* Re: [isar-cip-core v3] recipes-core/images/cip-core-image-security.bb:Add libpam-google-authenticator Package
From: Jan Kiszka @ 2022-07-11 10:59 UTC (permalink / raw)
  To: Shreyas.Karmahe, cip-dev; +Cc: dinesh.kumar, venkata.pyla, kazuhiro3.hayashi

On 11.07.22 12:29, Shreyas.Karmahe@toshiba-tsip.com wrote:
> From: Shreyas Karmahe <Shreyas.Karmahe@toshiba-tsip.com>
> 
> Add libpam-google-authenticator to enable Multi-factor authentication.
> 
> Signed-off-by: Shreyas Karmahe <Shreyas.Karmahe@toshiba-tsip.com>
> ---
>  recipes-core/images/cip-core-image-security.bb | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
> index 6060978..24b1f46 100644
> --- a/recipes-core/images/cip-core-image-security.bb
> +++ b/recipes-core/images/cip-core-image-security.bb
> @@ -33,6 +33,7 @@ IMAGE_PREINSTALL += " \
>  	uuid-runtime \
>  	sudo \
>  	aide-common \
> +	libpam-google-authenticator \
>  "
>  
>  OVERRIDES_append = ":${BASE_DISTRO_CODENAME}"
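
Review bot: The added "libpam-google-authenticator \" entry in IMAGE_PREINSTALL only places the PAM module on the image; nothing in this hunk references it from a PAM stack, so the commit message's "to enable Multi-factor authentication" overstates what the change does. Name in the message the recipe that performs the PAM and sshd configuration, or carry the package as a runtime dependency of that recipe so the module and its configuration cannot drift apart.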

With v3 of "recipes-core/security-customizations/files/postinst:Add
configuration for MFA" (non-optimal naming BTW, will adjust), this patch
is now obsolete.

Jan

-- 
Siemens AG, Technology
Competence Center Embedded Linux



* Re: [isar-cip-core v3] recipes-core/security-customizations/files/postinst:Add configuration for MFA
From: Jan Kiszka @ 2022-07-11 11:01 UTC (permalink / raw)
  To: Shreyas.Karmahe, cip-dev; +Cc: dinesh.kumar, venkata.pyla, kazuhiro3.hayashi

On 11.07.22 12:29, Shreyas.Karmahe@toshiba-tsip.com wrote:
> From: Shreyas Karmahe <Shreyas.Karmahe@toshiba-tsip.com>
> 
> It configures libpam-google-authenticator for achieving the IEC requirement for
> Multi-Factor Authentication.
> 
> Signed-off-by: Shreyas Karmahe <Shreyas.Karmahe@toshiba-tsip.com>
> ---
>  recipes-core/security-customizations/files/postinst   | 11 +++++++++++
>  .../security-customizations.bb                        |  2 +-
>  2 files changed, 12 insertions(+), 1 deletion(-)
> 
> diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst
> index 3699ba2..9ba8540 100644
> --- a/recipes-core/security-customizations/files/postinst
> +++ b/recipes-core/security-customizations/files/postinst
> @@ -49,3 +49,14 @@ sed -i 's/admin_space_left_action = .*/admin_space_left_action = SYSLOG/' $AUDIT
>  
>  # CR2.10: Response to audit processing failures
>  sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/' $AUDIT_CONF_FILE
> +
> +# CR2.11: Enable Mutli Factor Authentication for Local and Remote Session
> +SSHD_AUTH_CONFIG="/etc/pam.d/common-auth"
> +google_authenticator="auth required pam_google_authenticator.so nullok"
> +if grep -c "pam_google_authenticator.so" "${SSHD_AUTH_CONFIG}";then
> +        sed -i '/pam_google_authenticator.so/ s/^#*/#/'  "${SSHD_AUTH_CONFIG}"
> +fi
> +echo "auth required pam_google_authenticator.so nullok" | tee -a "${SSHD_AUTH_CONFIG}"
> +# Enable PAM configuration for Remote Session
> +sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' "${SSHD_CONFIG}"
> +echo "AuthenticationMethods keyboard-interactive" | tee -a "${SSHD_CONFIG}"
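
Review bot: The "nullok" option on the appended "auth required pam_google_authenticator.so nullok" line lets any account without an enrolled secret pass this module with no second factor, so MFA is enforced only for users who have already enrolled; drop "nullok" or document how accounts get enrolled before first login. The block is also not idempotent: every run of the postinst (for example on a package upgrade) comments out the existing entry and appends a fresh one with "tee -a", and "AuthenticationMethods keyboard-interactive" is appended to "${SSHD_CONFIG}" unconditionally, so lines accumulate; guard both appends with "grep -q". That last directive leaves keyboard-interactive as the only accepted sshd method, which the commit message should state. Smaller points: "google_authenticator" is assigned but never used while the literal is repeated in the echo, "grep -c" prints its count into the install output, "SSHD_AUTH_CONFIG" actually names /etc/pam.d/common-auth, which applies to every PAM service and not only sshd, and the CR2.11 comment has a typo ("Mutli").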
> diff --git a/recipes-core/security-customizations/security-customizations.bb b/recipes-core/security-customizations/security-customizations.bb
> index 10d875c..4a41d2d 100644
> --- a/recipes-core/security-customizations/security-customizations.bb
> +++ b/recipes-core/security-customizations/security-customizations.bb
> @@ -16,4 +16,4 @@ DESCRIPTION = "CIP Security image for IEC62443-4-2 evaluation"
>  SRC_URI = " file://postinst"
>  
>  DEPENDS = "sshd-regen-keys"
> -DEBIAN_DEPENDS = "sshd-regen-keys"
> +DEBIAN_DEPENDS = "sshd-regen-keys, libpam-google-authenticator"
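
Review bot: The commit message does not mention the DEBIAN_DEPENDS change in this hunk, although the new runtime dependency on libpam-google-authenticator is what guarantees that the pam_google_authenticator.so line written by postinst resolves to an installed module. Add a sentence to the message saying the package is now pulled in here, which also makes clear that a separate IMAGE_PREINSTALL entry is not needed.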

Applied to next, with a little bit of subject massaging:

"security-customizations: Add configuration for MFA"

Thanks,
Jan

-- 
Siemens AG, Technology
Competence Center Embedded Linux



* Re: [isar-cip-core v3] recipes-core/images/cip-core-image-security.bb:Add libpam-google-authenticator Package
From: Shreyas.Karmahe @ 2022-07-12  8:19 UTC (permalink / raw)
  To: jan.kiszka, cip-dev; +Cc: dinesh.kumar, Venkata.Pyla, kazuhiro3.hayashi

Hi Jan-San,

Is there any new patch required to add the libpam-google-authenticator package to the cip-core-image-security.bb file with the v3 version,
or is there anything else that needs to be addressed along with the package?
Kindly clarify my queries.

Kind Regards,
Shreyas

-----Original Message-----
From: Jan Kiszka <jan.kiszka@siemens.com> 
Sent: Monday, July 11, 2022 4:29 PM
To: karmahe shreyas(TSIP TMIEC ODG Porting) <Shreyas.Karmahe@toshiba-tsip.com>; cip-dev@lists.cip-project.org
Cc: dinesh kumar(TSIP TMIEC ODG Porting) <dinesh.kumar@toshiba-tsip.com>; pyla venkata(TSIP TMIEC ODG Porting) <Venkata.Pyla@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 □SWC◯ACT) <kazuhiro3.hayashi@toshiba.co.jp>
Subject: Re: [isar-cip-core v3] recipes-core/images/cip-core-image-security.bb:Add libpam-google-authenticator Package

On 11.07.22 12:29, Shreyas.Karmahe@toshiba-tsip.com wrote:
> From: Shreyas Karmahe <Shreyas.Karmahe@toshiba-tsip.com>
> 
> Add libpam-google-authenticator to enable Multi-factor authentication.
> 
> Signed-off-by: Shreyas Karmahe <Shreyas.Karmahe@toshiba-tsip.com>
> ---
>  recipes-core/images/cip-core-image-security.bb | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/recipes-core/images/cip-core-image-security.bb 
> b/recipes-core/images/cip-core-image-security.bb
> index 6060978..24b1f46 100644
> --- a/recipes-core/images/cip-core-image-security.bb
> +++ b/recipes-core/images/cip-core-image-security.bb
> @@ -33,6 +33,7 @@ IMAGE_PREINSTALL += " \
>  	uuid-runtime \
>  	sudo \
>  	aide-common \
> +	libpam-google-authenticator \
>  "
>  
>  OVERRIDES_append = ":${BASE_DISTRO_CODENAME}"

With v3 of "recipes-core/security-customizations/files/postinst:Add
configuration for MFA" (non-optimal naming BTW, will adjust), this patch is now obsolete.

Jan

--
Siemens AG, Technology
Competence Center Embedded Linux


* Re: [isar-cip-core v3] recipes-core/images/cip-core-image-security.bb:Add libpam-google-authenticator Package
From: Jan Kiszka @ 2022-07-14 12:00 UTC (permalink / raw)
  To: Shreyas.Karmahe, cip-dev; +Cc: dinesh.kumar, Venkata.Pyla, kazuhiro3.hayashi

On 12.07.22 10:19, Shreyas.Karmahe@toshiba-tsip.com wrote:
> Hi Jan-San,
> 
> Is there any new patch required to add the libpam-google-authenticator package to the cip-core-image-security.bb file with the v3 version,
> or is there anything else that needs to be addressed along with the package?

As I wrote below: This patch is technically no longer needed because
security-customizations pulls it in now as a dependency. If you would still
like to have the package explicitly (and now redundantly) listed in
cip-core-image-security.bb, please provide the reasoning with the patch.

Jan

> Kindly clarify my queries
> 
> Kind Regards,
> Shreyas
> 
> -----Original Message-----
> From: Jan Kiszka <jan.kiszka@siemens.com> 
> Sent: Monday, July 11, 2022 4:29 PM
> To: karmahe shreyas(TSIP TMIEC ODG Porting) <Shreyas.Karmahe@toshiba-tsip.com>; cip-dev@lists.cip-project.org
> Cc: dinesh kumar(TSIP TMIEC ODG Porting) <dinesh.kumar@toshiba-tsip.com>; pyla venkata(TSIP TMIEC ODG Porting) <Venkata.Pyla@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 □SWC◯ACT) <kazuhiro3.hayashi@toshiba.co.jp>
> Subject: Re: [isar-cip-core v3] recipes-core/images/cip-core-image-security.bb:Add libpam-google-authenticator Package
> 
> On 11.07.22 12:29, Shreyas.Karmahe@toshiba-tsip.com wrote:
>> From: Shreyas Karmahe <Shreyas.Karmahe@toshiba-tsip.com>
>>
>> Add libpam-google-authenticator to enable Multi-factor authentication.
>>
>> Signed-off-by: Shreyas Karmahe <Shreyas.Karmahe@toshiba-tsip.com>
>> ---
>>  recipes-core/images/cip-core-image-security.bb | 1 +
>>  1 file changed, 1 insertion(+)
>>
>> diff --git a/recipes-core/images/cip-core-image-security.bb 
>> b/recipes-core/images/cip-core-image-security.bb
>> index 6060978..24b1f46 100644
>> --- a/recipes-core/images/cip-core-image-security.bb
>> +++ b/recipes-core/images/cip-core-image-security.bb
>> @@ -33,6 +33,7 @@ IMAGE_PREINSTALL += " \
>>  	uuid-runtime \
>>  	sudo \
>>  	aide-common \
>> +	libpam-google-authenticator \
>>  "
>>  
>>  OVERRIDES_append = ":${BASE_DISTRO_CODENAME}"
> 
> With v3 of "recipes-core/security-customizations/files/postinst:Add
> configuration for MFA" (non-optimal naming BTW, will adjust), this patch is now obsolete.
> 
> Jan
> 
> --
> Siemens AG, Technology
> Competence Center Embedded Linux

-- 
Siemens AG, Technology
Competence Center Embedded Linux


