
Commit c1dd94f

authored
Add California-SB237 feature. Requires to change default user password (sonic-net#12678)
#### Why I did it Add support of California-SB237 conformance. https://github.com/sonic-net/SONiC/tree/master/doc/California-SB237 #### How I did it Expire user passwords during build #### How to verify it Enable build flag and check if default user is prompted for a new password
1 parent 3e316cb commit c1dd94f


5 files changed

+42
-1
lines changed


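--- a/Makefile.work
+++ b/Makefile.work
@@ -499,6 +499,7 @@ SONIC_BUILD_INSTRUCTION := $(MAKE) \
 MDEBUG=$(MDEBUG) \
 PASSWORD=$(PASSWORD) \
 USERNAME=$(USERNAME) \
+CHANGE_DEFAULT_PASSWORD=$(CHANGE_DEFAULT_PASSWORD) \
 SONIC_BUILD_JOBS=$(SONIC_BUILD_JOBS) \
 SONIC_USE_DOCKER_BUILDKIT=$(SONIC_USE_DOCKER_BUILDKIT) \
 VS_PREPARE_MEM=$(VS_PREPARE_MEM) \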

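--- a/build_debian.sh
+++ b/build_debian.sh
@@ -684,6 +684,16 @@ sudo LANG=C chroot $FILESYSTEM_ROOT umount /proc || true
 ## Prepare empty directory to trigger mount move in initramfs-tools/mount_loop_root, implemented by patching
 sudo mkdir $FILESYSTEM_ROOT/host
 
+
+if [[ "$CHANGE_DEFAULT_PASSWORD" == "y" ]]; then
+## Expire default password for exitsing users that can do login
+default_users=$(cat $FILESYSTEM_ROOT/etc/passwd | grep "/home"| grep ":/bin/bash\|:/bin/sh" | awk -F ":" '{print $1}' 2> /dev/null)
+for user in $default_users
+do
+sudo LANG=C chroot $FILESYSTEM_ROOT passwd -e ${user}
+done
+fi
+
 ## Compress most file system into squashfs file
 sudo rm -f $ONIE_INSTALLER_PAYLOAD $FILESYSTEM_SQUASHFS
 ## Output the file system total size for diag purpose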
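Review bot: The added `default_users=` line matches on the whole passwd record rather than on its fields, so `/home` can match outside the home-directory field, and a login-capable account whose shell is not `/bin/bash` or `/bin/sh` keeps an unexpired default password. Matching the fields explicitly would be tighter, for example `default_users=$(awk -F: '$6 ~ /^\/home\// && $7 !~ /(nologin|false)$/ {print $1}' "$FILESYSTEM_ROOT/etc/passwd")`. The `2> /dev/null` only silences awk, and a failing `passwd -e` in the loop goes unreported unless the script runs under `set -e`, which is not visible in this hunk. A build that asked for `CHANGE_DEFAULT_PASSWORD=y` should fail rather than produce an image whose default password is still valid. The new comment also has a typo (`exitsing`).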

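--- a/check_install.py
+++ b/check_install.py
@@ -11,6 +11,7 @@ def main():
 parser = argparse.ArgumentParser(description='test_login cmdline parser')
 parser.add_argument('-u', default="admin", help='login user name')
 parser.add_argument('-P', default="YourPaSsWoRd", help='login password')
+parser.add_argument('-N', default="Test@2022", help='new password')
 parser.add_argument('-p', type=int, default=9000, help='local port')
 
 args = parser.parse_args()
@@ -20,6 +21,7 @@ def main():
 cmd_prompt = "{}@sonic:~\$ $".format(args.u)
 grub_selection = "The highlighted entry will be executed"
 firsttime_prompt = 'firsttime_exit'
+passwd_change_prompt = ['Current password:', 'New password:', 'Retype new password:']
 
 i = 0
 while True:
@@ -36,7 +38,6 @@ def main():
 # select default SONiC Image
 p.expect(grub_selection)
 p.sendline()
-
 # bootup sonic image
 while True:
 i = p.expect([login_prompt, passwd_prompt, firsttime_prompt, cmd_prompt])
@@ -46,6 +47,30 @@ def main():
 elif i == 1:
 # send password
 p.sendline(args.P)
+# Check for password change prompt
+try:
+p.expect('Current password:', timeout=2)
+except pexpect.TIMEOUT:
+break
+else:
+# send old password for password prompt
+p.sendline(args.P)
+p.expect(passwd_change_prompt[1])
+# send new password
+p.sendline(args.N)
+p.expect(passwd_change_prompt[2])
+# retype new password
+p.sendline(args.N)
+time.sleep(1)
+# Restore default password
+p.sendline('passwd {}'.format(args.u))
+p.expect(passwd_change_prompt[0])
+p.sendline(args.N)
+p.expect(passwd_change_prompt[1])
+p.sendline(args.P)
+p.expect(passwd_change_prompt[2])
+p.sendline(args.P)
+break
 elif i == 2:
 # fix a login timeout issue, caused by the login_prompt message mixed with the output message of the rc.local
 time.sleep(1)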
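Review bot: Both paths of the new `try/except/else` end in `break`, so the boot loop now exits right after the password is sent instead of waiting for `cmd_prompt` (or handling `firsttime_prompt`) as the `elif i == 1` branch did before; a rejected login or a failed password restore would go unnoticed here, though the code after the loop is outside the hunk. The 2-second timeout on `'Current password:'` is also tight for a booting VM: if the prompt arrives late, the script takes the TIMEOUT path and the forced change is never answered. I would drop both `break`s so the loop carries on to `cmd_prompt`, allow a longer timeout, and reuse the list entry instead of repeating the literal, e.g. `p.expect(passwd_change_prompt[0], timeout=10)` with `except pexpect.TIMEOUT: pass`. The restore sequence should wait for the shell prompt before `p.sendline('passwd {}'.format(args.u))` rather than rely on `time.sleep(1)`.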

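--- a/rules/config
+++ b/rules/config
@@ -39,6 +39,9 @@ DEFAULT_BUILD_LOG_TIMESTAMP = none
 # Comment next line to disable:
 # SONIC_CONFIG_ENABLE_COLORS = y
 
+# CHANGE_DEFAULT_PASSWORD - enforce default user/users to change password on 1st login
+CHANGE_DEFAULT_PASSWORD ?= n
+
 # DEFAULT_USERNAME - default username for installer build
 DEFAULT_USERNAME = admin
 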
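Review bot: The new comment does not say which value turns the feature on, and build_debian.sh tests for exactly `y`, so a value such as `yes` or `Y` would leave the default passwords unexpired without any warning. I would word it as `# CHANGE_DEFAULT_PASSWORD - set to y to force the default user(s) to change their password on first login; any other value leaves it disabled`. With the default of `n`, the expiry step is skipped unless the builder opts in, which is worth stating next to the flag.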

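--- a/slave.mk
+++ b/slave.mk
@@ -376,6 +376,7 @@ $(info "USE_NATIVE_DOCKERD_FOR_BUILD" : "$(SONIC_CONFIG_USE_NATIVE_DOCKERD_FO
 $(info "SONIC_USE_DOCKER_BUILDKIT" : "$(SONIC_USE_DOCKER_BUILDKIT)")
 $(info "USERNAME" : "$(USERNAME)")
 $(info "PASSWORD" : "$(PASSWORD)")
+$(info "CHANGE_DEFAULT_PASSWORD" : "$(CHANGE_DEFAULT_PASSWORD)")
 $(info "ENABLE_DHCP_GRAPH_SERVICE" : "$(ENABLE_DHCP_GRAPH_SERVICE)")
 $(info "SHUTDOWN_BGP_ON_START" : "$(SHUTDOWN_BGP_ON_START)")
 $(info "ENABLE_PFCWD_ON_START" : "$(ENABLE_PFCWD_ON_START)")
@@ -1430,6 +1431,7 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
 DEBUG_SRC_ARCHIVE_FILE="$(DBG_SRC_ARCHIVE_FILE)" \
 USERNAME="$(USERNAME)" \
 PASSWORD="$(PASSWORD)" \
+CHANGE_DEFAULT_PASSWORD="$(CHANGE_DEFAULT_PASSWORD)" \
 TARGET_MACHINE=$(dep_machine) \
 IMAGE_TYPE=$($*_IMAGE_TYPE) \
 TARGET_PATH=$(TARGET_PATH) \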
