Add California-SB237 feature. Requires to change default user password (#12678)
#### Why I did it Add support of California-SB237 conformance. https://github.com/sonic-net/SONiC/tree/master/doc/California-SB237 #### How I did it Expire user passwords during build #### How to verify it Enable build flag and check if default user is prompted for a new password
parent
3e316cbf24
commit
c1dd94f368
@ -499,6 +499,7 @@ SONIC_BUILD_INSTRUCTION := $(MAKE) \
|
|||||||
MDEBUG=$(MDEBUG) \
|
MDEBUG=$(MDEBUG) \
|
||||||
PASSWORD=$(PASSWORD) \
|
PASSWORD=$(PASSWORD) \
|
||||||
USERNAME=$(USERNAME) \
|
USERNAME=$(USERNAME) \
|
||||||
|
CHANGE_DEFAULT_PASSWORD=$(CHANGE_DEFAULT_PASSWORD) \
|
||||||
SONIC_BUILD_JOBS=$(SONIC_BUILD_JOBS) \
|
SONIC_BUILD_JOBS=$(SONIC_BUILD_JOBS) \
|
||||||
SONIC_USE_DOCKER_BUILDKIT=$(SONIC_USE_DOCKER_BUILDKIT) \
|
SONIC_USE_DOCKER_BUILDKIT=$(SONIC_USE_DOCKER_BUILDKIT) \
|
||||||
VS_PREPARE_MEM=$(VS_PREPARE_MEM) \
|
VS_PREPARE_MEM=$(VS_PREPARE_MEM) \
|
||||||
|
@ -684,6 +684,16 @@ sudo LANG=C chroot $FILESYSTEM_ROOT umount /proc || true
|
|||||||
## Prepare empty directory to trigger mount move in initramfs-tools/mount_loop_root, implemented by patching
|
## Prepare empty directory to trigger mount move in initramfs-tools/mount_loop_root, implemented by patching
|
||||||
sudo mkdir $FILESYSTEM_ROOT/host
|
sudo mkdir $FILESYSTEM_ROOT/host
|
||||||
|
|
||||||
|
|
||||||
|
if [[ "$CHANGE_DEFAULT_PASSWORD" == "y" ]]; then
|
||||||
|
## Expire default password for exitsing users that can do login
|
||||||
|
default_users=$(cat $FILESYSTEM_ROOT/etc/passwd | grep "/home"| grep ":/bin/bash\|:/bin/sh" | awk -F ":" '{print $1}' 2> /dev/null)
|
||||||
|
for user in $default_users
|
||||||
|
do
|
||||||
|
sudo LANG=C chroot $FILESYSTEM_ROOT passwd -e ${user}
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
|
||||||
## Compress most file system into squashfs file
|
## Compress most file system into squashfs file
|
||||||
sudo rm -f $ONIE_INSTALLER_PAYLOAD $FILESYSTEM_SQUASHFS
|
sudo rm -f $ONIE_INSTALLER_PAYLOAD $FILESYSTEM_SQUASHFS
|
||||||
## Output the file system total size for diag purpose
|
## Output the file system total size for diag purpose
|
||||||
|
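Review bot: The `passwd -e` call inside the loop has no failure handling, and nothing checks that `default_users` matched any account, so with `CHANGE_DEFAULT_PASSWORD=y` an image can still be produced with an unexpired default password and no sign of it in the build log. Whether the script runs under `set -e` is not visible in this hunk; if it does not, I would make the failure explicit with `sudo LANG=C chroot $FILESYSTEM_ROOT passwd -e "${user}" || { echo "Failed to expire password for ${user}" >&2; exit 1; }` and fail the same way when the list is empty. The selection greps the whole passwd line rather than the home and shell fields, and `2> /dev/null` only covers `awk`; matching on fields, `awk -F: '$6 ~ /^\/home\// && $7 ~ /^\/bin\/(ba)?sh$/ {print $1}' $FILESYSTEM_ROOT/etc/passwd`, would be tighter. The comment also has a typo: "exitsing" should be "existing".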
@ -11,6 +11,7 @@ def main():
|
|||||||
parser = argparse.ArgumentParser(description='test_login cmdline parser')
|
parser = argparse.ArgumentParser(description='test_login cmdline parser')
|
||||||
parser.add_argument('-u', default="admin", help='login user name')
|
parser.add_argument('-u', default="admin", help='login user name')
|
||||||
parser.add_argument('-P', default="YourPaSsWoRd", help='login password')
|
parser.add_argument('-P', default="YourPaSsWoRd", help='login password')
|
||||||
|
parser.add_argument('-N', default="Test@2022", help='new password')
|
||||||
parser.add_argument('-p', type=int, default=9000, help='local port')
|
parser.add_argument('-p', type=int, default=9000, help='local port')
|
||||||
|
|
||||||
args = parser.parse_args()
|
args = parser.parse_args()
|
||||||
@ -20,6 +21,7 @@ def main():
|
|||||||
cmd_prompt = "{}@sonic:~\$ $".format(args.u)
|
cmd_prompt = "{}@sonic:~\$ $".format(args.u)
|
||||||
grub_selection = "The highlighted entry will be executed"
|
grub_selection = "The highlighted entry will be executed"
|
||||||
firsttime_prompt = 'firsttime_exit'
|
firsttime_prompt = 'firsttime_exit'
|
||||||
|
passwd_change_prompt = ['Current password:', 'New password:', 'Retype new password:']
|
||||||
|
|
||||||
i = 0
|
i = 0
|
||||||
while True:
|
while True:
|
||||||
@ -36,7 +38,6 @@ def main():
|
|||||||
# select default SONiC Image
|
# select default SONiC Image
|
||||||
p.expect(grub_selection)
|
p.expect(grub_selection)
|
||||||
p.sendline()
|
p.sendline()
|
||||||
|
|
||||||
# bootup sonic image
|
# bootup sonic image
|
||||||
while True:
|
while True:
|
||||||
i = p.expect([login_prompt, passwd_prompt, firsttime_prompt, cmd_prompt])
|
i = p.expect([login_prompt, passwd_prompt, firsttime_prompt, cmd_prompt])
|
||||||
@ -46,6 +47,30 @@ def main():
|
|||||||
elif i == 1:
|
elif i == 1:
|
||||||
# send password
|
# send password
|
||||||
p.sendline(args.P)
|
p.sendline(args.P)
|
||||||
|
# Check for password change prompt
|
||||||
|
try:
|
||||||
|
p.expect('Current password:', timeout=2)
|
||||||
|
except pexpect.TIMEOUT:
|
||||||
|
break
|
||||||
|
else:
|
||||||
|
# send old password for password prompt
|
||||||
|
p.sendline(args.P)
|
||||||
|
p.expect(passwd_change_prompt[1])
|
||||||
|
# send new password
|
||||||
|
p.sendline(args.N)
|
||||||
|
p.expect(passwd_change_prompt[2])
|
||||||
|
# retype new password
|
||||||
|
p.sendline(args.N)
|
||||||
|
time.sleep(1)
|
||||||
|
# Restore default password
|
||||||
|
p.sendline('passwd {}'.format(args.u))
|
||||||
|
p.expect(passwd_change_prompt[0])
|
||||||
|
p.sendline(args.N)
|
||||||
|
p.expect(passwd_change_prompt[1])
|
||||||
|
p.sendline(args.P)
|
||||||
|
p.expect(passwd_change_prompt[2])
|
||||||
|
p.sendline(args.P)
|
||||||
|
break
|
||||||
elif i == 2:
|
elif i == 2:
|
||||||
# fix a login timeout issue, caused by the login_prompt message mixed with the output message of the rc.local
|
# fix a login timeout issue, caused by the login_prompt message mixed with the output message of the rc.local
|
||||||
time.sleep(1)
|
time.sleep(1)
|
||||||
|
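Review bot: After the new password is retyped, the added block waits with `time.sleep(1)` and then sends `passwd {user}` without confirming that the forced change succeeded or that a shell is up. If the change is rejected or the login is slow, the following `expect` calls run against the wrong prompts and the account is left in an unknown state. I would replace the sleep with `p.expect(cmd_prompt)` and wait for `p.expect(cmd_prompt)` once more after the last `p.sendline(args.P)` before `break`. The 2-second timeout on `'Current password:'` is the only thing that tells an expired-password image from a normal one, so a slow console silently takes the `break` path; expecting `[passwd_change_prompt[0], cmd_prompt]` together with a longer timeout would make that deterministic, and would also remove the duplicated literal. main() starts and continues outside these hunks.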
@ -39,6 +39,9 @@ DEFAULT_BUILD_LOG_TIMESTAMP = none
|
|||||||
# Comment next line to disable:
|
# Comment next line to disable:
|
||||||
# SONIC_CONFIG_ENABLE_COLORS = y
|
# SONIC_CONFIG_ENABLE_COLORS = y
|
||||||
|
|
||||||
|
# CHANGE_DEFAULT_PASSWORD - enforce default user/users to change password on 1st login
|
||||||
|
CHANGE_DEFAULT_PASSWORD ?= n
|
||||||
|
|
||||||
# DEFAULT_USERNAME - default username for installer build
|
# DEFAULT_USERNAME - default username for installer build
|
||||||
DEFAULT_USERNAME = admin
|
DEFAULT_USERNAME = admin
|
||||||
|
|
||||||
|
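Review bot: The comment on `CHANGE_DEFAULT_PASSWORD` does not say which values enable it, and the image build script shown on this page compares the value with exactly `"y"`, so `yes`, `Y` or `1` would leave the default passwords unexpired without any warning. I would document that, e.g. `# CHANGE_DEFAULT_PASSWORD - set to y to expire the password of every login-capable user at build time, forcing a change on 1st login (any other value disables it)`. Since the default is `n`, images meant to meet the California-SB237 requirement have to set it explicitly, which is worth stating in the same comment.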
2
slave.mk
2
slave.mk
@ -376,6 +376,7 @@ $(info "USE_NATIVE_DOCKERD_FOR_BUILD" : "$(SONIC_CONFIG_USE_NATIVE_DOCKERD_FO
|
|||||||
$(info "SONIC_USE_DOCKER_BUILDKIT" : "$(SONIC_USE_DOCKER_BUILDKIT)")
|
$(info "SONIC_USE_DOCKER_BUILDKIT" : "$(SONIC_USE_DOCKER_BUILDKIT)")
|
||||||
$(info "USERNAME" : "$(USERNAME)")
|
$(info "USERNAME" : "$(USERNAME)")
|
||||||
$(info "PASSWORD" : "$(PASSWORD)")
|
$(info "PASSWORD" : "$(PASSWORD)")
|
||||||
|
$(info "CHANGE_DEFAULT_PASSWORD" : "$(CHANGE_DEFAULT_PASSWORD)")
|
||||||
$(info "ENABLE_DHCP_GRAPH_SERVICE" : "$(ENABLE_DHCP_GRAPH_SERVICE)")
|
$(info "ENABLE_DHCP_GRAPH_SERVICE" : "$(ENABLE_DHCP_GRAPH_SERVICE)")
|
||||||
$(info "SHUTDOWN_BGP_ON_START" : "$(SHUTDOWN_BGP_ON_START)")
|
$(info "SHUTDOWN_BGP_ON_START" : "$(SHUTDOWN_BGP_ON_START)")
|
||||||
$(info "ENABLE_PFCWD_ON_START" : "$(ENABLE_PFCWD_ON_START)")
|
$(info "ENABLE_PFCWD_ON_START" : "$(ENABLE_PFCWD_ON_START)")
|
||||||
@ -1430,6 +1431,7 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
|
|||||||
DEBUG_SRC_ARCHIVE_FILE="$(DBG_SRC_ARCHIVE_FILE)" \
|
DEBUG_SRC_ARCHIVE_FILE="$(DBG_SRC_ARCHIVE_FILE)" \
|
||||||
USERNAME="$(USERNAME)" \
|
USERNAME="$(USERNAME)" \
|
||||||
PASSWORD="$(PASSWORD)" \
|
PASSWORD="$(PASSWORD)" \
|
||||||
|
CHANGE_DEFAULT_PASSWORD="$(CHANGE_DEFAULT_PASSWORD)" \
|
||||||
TARGET_MACHINE=$(dep_machine) \
|
TARGET_MACHINE=$(dep_machine) \
|
||||||
IMAGE_TYPE=$($*_IMAGE_TYPE) \
|
IMAGE_TYPE=$($*_IMAGE_TYPE) \
|
||||||
TARGET_PATH=$(TARGET_PATH) \
|
TARGET_PATH=$(TARGET_PATH) \
|
||||||
|