usermngr: add UCI support for passwdqc parameters
This commit is contained in:
parent
d75d3bc3ed
commit
ffd8352d38
3 changed files with 85 additions and 20 deletions
@ -1,3 +1,17 @@
config security_policy 'security_policy'
option enabled '1'
option fail_delay '3'
option faillock_attempts '6'
option faillock_lockout_time '300'
config passwdqc 'passwdqc'
option enabled '1'
option min 'disabled,disabled,disabled,disabled,8'
option max '20'
option passphrase '0'
option retry '3'
option enforce 'everyone'
config users 'users'
option enabled '1'
option loglevel '3'
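Review bot: `option max '20'` in the passwdqc section deserves a comment explaining the ceiling, because in passwdqc `max` is the longest password the module will accept at all (its own default is 40), not a strength threshold, so this default refuses any password longer than 20 characters. Together with the script's own note that the `min` value of 8 behaves like 12 in practice, users are left with a 12–20 character window, which works against the longer passwords the policy presumably wants to encourage. If a downstream constraint such as a data-model field width requires 20, I would record it next to the option, e.g. `# max is the longest password passwdqc accepts; 20 matches <constraint>`; otherwise leaving it at passwdqc's default of 40 costs nothing.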
@ -54,33 +54,72 @@ update_auth() {
rm -f "$tmp_file"
touch "$tmp_file"
write_line "$tmp_file" "auth optional pam_faildelay.so delay=$faildelay_usec"
write_line "$tmp_file" "auth required pam_faillock.so preauth deny=$faillock_attempts even_deny_root unlock_time=$faillock_lockout_time"
if [ "$enabled" != "0" ]; then
write_line "$tmp_file" "auth optional pam_faildelay.so delay=$faildelay_usec"
write_line "$tmp_file" "auth required pam_faillock.so preauth deny=$faillock_attempts even_deny_root unlock_time=$faillock_lockout_time"
fi
write_line "$tmp_file" "auth sufficient pam_unix.so nullok_secure"
write_line "$tmp_file" "auth [default=die] pam_faillock.so authfail audit deny=$faillock_attempts even_deny_root unlock_time=$faillock_lockout_time"
write_line "$tmp_file" ""
if [ "$enabled" != "0" ]; then
write_line "$tmp_file" "auth [default=die] pam_faillock.so authfail audit deny=$faillock_attempts even_deny_root unlock_time=$faillock_lockout_time"
write_line "$tmp_file" ""
fi
write_line "$tmp_file" "auth requisite pam_deny.so"
write_line "$tmp_file" "auth required pam_permit.so"
compare_and_replace "$tmp_file" "$pam_file"
}
build_pam_passwdqc_line() {
local base="password requisite pam_passwdqc.so"
local k v line
for line in $(uci show users.passwdqc 2>/dev/null); do
case "$line" in
users.passwdqc=*) continue ;;
users.passwdqc.enabled=*) continue ;;
esac
k="${line%%=*}"
k="${k#users.passwdqc.}"
v="${line#*=}"
v="${v%\'}"
v="${v#\'}"
base="$base $k=$v"
done
echo "$base"
}
# NOTE:
# for some reason setting min 8 makes passwdqc accept minimum 12 letter password with this configuration
# if we set it to 12 then we need atleast 16 characters and so on
# passphrase = 0 means no space separated words
# passphrase = N means the number of words required for a passphrase or 0 to disable the support for user-chosen passphrases.
# rest can be figured out from passwdqc man page
update_password() {
# Write /etc/pam.d/common-password
local tmp_file pam_file
local tmp_file pam_file enabled line
tmp_file="/tmp/common-password"
pam_file="/etc/pam.d/common-password"
enabled=1
rm -f "$tmp_file"
touch "$tmp_file"
# for some reason setting to 8 makes passwdqc accept minimum 12 letter password with this configuration
# if we set it to 12 then we need atleast 16 characters and so on
# passphrase = 0 means no space separated words
# rest can be figured out from passwdqc man page
write_line "$tmp_file" "password requisite pam_passwdqc.so min=disabled,disabled,disabled,disabled,8 max=20 passphrase=0 retry=3 enforce=everyone"
# Check if section exists
if uci -q get users.passwdqc >/dev/null 2>&1; then
# if enabled is not present it is assumed to be 0
enabled=$(uci -q get users.passwdqc.enabled || echo "0")
if [ "$enabled" != "0" ]; then
line="$(build_pam_passwdqc_line)"
write_line "$tmp_file" "$line"
fi
fi
write_line "$tmp_file" "password [success=1 default=ignore] pam_unix.so obscure sha512"
write_line "$tmp_file" ""
write_line "$tmp_file" ""
write_line "$tmp_file" "password requisite pam_deny.so"
write_line "$tmp_file" "password required pam_permit.so"
@ -96,7 +135,10 @@ update_account() {
rm -f "$tmp_file"
touch "$tmp_file"
write_line "$tmp_file" "account required pam_faillock.so"
if [ "$enabled" != "0" ]; then
write_line "$tmp_file" "account required pam_faillock.so"
fi
write_line "$tmp_file" "account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so"
write_line "$tmp_file" ""
write_line "$tmp_file" "account requisite pam_deny.so"
@ -106,22 +148,19 @@ update_account() {
}
handle_security_policy() {
local enable faildelay faillock_lockout_time faillock_attempts faildelay_usec
local enabled faildelay faillock_lockout_time faillock_attempts faildelay_usec
# Read UCI values
enable="$(uci -q get users.security_policy.enable)"
enabled="$(uci -q get users.security_policy.enabled)"
faildelay="$(uci -q get users.security_policy.fail_delay)"
faillock_lockout_time="$(uci -q get users.security_policy.faillock_lockout_time)"
faillock_attempts="$(uci -q get users.security_policy.faillock_attempts)"
# if it is not enabled we do not touch the pam files
[ "$enable" = "1" ] || return
# if any .so files are missing, then we cannot setup security
if ! check_required_modules; then
return
fi
[ -n "$faildelay" ] || faildelay=3
[ -n "$faillock_attempts" ] || faillock_attempts=6
[ -n "$faillock_lockout_time" ] || faillock_lockout_time=300
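Review bot: build_pam_passwdqc_line copies every option of the users.passwdqc section straight onto the `pam_passwdqc.so` line, filtering out only `enabled`, and it word-splits the output of `uci show`, so a value containing whitespace (or a `list` entry) breaks into stray `k=v` fragments and any key pam_passwdqc does not recognise is written verbatim into common-password. As far as I recall pam_passwdqc treats an unknown parameter as a configuration error, and since the line is `requisite` that would make every password change fail instead of falling back to sensible defaults, which is a worse outcome than a rejected setting. I would read the parameters the module actually understands one by one with `uci -q get` and skip anything whose value is not a plain token, as sketched below; update_password can keep calling the function unchanged.
```shell
build_pam_passwdqc_line() {
	local base="password requisite pam_passwdqc.so"
	local k v

	# Only forward parameters pam_passwdqc knows; anything else in the UCI
	# section (typos, foreign options) must not reach the PAM line verbatim.
	for k in min max passphrase match similar random enforce retry; do
		v="$(uci -q get "users.passwdqc.$k")" || continue
		case "$v" in
			*[!A-Za-z0-9,_-]*) continue ;;	# whitespace/quotes would corrupt the line
		esac
		base="$base $k=$v"
	done

	echo "$base"
}
```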
@ -1,11 +1,23 @@
#!/bin/sh
# Create default security_policy section if missing
if ! uci -q get users.security_policy; then
uci -q set users.security_policy='security_policy'
uci -q set users.security_policy.enable='1'
uci -q set users.security_policy.enabled='1'
uci -q set users.security_policy.fail_delay='3'
uci -q set users.security_policy.faillock_attempts='6'
uci -q set users.security_policy.faillock_lockout_time='300'
fi
# Create default passwdqc section if missing
if ! uci -q get users.passwdqc; then
uci -q set users.passwdqc='passwdqc'
uci -q set users.passwdqc.enabled='1'
uci -q set users.passwdqc.min='disabled,disabled,disabled,disabled,8'
uci -q set users.passwdqc.max='20'
uci -q set users.passwdqc.passphrase='0'
uci -q set users.passwdqc.retry='3'
uci -q set users.passwdqc.enforce='everyone'
fi
exit 0
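Review bot: The rename of the option from `enable` to `enabled` is not migrated here: the script only populates `users.security_policy` when the section is absent, so a device whose /etc/config/users already holds `option enable '1'` from the previous build keeps the old key and never gains `enabled`. handle_security_policy now reads `users.security_policy.enabled` and returns unless it is `1`, so on such a device the faillock and fail-delay policy silently stops being written after the upgrade, with no log or error. Assuming /etc/config/users is preserved across sysupgrade like other config files, add a rename ahead of the existence check, e.g. `uci -q rename users.security_policy.enable=enabled`, which is a harmless no-op when the old key is not present.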