From a6a25fd53b12612e408692d2b854f8ee4e24be7c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Lesimple?= Date: Fri, 1 Sep 2023 09:25:16 +0000 Subject: [PATCH] feat: add type8 and type9 password hashes This requires the-bastion-mkhash-helper v1.1.0+ --- .github/workflows/freebsd.yml | 1 + bin/admin/install-mkhash-helper.sh | 93 +++++++++++++++++++ bin/admin/install-yubico-piv-checker.sh | 2 +- bin/plugin/group-owner/groupGeneratePassword | 19 +++- bin/plugin/open/groupListPasswords | 2 +- bin/plugin/open/selfGeneratePassword | 11 ++- bin/plugin/open/selfListPasswords | 2 +- bin/plugin/restricted/accountGeneratePassword | 11 ++- bin/plugin/restricted/accountListPasswords | 2 +- doc/sphinx/installation/basic.rst | 6 +- doc/sphinx/installation/upgrading.rst | 28 ++++++ docker/Dockerfile.centos7 | 9 +- docker/Dockerfile.debian10 | 9 +- docker/Dockerfile.debian11 | 9 +- docker/Dockerfile.debian12 | 9 +- docker/Dockerfile.opensuse15 | 11 ++- docker/Dockerfile.rockylinux8 | 9 +- docker/Dockerfile.rockylinux9 | 9 +- docker/Dockerfile.sandbox | 2 + docker/Dockerfile.ubuntu1604 | 9 +- docker/Dockerfile.ubuntu1804 | 9 +- docker/Dockerfile.ubuntu2004 | 9 +- docker/Dockerfile.ubuntu2204 | 9 +- lib/perl/OVH/Bastion/password.inc | 30 +++++- lib/shell/install.inc | 2 +- tests/functional/tests.d/350-groups.sh | 28 +++++- 26 files changed, 288 insertions(+), 52 deletions(-) create mode 100755 bin/admin/install-mkhash-helper.sh diff --git a/.github/workflows/freebsd.yml b/.github/workflows/freebsd.yml index e5d0c5a16..37692b6a8 100644 --- a/.github/workflows/freebsd.yml +++ b/.github/workflows/freebsd.yml @@ -26,6 +26,7 @@ jobs: /opt/bastion/bin/admin/packages-check.sh -i /opt/bastion/bin/admin/install-ttyrec.sh -s /opt/bastion/bin/admin/install-yubico-piv-checker.sh -s + /opt/bastion/bin/admin/install-mkhash-helper.sh -s /opt/bastion/bin/admin/install --new-install ssh-keygen -t ed25519 -f id_user ssh-keygen -t ed25519 -f id_root 
diff --git a/bin/admin/install-mkhash-helper.sh b/bin/admin/install-mkhash-helper.sh new file mode 100755 index 000000000..61570524f --- /dev/null +++ b/bin/admin/install-mkhash-helper.sh 
@@ -0,0 +1,93 @@
+#! /usr/bin/env bash
+# vim: set filetype=sh ts=4 sw=4 sts=4 et:
+set -e
+
+PROGRAM_NAME=the-bastion-mkhash-helper
+RELEASE_API_URL="https://api.github.com/repos/ovh/$PROGRAM_NAME/releases"
+
+basedir=$(readlink -f "$(dirname "$0")"/../..)
+# shellcheck source=lib/shell/install.inc
+. "$basedir"/lib/shell/install.inc
+
+set_download_url_package() {
+ case "$1" in
+ rpm) set_download_url "/${PROGRAM_NAME}-.+\\.$archre\\.rpm$";;
+ deb) set_download_url "/${PROGRAM_NAME}_.+_$archre\\.deb$";;
+ *) exit 1;;
+ esac
+}
+
+action_static() {
+ set_archre
+ os=$(uname -s | tr '[:upper:]' '[:lower:]')
+
+ set_download_url "/${PROGRAM_NAME}.*_${os}_${archre}\\.tar\\.gz$"
+ prepare_temp_folder
+
+ _download "$url"
+ # we have just one archive file in the current temp directory
+ # shellcheck disable=SC2035
+ tar xzf *.tar.gz
+ action_done
+
+ action_doing "Installing files"
+ for file in $PROGRAM_NAME; do
+ action_detail "/usr/local/bin/$file"
+ install -m 0755 "$file" /usr/local/bin/
+ done
+ action_done
+
+ cd /
+}
+
+# only used when/if the API is down and we're in CI mode
+default_urls() {
+ local ver="1.0.0"
+ local list="
+ -${ver}.aarch64.rpm
+ -${ver}.armv7hnl.rpm
+ -${ver}.armv6l.rpm
+ -${ver}.i386.rpm
+ -${ver}.mips64el.rpm
+ -${ver}.ppc64le.rpm
+ -${ver}.s390x.rpm
+ -${ver}.x86_64.rpm
+ _${ver}_amd64.deb
+ _${ver}_arm64.deb
+ _${ver}_armel.deb
+ _${ver}_armhf.deb
+ _${ver}_darwin_amd64.tar.gz
+ _${ver}_freebsd_386.tar.gz
+ _${ver}_freebsd_amd64.tar.gz
+ _${ver}_freebsd_arm64.tar.gz
+ _${ver}_freebsd_armv5.tar.gz
+ _${ver}_freebsd_armv7.tar.gz
+ _${ver}_i386.deb
+ _${ver}_linux_386.tar.gz
+ _${ver}_linux_amd64.tar.gz
+ _${ver}_linux_arm64.tar.gz
+ _${ver}_linux_armv5.tar.gz
+ _${ver}_linux_armv7.tar.gz
+ _${ver}_linux_mips64le_hardfloat.tar.gz
+ _${ver}_linux_ppc64le.tar.gz
+ _${ver}_linux_s390x.tar.gz
+ _${ver}_mips64el.deb
+ _${ver}_netbsd_386.tar.gz
+ _${ver}_netbsd_amd64.tar.gz
+ _${ver}_netbsd_armv5.tar.gz
+ _${ver}_netbsd_armv7.tar.gz
+ _${ver}_openbsd_386.tar.gz
+ _${ver}_openbsd_amd64.tar.gz
+ _${ver}_openbsd_arm64.tar.gz
+ _${ver}_openbsd_armv5.tar.gz
+ _${ver}_openbsd_armv7.tar.gz
+ _${ver}_ppc64le.deb
+ _${ver}_s390x.deb
+ _${ver}_windows_amd64.tar.gz"
+ for suffix in $list
+ do
+ echo "https://github.com/ovh/$PROGRAM_NAME/releases/download/v${ver}/$PROGRAM_NAME${suffix}"
+ done
+}
+
+install_main "$@"
diff --git a/bin/admin/install-yubico-piv-checker.sh b/bin/admin/install-yubico-piv-checker.sh
index 469d54bdc..019f33f4a 100755
--- a/bin/admin/install-yubico-piv-checker.sh
+++ b/bin/admin/install-yubico-piv-checker.sh
@@ -87,7 +87,7 @@ default_urls() {
 _${ver}_windows_amd64.tar.gz"
 for suffix in $list
 do
- echo "https://github.com/ovh/yubico-piv-checker/releases/download/v${ver}/yubico-piv-checker${suffix}"
+ echo "https://github.com/ovh/$PROGRAM_NAME/releases/download/v${ver}/$PROGRAM_NAME${suffix}"
 done
 }
diff --git a/bin/plugin/group-owner/groupGeneratePassword b/bin/plugin/group-owner/groupGeneratePassword
index 8f7c3b2c7..ce995ea67 100755
--- a/bin/plugin/group-owner/groupGeneratePassword
+++ b/bin/plugin/group-owner/groupGeneratePassword
@@ -62,6 +62,14 @@ $fnret or osh_exit($fnret);
 $group = $fnret->value->{'group'};
 my $shortGroup = $fnret->value->{'shortGroup'};
+$fnret = OVH::Bastion::plugin_config(plugin => $scriptName, key => "minPasswordSize");
+if ($fnret && $fnret->value && $size < $fnret->value) {
+ osh_exit('ERR_INVALID_PARAMETER',
+ "The minimum allowed password size defined by policy is "
+ . $fnret->value
+ . " characters, you asked only $size");
+}
+
 if (not $doIt) {
 help();
 osh_exit('ERR_MISSING_PARAMETER', "Missing mandatory parameter: please read the BEWARE note above.");
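Review bot: `default_urls` pins `local ver="1.0.0"`, while the commit message states the feature requires the-bastion-mkhash-helper v1.1.0+, so the API-down/CI fallback path installs a release the new Perl code is documented not to work with; it should read `local ver="1.1.0"` (or whatever the real minimum is), ideally kept in one place with any version check the installer performs. `action_static` unpacks `tar xzf *.tar.gz` and copies the result into `/usr/local/bin` with no integrity check visible in this file; unless `_download` in `lib/shell/install.inc` verifies a checksum or signature of the release asset (not visible here), that is worth adding, since this binary later receives every generated password on stdin. The `*) exit 1;;` branch in `set_download_url_package` exits without a message; `*) echo "unsupported package type: $1" >&2; exit 1;;` would make a failed install diagnosable.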
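Review bot: The new policy check `$size < $fnret->value` compares numerically without confirming that the configured `minPasswordSize` is a positive integer; a non-numeric but truthy config value is treated as 0 (with a Perl warning) and silently disables the policy. Unless `plugin_config` validates value types upstream (not visible here), `if ($fnret && $fnret->value && $fnret->value =~ /^\d+$/ && $size < $fnret->value) {` keeps the intent, or better, reject a malformed policy value with its own error. Note also that this check is added only to groupGeneratePassword; the selfGeneratePassword and accountGeneratePassword hunks in this same patch get no equivalent, so either it already lives in `generatePassword::act` / the helper (outside these hunks) or the policy is group-only by accident.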
@@ -76,9 +84,10 @@ push @command, "--group", $group, "--size", $size;
 $fnret = OVH::Bastion::helper(cmd => \@command);
 $fnret or osh_exit($fnret);
-osh_info "Generated a new password of length $size for group $shortGroup, hashes follow:";
-osh_info "md5crypt: " . $fnret->value->{'hashes'}{'md5crypt'} . "\n";
-osh_info "sha256crypt: " . $fnret->value->{'hashes'}{'sha256crypt'} . "\n";
-osh_info "sha512crypt: " . $fnret->value->{'hashes'}{'sha512crypt'} . "\n";
-osh_info "This new password will now be used by default.";
+osh_info "Generated a new password of length $size for group $shortGroup, hashes follow:\n\n";
+my $hashes = $fnret->value->{'hashes'};
+foreach my $type (qw{ md5crypt sha256crypt sha512crypt type8 type9 }) {
+ osh_info(sprintf("%11s: %s\n", $type, $hashes->{$type})) if $hashes->{$type};
+}
+osh_info "\nThis new password will now be used by default.";
 osh_exit $fnret;
diff --git a/bin/plugin/open/groupListPasswords b/bin/plugin/open/groupListPasswords
index f732c1c49..3947c76a9 100755
--- a/bin/plugin/open/groupListPasswords
+++ b/bin/plugin/open/groupListPasswords
@@ -49,7 +49,7 @@ $fnret or osh_exit $fnret;
 foreach my $item (@{$fnret->value}) {
 osh_info $item->{'description'};
 foreach my $hash (sort keys %{$item->{'hashes'}}) {
- osh_info "... $hash: " . $item->{'hashes'}{$hash};
+ osh_info(sprintf("... %11s: %s\n", $hash, $item->{'hashes'}{$hash}));
 }
 osh_info "\n";
 }
diff --git a/bin/plugin/open/selfGeneratePassword b/bin/plugin/open/selfGeneratePassword
index c53dc506a..4cdf8b36c 100755
--- a/bin/plugin/open/selfGeneratePassword
+++ b/bin/plugin/open/selfGeneratePassword
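Review bot: The hash-printing loop over `qw{ md5crypt sha256crypt sha512crypt type8 type9 }` is now duplicated verbatim in groupGeneratePassword, selfGeneratePassword and accountGeneratePassword (the latter two further down in this patch); a small helper in `OVH::Bastion::Plugin::generatePassword`, which selfGeneratePassword already calls, would keep the type list in one place when the next hash type is added. Also, `if $hashes->{$type}` silently drops the type8/type9 lines when the-bastion-mkhash-helper is not installed, which the upgrade notes describe as intended, but the operator gets no hint why two hashes are missing; `osh_info "(type8/type9 hashes not available, is the-bastion-mkhash-helper installed?)\n" unless $hashes->{'type8'} || $hashes->{'type9'};` after the loop would make that actionable.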
@@ -71,9 +71,10 @@ $fnret = OVH::Bastion::Plugin::generatePassword::act(self => $self, context => 'account', account => $self, size => $size);
 $fnret or osh_exit($fnret);
-osh_info "Generated a new password of length $size for your account, $self, hashes follow:";
-osh_info "md5crypt: " . $fnret->value->{'hashes'}{'md5crypt'} . "\n";
-osh_info "sha256crypt: " . $fnret->value->{'hashes'}{'sha256crypt'} . "\n";
-osh_info "sha512crypt: " . $fnret->value->{'hashes'}{'sha512crypt'} . "\n";
-osh_info "This new password will now be used by default.";
+osh_info "Generated a new password of length $size for your account, $self, hashes follow:\n\n";
+my $hashes = $fnret->value->{'hashes'};
+foreach my $type (qw{ md5crypt sha256crypt sha512crypt type8 type9 }) {
+ osh_info(sprintf("%11s: %s\n", $type, $hashes->{$type})) if $hashes->{$type};
+}
+osh_info "\nThis new password will now be used by default.";
 osh_exit $fnret;
diff --git a/bin/plugin/open/selfListPasswords b/bin/plugin/open/selfListPasswords
index b8d27a653..2d0ff9db9 100755
--- a/bin/plugin/open/selfListPasswords
+++ b/bin/plugin/open/selfListPasswords
@@ -30,7 +30,7 @@ $fnret or osh_exit $fnret;
 foreach my $item (@{$fnret->value}) {
 osh_info $item->{'description'};
 foreach my $hash (sort keys %{$item->{'hashes'}}) {
- osh_info "... $hash: " . $item->{'hashes'}{$hash};
+ osh_info(sprintf("... %11s: %s\n", $hash, $item->{'hashes'}{$hash}));
 }
 osh_info "\n";
 }
diff --git a/bin/plugin/restricted/accountGeneratePassword b/bin/plugin/restricted/accountGeneratePassword
index 38fef5b63..dfb0a8c9c 100755
--- a/bin/plugin/restricted/accountGeneratePassword
+++ b/bin/plugin/restricted/accountGeneratePassword
@@ -83,9 +83,10 @@ push @command, "--account", $account, "--size", $size;
 $fnret = OVH::Bastion::helper(cmd => \@command);
 $fnret or osh_exit($fnret);
-osh_info "Generated a new password of length $size for account $account, hashes follow:";
-osh_info "md5crypt: " . $fnret->value->{'hashes'}{'md5crypt'} . "\n";
-osh_info "sha256crypt: " . $fnret->value->{'hashes'}{'sha256crypt'} . "\n";
-osh_info "sha512crypt: " . $fnret->value->{'hashes'}{'sha512crypt'} . "\n";
-osh_info "This new password will now be used by default.";
+osh_info "Generated a new password of length $size for account $account, hashes follow:\n\n";
+my $hashes = $fnret->value->{'hashes'};
+foreach my $type (qw{ md5crypt sha256crypt sha512crypt type8 type9 }) {
+ osh_info(sprintf("%11s: %s\n", $type, $hashes->{$type})) if $hashes->{$type};
+}
+osh_info "\nThis new password will now be used by default.";
 osh_exit $fnret;
diff --git a/bin/plugin/restricted/accountListPasswords b/bin/plugin/restricted/accountListPasswords
index bdfacc2ae..996c581d7 100755
--- a/bin/plugin/restricted/accountListPasswords
+++ b/bin/plugin/restricted/accountListPasswords
@@ -43,7 +43,7 @@ $fnret or osh_exit $fnret;
 foreach my $item (@{$fnret->value}) {
 osh_info $item->{'description'};
 foreach my $hash (sort keys %{$item->{'hashes'}}) {
- osh_info "... $hash: " . $item->{'hashes'}{$hash};
+ osh_info(sprintf("... %11s: %s\n", $hash, $item->{'hashes'}{$hash}));
 }
 osh_info "\n";
 }
diff --git a/doc/sphinx/installation/basic.rst b/doc/sphinx/installation/basic.rst
index 3f9c4dd64..35d76f9e0 100644
--- a/doc/sphinx/installation/basic.rst
+++ b/doc/sphinx/installation/basic.rst
@@ -135,11 +135,15 @@ it'll fallback to installing precompiled static binaries. Of course you can package it yourself and make it available to your own internal repositories instead of installing it this way. If you plan to use the PIV functionalities of The Bastion, -you'll also need to install the ``yubico-piv-checker`` `helper tool `_: +you'll also need to install the ``yubico-piv-checker`` `helper tool `_. + +You may also want to install ``the-bastion-mkhash-helper`` `tool `_ +if you want to be able to generate so-called type 8 and type 9 password hashes. .. code-block:: shell /opt/bastion/bin/admin/install-yubico-piv-checker.sh -a + /opt/bastion/bin/admin/install-mkhash-helper.sh -a .. _install-basic_encrypt-home: diff --git a/doc/sphinx/installation/upgrading.rst b/doc/sphinx/installation/upgrading.rst index 58b033622..806f57b0b 100644 --- a/doc/sphinx/installation/upgrading.rst +++ b/doc/sphinx/installation/upgrading.rst 
@@ -27,6 +27,34 @@ See the ``--help`` for a more fine-grained upgrade path if needed. Version-specific upgrade instructions ===================================== +v3.xx.xx - xxxx/xx/xx +********************* + +A new helper is required to support the so-called "type 8" and "type 9" password hash types, used on some +network devices. This helper is optional, and these hashes types will simply not be generated if the helper is +missing. The plugins concerned by this change are ``selfGeneratePassword``, ``selfListPasswords``, +``accountGeneratePassword``, ``accountListPasswords``, ``groupGeneratePassword``, ``groupListPasswords``. + +New installations will get this helper installed automatically. When upgrading, if you'd like to install +this helper, you'll need to install it by running the following command as ``root``: + +.. code-block:: shell + + /opt/bastion/bin/admin/install-mkhash-helper.sh -a + +This will detect your OS and either install a ``.deb`` file, an ``.rpm`` file, or a static binary. + +If you want to ensure that the helper has installed correctly, you can call it manually for testing purposes: + +.. code-block:: shell + :emphasize-lines: 1 + + echo test | the-bastion-mkhash-helper + {"Type8":"$8$EpvF1cVVzoEQFE$L3ZBWzfH9MTPo4WLX29Jd8LTM5sKlfEjtRZ//XMys2U","Type9":"$9$yRlXzt0T7WBs3E$YdKk8WMvLvAVcbglx.bMZoRlwBa6l5EhwLhBh1o0u4g","PasswordLen":4} + +If you're not generating passwords for use with network devices using type 8 or type 9 hash types, installation of this +helper is not required. + v3.13.01 - 2023/08/22 ********************* diff --git a/docker/Dockerfile.centos7 b/docker/Dockerfile.centos7 index b7ddb7fd8..3ded58a28 100644 --- a/docker/Dockerfile.centos7 +++ b/docker/Dockerfile.centos7 
@@ -2,11 +2,16 @@ FROM centos:7 LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" # cache builds efficiently: just copy the scripts to install packages first -COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/ -COPY lib/shell /opt/bastion/lib/shell/ +COPY bin/admin/install-ttyrec.sh \ + bin/admin/install-yubico-piv-checker.sh \ + bin/admin/install-mkhash-helper.sh \ + bin/admin/packages-check.sh \ + /opt/bastion/bin/admin/ +COPY lib/shell /opt/bastion/lib/shell/ RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-r"] RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-r"] +RUN ["/opt/bastion/bin/admin/install-mkhash-helper.sh","-r"] # disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log RUN test -e /etc/syslog-ng/syslog-ng.conf && \ diff --git a/docker/Dockerfile.debian10 b/docker/Dockerfile.debian10 index 2ead4d42a..60a1f565c 100644 --- a/docker/Dockerfile.debian10 +++ b/docker/Dockerfile.debian10 @@ -2,11 +2,16 @@ FROM debian:buster LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" # cache builds efficiently: just copy the scripts to install packages first -COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/ -COPY lib/shell /opt/bastion/lib/shell/ +COPY bin/admin/install-ttyrec.sh \ + bin/admin/install-yubico-piv-checker.sh \ + bin/admin/install-mkhash-helper.sh \ + bin/admin/packages-check.sh \ + /opt/bastion/bin/admin/ +COPY lib/shell /opt/bastion/lib/shell/ RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"] RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-d"] +RUN ["/opt/bastion/bin/admin/install-mkhash-helper.sh","-d"] # handle locales RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen 
diff --git a/docker/Dockerfile.debian11 b/docker/Dockerfile.debian11 index 3f0422f47..b3bb80ea5 100644 --- a/docker/Dockerfile.debian11 +++ b/docker/Dockerfile.debian11 @@ -2,11 +2,16 @@ FROM debian:bullseye LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" # cache builds efficiently: just copy the scripts to install packages first -COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/ -COPY lib/shell /opt/bastion/lib/shell/ +COPY bin/admin/install-ttyrec.sh \ + bin/admin/install-yubico-piv-checker.sh \ + bin/admin/install-mkhash-helper.sh \ + bin/admin/packages-check.sh \ + /opt/bastion/bin/admin/ +COPY lib/shell /opt/bastion/lib/shell/ RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"] RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-d"] +RUN ["/opt/bastion/bin/admin/install-mkhash-helper.sh","-d"] # handle locales RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen diff --git a/docker/Dockerfile.debian12 b/docker/Dockerfile.debian12 index 263663bb9..10e88640b 100644 --- a/docker/Dockerfile.debian12 +++ b/docker/Dockerfile.debian12 
@@ -2,11 +2,16 @@ FROM debian:bookworm LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" # cache builds efficiently: just copy the scripts to install packages first -COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/ -COPY lib/shell /opt/bastion/lib/shell/ +COPY bin/admin/install-ttyrec.sh \ + bin/admin/install-yubico-piv-checker.sh \ + bin/admin/install-mkhash-helper.sh \ + bin/admin/packages-check.sh \ + /opt/bastion/bin/admin/ +COPY lib/shell /opt/bastion/lib/shell/ RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"] RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-d"] +RUN ["/opt/bastion/bin/admin/install-mkhash-helper.sh","-d"] # handle locales RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen diff --git a/docker/Dockerfile.opensuse15 b/docker/Dockerfile.opensuse15 index 4a5c540e1..ee4cec94c 100644 --- a/docker/Dockerfile.opensuse15 +++ b/docker/Dockerfile.opensuse15 
@@ -2,14 +2,19 @@ FROM opensuse/leap:15 LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" # cache builds efficiently: just copy the scripts to install packages first -COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/ -COPY lib/shell /opt/bastion/lib/shell/ +COPY bin/admin/install-ttyrec.sh \ + bin/admin/install-yubico-piv-checker.sh \ + bin/admin/install-mkhash-helper.sh \ + bin/admin/packages-check.sh \ + /opt/bastion/bin/admin/ +COPY lib/shell /opt/bastion/lib/shell/ RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] RUN ["/usr/bin/chmod","u+s","/usr/bin/ping","/usr/sbin/fping"] RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-r"] RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-r"] +RUN ["/opt/bastion/bin/admin/install-mkhash-helper.sh","-r"] -# disable /dev/kmsg handling by syslog-ng and explicitely enable /dev/log +# disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log RUN test -e /etc/syslog-ng/syslog-ng.conf && \ sed -i -re 's=system\(\);=unix-stream("/dev/log");=' /etc/syslog-ng/syslog-ng.conf diff --git a/docker/Dockerfile.rockylinux8 b/docker/Dockerfile.rockylinux8 index af2cd90e6..4d4a473b3 100644 --- a/docker/Dockerfile.rockylinux8 +++ b/docker/Dockerfile.rockylinux8 
@@ -2,11 +2,16 @@ FROM rockylinux:8 LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" # cache builds efficiently: just copy the scripts to install packages first -COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/ -COPY lib/shell /opt/bastion/lib/shell/ +COPY bin/admin/install-ttyrec.sh \ + bin/admin/install-yubico-piv-checker.sh \ + bin/admin/install-mkhash-helper.sh \ + bin/admin/packages-check.sh \ + /opt/bastion/bin/admin/ +COPY lib/shell /opt/bastion/lib/shell/ RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-r"] RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-r"] +RUN ["/opt/bastion/bin/admin/install-mkhash-helper.sh","-r"] # disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log RUN test -e /etc/syslog-ng/syslog-ng.conf && \ diff --git a/docker/Dockerfile.rockylinux9 b/docker/Dockerfile.rockylinux9 index 29685f88a..7b8d5dad3 100644 --- a/docker/Dockerfile.rockylinux9 +++ b/docker/Dockerfile.rockylinux9 
@@ -2,11 +2,16 @@ FROM rockylinux:9 LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" # cache builds efficiently: just copy the scripts to install packages first -COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/ -COPY lib/shell /opt/bastion/lib/shell/ +COPY bin/admin/install-ttyrec.sh \ + bin/admin/install-yubico-piv-checker.sh \ + bin/admin/install-mkhash-helper.sh \ + bin/admin/packages-check.sh \ + /opt/bastion/bin/admin/ +COPY lib/shell /opt/bastion/lib/shell/ RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-r"] RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-r"] +RUN ["/opt/bastion/bin/admin/install-mkhash-helper.sh","-r"] # disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log RUN test -e /etc/syslog-ng/syslog-ng.conf && \ diff --git a/docker/Dockerfile.sandbox b/docker/Dockerfile.sandbox index a18eb0244..e0d44b0fd 100644 --- a/docker/Dockerfile.sandbox +++ b/docker/Dockerfile.sandbox @@ -15,6 +15,8 @@ RUN \ /opt/bastion/bin/admin/install-ttyrec.sh -d && \ # download and install the yubico-piv-checker deb package (-d) \ /opt/bastion/bin/admin/install-yubico-piv-checker.sh -d && \ + # download and install the the-bastion-mkhash-helper deb package (-d) \ + /opt/bastion/bin/admin/install-mkhash-helper.sh -d && \ # cleanup packages cache to save space \ rm -rf /var/cache/apt && \ # handle locales \ diff --git a/docker/Dockerfile.ubuntu1604 b/docker/Dockerfile.ubuntu1604 index 2fc4e62c7..6d49677d4 100644 --- a/docker/Dockerfile.ubuntu1604 +++ b/docker/Dockerfile.ubuntu1604 
@@ -2,11 +2,16 @@ FROM ubuntu:16.04 LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" # cache builds efficiently: just copy the scripts to install packages first -COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/ -COPY lib/shell /opt/bastion/lib/shell/ +COPY bin/admin/install-ttyrec.sh \ + bin/admin/install-yubico-piv-checker.sh \ + bin/admin/install-mkhash-helper.sh \ + bin/admin/packages-check.sh \ + /opt/bastion/bin/admin/ +COPY lib/shell /opt/bastion/lib/shell/ RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"] RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-d"] +RUN ["/opt/bastion/bin/admin/install-mkhash-helper.sh","-d"] # handle locales RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen diff --git a/docker/Dockerfile.ubuntu1804 b/docker/Dockerfile.ubuntu1804 index 90227095f..e0e4c6e4e 100644 --- a/docker/Dockerfile.ubuntu1804 +++ b/docker/Dockerfile.ubuntu1804 @@ -2,11 +2,16 @@ FROM ubuntu:18.04 LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" # cache builds efficiently: just copy the scripts to install packages first -COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/ -COPY lib/shell /opt/bastion/lib/shell/ +COPY bin/admin/install-ttyrec.sh \ + bin/admin/install-yubico-piv-checker.sh \ + bin/admin/install-mkhash-helper.sh \ + bin/admin/packages-check.sh \ + /opt/bastion/bin/admin/ +COPY lib/shell /opt/bastion/lib/shell/ RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"] RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-d"] +RUN ["/opt/bastion/bin/admin/install-mkhash-helper.sh","-d"] # handle locales RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen 
diff --git a/docker/Dockerfile.ubuntu2004 b/docker/Dockerfile.ubuntu2004 index bd4b4a745..87faf7ace 100644 --- a/docker/Dockerfile.ubuntu2004 +++ b/docker/Dockerfile.ubuntu2004 @@ -2,11 +2,16 @@ FROM ubuntu:20.04 LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" # cache builds efficiently: just copy the scripts to install packages first -COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/ -COPY lib/shell /opt/bastion/lib/shell/ +COPY bin/admin/install-ttyrec.sh \ + bin/admin/install-yubico-piv-checker.sh \ + bin/admin/install-mkhash-helper.sh \ + bin/admin/packages-check.sh \ + /opt/bastion/bin/admin/ +COPY lib/shell /opt/bastion/lib/shell/ RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"] RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-d"] +RUN ["/opt/bastion/bin/admin/install-mkhash-helper.sh","-d"] # handle locales RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen diff --git a/docker/Dockerfile.ubuntu2204 b/docker/Dockerfile.ubuntu2204 index ce62941ba..ecce83762 100644 --- a/docker/Dockerfile.ubuntu2204 +++ b/docker/Dockerfile.ubuntu2204 
@@ -2,11 +2,16 @@ FROM ubuntu:22.04 LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" # cache builds efficiently: just copy the scripts to install packages first -COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/ -COPY lib/shell /opt/bastion/lib/shell/ +COPY bin/admin/install-ttyrec.sh \ + bin/admin/install-yubico-piv-checker.sh \ + bin/admin/install-mkhash-helper.sh \ + bin/admin/packages-check.sh \ + /opt/bastion/bin/admin/ +COPY lib/shell /opt/bastion/lib/shell/ RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"] RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-d"] +RUN ["/opt/bastion/bin/admin/install-mkhash-helper.sh","-d"] # handle locales RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen diff --git a/lib/perl/OVH/Bastion/password.inc b/lib/perl/OVH/Bastion/password.inc index f7e309b3b..f3a7da784 100644 --- a/lib/perl/OVH/Bastion/password.inc +++ b/lib/perl/OVH/Bastion/password.inc @@ -28,7 +28,7 @@ sub _get_key_from_password { } # generate a fixed salt given (a password AND a nonce AND a salt len) -sub _get_salt_for_password { +sub _get_salt { my %params = @_; my $password = $params{'password'}; my $nonce = $params{'nonce'} || $password; 
@@ -64,16 +64,38 @@ sub get_hashes_from_password {
 my %ret;
 $ret{'md5crypt'} =
- crypt($password, '$1$' . _get_salt_for_password(password => $password, nonce => '$1', len => 4)->value . '$');
+ crypt($password, '$1$' . _get_salt(password => $password, nonce => '$1', len => 4)->value . '$');
 $ret{'sha256crypt'} =
- crypt($password, '$5$' . _get_salt_for_password(password => $password, nonce => '$5', len => 8)->value . '$');
+ crypt($password, '$5$' . _get_salt(password => $password, nonce => '$5', len => 8)->value . '$');
 $ret{'sha512crypt'} =
- crypt($password, '$6$' . _get_salt_for_password(password => $password, nonce => '$6', len => 8)->value . '$');
+ crypt($password, '$6$' . _get_salt(password => $password, nonce => '$6', len => 8)->value . '$');
 # some OSes have a broken crypt() that doesn't generate invalid hashes, undef those
 $ret{'sha256crypt'} = undef if $ret{'sha256crypt'} !~ m{^\$5\$};
 $ret{'sha512crypt'} = undef if $ret{'sha512crypt'} !~ m{^\$6\$};
+ # get fixed (and untainted) salts for type8 and type9
+ my ($type8salt) = _get_salt(password => $password, nonce => '$8', len => 14)->value =~ m{^([a-zA-Z0-9./]+)$};
+ my ($type9salt) = _get_salt(password => $password, nonce => '$9', len => 14)->value =~ m{^([a-zA-Z0-9./]+)$};
+
+ # if we have the-bastion-mkhash-helper, use it
+ my $fnret = OVH::Bastion::execute(
+ cmd => ['the-bastion-mkhash-helper', '--salt-type8', $type8salt, '--salt-type9', $type9salt],
+ stdin_str => $password,
+ must_succeed => 1
+ );
+ if ($fnret && $fnret->value && $fnret->value->{'stdout'}) {
+ require JSON;
+ my $hashes = eval { JSON::decode_json(join("\n", @{$fnret->value->{'stdout'}})); };
+ if ($@) {
+ warn_syslog("Couldn't parse the-bastion-mkhash-helper output: $@");
+ }
+ elsif ($hashes) {
+ $ret{'type8'} = $hashes->{'Type8'} if $hashes->{'Type8'};
+ $ret{'type9'} = $hashes->{'Type9'} if $hashes->{'Type9'};
+ }
+ }
+ + return R('OK', value => \%ret); }
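Review bot: `$type8salt` and `$type9salt` are undef whenever the `m{^([a-zA-Z0-9./]+)$}` untaint does not match (or `_get_salt` yields no value), yet they go straight into the `execute` argument list, so the helper is run with `--salt-type8` followed by an undef argument and the only symptom is a missing hash. Guard before the call: `if (!defined $type8salt || !defined $type9salt) { warn_syslog("type8/type9 salt generation failed, skipping helper"); return R('OK', value => \%ret); }`. The failure branch of `$fnret` is likewise silent; if `execute` lets you tell "helper not installed" (expected, per the upgrade notes) from "helper present but failed", a `warn_syslog` on the latter would help operators notice a broken install. On the positive side the password reaches the helper via `stdin_str` rather than argv, and the salts are derived with the same deterministic `_get_salt` scheme as the crypt hashes. `get_hashes_from_password` begins before this hunk.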
diff --git a/lib/shell/install.inc b/lib/shell/install.inc index e4bd94237..0817e828c 100644 --- a/lib/shell/install.inc +++ b/lib/shell/install.inc @@ -1,7 +1,7 @@ # vim: set filetype=sh ts=4 sw=4 sts=4 et: # shellcheck shell=bash -# common parts of install-ttyrec.sh and install-yubico-piv-checker.sh +# common parts of install-{ttyrec,yubico-piv-checker,the-bastion-mkhash-helper}.sh # shellcheck source=lib/shell/functions.inc disable=SC2128 . "$(dirname "$BASH_SOURCE")"/functions.inc diff --git a/tests/functional/tests.d/350-groups.sh b/tests/functional/tests.d/350-groups.sh index 5073186fb..41f46f3f4 100644 --- a/tests/functional/tests.d/350-groups.sh +++ b/tests/functional/tests.d/350-groups.sh @@ -317,6 +317,8 @@ EOS md5a=$(get_json | $jq '.value.hashes.md5crypt') sha256a=$(get_json | $jq '.value.hashes.sha256crypt') sha512a=$(get_json | $jq '.value.hashes.sha512crypt') + type8a=$(get_json | $jq '.value.hashes.type8') + type9a=$(get_json | $jq '.value.hashes.type9') success works $a0 --osh groupListPasswords --group $group3 json $(cat <