From 3bd0b3f837d5ad8c87e59b99c6baef1e2c74507b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 8 Dec 2019 03:10:41 -0500 Subject: [PATCH] notify when attempting to use ssh but user is member of group ssh --- usr/lib/security-misc/pam_tally2-info | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/usr/lib/security-misc/pam_tally2-info b/usr/lib/security-misc/pam_tally2-info index 383a239..caa1189 100755 --- a/usr/lib/security-misc/pam_tally2-info +++ b/usr/lib/security-misc/pam_tally2-info @@ -3,8 +3,31 @@ ## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## https://forums.whonix.org/t/etc-security-hardening-console-lockdown/8592 -if grep -q "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null; then +grep_result="$(grep "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)" + +if ! echo "$grep_result" | grep -q "#" ; then + ## https://forums.whonix.org/t/etc-security-hardening-console-lockdown/8592 + + if [ "$PAM_SERVICE" = "sshd" ]; then + if id --name --groups --zero "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings "ssh"; then + ssh_allowed=true + fi + if [ ! "$ssh_allowed" = "true" ]; then + echo "$0: ERROR: PAM_USER: $PAM_USER is not a member of group 'ssh'" >&2 + echo "$0: To unlock, run the following command as superuser:" >&2 + echo "$0: (If you still have a sudo/root shell somewhere.)" >&2 + echo "" >&2 + echo "addgroup $PAM_USER ssh" >&2 + echo "" >&2 + echo "$0: However, possibly unlock procedure is required." >&2 + echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2 + echo "$0: See also:" >&2 + echo "https://www.whonix.org/wiki/root#ssh" >&2 + echo "" >&2 + exit 0 + fi + fi + if id --name --groups --zero "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings "console"; then console_allowed=true fi