Add California-SB237 feature. Requires to change default user password (#12678)
#### Why I did it Add support of California-SB237 conformance. https://github.com/sonic-net/SONiC/tree/master/doc/California-SB237 #### How I did it Expire user passwords during build #### How to verify it Enable build flag and check if default user is prompted for a new password
Родитель
3e316cbf24
Коммит
c1dd94f368
|
@ -499,6 +499,7 @@ SONIC_BUILD_INSTRUCTION := $(MAKE) \
|
|||
MDEBUG=$(MDEBUG) \
|
||||
PASSWORD=$(PASSWORD) \
|
||||
USERNAME=$(USERNAME) \
|
||||
CHANGE_DEFAULT_PASSWORD=$(CHANGE_DEFAULT_PASSWORD) \
|
||||
SONIC_BUILD_JOBS=$(SONIC_BUILD_JOBS) \
|
||||
SONIC_USE_DOCKER_BUILDKIT=$(SONIC_USE_DOCKER_BUILDKIT) \
|
||||
VS_PREPARE_MEM=$(VS_PREPARE_MEM) \
|
||||
|
|
|
@ -684,6 +684,16 @@ sudo LANG=C chroot $FILESYSTEM_ROOT umount /proc || true
|
|||
## Prepare empty directory to trigger mount move in initramfs-tools/mount_loop_root, implemented by patching
|
||||
sudo mkdir $FILESYSTEM_ROOT/host
|
||||
|
||||
|
||||
if [[ "$CHANGE_DEFAULT_PASSWORD" == "y" ]]; then
|
||||
## Expire default password for exitsing users that can do login
|
||||
default_users=$(cat $FILESYSTEM_ROOT/etc/passwd | grep "/home"| grep ":/bin/bash\|:/bin/sh" | awk -F ":" '{print $1}' 2> /dev/null)
|
||||
for user in $default_users
|
||||
do
|
||||
sudo LANG=C chroot $FILESYSTEM_ROOT passwd -e ${user}
|
||||
done
|
||||
fi
|
||||
|
||||
## Compress most file system into squashfs file
|
||||
sudo rm -f $ONIE_INSTALLER_PAYLOAD $FILESYSTEM_SQUASHFS
|
||||
## Output the file system total size for diag purpose
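Review bot: The `default_users=` line decides which logins get expired, and it is both looser and narrower than the comment implies: `grep "/home"` matches that string in any passwd field, and only `/bin/bash` or `/bin/sh` shells are considered, so an account with a usable password but another shell or home directory would keep its build-time password. Matching on the fields themselves is more precise, e.g. `awk -F: '$6 ~ /^\/home\// && $7 ~ /^\/bin\/(ba)?sh$/ {print $1}' $FILESYSTEM_ROOT/etc/passwd`, which also drops the `cat`/`grep` chain and the `2> /dev/null` that currently applies only to `awk`. The exit status of `passwd -e ${user}` is not checked in the visible lines; unless the script already aborts on errors (not visible here), a failed expiry would produce an image that silently does not enforce the password change, so the build should fail explicitly in that case. The comment also contains a typo (`exitsing`).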
|
||||
|
|
|
@ -11,6 +11,7 @@ def main():
|
|||
parser = argparse.ArgumentParser(description='test_login cmdline parser')
|
||||
parser.add_argument('-u', default="admin", help='login user name')
|
||||
parser.add_argument('-P', default="YourPaSsWoRd", help='login password')
|
||||
parser.add_argument('-N', default="Test@2022", help='new password')
|
||||
parser.add_argument('-p', type=int, default=9000, help='local port')
|
||||
|
||||
args = parser.parse_args()
|
||||
|
@ -20,6 +21,7 @@ def main():
|
|||
cmd_prompt = "{}@sonic:~\$ $".format(args.u)
|
||||
grub_selection = "The highlighted entry will be executed"
|
||||
firsttime_prompt = 'firsttime_exit'
|
||||
passwd_change_prompt = ['Current password:', 'New password:', 'Retype new password:']
|
||||
|
||||
i = 0
|
||||
while True:
|
||||
|
@ -36,7 +38,6 @@ def main():
|
|||
# select default SONiC Image
|
||||
p.expect(grub_selection)
|
||||
p.sendline()
|
||||
|
||||
# bootup sonic image
|
||||
while True:
|
||||
i = p.expect([login_prompt, passwd_prompt, firsttime_prompt, cmd_prompt])
|
||||
|
@ -46,6 +47,30 @@ def main():
|
|||
elif i == 1:
|
||||
# send password
|
||||
p.sendline(args.P)
|
||||
# Check for password change prompt
|
||||
try:
|
||||
p.expect('Current password:', timeout=2)
|
||||
except pexpect.TIMEOUT:
|
||||
break
|
||||
else:
|
||||
# send old password for password prompt
|
||||
p.sendline(args.P)
|
||||
p.expect(passwd_change_prompt[1])
|
||||
# send new password
|
||||
p.sendline(args.N)
|
||||
p.expect(passwd_change_prompt[2])
|
||||
# retype new password
|
||||
p.sendline(args.N)
|
||||
time.sleep(1)
|
||||
# Restore default password
|
||||
p.sendline('passwd {}'.format(args.u))
|
||||
p.expect(passwd_change_prompt[0])
|
||||
p.sendline(args.N)
|
||||
p.expect(passwd_change_prompt[1])
|
||||
p.sendline(args.P)
|
||||
p.expect(passwd_change_prompt[2])
|
||||
p.sendline(args.P)
|
||||
break
|
||||
elif i == 2:
|
||||
# fix a login timeout issue, caused by the login_prompt message mixed with the output message of the rc.local
|
||||
time.sleep(1)
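Review bot: The password-change sequence that follows `p.sendline(args.P)` in the `elif i == 1:` branch never confirms that either change succeeded: after the second `p.sendline(args.N)` it only does `time.sleep(1)`, and after the final `p.sendline(args.P)` it breaks immediately. If the new password is rejected or the restore to the default fails, the test carries on in an unknown state and the failure shows up later or not at all. Replacing the sleep with `p.expect(cmd_prompt)` and expecting the prompt again after the restore, before `break`, would pin both outcomes. The probe also hard-codes `'Current password:'` with `timeout=2` instead of using `passwd_change_prompt[0]`, and on a slow VM a late prompt would be treated as "no change required". `main()` starts and continues outside these hunks, so how the code after the loop copes with this is not visible here.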
|
||||
|
|
|
@ -39,6 +39,9 @@ DEFAULT_BUILD_LOG_TIMESTAMP = none
|
|||
# Comment next line to disable:
|
||||
# SONIC_CONFIG_ENABLE_COLORS = y
|
||||
|
||||
# CHANGE_DEFAULT_PASSWORD - enforce default user/users to change password on 1st login
|
||||
CHANGE_DEFAULT_PASSWORD ?= n
|
||||
|
||||
# DEFAULT_USERNAME - default username for installer build
|
||||
DEFAULT_USERNAME = admin
|
||||
|
||||
|
|
2
slave.mk
2
slave.mk
|
@ -376,6 +376,7 @@ $(info "USE_NATIVE_DOCKERD_FOR_BUILD" : "$(SONIC_CONFIG_USE_NATIVE_DOCKERD_FO
|
|||
$(info "SONIC_USE_DOCKER_BUILDKIT" : "$(SONIC_USE_DOCKER_BUILDKIT)")
|
||||
$(info "USERNAME" : "$(USERNAME)")
|
||||
$(info "PASSWORD" : "$(PASSWORD)")
|
||||
$(info "CHANGE_DEFAULT_PASSWORD" : "$(CHANGE_DEFAULT_PASSWORD)")
|
||||
$(info "ENABLE_DHCP_GRAPH_SERVICE" : "$(ENABLE_DHCP_GRAPH_SERVICE)")
|
||||
$(info "SHUTDOWN_BGP_ON_START" : "$(SHUTDOWN_BGP_ON_START)")
|
||||
$(info "ENABLE_PFCWD_ON_START" : "$(ENABLE_PFCWD_ON_START)")
|
||||
|
@ -1430,6 +1431,7 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
|
|||
DEBUG_SRC_ARCHIVE_FILE="$(DBG_SRC_ARCHIVE_FILE)" \
|
||||
USERNAME="$(USERNAME)" \
|
||||
PASSWORD="$(PASSWORD)" \
|
||||
CHANGE_DEFAULT_PASSWORD="$(CHANGE_DEFAULT_PASSWORD)" \
|
||||
TARGET_MACHINE=$(dep_machine) \
|
||||
IMAGE_TYPE=$($*_IMAGE_TYPE) \
|
||||
TARGET_PATH=$(TARGET_PATH) \
|
||||
|
|