From c1dd94f3689a83d5461993bd2b1f9a5246845deb Mon Sep 17 00:00:00 2001
From: Andriy Dobush <78359998+andriydnvd@users.noreply.github.com>
Date: Fri, 24 Feb 2023 01:36:37 +0200
Subject: [PATCH] Add California-SB237 feature. Requires to change default user password (#12678)

#### Why I did it
Add support of California-SB237 conformance. https://github.com/sonic-net/SONiC/tree/master/doc/California-SB237
#### How I did it
Expire user passwords during build
#### How to verify it
Enable build flag and check if default user is prompted for a new password
---
 Makefile.work | 1 +
 build_debian.sh | 10 ++++++++++
 check_install.py | 27 ++++++++++++++++++++++++++-
 rules/config | 3 +++
 slave.mk | 2 ++
 5 files changed, 42 insertions(+), 1 deletion(-)
diff --git a/Makefile.work b/Makefile.work
index bea20edb42..e0099429ed 100644
--- a/Makefile.work
+++ b/Makefile.work
@@ -499,6 +499,7 @@ SONIC_BUILD_INSTRUCTION := $(MAKE) \
 MDEBUG=$(MDEBUG) \
 PASSWORD=$(PASSWORD) \
 USERNAME=$(USERNAME) \
+ CHANGE_DEFAULT_PASSWORD=$(CHANGE_DEFAULT_PASSWORD) \
 SONIC_BUILD_JOBS=$(SONIC_BUILD_JOBS) \
 SONIC_USE_DOCKER_BUILDKIT=$(SONIC_USE_DOCKER_BUILDKIT) \
 VS_PREPARE_MEM=$(VS_PREPARE_MEM) \
diff --git a/build_debian.sh b/build_debian.sh
index c0f409f49d..b599b8c859 100755
--- a/build_debian.sh
+++ b/build_debian.sh
@@ -684,6 +684,16 @@ sudo LANG=C chroot $FILESYSTEM_ROOT umount /proc || true
 ## Prepare empty directory to trigger mount move in initramfs-tools/mount_loop_root, implemented by patching
 sudo mkdir $FILESYSTEM_ROOT/host
+
+if [[ "$CHANGE_DEFAULT_PASSWORD" == "y" ]]; then
+ ## Expire default password for exitsing users that can do login
+ default_users=$(cat $FILESYSTEM_ROOT/etc/passwd | grep "/home"| grep ":/bin/bash\|:/bin/sh" | awk -F ":" '{print $1}' 2> /dev/null)
+ for user in $default_users
+ do
+ sudo LANG=C chroot $FILESYSTEM_ROOT passwd -e ${user}
+ done
+fi
+
 ## Compress most file system into squashfs file
 sudo rm -f $ONIE_INSTALLER_PAYLOAD $FILESYSTEM_SQUASHFS
 ## Output the file system total size for diag purpose
diff --git a/check_install.py b/check_install.py
index b8fc3936f7..3a923e91de 100755
--- a/check_install.py
+++ b/check_install.py
@@ -11,6 +11,7 @@ def main():
 parser = argparse.ArgumentParser(description='test_login cmdline parser')
 parser.add_argument('-u', default="admin", help='login user name')
 parser.add_argument('-P', default="YourPaSsWoRd", help='login password')
+ parser.add_argument('-N', default="Test@2022", help='new password')
 parser.add_argument('-p', type=int, default=9000, help='local port')
 args = parser.parse_args()
@@ -20,6 +21,7 @@ def main():
 cmd_prompt = "{}@sonic:~\$ $".format(args.u)
 grub_selection = "The highlighted entry will be executed"
 firsttime_prompt = 'firsttime_exit'
+ passwd_change_prompt = ['Current password:', 'New password:', 'Retype new password:']
 i = 0
 while True:
@@ -36,7 +38,6 @@ def main():
 # select default SONiC Image
 p.expect(grub_selection)
 p.sendline()
- # bootup sonic image
 while True:
 i = p.expect([login_prompt, passwd_prompt, firsttime_prompt, cmd_prompt])
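Review bot: The `default_users=` line selects accounts by substring match over whole passwd records, so `grep "/home"` also fires on a `/home` inside the GECOS field and `:/bin/sh` matches any shell path that merely starts with `/bin/sh`; testing the home and shell fields directly is more precise and drops the useless `cat`: `default_users=$(awk -F: '$6 ~ /^\/home\// && ($7 == "/bin/bash" || $7 == "/bin/sh") {print $1}' "$FILESYSTEM_ROOT/etc/passwd")`. The exit status of `passwd -e` is never checked, so unless this script runs under `set -e` (its header is outside the hunk) a failed expiry would produce an image that still accepts the default password while CHANGE_DEFAULT_PASSWORD=y. The slave.mk hunk passes USERNAME to the installer build alongside the new flag, so if only the default account is meant, expiring `$USERNAME` explicitly would avoid the heuristic altogether. The comment also misspells `exitsing`.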
@@ -46,6 +47,30 @@ def main():
 elif i == 1:
 # send password
 p.sendline(args.P)
+ # Check for password change prompt
+ try:
+ p.expect('Current password:', timeout=2)
+ except pexpect.TIMEOUT:
+ break
+ else:
+ # send old password for password prompt
+ p.sendline(args.P)
+ p.expect(passwd_change_prompt[1])
+ # send new password
+ p.sendline(args.N)
+ p.expect(passwd_change_prompt[2])
+ # retype new password
+ p.sendline(args.N)
+ time.sleep(1)
+ # Restore default password
+ p.sendline('passwd {}'.format(args.u))
+ p.expect(passwd_change_prompt[0])
+ p.sendline(args.N)
+ p.expect(passwd_change_prompt[1])
+ p.sendline(args.P)
+ p.expect(passwd_change_prompt[2])
+ p.sendline(args.P)
+ break
 elif i == 2:
 # fix a login timeout issue, caused by the login_prompt message mixed with the output message of the rc.local
 time.sleep(1)
diff --git a/rules/config b/rules/config
index 0cf5c00dc0..ec659631e2 100644
--- a/rules/config
+++ b/rules/config
@@ -39,6 +39,9 @@ DEFAULT_BUILD_LOG_TIMESTAMP = none
 # Comment next line to disable:
 # SONIC_CONFIG_ENABLE_COLORS = y
+# CHANGE_DEFAULT_PASSWORD - enforce default user/users to change password on 1st login
+CHANGE_DEFAULT_PASSWORD ?= n
+
 # DEFAULT_USERNAME - default username for installer build
 DEFAULT_USERNAME = admin
diff --git a/slave.mk b/slave.mk
index dc926087f3..5789287f1d 100644
--- a/slave.mk
+++ b/slave.mk
@@ -376,6 +376,7 @@ $(info "USE_NATIVE_DOCKERD_FOR_BUILD" : "$(SONIC_CONFIG_USE_NATIVE_DOCKERD_FO
 $(info "SONIC_USE_DOCKER_BUILDKIT" : "$(SONIC_USE_DOCKER_BUILDKIT)")
 $(info "USERNAME" : "$(USERNAME)")
 $(info "PASSWORD" : "$(PASSWORD)")
+$(info "CHANGE_DEFAULT_PASSWORD" : "$(CHANGE_DEFAULT_PASSWORD)")
 $(info "ENABLE_DHCP_GRAPH_SERVICE" : "$(ENABLE_DHCP_GRAPH_SERVICE)")
 $(info "SHUTDOWN_BGP_ON_START" : "$(SHUTDOWN_BGP_ON_START)")
 $(info "ENABLE_PFCWD_ON_START" : "$(ENABLE_PFCWD_ON_START)")
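Review bot: The new `except pexpect.TIMEOUT: break` after `p.sendline(args.P)` leaves the login loop without ever seeing a shell prompt, so a rejected password (the login prompt coming back) is no longer distinguished from a successful login, and the forced-change branch likewise ends with `p.sendline(args.P)` and `break` while `passwd` may still be running. Expecting `[passwd_change_prompt[0], cmd_prompt, login_prompt]` in a single call pins all three outcomes and removes both the fixed 2 s timeout and the `time.sleep(1)` before the `passwd` command; the `i == 3` branch of this loop is outside the hunk, so whether it previously asserted the prompt cannot be seen here. The literal `'Current password:'` on the `p.expect` line duplicates `passwd_change_prompt[0]`, which the same block uses a few lines further down. With the rewrite below, a rejected new password surfaces as a `pexpect.TIMEOUT` on `p.expect(cmd_prompt)` instead of the script silently moving on.
```python
            elif i == 1:
                # send password
                p.sendline(args.P)
                # an image built with CHANGE_DEFAULT_PASSWORD=y asks for a new password
                # before the first shell prompt; a repeated login prompt means the
                # password was rejected
                j = p.expect([passwd_change_prompt[0], cmd_prompt, login_prompt])
                if j == 2:
                    raise RuntimeError('login as {} failed'.format(args.u))
                if j == 0:
                    # … unchanged: send args.P, args.N, args.N at the three prompts …
                    p.expect(cmd_prompt)  # replaces time.sleep(1)
                    # … unchanged: `passwd` to restore args.P …
                    p.expect(cmd_prompt)
                break
```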
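Review bot: The comment above `CHANGE_DEFAULT_PASSWORD ?= n` says "default user/users" without stating which accounts the flag affects, which is what an operator enabling it needs to know; per this patch's build_debian.sh change it is every account whose home is under /home and whose shell is /bin/bash or /bin/sh. Suggested wording: `# CHANGE_DEFAULT_PASSWORD - expire the password of every login-capable user in the image (home under /home, shell /bin/bash or /bin/sh) so a new one must be set at first login`. It would also help to name the California-SB237 requirement from the commit message as the reason, since the flag name alone does not convey it.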
@@ -1430,6 +1431,7 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
 DEBUG_SRC_ARCHIVE_FILE="$(DBG_SRC_ARCHIVE_FILE)" \
 USERNAME="$(USERNAME)" \
 PASSWORD="$(PASSWORD)" \
+ CHANGE_DEFAULT_PASSWORD="$(CHANGE_DEFAULT_PASSWORD)" \
 TARGET_MACHINE=$(dep_machine) \
 IMAGE_TYPE=$($*_IMAGE_TYPE) \
 TARGET_PATH=$(TARGET_PATH) \