author | segfault <segfault@riseup.net> | 2019-10-08 18:43:17 +0200 |
---|---|---|
committer | segfault <segfault@riseup.net> | 2019-10-08 18:56:17 +0200 |
commit | 0ad357901a936bc1195f715483556896bbd0be8f (patch) | |
tree | 9348df2924f8b07f0ddf5f34a0f147c522a148b8 | |
parent | f0d80cd5e8950eba821a144fe8cf6e63d4800592 (diff) |
Store admin password hashed and salted instead of in cleartext (refs: #17135)bugfix/17135-store-admin-pw-hashed
With the -e option, chpasswd uses the provided hashed and salted password
as is, instead of hashing and salting it via PAM.
PAM uses SHA512 to hash the password, as configured in /etc/login.defs,
so in the call to mkpasswd we set --method=sha512crypt to also use SHA512.
3 files changed, 13 insertions, 3 deletions
diff --git a/config/chroot_local-includes/etc/gdm3/PostLogin/Default b/config/chroot_local-includes/etc/gdm3/PostLogin/Default
index a3fe997..ab873bb 100755
--- a/config/chroot_local-includes/etc/gdm3/PostLogin/Default
+++ b/config/chroot_local-includes/etc/gdm3/PostLogin/Default
@@ -132,7 +132,7 @@ if [ -z "${TAILS_USER_PASSWORD}" ] ; then
 fi
 
 # Sets the password
-echo "${LIVE_USERNAME}:${TAILS_USER_PASSWORD}" | chpasswd
+echo "${LIVE_USERNAME}:${TAILS_USER_PASSWORD}" | chpasswd -e
 
 # Add sudoers entry
 echo "${LIVE_USERNAME} ALL = (ALL) ALL" >> "${SUDOERS}"
diff --git a/config/chroot_local-includes/usr/lib/python3/dist-packages/tailsgreeter/settings/admin.py b/config/chroot_local-includes/usr/lib/python3/dist-packages/tailsgreeter/settings/admin.py
index d573941..2d0b4cb 100644
--- a/config/chroot_local-includes/usr/lib/python3/dist-packages/tailsgreeter/settings/admin.py
+++ b/config/chroot_local-includes/usr/lib/python3/dist-packages/tailsgreeter/settings/admin.py
@@ -3,6 +3,7 @@ import os
 import os.path
 import logging
 import pipes
+import subprocess
 from typing import Union
 
 import tailsgreeter.config
@@ -18,9 +19,17 @@ class AdminSetting(object):
         setting_file = tailsgreeter.config.admin_password_output_path
 
         if self.password:
+            proc = subprocess.run(
+                ["mkpasswd", "-s", "--method", "sha512crypt"],
+                input=self.password,
+                capture_output=True,
+                check=True,
+            )
+            hashed_and_salted_pw = proc.stdout.decode().strip()
+
             with open(setting_file, 'w') as f:
                 os.chmod(setting_file, 0o600)
-                f.write('TAILS_USER_PASSWORD=%s\n' % pipes.quote(self.password))
+                f.write('TAILS_USER_PASSWORD=%s\n' % pipes.quote(hashed_and_salted_pw))
             logging.debug('password written to %s', setting_file)
 
         return
diff --git a/config/chroot_local-packageslists/tails-common.list b/config/chroot_local-packageslists/tails-common.list
index aa2cbba..93ae7cd 100644
--- a/config/chroot_local-packageslists/tails-common.list
+++ b/config/chroot_local-packageslists/tails-common.list
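Review bot: With `-e`, chpasswd stores whatever follows the colon in the shadow field without checking that it is a valid hash, so a TAILS_USER_PASSWORD that is not a sha512crypt hash (for instance the cleartext value written by a settings file from before this change) would be stored verbatim; as far as I can tell that yields an entry no password can match, so the account becomes unusable rather than insecure, but the failure is silent. The `if [ -z ... ]` test in the hunk header only covers the empty case, so I would add a shape check before the pipe: `case "${TAILS_USER_PASSWORD}" in '$6$'*) ;; *) echo 'TAILS_USER_PASSWORD is not a sha512crypt hash' >&2; exit 1 ;; esac`. The body of the `if` block closed by the `fi` at the top of the hunk, and the rest of the script, lie outside the hunk.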
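Review bot: `input=self.password` is handed to subprocess.run without `text=True` or an `encoding=`, so if `self.password` is a str — which the `pipes.quote(self.password)` on the removed line requires — writing it to mkpasswd's binary stdin raises TypeError and no hash is ever produced. Either encode it, `input=self.password.encode()`, and keep the `.decode()` on stdout, or pass `text=True` and drop the `.decode()`. `check=True` is the right choice here: when mkpasswd fails the settings file is never written, so there is no fallback to the cleartext value. The `def` line of the method containing this code is outside the hunk.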
@@ -5,7 +5,8 @@ tails-persistence-setup
 whisperback
 # profiling => squashfs optimization
 python3-pyinotify
-# contains mkpasswd, needed in chroot_local-hooks/01-password
+# contains mkpasswd, needed in chroot_local-hooks/01-password and for
+# setting the admin password in chroot_local-includes/etc/gdm3/PostLogin/Default
 whois
 # needed in chroot_local-includes/etc/NetworkManager/dispatcher.d/50-htp.sh
 bind9-host