New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add terminal password check via 'TTY_ROOT_PASSWORD' #2539
Conversation
@@ -0,0 +1,3 @@ | |||
# Store TTY_ROOT_PASSWORD for terminal logins | |||
|
|||
[[ -n "$TTY_ROOT_PASSWORD" ]] && echo "$TTY_ROOT_PASSWORD" > "$ROOTFS_DIR/.TTY_ROOT_PASSWORD" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Argh!
I see now that also the SSH_ROOT_PASSWORD value
would appear in the log file when the code is run with set -x
.
So we need to do for SSH_ROOT_PASSWORD and TTY_ROOT_PASSWORD
the same as I did for BACKUP_PROG_CRYPT_KEY by running commands
that would expose those *_ROOT_PASSWORD values
with stderr redirected to /dev/null like
{ COMMAND ; } 2>/dev/null
Redirecting 2>/dev/null
outside of a group command { ... ; }
is mandatory
also for a single command inside the group command, cf. the comment
for the UserInput
function in lib/_input-output-functions.sh that reads (excerpt):
The redirection must be done via a compound group command
{ confidential_command ; } 2>/dev/null
even for a single confidential command to ensure
STDERR is redirected to /dev/null also for 'set -x'
otherwise the confidential command and its arguments
would be shown in the log file, for example
{ openssl des3 -salt -k secret_passphrase ; } 2>/dev/null
where the secret passphrase must not appear in the log,
cf. https://github.com/rear/rear/issues/2155
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well spotted. Addressed via 8bc2b1c.
# { TTY_ROOT_PASSWORD=''; } 2>/dev/null | ||
# NOTE: stderr is redirected in the above line to avoid exposing the password hash | ||
# in the log file when ReaR runs in debugscript mode. | ||
TTY_ROOT_PASSWORD='' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Related to not expose *_ROOT_PASSWORD values
see what I did in #2541 via
5292851
Set SSH_ROOT_PASSWORD to a default value
only if not already set so that the user can set it e.g. with
export SSH_ROOT_PASSWORD=my_recovery_system_root_password
before he calls "rear ..." so there is no need
to have SSH_ROOT_PASSWORD in local.conf.
for usr/share/rear/conf/default.conf
# Avoid that the SSH_ROOT_PASSWORD value is shown when usr/sbin/rear was called with 'set -x'
# for debugging usr/sbin/rear cf. https://github.com/rear/rear/issues/2144#issuecomment-493908133
# In debugscript mode only scripts sourced by the Source function in lib/framework-functions.sh
# are run with 'set -x' but default.conf is sourced by usr/sbin/rear directly.
# See the comment of the UserInput function in lib/_input-output-functions.sh
# how to keep things confidential when usr/sbin/rear is run in debugscript mode
# ('2>/dev/null' should be sufficient here because 'test' does not output on stdout).
# SSH_ROOT_PASSWORD is set to a default value here only
# if not already set so that the user can set it also like
# export SSH_ROOT_PASSWORD='my_recovery_system_root_password'
# directly before he calls "rear ...":
{ test "$SSH_ROOT_PASSWORD" ; } 2>/dev/null || SSH_ROOT_PASSWORD=''
@OliverO2 Only an offhanded idea: I didn't had sufficient free mind-space to have a closer look Do you think an automatism to have TTY_ROOT_PASSWORD and Offhandedly I think about something like:
results that TTY_ROOT_PASSWORD is also set to be 'mypw' It seems my automated sync idea gets too complicated. |
@jsmeix
This way one can have all combinations with |
@OliverO2 @jsmeix IMHO I would go for 1 variable |
@gdha The motivation for having a name So maybe go for |
About the env names in my opinion 2 things are important:
Why? To make it simple for end-users to understand what is going on. Furthermore, if we ever want to have a generic env variable based configuration mechanism then we can just iterate over all What do you think? |
So if I understand correctly, there would be
If so, that sounds good to me. Any other opinions on environment variables containing secrets? And the final naming of the password variable in this case? |
Yes, like that. However I am not sure about the priority question: Should env variables always override configuration settings? Or should it only override the built-in defaults? Probably good to look at other software and follow that. |
I have no good precedent at hand, but if I did a test invocation like this REAR_OUTPUT_URL=file:///my/test/destination rear mkrescue and found out that this would not override So I'd say an environment variable is like a command line parameter: An explicit setting for a single invocation that must always be honored. Configuration files must not overturn such explicit user decisions. |
@gdha Yes, this is ready to merge as is. Once we agree on some common name unifying |
I do fully agree with |
Pull Request Details:
Type: New Feature
Impact: Normal
Reference to related issue (URL):
How was this pull request tested? On Ubuntu 20.04 LTS Server
Brief description of the changes in this pull request:
Currently, ReaR allows a password check on SSH sessions only (via
SSH_ROOT_PASSWORD
).This PR enables the rescue/recovery system to enforce a password check also on terminal connections (the system console and/or serial terminals).
This prevents unauthenticated local root access
Usage
TTY_ROOT_PASSWORD
in the same way asSSH_ROOT_PASSWORD
.rear mkrescue
.Example Configuration
Configure the password
test
: