Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Password Hardening HLD #874

Merged
merged 16 commits into from Feb 8, 2022
Merged

Password Hardening HLD #874

merged 16 commits into from Feb 8, 2022

Conversation

davidpil2002
Copy link
Contributor

@davidpil2002 davidpil2002 commented Sep 30, 2021
edited

@ghost
Copy link

ghost commented Sep 30, 2021
edited by ghost

CLA assistant check
All CLA requirements met.

@lguohan lguohan requested a review from liuh-80 November 12, 2021 01:50
liuh-80
liuh-80 reviewed Nov 26, 2021
View reviewed changes
Copy link
Contributor

@liuh-80 liuh-80 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have following concern and questions:

  1. What's the responsbility of PASSWH? If this daemon only for read hardening setting from config DB and update PAM config file, then there already hostcfgd for this, not necessary add a new daemon. And if this daemon also will handle the password history to config DB storage, I think there will be security risk.

  2. According to the design, password history will store in DB, if that means config DB, then because currently there is no ACL for config DB, so password history can be access by anyone, this will be a security risk, but if the password history stored by pam_pwhistory it self, It think it's OK.

@davidpil2002
Copy link
Contributor Author

Hi,
In continue of your concerns and questions,

regarding question 1:
The feature should run in the host, we had a discussion if is better to integrate the feature to the current hostcfg daemon or to create a daemon to manage this feature only. For now, we think it's better to have it separate, that because the feature can be enabled by a compilation flag, meaning that the feature is not always exposed to the user, but we can discuss about it in the meeting. (in addition, the feature will use the STATE_DB as well).

Regarding concern 2, the "old passwords" (passwords history), the meaning of saving the password history is to save only have many old passwords the feature can save, not to save the passwords itself. The passwords will be saved like you commented by pw_history in /etc/security/opasswd or similar file with just root permission access.
Thanks
David

@davidpil2002
add more description in the init flow chapter, use hostcfgd daemon in…
a931290 
…stead creating a new daemon and remove the STATE_DB
liuh-80
liuh-80 previously approved these changes Dec 13, 2021
View reviewed changes
Copy link
Contributor

@liuh-80 liuh-80 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Found some minor issue in latest document.

doc/passw_hardening/hld_password_hardening.md Show resolved Hide resolved
doc/passw_hardening/hld_password_hardening.md Outdated Show resolved Hide resolved
doc/passw_hardening/hld_password_hardening.md Outdated Show resolved Hide resolved
doc/passw_hardening/hld_password_hardening.md Show resolved Hide resolved
doc/passw_hardening/hld_password_hardening.md Show resolved Hide resolved
doc/passw_hardening/hld_password_hardening.md Show resolved Hide resolved
doc/passw_hardening/hld_password_hardening.md Outdated Show resolved Hide resolved
doc/passw_hardening/hld_password_hardening.md Outdated Show resolved Hide resolved
doc/passw_hardening/hld_password_hardening.md Show resolved Hide resolved
doc/passw_hardening/hld_password_hardening.md Outdated Show resolved Hide resolved
liuh-80
liuh-80 previously approved these changes Dec 20, 2021
View reviewed changes
venkatmahalingam
venkatmahalingam reviewed Jan 11, 2022
View reviewed changes
doc/passw_hardening/sonic-passwh.yang Outdated
range 1..30;
}
}
leaf history {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

history_cnt?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks, I will update this one

@davidpil2002
according the community review decision: modified init flow defaults …
cbe88dd 
…in yang model and HLD, add bash example using expiration time
@zhangyanzhao zhangyanzhao added this to Reviewed in 202205 Release HLD via automation Jan 14, 2022
@davidpil2002
Copy link
Contributor Author

Hi @liuh-80,

How are you doing?
I answered the questions above.
In addition, I had an HLD review with the community and added the changes suggested in the commit: cbe88dd
can you approve this HLD, or pls let me know if you have any more comments.

Thanks,
David

liuh-80
liuh-80 reviewed Jan 19, 2022
View reviewed changes
doc/passw_hardening/sonic-passwh.yang Outdated
description
"First Revision";
}
typedef feature_state {
Copy link
Contributor

@liuh-80 liuh-80 Jan 19, 2022
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please follow sonic yang model guideline, every definition should inside top level container, in this case, should inside sonic-passwh

https://github.com/Azure/SONiC/blob/master/doc/mgmt/SONiC_YANG_Model_Guidelines.md

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done, I moved the "typedef feature_state" inside the container.

202205 Release HLD automation moved this from Reviewed to Approved Jan 25, 2022
@davidpil2002
Copy link
Contributor Author

@liuh-80 @liat-grozovik
can you help to merge to master?

@liat-grozovik
Copy link
Collaborator

@venkatmahalingam can you please approve from your side? you had comments and i wish to merge once we agree they were handled.

@davidpil2002
Copy link
Contributor Author

Hi @venkatmahalingam,

this is a kind reminder to reply to the Liat Q in the comment above.
Thanks,

@liat-grozovik liat-grozovik merged commit 66277d7 into sonic-net:master Feb 8, 2022
202205 Release HLD automation moved this from Approved to Merged Feb 8, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@venkatmahalingam venkatmahalingam venkatmahalingam approved these changes

@liuh-80 liuh-80 liuh-80 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
No open projects
202205 Release HLD
Merged
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@davidpil2002 @liat-grozovik @venkatmahalingam @liuh-80