Skip to content

Password Hardening HLD#874

Merged
liat-grozovik merged 16 commits intosonic-net:masterfrom
davidpil2002:master
Feb 8, 2022
Merged

Password Hardening HLD#874
liat-grozovik merged 16 commits intosonic-net:masterfrom
davidpil2002:master

Conversation

@davidpil2002
Copy link
Contributor

@davidpil2002 davidpil2002 commented Sep 30, 2021
edited
Loading

@ghost
Copy link

ghost commented Sep 30, 2021
edited by ghost
Loading

CLA assistant check
All CLA requirements met.

@lguohan lguohan requested a review from liuh-80 November 12, 2021 01:50
liuh-80
liuh-80 reviewed Nov 26, 2021
View reviewed changes
Copy link
Contributor

@liuh-80 liuh-80 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have following concern and questions:

  1. What's the responsbility of PASSWH? If this daemon only for read hardening setting from config DB and update PAM config file, then there already hostcfgd for this, not necessary add a new daemon. And if this daemon also will handle the password history to config DB storage, I think there will be security risk.

  2. According to the design, password history will store in DB, if that means config DB, then because currently there is no ACL for config DB, so password history can be access by anyone, this will be a security risk, but if the password history stored by pam_pwhistory it self, It think it's OK.

@davidpil2002
Copy link
Contributor Author

davidpil2002 commented Nov 28, 2021

Hi,
In continue of your concerns and questions,

regarding question 1:
The feature should run in the host, we had a discussion if is better to integrate the feature to the current hostcfg daemon or to create a daemon to manage this feature only. For now, we think it's better to have it separate, that because the feature can be enabled by a compilation flag, meaning that the feature is not always exposed to the user, but we can discuss about it in the meeting. (in addition, the feature will use the STATE_DB as well).

Regarding concern 2, the "old passwords" (passwords history), the meaning of saving the password history is to save only have many old passwords the feature can save, not to save the passwords itself. The passwords will be saved like you commented by pw_history in /etc/security/opasswd or similar file with just root permission access.
Thanks
David

@davidpil2002
add more description in the init flow chapter, use hostcfgd daemon in…
a931290 
…stead creating a new daemon and remove the STATE_DB
liuh-80
liuh-80 previously approved these changes Dec 13, 2021
View reviewed changes
Copy link
Contributor

@liuh-80 liuh-80 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Found some minor issue in latest document.

liuh-80
liuh-80 previously approved these changes Dec 20, 2021
View reviewed changes
venkatmahalingam
venkatmahalingam reviewed Jan 11, 2022
View reviewed changes
venkatmahalingam
venkatmahalingam reviewed Jan 11, 2022
View reviewed changes
venkatmahalingam
venkatmahalingam reviewed Jan 11, 2022
View reviewed changes
doc/passw_hardening/sonic-passwh.yang Outdated
range 1..30;
}
}
leaf history {
Copy link
Collaborator

@venkatmahalingam venkatmahalingam Jan 11, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

history_cnt?

Copy link
Contributor Author

@davidpil2002 davidpil2002 Jan 19, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks, I will update this one

@davidpil2002
Copy link
Contributor Author

davidpil2002 commented Jan 19, 2022

Hi @liuh-80,

How are you doing?
I answered the questions above.
In addition, I had an HLD review with the community and added the changes suggested in the commit: cbe88dd
can you approve this HLD, or pls let me know if you have any more comments.

Thanks,
David

liuh-80
liuh-80 reviewed Jan 19, 2022
View reviewed changes
doc/passw_hardening/sonic-passwh.yang Outdated
description
"First Revision";
}
typedef feature_state {
Copy link
Contributor

@liuh-80 liuh-80 Jan 19, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please follow sonic yang model guideline, every definition should inside top level container, in this case, should inside sonic-passwh

https://github.com/Azure/SONiC/blob/master/doc/mgmt/SONiC_YANG_Model_Guidelines.md

Copy link
Contributor Author

@davidpil2002 davidpil2002 Jan 20, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done, I moved the "typedef feature_state" inside the container.

@davidpil2002
Copy link
Contributor Author

davidpil2002 commented Jan 26, 2022

@liuh-80 @liat-grozovik
can you help to merge to master?

@liat-grozovik
Copy link
Collaborator

liat-grozovik commented Jan 26, 2022

@venkatmahalingam can you please approve from your side? you had comments and i wish to merge once we agree they were handled.

@davidpil2002
Copy link
Contributor Author

davidpil2002 commented Feb 6, 2022

Hi @venkatmahalingam,

this is a kind reminder to reply to the Liat Q in the comment above.
Thanks,

@liat-grozovik liat-grozovik merged commit 66277d7 into sonic-net:master Feb 8, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@venkatmahalingam venkatmahalingam venkatmahalingam approved these changes

@liuh-80 liuh-80 liuh-80 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@davidpil2002 @liat-grozovik @venkatmahalingam @liuh-80 @zhangyanzhao