Add support for Password Hardening #10323
Conversation
davidpil2002
requested review from
qiluo-msft,
xumia and
lguohan
as code owners
|
This pull request introduces 1 alert when merging eff356a into f8e1104 - view on LGTM.com new alerts:
|
|
This pull request introduces 1 alert when merging 5ab7c2b into 147d631 - view on LGTM.com new alerts:
|
|
This pull request introduces 1 alert when merging a4d452b into cc938e7 - view on LGTM.com new alerts:
|
|
This pull request introduces 1 alert when merging 93072bd into cc938e7 - view on LGTM.com new alerts:
|
|
@davidpil2002 Can you please fix LGTM alert? |
|
/azpw run Azure.sonic-buildimage |
|
/AzurePipelines run Azure.sonic-buildimage |
|
Azure Pipelines successfully started running 1 pipeline(s). |
done |
|
/azpw run Azure.sonic-buildimage |
|
/AzurePipelines run Azure.sonic-buildimage |
…e/sonic-buildimage/pull/10323/files about verification when reading files and add exception
| @@ -266,6 +266,10 @@ fi | |||
| sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/sonic-device-data_*.deb || \ | |||
| sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f | |||
|
|
|||
| # Install cracklib (and its dependencies via 'apt-get -y install -f') | |||
| sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/libpam-cracklib_*.deb || \ | |||
There was a problem hiding this comment.
why not just apt-get? I do not understand this. the package is already in bullseye.
There was a problem hiding this comment.
the package in bullseye is an older version than the version that I used.
I don't think the feature will be broken if we used an older version, but I think it is better to save it.
There was a problem hiding this comment.
https://packages.debian.org/bullseye/libpam-cracklib
can you double check, think it is the same version.
There was a problem hiding this comment.
I double-checked, you are correct, probably confused with the buster version.
I pushed a commit that is doing just apt-get install, instead download & dpkg Debian pkg
There was a problem hiding this comment.
@lguohan
can you approve the pull request now?
Signed-off-by: Guohan Lu <lguohan@gmail.com>
…cts sonic-net#10972 Why I did it Fix the target directory not empty issue when publishing artifacts. Some of the artifacts are published to $(Build.ArtifactStagingDirectory)/target/ before source code checked out.
|
/azpw run Azure.sonic-buildimage |
|
/AzurePipelines run Azure.sonic-buildimage |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
/azp run |
|
You have several pipelines (over 10) configured to build pull requests in this repository. Specify which pipelines you would like to run by using /azp run [pipelines] command. You can specify multiple pipelines using a comma separated list. |
|
/AzurePipelines run Azure.sonic-buildimage |
|
Azure Pipelines successfully started running 1 pipeline(s). |
- Why I did it New security feature for enforcing strong passwords when login or changing passwords of existing users into the switch. - How I did it By using mainly Linux package named pam-cracklib that support the enforcement of user passwords, the daemon named hostcfgd, will support add/modify password policies that enforce and strengthen the user passwords. - How to verify it Manually Verification- 1. Enable the feature, using the new sonic-cli command passw-hardening or manually add the password hardening table like shown in HLD by using redis-cli command 2. Change password policies manually like in step 1. Notes: password hardening CLI can be found in sonic-utilities repo- P.R: Add support for Password Hardening sonic-utilities#2121 code config path: config/plugins/sonic-passwh_yang.py code show path: show/plugins/sonic-passwh_yang.py 3. Create a new user (using adduser command) or modify an existing password by using passwd command in the terminal. And it will now request a strong password instead of default linux policies. Automatic Verification - Unitest: This PR contained unitest that cover: 1. test default init values of the feature in PAM files 2. test all the types of classes policies supported by the feature in PAM files 3. test aging policy configuration in PAM files
- Why I did it New security feature for enforcing strong passwords when login or changing passwords of existing users into the switch. - How I did it By using mainly Linux package named pam-cracklib that support the enforcement of user passwords, the daemon named hostcfgd, will support add/modify password policies that enforce and strengthen the user passwords. - How to verify it Manually Verification- 1. Enable the feature, using the new sonic-cli command passw-hardening or manually add the password hardening table like shown in HLD by using redis-cli command 2. Change password policies manually like in step 1. Notes: password hardening CLI can be found in sonic-utilities repo- P.R: Add support for Password Hardening sonic-utilities#2121 code config path: config/plugins/sonic-passwh_yang.py code show path: show/plugins/sonic-passwh_yang.py 3. Create a new user (using adduser command) or modify an existing password by using passwd command in the terminal. And it will now request a strong password instead of default linux policies. Automatic Verification - Unitest: This PR contained unitest that cover: 1. test default init values of the feature in PAM files 2. test all the types of classes policies supported by the feature in PAM files 3. test aging policy configuration in PAM files
Why I did it
New security feature for enforcing strong passwords when login or changing passwords of existing users into the switch.
How I did it
By using mainly Linux package named pam-cracklib that support the enforcement of user passwords, the daemon named hostcfgd, will support add/modify password policies that enforce and strengthen the user passwords.
How to verify it
Manually Verification-
Enable the feature, using the new sonic-cli command
passw-hardeningor manually add the password hardening table like shown in HLD by usingredis-clicommandChange password policies manually like in step 1.
Notes:
password hardening CLI can be found in sonic-utilities repo-
P.R: Add support for Password Hardening sonic-utilities#2121
code config path: config/plugins/sonic-passwh_yang.py
code show path: show/plugins/sonic-passwh_yang.py
Create a new user (using
addusercommand) or modify an existing password by usingpasswdcommand in the terminal. And it will now request a strong password instead of default linux policies.Automatic Verification - Unitest:
This P.R contained unitest that cover:
Which release branch to backport (provide reason below if selected)
The coded should be merge in master and should be release ~May
Description for the changelog
Link to config_db schema for YANG module changes
Yang model can be found:
#10322
HLD:
https://github.com/Azure/SONiC/blob/master/doc/passw_hardening/hld_password_hardening.md
A picture of a cute animal (not mandatory but encouraged)