SSH login double password prompt

Hi,

I’ve been running OSMC on Raspberry Pis for years and couldn’t be happier with my media center.

I’ve run into a minor annoyance since I installed the April update, a couple of weeks ago. When I log in, via SSH, to a non-sudoer account, I’m asked for my password twice. When I enter the password a second time, I’m informed that my user is not a sudoer.

Using strace, as far as I can tell, this happens because of “sudo grep -q” in /etc/profile.d/105-check-ssh-password.sh

Is this a recent addition? Do I need to change something? Maybe adding a sudo -v to the condition in /etc/profile.d/105-check-ssh-password.sh would help.

Thanks.

It seems to be a recent innovation but, as you’ve found out, in need of improvement, since it assumes the user will be in the sudoers file.

There’s a lot wrong with that file.

The check for the existence of /home/osmc/.nosshwarn should be first, to allow a short-circuit which would keep the rest of the checks from running.

There also should be a check to see if the user ID of the user logging in is “1000” (the osmc user). Why bother to alert a user about a different user’s password status? If it actually worked for another user, then it would tell them there is an exploitable security hole.

And, the “grep” looks for an exact match of the line, but a change to something other than the password and account enabled status (like the password aging) would cause the “grep” to fail even though there is still a security issue.

There is no real good way to handle this, but giving all users the ability to run that exact grep command (maybe through a shell script as a proxy) would at least make it work more often.

This is my first post here, so first thing first: thank you developers for OSMC, it is great and I use it on 3 RPi’s, I love it!

I am affected by this new issue as well. It is related with /etc/profile.d/105-check-ssh-password.sh which is part of the package base-files-osmc. First line is

if systemctl is-active ssh -q && sudo grep -q "osmc:\$1\$P.ZH6EFu\$L08/1ZYI6FdHu3aw0us.u0:17569:0:99999:7:::" /etc/shadow && [ ! -f /home/osmc/.nosshwarn ]
then

Intent is clear: if default osmc pwd hasn’t been changed there is a security risk. However, being asked for a pwd every time is a bit of a pain… My (somewhat painful) workaround is to, every time base-files-osmc is update, modify the file and put at the very beginning a “return” (deleting the file would have the same effect). A better solution (and humble suggestion to developers) would be if the test about existence of .nosshwarn was BEFORE the check on passwork, so I could just “touch” that file on osmc home dir and all would be good:

if systemctl is-active ssh -q && [ ! -f /home/osmc/.nosshwarn ] && sudo grep -q "osmc:\$1\$P.ZH6EFu\$L08/1ZYI6FdHu3aw0us.u0:17569:0:99999:7:::" /etc/shadow 
    then

This would still leave some issues for users that don’t have read rights on /home/osmc. An alternative solution could be to first check if the user logging in is “osmc”, so the test is only run when accessing that account. I am sure many other solutions are possible.

Cheers

Oh well, nabsltd posted while I was writing my reply, but bottom line is I agree!

It probably makes sense to check the user that is logging in as the OSMC user, so I’ve added:

Alternatively we could use a systemd unit to perform these checks, but it wouldn’t be as responsive.

Happy to take any suggestions on board

Sam

How about something like that, and have it store something into a Kodi config file, then display an alert on the home screen at Kodi startup? This way, the user gets notified even if they don’t log in via SSH, but if the security hole (original password plus SSH enabled) exists.

Thanks Sam, I agree the check shouldn’t be done if we are not osmc. I may be getting something wrong here, but aren’t the scripts in /etc/profile.d/ “sourced” instead of “run”? In other words, if the test for osmc fails, should we have “return” instead of “exit”?

Also, I would additionally also invert the test for password and existence of .nosshwarn, no need to ask for sudo password if then the result of the test is irrelevant…

Sure — happy to accept a PR or updated script here and we will merge it

I don’t know what a PR is, but here is my proposal for the full updated script:

user=$(whoami)
if [ "$user" != "osmc" ]; then return 0; fi

if systemctl is-active ssh -q && [ ! -f /home/osmc/.nosshwarn ] && sudo grep -q "osmc:\$1\$P.ZH6EFu\$L08/1ZYI6FdHu3aw0us.u0:17569:0:99999:7:::" /etc/shadow
then
    echo "Warning: you are using SSH with the default OSMC credentials. This is a security risk."
    echo "To change your password, type passwd"
    echo "To disable this warning, type touch /home/osmc/.nosshwarn"
fi

cheers

A PR is basically a change that you directly suggest to the source code of OSMC.

The two files that need to be changed are listed in the change that @sam_nazarko linked above

I’ve updated the file to return rather than exit now.