feat: add type8 and type9 password hashes

This requires the-bastion-mkhash-helper v1.1.0+
ovh · Sep 19, 2023 · a6a25fd · a6a25fd
1 parent 5dc50b3
commit a6a25fd
Show file tree

Hide file tree

Showing 26 changed files with 288 additions and 52 deletions.
diff --git a/.github/workflows/freebsd.yml b/.github/workflows/freebsd.yml
@@ -26,6 +26,7 @@ jobs:
           /opt/bastion/bin/admin/packages-check.sh -i
           /opt/bastion/bin/admin/install-ttyrec.sh -s
           /opt/bastion/bin/admin/install-yubico-piv-checker.sh -s
+          /opt/bastion/bin/admin/install-mkhash-helper.sh -s
           /opt/bastion/bin/admin/install --new-install
           ssh-keygen -t ed25519 -f id_user
           ssh-keygen -t ed25519 -f id_root

diff --git a/bin/admin/install-mkhash-helper.sh b/bin/admin/install-mkhash-helper.sh
@@ -0,0 +1,93 @@
+#! /usr/bin/env bash
+# vim: set filetype=sh ts=4 sw=4 sts=4 et:
+set -e
+
+PROGRAM_NAME=the-bastion-mkhash-helper
+RELEASE_API_URL="https://api.github.com/repos/ovh/$PROGRAM_NAME/releases"
+
+basedir=$(readlink -f "$(dirname "$0")"/../..)
+# shellcheck source=lib/shell/install.inc
+. "$basedir"/lib/shell/install.inc
+
+set_download_url_package() {
+    case "$1" in
+        rpm) set_download_url "/${PROGRAM_NAME}-.+\\.$archre\\.rpm$";;
+        deb) set_download_url "/${PROGRAM_NAME}_.+_$archre\\.deb$";;
+        *) exit 1;;
+    esac
+}
+
+action_static() {
+    set_archre
+    os=$(uname -s | tr '[:upper:]' '[:lower:]')
+
+    set_download_url "/${PROGRAM_NAME}.*_${os}_${archre}\\.tar\\.gz$"
+    prepare_temp_folder
+
+    _download "$url"
+    # we have just one archive file in the current temp directory
+    # shellcheck disable=SC2035
+    tar xzf *.tar.gz
+    action_done
+
+    action_doing "Installing files"
+    for file in $PROGRAM_NAME; do
+        action_detail "/usr/local/bin/$file"
+        install -m 0755 "$file" /usr/local/bin/
+    done
+    action_done
+
+    cd /
+}
+
+# only used when/if the API is down and we're in CI mode
+default_urls() {
+    local ver="1.0.0"
+    local list="
+        -${ver}.aarch64.rpm
+        -${ver}.armv7hnl.rpm
+        -${ver}.armv6l.rpm
+        -${ver}.i386.rpm
+        -${ver}.mips64el.rpm
+        -${ver}.ppc64le.rpm
+        -${ver}.s390x.rpm
+        -${ver}.x86_64.rpm
+        _${ver}_amd64.deb
+        _${ver}_arm64.deb
+        _${ver}_armel.deb
+        _${ver}_armhf.deb
+        _${ver}_darwin_amd64.tar.gz
+        _${ver}_freebsd_386.tar.gz
+        _${ver}_freebsd_amd64.tar.gz
+        _${ver}_freebsd_arm64.tar.gz
+        _${ver}_freebsd_armv5.tar.gz
+        _${ver}_freebsd_armv7.tar.gz
+        _${ver}_i386.deb
+        _${ver}_linux_386.tar.gz
+        _${ver}_linux_amd64.tar.gz
+        _${ver}_linux_arm64.tar.gz
+        _${ver}_linux_armv5.tar.gz
+        _${ver}_linux_armv7.tar.gz
+        _${ver}_linux_mips64le_hardfloat.tar.gz
+        _${ver}_linux_ppc64le.tar.gz
+        _${ver}_linux_s390x.tar.gz
+        _${ver}_mips64el.deb
+        _${ver}_netbsd_386.tar.gz
+        _${ver}_netbsd_amd64.tar.gz
+        _${ver}_netbsd_armv5.tar.gz
+        _${ver}_netbsd_armv7.tar.gz
+        _${ver}_openbsd_386.tar.gz
+        _${ver}_openbsd_amd64.tar.gz
+        _${ver}_openbsd_arm64.tar.gz
+        _${ver}_openbsd_armv5.tar.gz
+        _${ver}_openbsd_armv7.tar.gz
+        _${ver}_ppc64le.deb
+        _${ver}_s390x.deb
+        _${ver}_windows_amd64.tar.gz"
+    for suffix in $list
+    do
+        echo "https://github.com/ovh/$PROGRAM_NAME/releases/download/v${ver}/$PROGRAM_NAME${suffix}"
+    done
+}
+
+install_main "$@"
diff --git a/bin/admin/install-yubico-piv-checker.sh b/bin/admin/install-yubico-piv-checker.sh
@@ -87,7 +87,7 @@ default_urls() {
         _${ver}_windows_amd64.tar.gz"
     for suffix in $list
     do
-        echo "https://github.com/ovh/yubico-piv-checker/releases/download/v${ver}/yubico-piv-checker${suffix}"
+        echo "https://github.com/ovh/$PROGRAM_NAME/releases/download/v${ver}/$PROGRAM_NAME${suffix}"
     done
 }
 

diff --git a/bin/plugin/group-owner/groupGeneratePassword b/bin/plugin/group-owner/groupGeneratePassword
@@ -62,6 +62,14 @@ $fnret or osh_exit($fnret);
 $group = $fnret->value->{'group'};
 my $shortGroup = $fnret->value->{'shortGroup'};
 
+$fnret = OVH::Bastion::plugin_config(plugin => $scriptName, key => "minPasswordSize");
+if ($fnret && $fnret->value && $size < $fnret->value) {
+    osh_exit('ERR_INVALID_PARAMETER',
+            "The minimum allowed password size defined by policy is "
+          . $fnret->value
+          . " characters, you asked only $size");
+}
+
 if (not $doIt) {
     help();
     osh_exit('ERR_MISSING_PARAMETER', "Missing mandatory parameter: please read the BEWARE note above.");
@@ -76,9 +84,10 @@ push @command, "--group", $group, "--size", $size;
 $fnret = OVH::Bastion::helper(cmd => \@command);
 $fnret or osh_exit($fnret);
 
-osh_info "Generated a new password of length $size for group $shortGroup, hashes follow:";
-osh_info "md5crypt: " . $fnret->value->{'hashes'}{'md5crypt'} . "\n";
-osh_info "sha256crypt: " . $fnret->value->{'hashes'}{'sha256crypt'} . "\n";
-osh_info "sha512crypt: " . $fnret->value->{'hashes'}{'sha512crypt'} . "\n";
-osh_info "This new password will now be used by default.";
+osh_info "Generated a new password of length $size for group $shortGroup, hashes follow:\n\n";
+my $hashes = $fnret->value->{'hashes'};
+foreach my $type (qw{ md5crypt sha256crypt sha512crypt type8 type9 }) {
+    osh_info(sprintf("%11s: %s\n", $type, $hashes->{$type})) if $hashes->{$type};
+}
+osh_info "\nThis new password will now be used by default.";
 osh_exit $fnret;
diff --git a/bin/plugin/open/groupListPasswords b/bin/plugin/open/groupListPasswords
@@ -49,7 +49,7 @@ $fnret or osh_exit $fnret;
 foreach my $item (@{$fnret->value}) {
     osh_info $item->{'description'};
     foreach my $hash (sort keys %{$item->{'hashes'}}) {
-        osh_info "... $hash: " . $item->{'hashes'}{$hash};
+        osh_info(sprintf("... %11s: %s\n", $hash, $item->{'hashes'}{$hash}));
     }
     osh_info "\n";
 }

diff --git a/bin/plugin/open/selfGeneratePassword b/bin/plugin/open/selfGeneratePassword
@@ -71,9 +71,10 @@ $fnret =
   OVH::Bastion::Plugin::generatePassword::act(self => $self, context => 'account', account => $self, size => $size);
 $fnret or osh_exit($fnret);
 
-osh_info "Generated a new password of length $size for your account, $self, hashes follow:";
-osh_info "md5crypt: " . $fnret->value->{'hashes'}{'md5crypt'} . "\n";
-osh_info "sha256crypt: " . $fnret->value->{'hashes'}{'sha256crypt'} . "\n";
-osh_info "sha512crypt: " . $fnret->value->{'hashes'}{'sha512crypt'} . "\n";
-osh_info "This new password will now be used by default.";
+osh_info "Generated a new password of length $size for your account, $self, hashes follow:\n\n";
+my $hashes = $fnret->value->{'hashes'};
+foreach my $type (qw{ md5crypt sha256crypt sha512crypt type8 type9 }) {
+    osh_info(sprintf("%11s: %s\n", $type, $hashes->{$type})) if $hashes->{$type};
+}
+osh_info "\nThis new password will now be used by default.";
 osh_exit $fnret;
diff --git a/bin/plugin/open/selfListPasswords b/bin/plugin/open/selfListPasswords
@@ -30,7 +30,7 @@ $fnret or osh_exit $fnret;
 foreach my $item (@{$fnret->value}) {
     osh_info $item->{'description'};
     foreach my $hash (sort keys %{$item->{'hashes'}}) {
-        osh_info "... $hash: " . $item->{'hashes'}{$hash};
+        osh_info(sprintf("... %11s: %s\n", $hash, $item->{'hashes'}{$hash}));
     }
     osh_info "\n";
 }

diff --git a/bin/plugin/restricted/accountGeneratePassword b/bin/plugin/restricted/accountGeneratePassword
@@ -83,9 +83,10 @@ push @command, "--account", $account, "--size", $size;
 $fnret = OVH::Bastion::helper(cmd => \@command);
 $fnret or osh_exit($fnret);
 
-osh_info "Generated a new password of length $size for account $account, hashes follow:";
-osh_info "md5crypt: " . $fnret->value->{'hashes'}{'md5crypt'} . "\n";
-osh_info "sha256crypt: " . $fnret->value->{'hashes'}{'sha256crypt'} . "\n";
-osh_info "sha512crypt: " . $fnret->value->{'hashes'}{'sha512crypt'} . "\n";
-osh_info "This new password will now be used by default.";
+osh_info "Generated a new password of length $size for account $account, hashes follow:\n\n";
+my $hashes = $fnret->value->{'hashes'};
+foreach my $type (qw{ md5crypt sha256crypt sha512crypt type8 type9 }) {
+    osh_info(sprintf("%11s: %s\n", $type, $hashes->{$type})) if $hashes->{$type};
+}
+osh_info "\nThis new password will now be used by default.";
 osh_exit $fnret;
diff --git a/bin/plugin/restricted/accountListPasswords b/bin/plugin/restricted/accountListPasswords
@@ -43,7 +43,7 @@ $fnret or osh_exit $fnret;
 foreach my $item (@{$fnret->value}) {
     osh_info $item->{'description'};
     foreach my $hash (sort keys %{$item->{'hashes'}}) {
-        osh_info "... $hash: " . $item->{'hashes'}{$hash};
+        osh_info(sprintf("... %11s: %s\n", $hash, $item->{'hashes'}{$hash}));
     }
     osh_info "\n";
 }

diff --git a/doc/sphinx/installation/basic.rst b/doc/sphinx/installation/basic.rst
@@ -135,11 +135,15 @@ it'll fallback to installing precompiled static binaries.
 Of course you can package it yourself and make it available to your own internal repositories instead of installing it this way.
 
 If you plan to use the PIV functionalities of The Bastion,
-you'll also need to install the ``yubico-piv-checker`` `helper tool <https://github.com/ovh/yubico-piv-checker>`_:
+you'll also need to install the ``yubico-piv-checker`` `helper tool <https://github.com/ovh/yubico-piv-checker>`_.
+
+You may also want to install ``the-bastion-mkhash-helper`` `tool <https://github.com/ovh/the-bastion-mkhash-helper>`_
+if you want to be able to generate so-called type 8 and type 9 password hashes.
 
 .. code-block:: shell
 
    /opt/bastion/bin/admin/install-yubico-piv-checker.sh -a
+   /opt/bastion/bin/admin/install-mkhash-helper.sh -a
 
 .. _install-basic_encrypt-home:
 

diff --git a/doc/sphinx/installation/upgrading.rst b/doc/sphinx/installation/upgrading.rst
@@ -27,6 +27,34 @@ See the ``--help`` for a more fine-grained upgrade path if needed.
 Version-specific upgrade instructions
 =====================================
 
+v3.xx.xx - xxxx/xx/xx
+*********************
+
+A new helper is required to support the so-called "type 8" and "type 9" password hash types, used on some
+network devices. This helper is optional, and these hashes types will simply not be generated if the helper is
+missing. The plugins concerned by this change are ``selfGeneratePassword``, ``selfListPasswords``,
+``accountGeneratePassword``, ``accountListPasswords``, ``groupGeneratePassword``, ``groupListPasswords``.
+
+New installations will get this helper installed automatically. When upgrading, if you'd like to install
+this helper, you'll need to install it by running the following command as ``root``:
+
+.. code-block:: shell
+
+   /opt/bastion/bin/admin/install-mkhash-helper.sh -a
+
+This will detect your OS and either install a ``.deb`` file, an ``.rpm`` file, or a static binary.
+
+If you want to ensure that the helper has installed correctly, you can call it manually for testing purposes:
+
+.. code-block:: shell
+   :emphasize-lines: 1
+
+   echo test | the-bastion-mkhash-helper
+   {"Type8":"$8$EpvF1cVVzoEQFE$L3ZBWzfH9MTPo4WLX29Jd8LTM5sKlfEjtRZ//XMys2U","Type9":"$9$yRlXzt0T7WBs3E$YdKk8WMvLvAVcbglx.bMZoRlwBa6l5EhwLhBh1o0u4g","PasswordLen":4}
+
+If you're not generating passwords for use with network devices using type 8 or type 9 hash types, installation of this
+helper is not required.
+
 v3.13.01 - 2023/08/22
 *********************
 

diff --git a/docker/Dockerfile.centos7 b/docker/Dockerfile.centos7
@@ -2,11 +2,16 @@ FROM centos:7
 LABEL maintainer="[email protected]"
 
 # cache builds efficiently: just copy the scripts to install packages first
-COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
-COPY lib/shell                                                                                       /opt/bastion/lib/shell/
+COPY bin/admin/install-ttyrec.sh \
+    bin/admin/install-yubico-piv-checker.sh \
+    bin/admin/install-mkhash-helper.sh \
+    bin/admin/packages-check.sh \
+    /opt/bastion/bin/admin/
+COPY lib/shell /opt/bastion/lib/shell/
 RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
 RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-r"]
 RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-r"]
+RUN ["/opt/bastion/bin/admin/install-mkhash-helper.sh","-r"]
 
 # disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log
 RUN test -e /etc/syslog-ng/syslog-ng.conf && \

diff --git a/docker/Dockerfile.debian10 b/docker/Dockerfile.debian10
@@ -2,11 +2,16 @@ FROM debian:buster
 LABEL maintainer="[email protected]"
 
 # cache builds efficiently: just copy the scripts to install packages first
-COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
-COPY lib/shell                                                                                       /opt/bastion/lib/shell/
+COPY bin/admin/install-ttyrec.sh \
+    bin/admin/install-yubico-piv-checker.sh \
+    bin/admin/install-mkhash-helper.sh \
+    bin/admin/packages-check.sh \
+    /opt/bastion/bin/admin/
+COPY lib/shell /opt/bastion/lib/shell/
 RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
 RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"]
 RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-d"]
+RUN ["/opt/bastion/bin/admin/install-mkhash-helper.sh","-d"]
 
 # handle locales
 RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen

diff --git a/docker/Dockerfile.debian11 b/docker/Dockerfile.debian11
@@ -2,11 +2,16 @@ FROM debian:bullseye
 LABEL maintainer="[email protected]"
 
 # cache builds efficiently: just copy the scripts to install packages first
-COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
-COPY lib/shell                                                                                       /opt/bastion/lib/shell/
+COPY bin/admin/install-ttyrec.sh \
+    bin/admin/install-yubico-piv-checker.sh \
+    bin/admin/install-mkhash-helper.sh \
+    bin/admin/packages-check.sh \
+    /opt/bastion/bin/admin/
+COPY lib/shell /opt/bastion/lib/shell/
 RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
 RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"]
 RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-d"]
+RUN ["/opt/bastion/bin/admin/install-mkhash-helper.sh","-d"]
 
 # handle locales
 RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen

diff --git a/docker/Dockerfile.debian12 b/docker/Dockerfile.debian12
@@ -2,11 +2,16 @@ FROM debian:bookworm
 LABEL maintainer="[email protected]"
 
 # cache builds efficiently: just copy the scripts to install packages first
-COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
-COPY lib/shell                                                                                       /opt/bastion/lib/shell/
+COPY bin/admin/install-ttyrec.sh \
+    bin/admin/install-yubico-piv-checker.sh \
+    bin/admin/install-mkhash-helper.sh \
+    bin/admin/packages-check.sh \
+    /opt/bastion/bin/admin/
+COPY lib/shell /opt/bastion/lib/shell/
 RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
 RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"]
 RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-d"]
+RUN ["/opt/bastion/bin/admin/install-mkhash-helper.sh","-d"]
 
 # handle locales
 RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen

diff --git a/docker/Dockerfile.opensuse15 b/docker/Dockerfile.opensuse15
@@ -2,14 +2,19 @@ FROM opensuse/leap:15
 LABEL maintainer="[email protected]"
 
 # cache builds efficiently: just copy the scripts to install packages first
-COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
-COPY lib/shell                                                                                       /opt/bastion/lib/shell/
+COPY bin/admin/install-ttyrec.sh \
+    bin/admin/install-yubico-piv-checker.sh \
+    bin/admin/install-mkhash-helper.sh \
+    bin/admin/packages-check.sh \
+    /opt/bastion/bin/admin/
+COPY lib/shell /opt/bastion/lib/shell/
 RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
 RUN ["/usr/bin/chmod","u+s","/usr/bin/ping","/usr/sbin/fping"]
 RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-r"]
 RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-r"]
+RUN ["/opt/bastion/bin/admin/install-mkhash-helper.sh","-r"]
 
-# disable /dev/kmsg handling by syslog-ng and explicitely enable /dev/log
+# disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log
 RUN test -e /etc/syslog-ng/syslog-ng.conf && \
     sed -i -re 's=system\(\);=unix-stream("/dev/log");=' /etc/syslog-ng/syslog-ng.conf
 

diff --git a/docker/Dockerfile.rockylinux8 b/docker/Dockerfile.rockylinux8
@@ -2,11 +2,16 @@ FROM rockylinux:8
 LABEL maintainer="[email protected]"
 
 # cache builds efficiently: just copy the scripts to install packages first
-COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
-COPY lib/shell                                                                                       /opt/bastion/lib/shell/
+COPY bin/admin/install-ttyrec.sh \
+    bin/admin/install-yubico-piv-checker.sh \
+    bin/admin/install-mkhash-helper.sh \
+    bin/admin/packages-check.sh \
+    /opt/bastion/bin/admin/
+COPY lib/shell /opt/bastion/lib/shell/
 RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
 RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-r"]
 RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-r"]
+RUN ["/opt/bastion/bin/admin/install-mkhash-helper.sh","-r"]
 
 # disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log
 RUN test -e /etc/syslog-ng/syslog-ng.conf && \

diff --git a/docker/Dockerfile.rockylinux9 b/docker/Dockerfile.rockylinux9
@@ -2,11 +2,16 @@ FROM rockylinux:9
 LABEL maintainer="[email protected]"
 
 # cache builds efficiently: just copy the scripts to install packages first
-COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
-COPY lib/shell                                                                                       /opt/bastion/lib/shell/
+COPY bin/admin/install-ttyrec.sh \
+    bin/admin/install-yubico-piv-checker.sh \
+    bin/admin/install-mkhash-helper.sh \
+    bin/admin/packages-check.sh \
+    /opt/bastion/bin/admin/
+COPY lib/shell /opt/bastion/lib/shell/
 RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
 RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-r"]
 RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-r"]
+RUN ["/opt/bastion/bin/admin/install-mkhash-helper.sh","-r"]
 
 # disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log
 RUN test -e /etc/syslog-ng/syslog-ng.conf && \

diff --git a/docker/Dockerfile.sandbox b/docker/Dockerfile.sandbox
@@ -15,6 +15,8 @@ RUN \
     /opt/bastion/bin/admin/install-ttyrec.sh -d && \
     # download and install the yubico-piv-checker deb package (-d) \
     /opt/bastion/bin/admin/install-yubico-piv-checker.sh -d && \
+    # download and install the the-bastion-mkhash-helper deb package (-d) \
+    /opt/bastion/bin/admin/install-mkhash-helper.sh -d && \
     # cleanup packages cache to save space \
     rm -rf /var/cache/apt && \
     # handle locales \