* Re: [isar-cip-core] postinst:Added lines to verify Local and Remote Multi-factor Authentication [not found] ` <20220630112644.3682066-1-Shreyas.Karmahe@toshiba-tsip.com> @ 2022-07-01 11:32 ` Jan Kiszka 2022-07-01 11:33 ` Jan Kiszka 0 siblings, 1 reply; 5+ messages in thread From: Jan Kiszka @ 2022-07-01 11:32 UTC (permalink / raw) To: Shreyas.Karmahe, yes, cip-dev Cc: dinesh.kumar, venkata.pyla, kazuhiro3.hayashi On 30.06.22 13:26, Shreyas.Karmahe@toshiba-tsip.com wrote: > From: Shreyas Karmahe <Shreyas.Karmahe@toshiba-tsip.com> > > To enable and configure PAM for Remote and Local MFA Session Verification > > Signed-off-by: Shreyas Karmahe <Shreyas.Karmahe@toshiba-tsip.com> > --- > .../security-customizations/files/postinst | 15 ++++++++++++++- > 1 file changed, 14 insertions(+), 1 deletion(-) > > diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst > index bb7d15b..843ce3c 100644 > --- a/recipes-core/security-customizations/files/postinst > +++ b/recipes-core/security-customizations/files/postinst > @@ -15,7 +15,8 @@ echo "127.0.0.1 $HOSTNAME" >> /etc/hosts > PAM_PWD_FILE="/etc/pam.d/common-password" > pam_cracklib_config="password requisite pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root" > if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then > - sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}" > + > +sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}" > fi > sed -i "0,/^password.*/s/^password.*/${pam_cracklib_config}\n&/" "${PAM_PWD_FILE}" 
> > @@ -49,3 +50,15 @@ sed -i 's/admin_space_left_action = .*/admin_space_left_action = SYSLOG/' $AUDIT > > # CR2.10: Response to audit processing failures > sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/' $AUDIT_CONF_FILE > + > +# CR2.11: Enable Mutli Factor Authentication for Local and Remote Session > +SSHD_AUTH_CONFIG="/etc/pam.d/common-auth" > +google_authenticator="auth required pam_google_authenticator.so nullok" > +if grep -c "pam_google_authenticator.so" "${SSHD_AUTH_CONFIG}";then > + sed -i '/pam_google_authenticator.so/ s/^#*/#/' "${SSHD_AUTH_CONFIG}" > +fi > +#sed -i "0,/^auth.*/s/^auth.*/${google_authenticator}\n&/" "${SSHD_AUTH_CONFIG}" Dead code? Or forgotten to activate? > +echo "auth required pam_google_authenticator.so nullok" | tee -a "${SSHD_AUTH_CONFIG}" > +# Enable PAM configuration for Remote Session > +sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' "${SSHD_CONFIG}" > +echo "AuthenticationMethods keyboard-interactive" | tee -a "${SSHD_CONFIG}" Jan -- Siemens AG, Technology Competence Center Embedded Linux ^ permalink raw reply [flat|nested] 5+ messages in thread
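Review bot: In the first hunk (@@ -15,7 +15,8 @@) the sed line that comments out pam_cracklib.so loses its indentation inside the "if" and gains an empty line above it, with no functional change. This is unrelated to the MFA configuration and should be dropped, so the patch touches only the CR2.11 block. If the block is revisited separately, note that grep -c prints the match count to stdout on every postinst run; grep -q would test for the match silently.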
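Review bot: In the CR2.11 hunk, the appended line "auth required pam_google_authenticator.so nullok" carries nullok, which lets any account without an enrolled secret authenticate with no second factor. If CR2.11 is meant to enforce MFA, either drop nullok or document how enrolment is guaranteed before first login. The same line is appended unconditionally with echo | tee -a, so a second postinst run adds an active duplicate right after the grep/sed step has commented out the previous one, and the google_authenticator variable stays unused now that the sed insertion is commented out; inserting ${google_authenticator} once would keep the script idempotent. SSHD_CONFIG is not set anywhere in the visible lines, so confirm it is defined earlier in the file. Appending "AuthenticationMethods keyboard-interactive" to the end of sshd_config has no effect if an earlier AuthenticationMethods line exists, because sshd uses the first value it reads for a keyword, and it would fall inside a trailing Match block if the file ends with one.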
* Re: [isar-cip-core] postinst:Added lines to verify Local and Remote Multi-factor Authentication 2022-07-01 11:32 ` [isar-cip-core] postinst:Added lines to verify Local and Remote Multi-factor Authentication Jan Kiszka @ 2022-07-01 11:33 ` Jan Kiszka 2022-07-04 16:51 ` Shreyas.Karmahe 0 siblings, 1 reply; 5+ messages in thread From: Jan Kiszka @ 2022-07-01 11:33 UTC (permalink / raw) To: Shreyas.Karmahe, yes, cip-dev Cc: dinesh.kumar, venkata.pyla, kazuhiro3.hayashi On 01.07.22 13:32, Jan Kiszka wrote: > On 30.06.22 13:26, Shreyas.Karmahe@toshiba-tsip.com wrote: >> From: Shreyas Karmahe <Shreyas.Karmahe@toshiba-tsip.com> >> >> To enable and configure PAM for Remote and Local MFA Session Verification >> >> Signed-off-by: Shreyas Karmahe <Shreyas.Karmahe@toshiba-tsip.com> >> --- >> .../security-customizations/files/postinst | 15 ++++++++++++++- >> 1 file changed, 14 insertions(+), 1 deletion(-) >> >> diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst >> index bb7d15b..843ce3c 100644 >> --- a/recipes-core/security-customizations/files/postinst >> +++ b/recipes-core/security-customizations/files/postinst >> @@ -15,7 +15,8 @@ echo "127.0.0.1 $HOSTNAME" >> /etc/hosts >> PAM_PWD_FILE="/etc/pam.d/common-password" >> pam_cracklib_config="password requisite pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root" >> if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then >> - sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}" >> + >> +sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}" And an accidental change here? >> fi >> sed -i "0,/^password.*/s/^password.*/${pam_cracklib_config}\n&/" "${PAM_PWD_FILE}" 
>> >> @@ -49,3 +50,15 @@ sed -i 's/admin_space_left_action = .*/admin_space_left_action = SYSLOG/' $AUDIT >> >> # CR2.10: Response to audit processing failures >> sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/' $AUDIT_CONF_FILE >> + >> +# CR2.11: Enable Mutli Factor Authentication for Local and Remote Session >> +SSHD_AUTH_CONFIG="/etc/pam.d/common-auth" >> +google_authenticator="auth required pam_google_authenticator.so nullok" >> +if grep -c "pam_google_authenticator.so" "${SSHD_AUTH_CONFIG}";then >> + sed -i '/pam_google_authenticator.so/ s/^#*/#/' "${SSHD_AUTH_CONFIG}" >> +fi >> +#sed -i "0,/^auth.*/s/^auth.*/${google_authenticator}\n&/" "${SSHD_AUTH_CONFIG}" > > Dead code? Or forgotten to activate? > >> +echo "auth required pam_google_authenticator.so nullok" | tee -a "${SSHD_AUTH_CONFIG}" >> +# Enable PAM configuration for Remote Session >> +sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' "${SSHD_CONFIG}" >> +echo "AuthenticationMethods keyboard-interactive" | tee -a "${SSHD_CONFIG}" > Jan -- Siemens AG, Technology Competence Center Embedded Linux ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [isar-cip-core] postinst:Added lines to verify Local and Remote Multi-factor Authentication
From: Shreyas.Karmahe @ 2022-07-04 16:51 UTC
To: jan.kiszka, yes, cip-dev; +Cc: dinesh.kumar, Venkata.Pyla, kazuhiro3.hayashi

Hi Jan,

I have resent the patch after removing the commented line from the postinst file of security-customizations.
The commented line is dead code only and was used for debugging purposes.
Kindly review the following resent patch

v2-0001-security-customizations-postinst-Add-configuratio.patch

Kind Regards,
Shreyas

-----Original Message-----
From: Jan Kiszka <jan.kiszka@siemens.com>
Sent: Friday, July 1, 2022 5:04 PM
To: karmahe shreyas(TSIP) <Shreyas.Karmahe@toshiba-tsip.com>; yes@arc11.toshiba.co.jp; cip-dev@lists.cip-project.org
Cc: dinesh kumar(TSIP) <dinesh.kumar@toshiba-tsip.com>; pyla venkata(TSIP TMIEC ODG Porting) <Venkata.Pyla@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 □SWC◯ACT) <kazuhiro3.hayashi@toshiba.co.jp>
Subject: Re: [isar-cip-core] postinst:Added lines to verify Local and Remote Multi-factor Authentication

On 01.07.22 13:32, Jan Kiszka wrote:
> On 30.06.22 13:26, Shreyas.Karmahe@toshiba-tsip.com wrote:
>> From: Shreyas Karmahe <Shreyas.Karmahe@toshiba-tsip.com>
>>
>> To enable and configure PAM for Remote and Local MFA Session
>> Verification
>>
>> Signed-off-by: Shreyas Karmahe <Shreyas.Karmahe@toshiba-tsip.com>
>> --- >> .../security-customizations/files/postinst | 15 ++++++++++++++- >> 1 file changed, 14 insertions(+), 1 deletion(-) >> >> diff --git a/recipes-core/security-customizations/files/postinst >> b/recipes-core/security-customizations/files/postinst >> index bb7d15b..843ce3c 100644 >> --- a/recipes-core/security-customizations/files/postinst >> +++ b/recipes-core/security-customizations/files/postinst 
>> @@ -15,7 +15,8 @@ echo "127.0.0.1 $HOSTNAME" >> /etc/hosts >> PAM_PWD_FILE="/etc/pam.d/common-password" >> pam_cracklib_config="password requisite pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root" >> if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then >> - sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}" >> + >> +sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}" And an accidental change here? >> fi >> sed -i "0,/^password.*/s/^password.*/${pam_cracklib_config}\n&/" "${PAM_PWD_FILE}" >> >> @@ -49,3 +50,15 @@ sed -i 's/admin_space_left_action = >> .*/admin_space_left_action = SYSLOG/' $AUDIT >> >> # CR2.10: Response to audit processing failures sed -i >> 's/disk_error_action = .*/disk_error_action = SYSLOG/' >> $AUDIT_CONF_FILE >> + >> +# CR2.11: Enable Mutli Factor Authentication for Local and Remote >> +Session SSHD_AUTH_CONFIG="/etc/pam.d/common-auth" >> +google_authenticator="auth required pam_google_authenticator.so nullok" >> +if grep -c "pam_google_authenticator.so" "${SSHD_AUTH_CONFIG}";then >> + sed -i '/pam_google_authenticator.so/ s/^#*/#/' "${SSHD_AUTH_CONFIG}" >> +fi >> +#sed -i "0,/^auth.*/s/^auth.*/${google_authenticator}\n&/" "${SSHD_AUTH_CONFIG}" > > Dead code? Or forgotten to activate? > >> +echo "auth required pam_google_authenticator.so nullok" | tee -a "${SSHD_AUTH_CONFIG}" >> +# Enable PAM configuration for Remote Session sed -i >> +'s/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' "${SSHD_CONFIG}" >> +echo "AuthenticationMethods keyboard-interactive" | tee -a "${SSHD_CONFIG}" > Jan -- Siemens AG, Technology Competence Center Embedded Linux ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [isar-cip-core] postinst:Added lines to verify Local and Remote Multi-factor Authentication
From: Jan Kiszka @ 2022-07-05 10:02 UTC
To: Shreyas.Karmahe, yes, cip-dev
Cc: dinesh.kumar, Venkata.Pyla, kazuhiro3.hayashi

On 04.07.22 18:51, Shreyas.Karmahe@toshiba-tsip.com wrote:
> Hi Jan,
>
> I have resent the patch after removing the commented line from the postinst file of security-customizations.
> The commented line is dead code only and was used for debugging purposes.
> Kindly review the following resent patch
>
> v2-0001-security-customizations-postinst-Add-configuratio.patch

Please read both of my replies and address the other one as well.

Thanks,
Jan

>
> Kind Regards,
> Shreyas
> -----Original Message-----
> From: Jan Kiszka <jan.kiszka@siemens.com>
> Sent: Friday, July 1, 2022 5:04 PM
> To: karmahe shreyas(TSIP) <Shreyas.Karmahe@toshiba-tsip.com>; yes@arc11.toshiba.co.jp; cip-dev@lists.cip-project.org
> Cc: dinesh kumar(TSIP) <dinesh.kumar@toshiba-tsip.com>; pyla venkata(TSIP TMIEC ODG Porting) <Venkata.Pyla@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 □SWC◯ACT) <kazuhiro3.hayashi@toshiba.co.jp>
> Subject: Re: [isar-cip-core] postinst:Added lines to verify Local and Remote Multi-factor Authentication
>
> On 01.07.22 13:32, Jan Kiszka wrote:
>> On 30.06.22 13:26, Shreyas.Karmahe@toshiba-tsip.com wrote:
>>> From: Shreyas Karmahe <Shreyas.Karmahe@toshiba-tsip.com>
>>>
>>> To enable and configure PAM for Remote and Local MFA Session
>>> Verification
>>>
>>> Signed-off-by: Shreyas Karmahe <Shreyas.Karmahe@toshiba-tsip.com>
>>> --- >>> .../security-customizations/files/postinst | 15 ++++++++++++++- >>> 1 file changed, 14 insertions(+), 1 deletion(-) 
>>> >>> diff --git a/recipes-core/security-customizations/files/postinst >>> b/recipes-core/security-customizations/files/postinst >>> index bb7d15b..843ce3c 100644 >>> --- a/recipes-core/security-customizations/files/postinst >>> +++ b/recipes-core/security-customizations/files/postinst >>> @@ -15,7 +15,8 @@ echo "127.0.0.1 $HOSTNAME" >> /etc/hosts >>> PAM_PWD_FILE="/etc/pam.d/common-password" >>> pam_cracklib_config="password requisite pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root" >>> if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then >>> - sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}" >>> + >>> +sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}" > > And an accidental change here? > >>> fi >>> sed -i "0,/^password.*/s/^password.*/${pam_cracklib_config}\n&/" "${PAM_PWD_FILE}" 
>>> >>> @@ -49,3 +50,15 @@ sed -i 's/admin_space_left_action = >>> .*/admin_space_left_action = SYSLOG/' $AUDIT >>> >>> # CR2.10: Response to audit processing failures sed -i >>> 's/disk_error_action = .*/disk_error_action = SYSLOG/' >>> $AUDIT_CONF_FILE >>> + >>> +# CR2.11: Enable Mutli Factor Authentication for Local and Remote >>> +Session SSHD_AUTH_CONFIG="/etc/pam.d/common-auth" >>> +google_authenticator="auth required pam_google_authenticator.so nullok" >>> +if grep -c "pam_google_authenticator.so" "${SSHD_AUTH_CONFIG}";then >>> + sed -i '/pam_google_authenticator.so/ s/^#*/#/' "${SSHD_AUTH_CONFIG}" >>> +fi >>> +#sed -i "0,/^auth.*/s/^auth.*/${google_authenticator}\n&/" "${SSHD_AUTH_CONFIG}" >> >> Dead code? Or forgotten to activate? >> >>> +echo "auth required pam_google_authenticator.so nullok" | tee -a "${SSHD_AUTH_CONFIG}" >>> +# Enable PAM configuration for Remote Session sed -i >>> +'s/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' "${SSHD_CONFIG}" >>> +echo "AuthenticationMethods keyboard-interactive" | tee -a "${SSHD_CONFIG}" >> > > Jan > > -- > Siemens AG, Technology > Competence Center Embedded Linux -- Siemens AG, Technology Competence Center Embedded Linux ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [isar-cip-core] postinst:Added lines to verify Local and Remote Multi-factor Authentication
From: Shreyas.Karmahe @ 2022-07-07 10:46 UTC
To: jan.kiszka, yes, cip-dev; +Cc: dinesh.kumar, Venkata.Pyla, kazuhiro3.hayashi

Hi Jan,

I have created a new patch that contains only the configuration of libpam-google-authenticator for Multi-Factor Authentication and kept it for review.
My apologies, as last time I missed one of your comments; this patch addresses all the unnecessary spaces and lines that were included last time.
Please review and let me know your comments.

Kind Regards,
Shreyas

-----Original Message-----
From: Jan Kiszka <jan.kiszka@siemens.com>
Sent: Tuesday, July 5, 2022 3:33 PM
To: karmahe shreyas(TSIP TMIEC ODG Porting) <Shreyas.Karmahe@toshiba-tsip.com>; yes@arc11.toshiba.co.jp; cip-dev@lists.cip-project.org
Cc: dinesh kumar(TSIP) <dinesh.kumar@toshiba-tsip.com>; pyla venkata(TSIP TMIEC ODG Porting) <Venkata.Pyla@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 □SWC◯ACT) <kazuhiro3.hayashi@toshiba.co.jp>
Subject: Re: [isar-cip-core] postinst:Added lines to verify Local and Remote Multi-factor Authentication

On 04.07.22 18:51, Shreyas.Karmahe@toshiba-tsip.com wrote:
> Hi Jan,
>
> I have resent the patch after removing the commented line from the postinst file of security-customizations.
> The commented line is dead code only and was used for debugging purposes.
> Kindly review the following resent patch
>
> v2-0001-security-customizations-postinst-Add-configuratio.patch

Please read both of my replies and address the other one as well.

Thanks,
Jan

>
> Kind Regards,
> Shreyas
> -----Original Message-----
> From: Jan Kiszka <jan.kiszka@siemens.com> > Sent: Friday, July 1, 2022 5:04 PM > To: karmahe shreyas(TSIP) <Shreyas.Karmahe@toshiba-tsip.com>; > yes@arc11.toshiba.co.jp; cip-dev@lists.cip-project.org > Cc: dinesh kumar(TSIP) <dinesh.kumar@toshiba-tsip.com>; pyla > venkata(TSIP TMIEC ODG Porting) <Venkata.Pyla@toshiba-tsip.com>; > hayashi kazuhiro(林 和宏 □SWC◯ACT) <kazuhiro3.hayashi@toshiba.co.jp> > Subject: Re: [isar-cip-core] postinst:Added lines to verify Local and > Remote Multi-factor Authentication > > On 01.07.22 13:32, Jan Kiszka wrote: >> On 30.06.22 13:26, Shreyas.Karmahe@toshiba-tsip.com wrote: >>> From: Shreyas Karmahe <Shreyas.Karmahe@toshiba-tsip.com> >>> >>> To enable and configure PAM for Remote and Local MFA Session >>> Verification >>> >>> Signed-off-by: Shreyas Karmahe <Shreyas.Karmahe@toshiba-tsip.com> >>> --- >>> .../security-customizations/files/postinst | 15 ++++++++++++++- >>> 1 file changed, 14 insertions(+), 1 deletion(-) >>> >>> diff --git a/recipes-core/security-customizations/files/postinst >>> b/recipes-core/security-customizations/files/postinst >>> index bb7d15b..843ce3c 100644 >>> --- a/recipes-core/security-customizations/files/postinst >>> +++ b/recipes-core/security-customizations/files/postinst >>> @@ -15,7 +15,8 @@ echo "127.0.0.1 $HOSTNAME" >> /etc/hosts >>> PAM_PWD_FILE="/etc/pam.d/common-password" >>> pam_cracklib_config="password requisite pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root" >>> if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then >>> - sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}" >>> + >>> +sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}" > > And an accidental change here? > >>> fi >>> sed -i "0,/^password.*/s/^password.*/${pam_cracklib_config}\n&/" "${PAM_PWD_FILE}" 
>>> >>> @@ -49,3 +50,15 @@ sed -i 's/admin_space_left_action = >>> .*/admin_space_left_action = SYSLOG/' $AUDIT >>> >>> # CR2.10: Response to audit processing failures sed -i >>> 's/disk_error_action = .*/disk_error_action = SYSLOG/' >>> $AUDIT_CONF_FILE >>> + >>> +# CR2.11: Enable Mutli Factor Authentication for Local and Remote >>> +Session SSHD_AUTH_CONFIG="/etc/pam.d/common-auth" >>> +google_authenticator="auth required pam_google_authenticator.so nullok" >>> +if grep -c "pam_google_authenticator.so" "${SSHD_AUTH_CONFIG}";then >>> + sed -i '/pam_google_authenticator.so/ s/^#*/#/' "${SSHD_AUTH_CONFIG}" >>> +fi >>> +#sed -i "0,/^auth.*/s/^auth.*/${google_authenticator}\n&/" "${SSHD_AUTH_CONFIG}" >> >> Dead code? Or forgotten to activate? >> >>> +echo "auth required pam_google_authenticator.so nullok" | tee -a "${SSHD_AUTH_CONFIG}" >>> +# Enable PAM configuration for Remote Session sed -i >>> +'s/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' "${SSHD_CONFIG}" >>> +echo "AuthenticationMethods keyboard-interactive" | tee -a "${SSHD_CONFIG}" >> > > Jan > > -- > Siemens AG, Technology > Competence Center Embedded Linux -- Siemens AG, Technology Competence Center Embedded Linux ^ permalink raw reply [flat|nested] 5+ messages in thread