authorsegfault <segfault@riseup.net>2019-10-08 18:43:17 +0200
committersegfault <segfault@riseup.net>2019-10-08 18:56:17 +0200
commit0ad357901a936bc1195f715483556896bbd0be8f (patch)
tree9348df2924f8b07f0ddf5f34a0f147c522a148b8
parentf0d80cd5e8950eba821a144fe8cf6e63d4800592 (diff)
Store admin password hashed and salted instead of in cleartext (refs: #17135)bugfix/17135-store-admin-pw-hashed
By calling chpasswd with the -e option, it uses the provided hashed and salted password instead of hashing and salting it via PAM. PAM uses SHA512 to hash the password, as configured in /etc/login.defs, so in the call to mkpasswd we set --method=sha512crypt to also use SHA512.
-rwxr-xr-xconfig/chroot_local-includes/etc/gdm3/PostLogin/Default2
-rw-r--r--config/chroot_local-includes/usr/lib/python3/dist-packages/tailsgreeter/settings/admin.py11
-rw-r--r--config/chroot_local-packageslists/tails-common.list3
3 files changed, 13 insertions, 3 deletions
diff --git a/config/chroot_local-includes/etc/gdm3/PostLogin/Default b/config/chroot_local-includes/etc/gdm3/PostLogin/Default
index a3fe997..ab873bb 100755
--- a/config/chroot_local-includes/etc/gdm3/PostLogin/Default
+++ b/config/chroot_local-includes/etc/gdm3/PostLogin/Default
@@ -132,7 +132,7 @@ if [ -z "${TAILS_USER_PASSWORD}" ] ; then
fi
# Sets the password
-echo "${LIVE_USERNAME}:${TAILS_USER_PASSWORD}" | chpasswd
+echo "${LIVE_USERNAME}:${TAILS_USER_PASSWORD}" | chpasswd -e
# Add sudoers entry
echo "${LIVE_USERNAME} ALL = (ALL) ALL" >> "${SUDOERS}"
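Review bot: The comment `# Sets the password` above the changed line no longer states the contract: with `-e`, chpasswd stores the supplied value verbatim as the account's crypt(3) hash and does no hashing or validation of its own, so TAILS_USER_PASSWORD must already be a hash when this script runs. I would replace it with `# Sets the password; TAILS_USER_PASSWORD holds the crypt(3) hash produced by mkpasswd in the greeter (tailsgreeter/settings/admin.py), hence chpasswd -e`. The `-z` test in the hunk header only rejects an empty value, so a settings file that still carried a cleartext password would be copied into the shadow field as-is, which would most likely leave the account un-loginable rather than silently weaker; if that situation can arise, a guard before the chpasswd line such as `case "${TAILS_USER_PASSWORD}" in '$6$'*) ;; *) echo 'TAILS_USER_PASSWORD is not a sha512crypt hash' >&2; exit 1 ;; esac` makes it fail closed instead. The surrounding script continues on both sides of the hunk.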
diff --git a/config/chroot_local-includes/usr/lib/python3/dist-packages/tailsgreeter/settings/admin.py b/config/chroot_local-includes/usr/lib/python3/dist-packages/tailsgreeter/settings/admin.py
index d573941..2d0b4cb 100644
--- a/config/chroot_local-includes/usr/lib/python3/dist-packages/tailsgreeter/settings/admin.py
+++ b/config/chroot_local-includes/usr/lib/python3/dist-packages/tailsgreeter/settings/admin.py
@@ -3,6 +3,7 @@ import os
import os.path
import logging
import pipes
+import subprocess
from typing import Union
import tailsgreeter.config
@@ -18,9 +19,17 @@ class AdminSetting(object):
setting_file = tailsgreeter.config.admin_password_output_path
if self.password:
+ proc = subprocess.run(
+ ["mkpasswd", "-s", "--method", "sha512crypt"],
+ input=self.password,
+ capture_output=True,
+ check=True,
+ )
+ hashed_and_salted_pw = proc.stdout.decode().strip()
+
with open(setting_file, 'w') as f:
os.chmod(setting_file, 0o600)
- f.write('TAILS_USER_PASSWORD=%s\n' % pipes.quote(self.password))
+ f.write('TAILS_USER_PASSWORD=%s\n' % pipes.quote(hashed_and_salted_pw))
logging.debug('password written to %s', setting_file)
return
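Review bot: `input=self.password` on the new subprocess.run call is handed to a binary-mode pipe (there is no `text=True`/`encoding=`, and the next line does `proc.stdout.decode()`), so if self.password is a str — which the removed `pipes.quote(self.password)` line implies, since that quoting only accepts str — writing it to mkpasswd's stdin raises TypeError before any hash is produced. Either encode the input, `input=self.password.encode(),`, or put the whole call in text mode with `text=True,` and change the decode line to `hashed_and_salted_pw = proc.stdout.strip()`. Feeding the password through stdin (`-s`) rather than argv is the right choice because it keeps the cleartext out of the process list; a one-line comment, `# password goes to mkpasswd via stdin (-s) so it never appears in argv`, would keep a later refactor from moving it onto the command line. `check=True` means a missing or failing mkpasswd surfaces as an uncaught CalledProcessError here instead of an empty hash being written, which looks intended but deserves a sentence in the method's docstring. The enclosing method begins before this hunk.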
diff --git a/config/chroot_local-packageslists/tails-common.list b/config/chroot_local-packageslists/tails-common.list
index aa2cbba..93ae7cd 100644
--- a/config/chroot_local-packageslists/tails-common.list
+++ b/config/chroot_local-packageslists/tails-common.list
@@ -5,7 +5,8 @@ tails-persistence-setup
whisperback
# profiling => squashfs optimization
python3-pyinotify
-# contains mkpasswd, needed in chroot_local-hooks/01-password
+# contains mkpasswd, needed in chroot_local-hooks/01-password and for
+# setting the admin password in chroot_local-includes/etc/gdm3/PostLogin/Default
whois
# needed in chroot_local-includes/etc/NetworkManager/dispatcher.d/50-htp.sh
bind9-host
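Review bot: The new comment says mkpasswd is used for setting the admin password in chroot_local-includes/etc/gdm3/PostLogin/Default, but in this commit PostLogin/Default only consumes the hash via `chpasswd -e`; the mkpasswd invocation is in tailsgreeter/settings/admin.py. Since this comment is the stated reason for keeping the whois package, pointing it at the wrong file invites a future cleanup that drops the dependency the greeter actually needs. I would write `# contains mkpasswd, needed in chroot_local-hooks/01-password and by the greeter` followed by `# (tailsgreeter/settings/admin.py) to hash the admin password for PostLogin/Default`.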