
[isar-cip-core,1/2] cip-core-image-security.bb : Add pam-passwdqc package for bookworm

Message ID 20230705061611.20080-1-Sai.Sathujoda@toshiba-tsip.com (mailing list archive)
State Superseded

Commit Message

Sai.Sathujoda@toshiba-tsip.com July 5, 2023, 6:16 a.m. UTC
From: Sai <Sai.Sathujoda@toshiba-tsip.com>

libpam-cracklib is deprecated in Debian 12, so libpam-passwdqc package is used
instead when bookworm is selected with security extensions.

The configuration in the postinst file is also made conditional on which
"pam_(passwdqc | cracklib).so" module is present.

Signed-off-by: Sai <Sai.Sathujoda@toshiba-tsip.com>
---
 recipes-core/images/cip-core-image-security.bb  |  9 ++++++---
 .../security-customizations/files/postinst      | 17 ++++++++++++++---
 2 files changed, 20 insertions(+), 6 deletions(-)

Patch

diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
index 563de89..3421ce5 100644
--- a/recipes-core/images/cip-core-image-security.bb
+++ b/recipes-core/images/cip-core-image-security.bb
@@ -27,7 +27,6 @@  IMAGE_PREINSTALL += " \
 	chrony \
 	tpm2-tools \
 	tpm2-abrmd \
-	libpam-cracklib \
 	acl \
 	audispd-plugins auditd \
 	uuid-runtime \
@@ -41,8 +40,12 @@  IMAGE_PREINSTALL += " \
 "
 
 # Package names based on the distro version
-IMAGE_PREINSTALL:append:buster = " libtss2-esys0"
-IMAGE_PREINSTALL:append:bullseye = " libtss2-esys-3.0.2-0"
+IMAGE_PREINSTALL:append:buster = " libtss2-esys0 \
+                                   libpam-cracklib"
+IMAGE_PREINSTALL:append:bullseye = " libtss2-esys-3.0.2-0 \
+                                     libpam-cracklib"
+IMAGE_PREINSTALL:append:bookworm = " libtss2-esys-3.0.2-0 \
+                                     libpam-passwdqc"
 
 CIP_IMAGE_OPTIONS ?= ""
 require ${CIP_IMAGE_OPTIONS}
diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst
index 77a2713..4581457 100644
--- a/recipes-core/security-customizations/files/postinst
+++ b/recipes-core/security-customizations/files/postinst
@@ -15,11 +15,22 @@  echo "127.0.0.1 $HOSTNAME" >> /etc/hosts
 # CR1.7: Strength of password-based authentication
 # Pam configuration to  enforce password strength
 PAM_PWD_FILE="/etc/pam.d/common-password"
-pam_cracklib_config="password  requisite    pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1  difok=3 gecoscheck=1 reject_username  enforce_for_root"
-if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then
+if grep -c "pam_passwdqc.so" "${PAM_PWD_FILE}";then
+	# Password strength is defined as it should have atleast 8 characters length and with 4 character classes (uppercase, lowercase, digit and other characters)
+	# Same is set in passwdqc configuration with `min=N0,N1,N2,N3,N4`
+	# N0, N1, N3  are disabled, to not to accept password with only one, two or three character classes
+	# N2 is disabled for passphrases since we have no restriction for the minimum length of passphrase.
+	# N4 is set to 8 to accept the passowrd length atleast 8 characters and with four character class combinations.
+        pam_passwdqc_config="password    requisite    pam_passwdqc.so min=disabled,disabled,disabled,disabled,8 similar=deny random=0 enforce=everyone retry=3"
+        sed -i '/pam_passwdqc.so/ s/^#*/#/'  "${PAM_PWD_FILE}"
+        sed -i "0,/^password.*/s/^password.*/${pam_passwdqc_config}\n&/" "${PAM_PWD_FILE}"
+elif grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then
+        pam_cracklib_config="password  requisite    pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1  difok=3 gecoscheck=1 reject_username  enforce_for_root"
         sed -i '/pam_cracklib.so/ s/^#*/#/'  "${PAM_PWD_FILE}"
+        sed -i "0,/^password.*/s/^password.*/${pam_cracklib_config}\n&/" "${PAM_PWD_FILE}"
+else
+        echo "No suitable pam module found to enforce password strength"
 fi
-sed -i "0,/^password.*/s/^password.*/${pam_cracklib_config}\n&/" "${PAM_PWD_FILE}"
 
 # CR1.11: Unsuccessful login attempts
 # Lock user account after unsuccessful login attempts
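Review bot: The new `else` branch only echoes to stdout and then the script carries on with exit status 0, so an image with neither pam_passwdqc.so nor pam_cracklib.so present gets no CR1.7 password-strength policy at all and the build still succeeds; at minimum the message belongs on stderr, and if a hard failure is acceptable for this image class the branch should be `echo "No suitable pam module found to enforce password strength" >&2` followed by `exit 1`. Both new conditions use `grep -c` as a test, which prints the match count into the postinst output; `if grep -q "pam_passwdqc.so" "${PAM_PWD_FILE}"; then` is the idiom for a presence check and is equivalent here. The passwdqc line does not set `max=`, so passwdqc's default maximum length (40, per its documentation) applies and longer passwords are rejected — worth stating explicitly in the config and in the comment block above it if that limit is intended. The added comment lines are indented with a tab while the commands use eight spaces; the script continues past the end of this hunk.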