Add support for Password Hardening #10323
This pull request introduces 1 alert when merging eff356a into f8e1104 - view on LGTM.com new alerts:
This pull request introduces 1 alert when merging 5ab7c2b into 147d631 - view on LGTM.com new alerts:
This pull request introduces 1 alert when merging a4d452b into cc938e7 - view on LGTM.com new alerts:
This pull request introduces 1 alert when merging 93072bd into cc938e7 - view on LGTM.com new alerts:
@davidpil2002 Can you please fix the LGTM alert?
/azpw run Azure.sonic-buildimage
/AzurePipelines run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
done
/azpw run Azure.sonic-buildimage
/AzurePipelines run Azure.sonic-buildimage
…e/sonic-buildimage/pull/10323/files about verification when reading files and add exception
@@ -266,6 +266,10 @@ fi | |||
sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/sonic-device-data_*.deb || \ | |||
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f | |||
|
|||
# Install cracklib (and its dependencies via 'apt-get -y install -f') | |||
sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/libpam-cracklib_*.deb || \ |
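Review bot: the added install block at the bottom of the hunk pulls libpam-cracklib in as a loose `.deb` from `$debs_path` and installs it with `dpkg`, which sidesteps the apt repository the rest of the image is built from: repository signature verification, version pinning and later `apt-get upgrade` all see a package that apt did not install. Since libpam-cracklib is available in bullseye, install it inside the chroot with apt-get instead, using the same `sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install ...` form the preceding lines already use, and let a failed install abort the build rather than relying on an `|| \` fallback to `apt-get -y install -f` to patch it over. The comment "(and its dependencies via 'apt-get -y install -f')" should then be updated to match.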
Why not just apt-get? I do not understand this. The package is already in bullseye.
The package in bullseye is an older version than the version that I used.
I don't think the feature will be broken if we use an older version, but I think it is better to save it.
https://packages.debian.org/bullseye/libpam-cracklib
Can you double-check? I think it is the same version.
I double-checked; you are correct, I probably confused it with the buster version.
I pushed a commit that just does apt-get install instead of downloading and dpkg-installing the Debian package.
@lguohan
Can you approve the pull request now?
Signed-off-by: Guohan Lu <[email protected]>
…cts sonic-net#10972 Why I did it: Fix the "target directory not empty" issue when publishing artifacts. Some of the artifacts are published to $(Build.ArtifactStagingDirectory)/target/ before the source code is checked out.
Fix comment about cracklib pkg
/azpw run Azure.sonic-buildimage
/AzurePipelines run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
/azp run
You have several pipelines (over 10) configured to build pull requests in this repository. Specify which pipelines you would like to run by using the /azp run [pipelines] command. You can specify multiple pipelines using a comma-separated list.
/AzurePipelines run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
This feature will be runtime optional, this is acceptable according to offline sync, approved.
Why I did it
New security feature for enforcing strong passwords when logging in or changing the passwords of existing users on the switch.
How I did it
Mainly by using the Linux package named pam-cracklib, which supports the enforcement of user passwords; the daemon named hostcfgd will support adding/modifying password policies that enforce and strengthen the user passwords.
How to verify it
Manual verification:
1. Enable the feature, using the new sonic-cli command passw-hardening, or manually add the password hardening table as shown in the HLD by using the redis-cli command.
2. Change password policies manually as in step 1.
Notes: the password hardening CLI can be found in the sonic-utilities repo:
P.R: Add support for Password Hardening sonic-utilities#2121
code config path: config/plugins/sonic-passwh_yang.py
code show path: show/plugins/sonic-passwh_yang.py
3. Create a new user (using the adduser command) or modify an existing password by using the passwd command in the terminal. It will now request a strong password instead of the default Linux policies.
Automatic verification - unit tests:
This P.R. contains unit tests that cover:
1. test default init values of the feature in PAM files
2. test all the types of class policies supported by the feature in PAM files
3. test aging policy configuration in PAM files
Which release branch to backport (provide reason below if selected)
The code should be merged into master and should be released ~May.
Description for the changelog
Link to config_db schema for YANG module changes
Yang model can be found in #10322
HLD:
https://github.com/Azure/SONiC/blob/master/doc/passw_hardening/hld_password_hardening.md
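As an added example (not hostcfgd's code from this PR), the following Python module shows the shape of what the description above asks hostcfgd to do: turn one password-policy entry into the pam_cracklib.so and pam_unix.so lines for /etc/pam.d/common-password, rewrite the aging keys in login.defs, and mirror the resulting rules locally so a candidate password can be checked the way passwd will check it. The field names (state, len_min, expiration, expiration_warning, history_cnt, reject_user_passw_match and the *_class flags) are assumed to follow the PASSW_HARDENING table in the HLD, and every sample value is constructed.

```python
"""Render PAM and login.defs settings from a password-hardening policy.

Added stand-alone example; not hostcfgd's own code. Policy field names are
assumed to mirror the CONFIG_DB PASSW_HARDENING|POLICIES table from the HLD.
"""
import re

# Constructed sample policy entry (assumed field names).
SAMPLE_POLICY = {
    "state": "enabled",
    "len_min": "12",
    "expiration": "180",          # days until a password expires
    "expiration_warning": "15",   # days of warning before expiry
    "history_cnt": "10",          # previous hashes that may not be reused
    "reject_user_passw_match": "true",
    "lower_class": "true",
    "upper_class": "true",
    "digits_class": "true",
    "special_class": "false",
}

# Class flag -> (pam_cracklib credit option, predicate a character must satisfy).
CLASSES = {
    "lower_class": ("lcredit", str.islower),
    "upper_class": ("ucredit", str.isupper),
    "digits_class": ("dcredit", str.isdigit),
    "special_class": ("ocredit", lambda c: not c.isalnum()),
}


def render_cracklib_line(policy):
    """pam_cracklib.so line for /etc/pam.d/common-password, or None when the
    feature is disabled. A negative credit (-1) means "at least one character
    of this class is required"; 0 means the class is neither required nor
    credited, so minlen becomes a plain minimum length."""
    if policy.get("state") != "enabled":
        return None
    opts = ["retry=3", f"minlen={int(policy['len_min'])}"]
    for flag, (opt, _) in CLASSES.items():
        opts.append(f"{opt}={-1 if policy.get(flag) == 'true' else 0}")
    if policy.get("reject_user_passw_match") == "true":
        opts.append("reject_username")
    opts.append("enforce_for_root")  # otherwise root's passwd skips the checks
    return "password requisite pam_cracklib.so " + " ".join(opts)


def render_unix_line(policy):
    """pam_unix.so line that follows the cracklib line. remember=N keeps N old
    hashes in /etc/security/opasswd so they cannot be reused."""
    opts = ["obscure", "sha512"]
    if policy.get("state") == "enabled":
        # pam_cracklib already prompted for and vetted the new password, so
        # pam_unix must reuse it instead of prompting again.
        opts += ["use_authtok", "try_first_pass"]
        if int(policy.get("history_cnt", 0)) > 0:
            opts.append(f"remember={int(policy['history_cnt'])}")
    return "password [success=1 default=ignore] pam_unix.so " + " ".join(opts)


def apply_login_defs(text, policy):
    """Idempotently set the aging keys in a login.defs body: existing lines are
    rewritten in place, missing ones appended, and a disabled policy restores
    the shadow-utils defaults."""
    if policy.get("state") == "enabled":
        wanted = {"PASS_MAX_DAYS": policy["expiration"],
                  "PASS_WARN_AGE": policy["expiration_warning"]}
    else:
        wanted = {"PASS_MAX_DAYS": "99999", "PASS_WARN_AGE": "7"}
    lines, seen = text.splitlines(), set()
    for i, line in enumerate(lines):
        m = re.match(r"^\s*(PASS_MAX_DAYS|PASS_WARN_AGE)\b", line)
        if m:
            lines[i] = f"{m.group(1)}\t{wanted[m.group(1)]}"
            seen.add(m.group(1))
    lines += [f"{k}\t{v}" for k, v in wanted.items() if k not in seen]
    return "\n".join(lines) + "\n"


def check_password(candidate, username, policy):
    """Local mirror of the rules the rendered cracklib line enforces; returns
    the violated rule names (empty list when the password would pass)."""
    if policy.get("state") != "enabled":
        return []
    problems = []
    if len(candidate) < int(policy["len_min"]):
        problems.append("len_min")
    for flag, (_, test) in CLASSES.items():
        if policy.get(flag) == "true" and not any(test(c) for c in candidate):
            problems.append(flag)
    if policy.get("reject_user_passw_match") == "true":
        u, p = username.lower(), candidate.lower()
        if u in p or u[::-1] in p:  # cracklib checks straight and reversed
            problems.append("reject_user_passw_match")
    return problems
```

Two points worth keeping in mind when wiring this into a daemon: PASS_MAX_DAYS and PASS_WARN_AGE in login.defs only govern accounts created after the change, so aging for existing users has to be applied separately with chage; and enforce_for_root is what makes the policy apply when root changes a password, since pam_cracklib otherwise only warns root.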