-
Notifications
You must be signed in to change notification settings - Fork 1.4k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add support for Password Hardening (#10323)
- Why I did it New security feature for enforcing strong passwords when login or changing passwords of existing users into the switch. - How I did it By using mainly Linux package named pam-cracklib that support the enforcement of user passwords, the daemon named hostcfgd, will support add/modify password policies that enforce and strengthen the user passwords. - How to verify it Manually Verification- 1. Enable the feature, using the new sonic-cli command passw-hardening or manually add the password hardening table like shown in HLD by using redis-cli command 2. Change password policies manually like in step 1. Notes: password hardening CLI can be found in sonic-utilities repo- P.R: Add support for Password Hardening sonic-utilities#2121 code config path: config/plugins/sonic-passwh_yang.py code show path: show/plugins/sonic-passwh_yang.py 3. Create a new user (using adduser command) or modify an existing password by using passwd command in the terminal. And it will now request a strong password instead of default linux policies. Automatic Verification - Unitest: This PR contained unitest that cover: 1. test default init values of the feature in PAM files 2. test all the types of classes policies supported by the feature in PAM files 3. test aging policy configuration in PAM files
- Loading branch information
1 parent
ab87fb8
commit f17d55d
Showing
12 changed files
with
2,155 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
#THIS IS AN AUTO-GENERATED FILE | ||
# | ||
# /etc/pam.d/common-password - password-related modules common to all services | ||
# | ||
# This file is included from other service-specific PAM config files, | ||
# and should contain a list of modules that define the services to be | ||
# used to change user passwords. The default is pam_unix. | ||
|
||
# Explanation of pam_unix options: | ||
# The "yescrypt" option enables | ||
#hashed passwords using the yescrypt algorithm, introduced in Debian | ||
#11. Without this option, the default is Unix crypt. Prior releases | ||
#used the option "sha512"; if a shadow password hash will be shared | ||
#between Debian 11 and older releases replace "yescrypt" with "sha512" | ||
#for compatibility . The "obscure" option replaces the old | ||
#`OBSCURE_CHECKS_ENAB' option in login.defs. See the pam_unix manpage | ||
#for other options. | ||
|
||
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. | ||
# To take advantage of this, it is recommended that you configure any | ||
# local modules either before or after the default block, and use | ||
# pam-auth-update to manage selection of other modules. See | ||
# pam-auth-update(8) for details. | ||
|
||
# here are the per-package modules (the "Primary" block) | ||
|
||
{% if passw_policies %} | ||
{% if passw_policies['state'] == 'enabled' %} | ||
password requisite pam_cracklib.so retry=3 maxrepeat=0 {% if passw_policies['len_min'] %}minlen={{passw_policies['len_min']}}{% endif %} {% if passw_policies['upper_class'] %}ucredit=-1{% else %}ucredit=0{% endif %} {% if passw_policies['lower_class'] %}lcredit=-1{% else %}lcredit=0{% endif %} {% if passw_policies['digits_class'] %}dcredit=-1{% else %}dcredit=0{% endif %} {% if passw_policies['special_class'] %}ocredit=-1{% else %}ocredit=0{% endif %} {% if passw_policies['reject_user_passw_match'] %}reject_username{% endif %} enforce_for_root | ||
|
||
password required pam_pwhistory.so {% if passw_policies['history_cnt'] %}remember={{passw_policies['history_cnt']}}{% endif %} use_authtok enforce_for_root | ||
{% endif %} | ||
{% endif %} | ||
|
||
password [success=1 default=ignore] pam_unix.so obscure yescrypt | ||
# here's the fallback if no module succeeds | ||
password requisite pam_deny.so | ||
# prime the stack with a positive return value if there isn't one already; | ||
# this avoids us returning an error just because nothing sets a success code | ||
# since the modules above will each just jump around | ||
password required pam_permit.so | ||
# and here are more per-package modules (the "Additional" block) | ||
# end of pam-auth-update config |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.