Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Password Hardening HLD #874

Merged
merged 16 commits into from
Feb 8, 2022
Merged

Password Hardening HLD #874

merged 16 commits into from
Feb 8, 2022

Conversation

davidpil2002
Copy link
Contributor

@davidpil2002 davidpil2002 commented Sep 30, 2021

@ghost
Copy link

ghost commented Sep 30, 2021

CLA assistant check
All CLA requirements met.

@lguohan lguohan requested a review from liuh-80 November 12, 2021 01:50
Copy link
Contributor

@liuh-80 liuh-80 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have following concern and questions:

  1. What's the responsbility of PASSWH? If this daemon only for read hardening setting from config DB and update PAM config file, then there already hostcfgd for this, not necessary add a new daemon. And if this daemon also will handle the password history to config DB storage, I think there will be security risk.

  2. According to the design, password history will store in DB, if that means config DB, then because currently there is no ACL for config DB, so password history can be access by anyone, this will be a security risk, but if the password history stored by pam_pwhistory it self, It think it's OK.

@davidpil2002
Copy link
Contributor Author

Hi,
In continue of your concerns and questions,

regarding question 1:
The feature should run in the host, we had a discussion if is better to integrate the feature to the current hostcfg daemon or to create a daemon to manage this feature only. For now, we think it's better to have it separate, that because the feature can be enabled by a compilation flag, meaning that the feature is not always exposed to the user, but we can discuss about it in the meeting. (in addition, the feature will use the STATE_DB as well).

Regarding concern 2, the "old passwords" (passwords history), the meaning of saving the password history is to save only have many old passwords the feature can save, not to save the passwords itself. The passwords will be saved like you commented by pw_history in /etc/security/opasswd or similar file with just root permission access.
Thanks
David

…stead creating a new daemon and remove the STATE_DB
liuh-80
liuh-80 previously approved these changes Dec 13, 2021
Copy link
Contributor

@liuh-80 liuh-80 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Found some minor issue in latest document.

doc/passw_hardening/hld_password_hardening.md Show resolved Hide resolved
doc/passw_hardening/hld_password_hardening.md Outdated Show resolved Hide resolved
doc/passw_hardening/hld_password_hardening.md Outdated Show resolved Hide resolved
doc/passw_hardening/hld_password_hardening.md Show resolved Hide resolved
doc/passw_hardening/hld_password_hardening.md Show resolved Hide resolved
doc/passw_hardening/hld_password_hardening.md Show resolved Hide resolved
doc/passw_hardening/hld_password_hardening.md Outdated Show resolved Hide resolved
doc/passw_hardening/hld_password_hardening.md Outdated Show resolved Hide resolved
doc/passw_hardening/hld_password_hardening.md Show resolved Hide resolved
doc/passw_hardening/hld_password_hardening.md Outdated Show resolved Hide resolved
liuh-80
liuh-80 previously approved these changes Dec 20, 2021
range 1..30;
}
}
leaf history {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

history_cnt?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks, I will update this one

…in yang model and HLD, add bash example using expiration time
@davidpil2002
Copy link
Contributor Author

Hi @liuh-80,

How are you doing?
I answered the questions above.
In addition, I had an HLD review with the community and added the changes suggested in the commit: cbe88dd
can you approve this HLD, or pls let me know if you have any more comments.

Thanks,
David

description
"First Revision";
}
typedef feature_state {
Copy link
Contributor

@liuh-80 liuh-80 Jan 19, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please follow sonic yang model guideline, every definition should inside top level container, in this case, should inside sonic-passwh

https://github.com/Azure/SONiC/blob/master/doc/mgmt/SONiC_YANG_Model_Guidelines.md

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done, I moved the "typedef feature_state" inside the container.

@davidpil2002
Copy link
Contributor Author

@liuh-80 @liat-grozovik
can you help to merge to master?

@liat-grozovik
Copy link
Collaborator

@venkatmahalingam can you please approve from your side? you had comments and i wish to merge once we agree they were handled.

@davidpil2002
Copy link
Contributor Author

Hi @venkatmahalingam,

this is a kind reminder to reply to the Liat Q in the comment above.
Thanks,

@liat-grozovik liat-grozovik merged commit 66277d7 into sonic-net:master Feb 8, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants