Re: [isar-cip-core] postinst:Added lines to verify Local and Remote Multi-factor Authentication

Re: [isar-cip-core] postinst:Added lines to verify Local and Remote Multi-factor Authentication

[Jan Kiszka]

On 30.06.22 13:26, Shreyas.Karmahe@toshiba-tsip.com wrote:
> From: Shreyas Karmahe <Shreyas.Karmahe@toshiba-tsip.com>
> 
> To enable and configure PAM for Remote and Local MFA Session Verification
> 
> Signed-off-by: Shreyas Karmahe <Shreyas.Karmahe@toshiba-tsip.com>
> ---
>  .../security-customizations/files/postinst        | 15 ++++++++++++++-
>  1 file changed, 14 insertions(+), 1 deletion(-)
> 
> diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst
> index bb7d15b..843ce3c 100644
> --- a/recipes-core/security-customizations/files/postinst
> +++ b/recipes-core/security-customizations/files/postinst
> @@ -15,7 +15,8 @@ echo "127.0.0.1 $HOSTNAME" >> /etc/hosts
>  PAM_PWD_FILE="/etc/pam.d/common-password"
>  pam_cracklib_config="password  requisite    pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1  difok=3 gecoscheck=1 reject_username  enforce_for_root"
>  if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then
> -        sed -i '/pam_cracklib.so/ s/^#*/#/'  "${PAM_PWD_FILE}"
> +        
> +sed -i '/pam_cracklib.so/ s/^#*/#/'  "${PAM_PWD_FILE}"
>  fi
>  sed -i "0,/^password.*/s/^password.*/${pam_cracklib_config}\n&/" "${PAM_PWD_FILE}"
>  
> @@ -49,3 +50,15 @@ sed -i 's/admin_space_left_action = .*/admin_space_left_action = SYSLOG/' $AUDIT
>  
>  # CR2.10: Response to audit processing failures
>  sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/' $AUDIT_CONF_FILE
> +
> +# CR2.11: Enable Mutli Factor Authentication for Local and Remote Session
> +SSHD_AUTH_CONFIG="/etc/pam.d/common-auth"
> +google_authenticator="auth required pam_google_authenticator.so nullok"
> +if grep -c "pam_google_authenticator.so" "${SSHD_AUTH_CONFIG}";then
> +		sed -i '/pam_google_authenticator.so/ s/^#*/#/'  "${SSHD_AUTH_CONFIG}"
> +fi
> +#sed -i "0,/^auth.*/s/^auth.*/${google_authenticator}\n&/" "${SSHD_AUTH_CONFIG}"

Dead code? Or forgotten to activate?

> +echo "auth required pam_google_authenticator.so nullok" | tee -a "${SSHD_AUTH_CONFIG}"
> +# Enable PAM configuration for Remote Session
> +sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' "${SSHD_CONFIG}"
> +echo "AuthenticationMethods keyboard-interactive" | tee -a "${SSHD_CONFIG}"

Jan

-- 
Siemens AG, Technology
Competence Center Embedded Linux

Re: [isar-cip-core] postinst:Added lines to verify Local and Remote Multi-factor Authentication

[Jan Kiszka]

On 01.07.22 13:32, Jan Kiszka wrote:
> On 30.06.22 13:26, Shreyas.Karmahe@toshiba-tsip.com wrote:
>> From: Shreyas Karmahe <Shreyas.Karmahe@toshiba-tsip.com>
>>
>> To enable and configure PAM for Remote and Local MFA Session Verification
>>
>> Signed-off-by: Shreyas Karmahe <Shreyas.Karmahe@toshiba-tsip.com>
>> ---
>>  .../security-customizations/files/postinst        | 15 ++++++++++++++-
>>  1 file changed, 14 insertions(+), 1 deletion(-)
>>
>> diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst
>> index bb7d15b..843ce3c 100644
>> --- a/recipes-core/security-customizations/files/postinst
>> +++ b/recipes-core/security-customizations/files/postinst
>> @@ -15,7 +15,8 @@ echo "127.0.0.1 $HOSTNAME" >> /etc/hosts
>>  PAM_PWD_FILE="/etc/pam.d/common-password"
>>  pam_cracklib_config="password  requisite    pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1  difok=3 gecoscheck=1 reject_username  enforce_for_root"
>>  if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then
>> -        sed -i '/pam_cracklib.so/ s/^#*/#/'  "${PAM_PWD_FILE}"
>> +        
>> +sed -i '/pam_cracklib.so/ s/^#*/#/'  "${PAM_PWD_FILE}"

And an accidental change here?

>>  fi
>>  sed -i "0,/^password.*/s/^password.*/${pam_cracklib_config}\n&/" "${PAM_PWD_FILE}"
>>  
>> @@ -49,3 +50,15 @@ sed -i 's/admin_space_left_action = .*/admin_space_left_action = SYSLOG/' $AUDIT
>>  
>>  # CR2.10: Response to audit processing failures
>>  sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/' $AUDIT_CONF_FILE
>> +
>> +# CR2.11: Enable Mutli Factor Authentication for Local and Remote Session
>> +SSHD_AUTH_CONFIG="/etc/pam.d/common-auth"
>> +google_authenticator="auth required pam_google_authenticator.so nullok"
>> +if grep -c "pam_google_authenticator.so" "${SSHD_AUTH_CONFIG}";then
>> +		sed -i '/pam_google_authenticator.so/ s/^#*/#/'  "${SSHD_AUTH_CONFIG}"
>> +fi
>> +#sed -i "0,/^auth.*/s/^auth.*/${google_authenticator}\n&/" "${SSHD_AUTH_CONFIG}"
> 
> Dead code? Or forgotten to activate?
> 
>> +echo "auth required pam_google_authenticator.so nullok" | tee -a "${SSHD_AUTH_CONFIG}"
>> +# Enable PAM configuration for Remote Session
>> +sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' "${SSHD_CONFIG}"
>> +echo "AuthenticationMethods keyboard-interactive" | tee -a "${SSHD_CONFIG}"
> 

Jan

-- 
Siemens AG, Technology
Competence Center Embedded Linux

Re: [isar-cip-core] postinst:Added lines to verify Local and Remote Multi-factor Authentication

[Shreyas.Karmahe]

Hi Jan,

I have resend the patch again by removing the commented line from postinst file from security-customizations.
The commenting line is dead code only and used for debugging purpose.
Kindly review the following resend patch 

v2-0001-security-customizations-postinst-Add-configuratio.patch

Kind Regards, 
Shreyas
-----Original Message-----
From: Jan Kiszka <jan.kiszka@siemens.com> 
Sent: Friday, July 1, 2022 5:04 PM
To: karmahe shreyas(ＴＳＩＰ) <Shreyas.Karmahe@toshiba-tsip.com>; yes@arc11.toshiba.co.jp; cip-dev@lists.cip-project.org
Cc: dinesh kumar(ＴＳＩＰ) <dinesh.kumar@toshiba-tsip.com>; pyla venkata(ＴＳＩＰ TMIEC ODG Porting) <Venkata.Pyla@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 □ＳＷＣ◯ＡＣＴ) <kazuhiro3.hayashi@toshiba.co.jp>
Subject: Re: [isar-cip-core] postinst:Added lines to verify Local and Remote Multi-factor Authentication

On 01.07.22 13:32, Jan Kiszka wrote:
> On 30.06.22 13:26, Shreyas.Karmahe@toshiba-tsip.com wrote:
>> From: Shreyas Karmahe <Shreyas.Karmahe@toshiba-tsip.com>
>>
>> To enable and configure PAM for Remote and Local MFA Session 
>> Verification
>>
>> Signed-off-by: Shreyas Karmahe <Shreyas.Karmahe@toshiba-tsip.com>
>> ---
>>  .../security-customizations/files/postinst        | 15 ++++++++++++++-
>>  1 file changed, 14 insertions(+), 1 deletion(-)
>>
>> diff --git a/recipes-core/security-customizations/files/postinst 
>> b/recipes-core/security-customizations/files/postinst
>> index bb7d15b..843ce3c 100644
>> --- a/recipes-core/security-customizations/files/postinst
>> +++ b/recipes-core/security-customizations/files/postinst
>> @@ -15,7 +15,8 @@ echo "127.0.0.1 $HOSTNAME" >> /etc/hosts  
>> PAM_PWD_FILE="/etc/pam.d/common-password"
>>  pam_cracklib_config="password  requisite    pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1  difok=3 gecoscheck=1 reject_username  enforce_for_root"
>>  if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then
>> -        sed -i '/pam_cracklib.so/ s/^#*/#/'  "${PAM_PWD_FILE}"
>> +        
>> +sed -i '/pam_cracklib.so/ s/^#*/#/'  "${PAM_PWD_FILE}"

And an accidental change here?

>>  fi
>>  sed -i "0,/^password.*/s/^password.*/${pam_cracklib_config}\n&/" "${PAM_PWD_FILE}"
>>  
>> @@ -49,3 +50,15 @@ sed -i 's/admin_space_left_action = 
>> .*/admin_space_left_action = SYSLOG/' $AUDIT
>>  
>>  # CR2.10: Response to audit processing failures  sed -i 
>> 's/disk_error_action = .*/disk_error_action = SYSLOG/' 
>> $AUDIT_CONF_FILE
>> +
>> +# CR2.11: Enable Mutli Factor Authentication for Local and Remote 
>> +Session SSHD_AUTH_CONFIG="/etc/pam.d/common-auth"
>> +google_authenticator="auth required pam_google_authenticator.so nullok"
>> +if grep -c "pam_google_authenticator.so" "${SSHD_AUTH_CONFIG}";then
>> +		sed -i '/pam_google_authenticator.so/ s/^#*/#/'  "${SSHD_AUTH_CONFIG}"
>> +fi
>> +#sed -i "0,/^auth.*/s/^auth.*/${google_authenticator}\n&/" "${SSHD_AUTH_CONFIG}"
> 
> Dead code? Or forgotten to activate?
> 
>> +echo "auth required pam_google_authenticator.so nullok" | tee -a "${SSHD_AUTH_CONFIG}"
>> +# Enable PAM configuration for Remote Session sed -i 
>> +'s/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' "${SSHD_CONFIG}"
>> +echo "AuthenticationMethods keyboard-interactive" | tee -a "${SSHD_CONFIG}"
> 

Jan

--
Siemens AG, Technology
Competence Center Embedded Linux

Re: [isar-cip-core] postinst:Added lines to verify Local and Remote Multi-factor Authentication

[Jan Kiszka]

On 04.07.22 18:51, Shreyas.Karmahe@toshiba-tsip.com wrote:
> Hi Jan,
> 
> I have resend the patch again by removing the commented line from postinst file from security-customizations.
> The commenting line is dead code only and used for debugging purpose.
> Kindly review the following resend patch 
> 
> v2-0001-security-customizations-postinst-Add-configuratio.patch

Please read both of my replies and address the other one as well.

Thanks,
Jan

> 
> Kind Regards, 
> Shreyas
> -----Original Message-----
> From: Jan Kiszka <jan.kiszka@siemens.com> 
> Sent: Friday, July 1, 2022 5:04 PM
> To: karmahe shreyas(ＴＳＩＰ) <Shreyas.Karmahe@toshiba-tsip.com>; yes@arc11.toshiba.co.jp; cip-dev@lists.cip-project.org
> Cc: dinesh kumar(ＴＳＩＰ) <dinesh.kumar@toshiba-tsip.com>; pyla venkata(ＴＳＩＰ TMIEC ODG Porting) <Venkata.Pyla@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 □ＳＷＣ◯ＡＣＴ) <kazuhiro3.hayashi@toshiba.co.jp>
> Subject: Re: [isar-cip-core] postinst:Added lines to verify Local and Remote Multi-factor Authentication
> 
> On 01.07.22 13:32, Jan Kiszka wrote:
>> On 30.06.22 13:26, Shreyas.Karmahe@toshiba-tsip.com wrote:
>>> From: Shreyas Karmahe <Shreyas.Karmahe@toshiba-tsip.com>
>>>
>>> To enable and configure PAM for Remote and Local MFA Session 
>>> Verification
>>>
>>> Signed-off-by: Shreyas Karmahe <Shreyas.Karmahe@toshiba-tsip.com>
>>> ---
>>>  .../security-customizations/files/postinst        | 15 ++++++++++++++-
>>>  1 file changed, 14 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/recipes-core/security-customizations/files/postinst 
>>> b/recipes-core/security-customizations/files/postinst
>>> index bb7d15b..843ce3c 100644
>>> --- a/recipes-core/security-customizations/files/postinst
>>> +++ b/recipes-core/security-customizations/files/postinst
>>> @@ -15,7 +15,8 @@ echo "127.0.0.1 $HOSTNAME" >> /etc/hosts  
>>> PAM_PWD_FILE="/etc/pam.d/common-password"
>>>  pam_cracklib_config="password  requisite    pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1  difok=3 gecoscheck=1 reject_username  enforce_for_root"
>>>  if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then
>>> -        sed -i '/pam_cracklib.so/ s/^#*/#/'  "${PAM_PWD_FILE}"
>>> +        
>>> +sed -i '/pam_cracklib.so/ s/^#*/#/'  "${PAM_PWD_FILE}"
> 
> And an accidental change here?
> 
>>>  fi
>>>  sed -i "0,/^password.*/s/^password.*/${pam_cracklib_config}\n&/" "${PAM_PWD_FILE}"
>>>  
>>> @@ -49,3 +50,15 @@ sed -i 's/admin_space_left_action = 
>>> .*/admin_space_left_action = SYSLOG/' $AUDIT
>>>  
>>>  # CR2.10: Response to audit processing failures  sed -i 
>>> 's/disk_error_action = .*/disk_error_action = SYSLOG/' 
>>> $AUDIT_CONF_FILE
>>> +
>>> +# CR2.11: Enable Mutli Factor Authentication for Local and Remote 
>>> +Session SSHD_AUTH_CONFIG="/etc/pam.d/common-auth"
>>> +google_authenticator="auth required pam_google_authenticator.so nullok"
>>> +if grep -c "pam_google_authenticator.so" "${SSHD_AUTH_CONFIG}";then
>>> +		sed -i '/pam_google_authenticator.so/ s/^#*/#/'  "${SSHD_AUTH_CONFIG}"
>>> +fi
>>> +#sed -i "0,/^auth.*/s/^auth.*/${google_authenticator}\n&/" "${SSHD_AUTH_CONFIG}"
>>
>> Dead code? Or forgotten to activate?
>>
>>> +echo "auth required pam_google_authenticator.so nullok" | tee -a "${SSHD_AUTH_CONFIG}"
>>> +# Enable PAM configuration for Remote Session sed -i 
>>> +'s/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' "${SSHD_CONFIG}"
>>> +echo "AuthenticationMethods keyboard-interactive" | tee -a "${SSHD_CONFIG}"
>>
> 
> Jan
> 
> --
> Siemens AG, Technology
> Competence Center Embedded Linux


-- 
Siemens AG, Technology
Competence Center Embedded Linux

Re: [isar-cip-core] postinst:Added lines to verify Local and Remote Multi-factor Authentication

[Shreyas.Karmahe]

Hi Jan,

I have created new patch that has only contain configuration for libpam-google-authenticator for Multi-Factor Authentication and kept it for review.
My apology as last time I missed out one of your comment and these patch has addressed all unnecessarily spaces and lines that included it last time.
Please review and let me know your comments

Kind Regards,
Shreyas

-----Original Message-----
From: Jan Kiszka <jan.kiszka@siemens.com> 
Sent: Tuesday, July 5, 2022 3:33 PM
To: karmahe shreyas(ＴＳＩＰ TMIEC ODG Porting) <Shreyas.Karmahe@toshiba-tsip.com>; yes@arc11.toshiba.co.jp; cip-dev@lists.cip-project.org
Cc: dinesh kumar(ＴＳＩＰ) <dinesh.kumar@toshiba-tsip.com>; pyla venkata(ＴＳＩＰ TMIEC ODG Porting) <Venkata.Pyla@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 □ＳＷＣ◯ＡＣＴ) <kazuhiro3.hayashi@toshiba.co.jp>
Subject: Re: [isar-cip-core] postinst:Added lines to verify Local and Remote Multi-factor Authentication

On 04.07.22 18:51, Shreyas.Karmahe@toshiba-tsip.com wrote:
> Hi Jan,
> 
> I have resend the patch again by removing the commented line from postinst file from security-customizations.
> The commenting line is dead code only and used for debugging purpose.
> Kindly review the following resend patch
> 
> v2-0001-security-customizations-postinst-Add-configuratio.patch

Please read both of my replies and address the other one as well.

Thanks,
Jan

> 
> Kind Regards,
> Shreyas
> -----Original Message-----
> From: Jan Kiszka <jan.kiszka@siemens.com>
> Sent: Friday, July 1, 2022 5:04 PM
> To: karmahe shreyas(ＴＳＩＰ) <Shreyas.Karmahe@toshiba-tsip.com>; 
> yes@arc11.toshiba.co.jp; cip-dev@lists.cip-project.org
> Cc: dinesh kumar(ＴＳＩＰ) <dinesh.kumar@toshiba-tsip.com>; pyla 
> venkata(ＴＳＩＰ TMIEC ODG Porting) <Venkata.Pyla@toshiba-tsip.com>; 
> hayashi kazuhiro(林 和宏 □ＳＷＣ◯ＡＣＴ) <kazuhiro3.hayashi@toshiba.co.jp>
> Subject: Re: [isar-cip-core] postinst:Added lines to verify Local and 
> Remote Multi-factor Authentication
> 
> On 01.07.22 13:32, Jan Kiszka wrote:
>> On 30.06.22 13:26, Shreyas.Karmahe@toshiba-tsip.com wrote:
>>> From: Shreyas Karmahe <Shreyas.Karmahe@toshiba-tsip.com>
>>>
>>> To enable and configure PAM for Remote and Local MFA Session 
>>> Verification
>>>
>>> Signed-off-by: Shreyas Karmahe <Shreyas.Karmahe@toshiba-tsip.com>
>>> ---
>>>  .../security-customizations/files/postinst        | 15 ++++++++++++++-
>>>  1 file changed, 14 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/recipes-core/security-customizations/files/postinst
>>> b/recipes-core/security-customizations/files/postinst
>>> index bb7d15b..843ce3c 100644
>>> --- a/recipes-core/security-customizations/files/postinst
>>> +++ b/recipes-core/security-customizations/files/postinst
>>> @@ -15,7 +15,8 @@ echo "127.0.0.1 $HOSTNAME" >> /etc/hosts 
>>> PAM_PWD_FILE="/etc/pam.d/common-password"
>>>  pam_cracklib_config="password  requisite    pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1  difok=3 gecoscheck=1 reject_username  enforce_for_root"
>>>  if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then
>>> -        sed -i '/pam_cracklib.so/ s/^#*/#/'  "${PAM_PWD_FILE}"
>>> +        
>>> +sed -i '/pam_cracklib.so/ s/^#*/#/'  "${PAM_PWD_FILE}"
> 
> And an accidental change here?
> 
>>>  fi
>>>  sed -i "0,/^password.*/s/^password.*/${pam_cracklib_config}\n&/" "${PAM_PWD_FILE}"
>>>  
>>> @@ -49,3 +50,15 @@ sed -i 's/admin_space_left_action = 
>>> .*/admin_space_left_action = SYSLOG/' $AUDIT
>>>  
>>>  # CR2.10: Response to audit processing failures  sed -i 
>>> 's/disk_error_action = .*/disk_error_action = SYSLOG/'
>>> $AUDIT_CONF_FILE
>>> +
>>> +# CR2.11: Enable Mutli Factor Authentication for Local and Remote 
>>> +Session SSHD_AUTH_CONFIG="/etc/pam.d/common-auth"
>>> +google_authenticator="auth required pam_google_authenticator.so nullok"
>>> +if grep -c "pam_google_authenticator.so" "${SSHD_AUTH_CONFIG}";then
>>> +		sed -i '/pam_google_authenticator.so/ s/^#*/#/'  "${SSHD_AUTH_CONFIG}"
>>> +fi
>>> +#sed -i "0,/^auth.*/s/^auth.*/${google_authenticator}\n&/" "${SSHD_AUTH_CONFIG}"
>>
>> Dead code? Or forgotten to activate?
>>
>>> +echo "auth required pam_google_authenticator.so nullok" | tee -a "${SSHD_AUTH_CONFIG}"
>>> +# Enable PAM configuration for Remote Session sed -i 
>>> +'s/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' "${SSHD_CONFIG}"
>>> +echo "AuthenticationMethods keyboard-interactive" | tee -a "${SSHD_CONFIG}"
>>
> 
> Jan
> 
> --
> Siemens AG, Technology
> Competence Center Embedded Linux


--
Siemens AG, Technology
Competence Center Embedded Linux