Add California-SB237 feature. Requires to change default user passwor…
…d (#12678)

#### Why I did it
Add support of California-SB237 conformance.
https://github.com/sonic-net/SONiC/tree/master/doc/California-SB237

#### How I did it
Expire user passwords during build

#### How to verify it
Enable build flag and check if default user is prompted for a new password
andriydnvd authored Feb 23, 2023
1 parent 3e316cb commit c1dd94f
Showing 5 changed files with 42 additions and 1 deletion.
1 change: 1 addition & 0 deletions Makefile.work
Expand Up @@ -499,6 +499,7 @@ SONIC_BUILD_INSTRUCTION := $(MAKE) \
MDEBUG=$(MDEBUG) \
PASSWORD=$(PASSWORD) \
USERNAME=$(USERNAME) \
CHANGE_DEFAULT_PASSWORD=$(CHANGE_DEFAULT_PASSWORD) \
SONIC_BUILD_JOBS=$(SONIC_BUILD_JOBS) \
SONIC_USE_DOCKER_BUILDKIT=$(SONIC_USE_DOCKER_BUILDKIT) \
VS_PREPARE_MEM=$(VS_PREPARE_MEM) \
10 changes: 10 additions & 0 deletions build_debian.sh
Expand Up @@ -684,6 +684,16 @@ sudo LANG=C chroot $FILESYSTEM_ROOT umount /proc || true
## Prepare empty directory to trigger mount move in initramfs-tools/mount_loop_root, implemented by patching
sudo mkdir $FILESYSTEM_ROOT/host


if [[ "$CHANGE_DEFAULT_PASSWORD" == "y" ]]; then
## Expire default password for exitsing users that can do login
default_users=$(cat $FILESYSTEM_ROOT/etc/passwd | grep "/home"| grep ":/bin/bash\|:/bin/sh" | awk -F ":" '{print $1}' 2> /dev/null)
for user in $default_users
do
sudo LANG=C chroot $FILESYSTEM_ROOT passwd -e ${user}
done
fi

## Compress most file system into squashfs file
sudo rm -f $ONIE_INSTALLER_PAYLOAD $FILESYSTEM_SQUASHFS
## Output the file system total size for diag purpose
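Review bot: The account selection in `default_users=` matches `/home` and the shell names anywhere in the passwd line rather than in the home and shell fields, so an account with a login shell whose home is outside `/home` is never expired, and a match in another field (the comment field, say) could select an unintended account. Selecting on the fields themselves would be tighter, assuming the `/home` restriction is intended: `default_users=$(awk -F: '$6 ~ /^\/home\// && $7 ~ /^\/bin\/(bash|sh)$/ {print $1}' $FILESYSTEM_ROOT/etc/passwd)`. The result of `passwd -e` is not checked inside the loop; unless the script runs under `set -e` (not visible in this hunk), a failure would leave a non-expired default password in the image while the build still succeeds, so `passwd -e "${user}" || exit 1` is worth adding. The comment above the block has a typo, "exitsing".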
27 changes: 26 additions & 1 deletion check_install.py
Expand Up @@ -11,6 +11,7 @@ def main():
parser = argparse.ArgumentParser(description='test_login cmdline parser')
parser.add_argument('-u', default="admin", help='login user name')
parser.add_argument('-P', default="YourPaSsWoRd", help='login password')
parser.add_argument('-N', default="Test@2022", help='new password')
parser.add_argument('-p', type=int, default=9000, help='local port')

args = parser.parse_args()
Expand All @@ -20,6 +21,7 @@ def main():
cmd_prompt = "{}@sonic:~\$ $".format(args.u)
grub_selection = "The highlighted entry will be executed"
firsttime_prompt = 'firsttime_exit'
passwd_change_prompt = ['Current password:', 'New password:', 'Retype new password:']

i = 0
while True:
Expand All @@ -36,7 +38,6 @@ def main():
# select default SONiC Image
p.expect(grub_selection)
p.sendline()

# bootup sonic image
while True:
i = p.expect([login_prompt, passwd_prompt, firsttime_prompt, cmd_prompt])
Expand All @@ -46,6 +47,30 @@ def main():
elif i == 1:
# send password
p.sendline(args.P)
# Check for password change prompt
try:
p.expect('Current password:', timeout=2)
except pexpect.TIMEOUT:
break
else:
# send old password for password prompt
p.sendline(args.P)
p.expect(passwd_change_prompt[1])
# send new password
p.sendline(args.N)
p.expect(passwd_change_prompt[2])
# retype new password
p.sendline(args.N)
time.sleep(1)
# Restore default password
p.sendline('passwd {}'.format(args.u))
p.expect(passwd_change_prompt[0])
p.sendline(args.N)
p.expect(passwd_change_prompt[1])
p.sendline(args.P)
p.expect(passwd_change_prompt[2])
p.sendline(args.P)
break
elif i == 2:
# fix a login timeout issue, caused by the login_prompt message mixed with the output message of the rc.local
time.sleep(1)
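Review bot: The new branch under `elif i == 1:` treats a missing `Current password:` prompt as success (`except pexpect.TIMEOUT: break`), so the check passes the same way whether or not the image enforces the password change. A prompt that arrives after the 2-second timeout also leaves the session at the change dialog while the script carries on. An option stating that the change is expected, with a failure when the prompt does not appear, would let this script verify the feature; the first expect could then read `p.expect(passwd_change_prompt[0], timeout=2)` instead of repeating the literal. The restore sequence ends with `p.sendline(args.P)` and `break` without waiting for output, so a rejected restore (password policy or history, for instance) goes unnoticed; adding something like `p.expect('password updated successfully')` before the `break` would catch it, provided that matches the image's passwd output. `main()` starts and ends outside these hunks, so how the session is used after the loop is not visible here.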
3 changes: 3 additions & 0 deletions rules/config
Expand Up @@ -39,6 +39,9 @@ DEFAULT_BUILD_LOG_TIMESTAMP = none
# Comment next line to disable:
# SONIC_CONFIG_ENABLE_COLORS = y

# CHANGE_DEFAULT_PASSWORD - enforce default user/users to change password on 1st login
CHANGE_DEFAULT_PASSWORD ?= n

# DEFAULT_USERNAME - default username for installer build
DEFAULT_USERNAME = admin

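Review bot: The comment above `CHANGE_DEFAULT_PASSWORD ?= n` does not state the accepted values or what the default means for the built image. build_debian.sh in this commit acts only on the exact value `y`, so any other setting, including the default, ships the default user with a password that is not expired. A comment such as `# CHANGE_DEFAULT_PASSWORD - set to y to expire the default users' passwords at build time so they must be changed on first login; any other value leaves them unexpired` would make that explicit.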
2 changes: 2 additions & 0 deletions slave.mk
Expand Up @@ -376,6 +376,7 @@ $(info "USE_NATIVE_DOCKERD_FOR_BUILD" : "$(SONIC_CONFIG_USE_NATIVE_DOCKERD_FO
$(info "SONIC_USE_DOCKER_BUILDKIT" : "$(SONIC_USE_DOCKER_BUILDKIT)")
$(info "USERNAME" : "$(USERNAME)")
$(info "PASSWORD" : "$(PASSWORD)")
$(info "CHANGE_DEFAULT_PASSWORD" : "$(CHANGE_DEFAULT_PASSWORD)")
$(info "ENABLE_DHCP_GRAPH_SERVICE" : "$(ENABLE_DHCP_GRAPH_SERVICE)")
$(info "SHUTDOWN_BGP_ON_START" : "$(SHUTDOWN_BGP_ON_START)")
$(info "ENABLE_PFCWD_ON_START" : "$(ENABLE_PFCWD_ON_START)")
Expand Down Expand Up @@ -1430,6 +1431,7 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
DEBUG_SRC_ARCHIVE_FILE="$(DBG_SRC_ARCHIVE_FILE)" \
USERNAME="$(USERNAME)" \
PASSWORD="$(PASSWORD)" \
CHANGE_DEFAULT_PASSWORD="$(CHANGE_DEFAULT_PASSWORD)" \
TARGET_MACHINE=$(dep_machine) \
IMAGE_TYPE=$($*_IMAGE_TYPE) \
TARGET_PATH=$(TARGET_PATH) \
