Password Hardening HLD

[davidpil2002]

This PR contains the Password Hardening HLD.

PR title	state	context
[sonic-buildimage] Add support for Password Hardening
[sonic-buildimage] [YANG] Add support for Password Hardening
[sonic-utilities] Add support for Password Hardening
[sonic-mgmt] Add support for Password Hardening

[ghost]

All CLA requirements met.

[liuh-80]

I have following concern and questions:

1. What's the responsbility of PASSWH? If this daemon only for read hardening setting from config DB and update PAM config file, then there already hostcfgd for this, not necessary add a new daemon. And if this daemon also will handle the password history to config DB storage, I think there will be security risk.

2. According to the design, password history will store in DB, if that means config DB, then because currently there is no ACL for config DB, so password history can be access by anyone, this will be a security risk, but if the password history stored by pam_pwhistory it self, It think it's OK.

[davidpil2002]

Hi,
In continue of your concerns and questions,

regarding question 1:
The feature should run in the host, we had a discussion if is better to integrate the feature to the current hostcfg daemon or to create a daemon to manage this feature only. For now, we think it's better to have it separate, that because the feature can be enabled by a compilation flag, meaning that the feature is not always exposed to the user, but we can discuss about it in the meeting. (in addition, the feature will use the STATE_DB as well).

Regarding concern 2, the "old passwords" (passwords history), the meaning of saving the password history is to save only have many old passwords the feature can save, not to save the passwords itself. The passwords will be saved like you commented by pw_history in /etc/security/opasswd or similar file with just root permission access.
Thanks
David

[liuh-80]

Found some minor issue in latest document.

[venkatmahalingam]

history_cnt?

[davidpil2002]

thanks, I will update this one

[davidpil2002]

Hi @liuh-80,

How are you doing?
I answered the questions above.
In addition, I had an HLD review with the community and added the changes suggested in the commit: cbe88dd
can you approve this HLD, or pls let me know if you have any more comments.

Thanks,
David

[liuh-80]

Please follow sonic yang model guideline, every definition should inside top level container, in this case, should inside sonic-passwh

https://github.com/Azure/SONiC/blob/master/doc/mgmt/SONiC_YANG_Model_Guidelines.md

[davidpil2002]

Done, I moved the "typedef feature_state" inside the container.

[davidpil2002]

@liuh-80 @liat-grozovik
can you help to merge to master?

[liat-grozovik]

@venkatmahalingam can you please approve from your side? you had comments and i wish to merge once we agree they were handled.

[davidpil2002]

Hi @venkatmahalingam,

this is a kind reminder to reply to the Liat Q in the comment above.
Thanks,