Password Hardening: Add support to disable expiration date (#93)
* password-hardening: Add support to disable expiration date like in Linux (PAM)

* password-hardening: Fix default return of dict to -1 instead of None
davidpil2002 authored Aug 26, 2024
1 parent 39e31a9 commit 39834f2
Showing 2 changed files with 9 additions and 13 deletions.
18 changes: 7 additions & 11 deletions scripts/hostcfgd
Expand Up @@ -59,8 +59,8 @@ SSH_MAX_VALUES={"authentication_retries": 100, "login_timeout": 600, "ports": 65
SSH_CONFIG_NAMES={"authentication_retries": "MaxAuthTries" , "login_timeout": "LoginGraceTime"}

ACCOUNT_NAME = 0 # index of account name
AGE_DICT = { 'MAX_DAYS': {'REGEX_DAYS': r'^PASS_MAX_DAYS[ \t]*(?P<max_days>\d*)', 'DAYS': 'max_days', 'CHAGE_FLAG': '-M '},
'WARN_DAYS': {'REGEX_DAYS': r'^PASS_WARN_AGE[ \t]*(?P<warn_days>\d*)', 'DAYS': 'warn_days', 'CHAGE_FLAG': '-W '}
AGE_DICT = { 'MAX_DAYS': {'REGEX_DAYS': r'^PASS_MAX_DAYS[ \t]*(?P<max_days>-?\d*)', 'DAYS': 'max_days', 'CHAGE_FLAG': '-M '},
'WARN_DAYS': {'REGEX_DAYS': r'^PASS_WARN_AGE[ \t]*(?P<warn_days>-?\d*)', 'DAYS': 'warn_days', 'CHAGE_FLAG': '-W '}
}
PAM_LIMITS_CONF_TEMPLATE = "/usr/share/sonic/templates/pam_limits.j2"
LIMITS_CONF_TEMPLATE = "/usr/share/sonic/templates/limits.conf.j2"
Expand Down Expand Up @@ -916,15 +916,11 @@ class PasswHardening(object):
if passw_policies:
if 'state' in passw_policies:
if passw_policies['state'] == 'enabled':
if 'expiration' in passw_policies:
if int(self.passw_policies['expiration']) != 0: # value '0' meaning age policy is disabled
# the logic is to modify the expiration time according the last updated modificatiion
#
curr_expiration = int(passw_policies['expiration'])

if 'expiration_warning' in passw_policies:
if int(self.passw_policies['expiration_warning']) != 0: # value '0' meaning age policy is disabled
curr_expiration_warning = int(passw_policies['expiration_warning'])
# Special values of expiration/expiration warning
# 0: meaning password will be expired/warning immediately.
# -1: meaning password expired/warning never.
curr_expiration = int(passw_policies.get('expiration', -1))
curr_expiration_warning = int(passw_policies.get('expiration_warning', -1))

if self.is_passwd_aging_expire_update(curr_expiration, 'MAX_DAYS'):
# Set aging policy for existing users
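Review bot: The value 0 silently changes meaning in the second hunk: the removed branch skipped `expiration`/`expiration_warning` of 0 as "age policy is disabled", while the new comment defines 0 as expiring immediately and -1 as never. A device whose stored policy still holds 0 would, as far as this hunk shows, move from no ageing to immediate expiry for existing users after upgrade, which can lock operators out; converting stored 0 to -1 during upgrade, or at least a release note, would avoid that. The `.get(..., -1)` default also makes a missing key mean "never expires", and nothing visible rejects values below -1 or non-numeric strings before they are used, so a range check such as `if curr_expiration < -1:` with a logged rejection belongs next to the `int()` calls. The enclosing method of `PasswHardening` starts and ends outside the hunk, so validation elsewhere cannot be ruled out.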
Expand Up @@ -157,9 +157,9 @@ UMASK 022
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MAX_DAYS 0
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
PASS_WARN_AGE 0

#
# Min/max values for automatic uid selection in useradd
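Review bot: Both changed values in this section are 0, so the -1 "never" case that the commit introduces is not represented here, and the page lists only two changed files. The path of this file is not shown on the page; if it is an expected-output fixture, companion cases with `expiration` and `expiration_warning` set to -1 and with both keys absent would pin the new behaviour. If it is instead a shipped default, `PASS_MAX_DAYS 0` would, by the commit's own comment in `scripts/hostcfgd`, mean passwords expire immediately, which should be confirmed as intended.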
