regular users using chfn - use -# any combination of letters "frwh" (full name, room number, work -# phone, home phone). If not defined, no changes are allowed. -# For backward compatibility, "yes" = "rwh" and "no" = "frwh". -# -CHFN_RESTRICT rwh - -# -# Should login be allowed if we can't cd to the home directory? -# Default in no. -# -DEFAULT_HOME yes - -# -# If defined, this command is run when removing a user. -# It should remove any at/cron/print jobs etc. owned by -# the user to be removed (passed as the first argument). -# -#USERDEL_CMD /usr/sbin/userdel_local - -# -# If set to yes, userdel will remove the user's group if it contains no -# more members, and useradd will create by default a group with the name -# of the user. -# -# Other former uses of this variable such as setting the umask when -# user==primary group are not used in PAM environments, such as Debian -# -USERGROUPS_ENAB yes - -# -# Instead of the real user shell, the program specified by this parameter -# will be launched, although its visible name (argv[0]) will be the shell's. -# The program may do whatever it wants (logging, additional authentification, -# banner, ...) before running the actual shell. -# -# FAKE_SHELL /bin/fakeshell - -# -# If defined, either full pathname of a file containing device names or -# a ":" delimited list of device names. Root logins will be allowed only -# upon these devices. -# -# This variable is used by login and su. -# -#CONSOLE /etc/consoles -#CONSOLE console:tty01:tty02:tty03:tty04 - -# -# List of groups to add to the user's supplementary group set -# when logging in on the console (as determined by the CONSOLE -# setting). Default is none. -# -# Use with caution - it is possible for users to gain permanent -# access to these groups, even when not logged in on the console. -# How to do it is left as an exercise for the reader... -# -# This variable is used by login and su. -# -#CONSOLE_GROUPS floppy:audio:cdrom - -# -# If set to "yes", new passwords will be encrypted using the MD5-based -# algorithm compatible with the one used by recent releases of FreeBSD. -# It supports passwords of unlimited length and longer salt strings. -# Set to "no" if you need to copy encrypted passwords to other systems -# which don't understand the new algorithm. Default is "no". -# -# This variable is deprecated. You should use ENCRYPT_METHOD. -# -#MD5_CRYPT_ENAB no - -# -# If set to MD5 , MD5-based algorithm will be used for encrypting password -# If set to SHA256, SHA256-based algorithm will be used for encrypting password -# If set to SHA512, SHA512-based algorithm will be used for encrypting password -# If set to DES, DES-based algorithm will be used for encrypting password (default) -# Overrides the MD5_CRYPT_ENAB option -# -# Note: It is recommended to use a value consistent with -# the PAM modules configuration. -# -ENCRYPT_METHOD SHA512 - -# -# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512. -# -# Define the number of SHA rounds. -# With a lot of rounds, it is more difficult to brute forcing the password. -# But note also that it more CPU resources will be needed to authenticate -# users. -# -# If not specified, the libc will choose the default number of rounds (5000). -# The values must be inside the 1000-999999999 range. -# If only one of the MIN or MAX values is set, then this value will be used. -# If MIN > MAX, the highest value will be used. -# -# SHA_CRYPT_MIN_ROUNDS 5000 -# SHA_CRYPT_MAX_ROUNDS 5000 - -################# OBSOLETED BY PAM ############## -# # -# These options are now handled by PAM. Please # -# edit the appropriate file in /etc/pam.d/ to # -# enable the equivelants of them. -# -############### - -#MOTD_FILE -#DIALUPS_CHECK_ENAB -#LASTLOG_ENAB -#MAIL_CHECK_ENAB -#OBSCURE_CHECKS_ENAB -#PORTTIME_CHECKS_ENAB -#SU_WHEEL_ONLY -#CRACKLIB_DICTPATH -#PASS_CHANGE_TRIES -#PASS_ALWAYS_WARN -#ENVIRON_FILE -#NOLOGINS_FILE -#ISSUE_FILE -#PASS_MIN_LEN -#PASS_MAX_LEN -#ULIMIT -#ENV_HZ -#CHFN_AUTH -#CHSH_AUTH -#FAIL_DELAY - -################# OBSOLETED ####################### -# # -# These options are no more handled by shadow. # -# # -# Shadow utilities will display a warning if they # -# still appear. # -# # -################################################### - -# CLOSE_SESSIONS -# LOGIN_STRING -# NO_PASSWORD_CONSOLE -# QMAIL_DIR - - - diff --git a/src/sonic-host-services/tests/hostcfgd/sample_output/PASSWORD_HARDENING_enable_feature/common-password b/src/sonic-host-services/tests/hostcfgd/sample_output/PASSWORD_HARDENING_enable_feature/common-password index 099e46336f22..cf8d40b15c75 100644 --- a/src/sonic-host-services/tests/hostcfgd/sample_output/PASSWORD_HARDENING_enable_feature/common-password +++ b/src/sonic-host-services/tests/hostcfgd/sample_output/PASSWORD_HARDENING_enable_feature/common-password @@ -24,16 +24,16 @@ # here are the per-package modules (the "Primary" block) -password requisite pam_cracklib.so retry=3 maxrepeat=0 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 reject_username enforce_for_root +password requisite pam_cracklib.so retry=3 maxrepeat=0 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 reject_username enforce_for_root password required pam_pwhistory.so remember=10 use_authtok -password [success=1 default=ignore] pam_unix.so obscure yescrypt +password [success=1 default=ignore] pam_unix.so obscure yescrypt # here's the fallback if no module succeeds -password requisite pam_deny.so +password requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around -password required pam_permit.so +password required pam_permit.so # and here are more per-package modules (the "Additional" block) # end of pam-auth-update config \ No newline at end of file diff --git a/src/sonic-host-services/tests/hostcfgd/test_passwh_vectors.py b/src/sonic-host-services/tests/hostcfgd/test_passwh_vectors.py index c95183b6ddfc..4b7a20e9f053 100644 --- a/src/sonic-host-services/tests/hostcfgd/test_passwh_vectors.py +++ b/src/sonic-host-services/tests/hostcfgd/test_passwh_vectors.py @@ -13,12 +13,12 @@ "state": "disabled", "expiration": "180", "expiration_warning": "15", - "history_ctr": "10", + "history_cnt": "10", "len_min": "8", "reject_user_passw_match": "True", "lower_class": "True", "upper_class": "True", - "digit_class": "True", + "digits_class": "True", "special_class": "True" } }, @@ -52,12 +52,12 @@ "state": "enabled", "expiration": "180", "expiration_warning": "15", - "history_ctr": "10", + "history_cnt": "10", "len_min": "8", "reject_user_passw_match": "True", "lower_class": "True", "upper_class": "True", - "digit_class": "True", + "digits_class": "True", "special_class": "True" } }, @@ -85,18 +85,18 @@ } } }, - "enable_digit_class":{ + "enable_digits_class":{ "PASSW_HARDENING": { "POLICIES":{ "state": "enabled", "expiration": "0", "expiration_warning": "0", - "history_ctr": "0", + "history_cnt": "0", "len_min": "8", "reject_user_passw_match": "False", "lower_class": "False", "upper_class": "False", - "digit_class": "True", + "digits_class": "True", "special_class": "False" } }, @@ -130,12 +130,12 @@ "state": "enabled", "expiration": "0", "expiration_warning": "0", - "history_ctr": "0", + "history_cnt": "0", "len_min": "8", "reject_user_passw_match": "False", "lower_class": "True", "upper_class": "False", - "digit_class": "False", + "digits_class": "False", "special_class": "False" } }, @@ -169,12 +169,12 @@ "state": "enabled", "expiration": "0", "expiration_warning": "0", - "history_ctr": "0", + "history_cnt": "0", "len_min": "8", "reject_user_passw_match": "False", "lower_class": "False", "upper_class": "True", - "digit_class": "False", + "digits_class": "False", "special_class": "False" } }, @@ -208,12 +208,12 @@ "state": "enabled", "expiration": "0", "expiration_warning": "0", - "history_ctr": "0", + "history_cnt": "0", "len_min": "8", "reject_user_passw_match": "False", "lower_class": "False", "upper_class": "False", - "digit_class": "False", + "digits_class": "False", "special_class": "True" } },