V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m44s
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m44s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -18,6 +18,7 @@ guard_sourcing
|
||||
# RECOVERY
|
||||
# TARGET
|
||||
# VAR_RUN_RECOVERY
|
||||
# VAR_SETUP_PATH
|
||||
# VAR_TEMP_PLAIN_MFA_SEED
|
||||
# VAR_USER_MAX
|
||||
# VAR_USER_ROOT_SPECIFIC
|
||||
@@ -51,6 +52,10 @@ accounts_setup() {
|
||||
|
||||
chroot_logger "${var_target}${var_logfile}"
|
||||
|
||||
### Install CISS TOTP gate script.
|
||||
install -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/usr/local/libexec/ciss_pam_2fa_gate.sh" \
|
||||
"${var_target}/usr/local/libexec/"
|
||||
|
||||
### Update pam modules for 2fa.
|
||||
write_pam_login "${var_target}"
|
||||
write_pam_sshd "${var_target}"
|
||||
@@ -166,7 +171,10 @@ EOF
|
||||
if [[ "${user_root_authentication_2fa_ssh}" == "true" || "${user_root_authentication_2fa_tty}" == "true" ]]; then
|
||||
|
||||
write_google_authenticator_file "root" "0" "0" "${var_target}"
|
||||
printf '%s\n' "root" >> "${var_target}/etc/ciss/2fa.users"
|
||||
|
||||
[[ "${user_root_authentication_2fa_ssh}" == "true" ]] && write_ciss_2fa_user "root" "sshd" "on" "${var_target}"
|
||||
|
||||
[[ "${user_root_authentication_2fa_tty}" == "true" ]] && write_ciss_2fa_user "root" "login" "on" "${var_target}"
|
||||
|
||||
fi
|
||||
|
||||
@@ -382,7 +390,10 @@ EOF
|
||||
if [[ "${var_2fa_ssh}" == "true" || "${var_2fa_tty}" == "true" ]]; then
|
||||
|
||||
write_google_authenticator_file "${var_username}" "${var_uid}" "${var_gid}" "${var_target}"
|
||||
printf '%s\n' "${var_username}" >> "${var_target}/etc/ciss/2fa.users"
|
||||
|
||||
[[ "${var_2fa_ssh}" == "true" ]] && write_ciss_2fa_user "${var_username}" "sshd" "on" "${var_target}"
|
||||
|
||||
[[ "${var_2fa_tty}" == "true" ]] && write_ciss_2fa_user "${var_username}" "login" "on" "${var_target}"
|
||||
|
||||
fi
|
||||
|
||||
@@ -652,7 +663,7 @@ EOF
|
||||
cat << EOF >> "${var_lr_conf}"
|
||||
/var/log/sudo.log {
|
||||
daily
|
||||
rotate 128
|
||||
rotate 384
|
||||
maxage 384
|
||||
compress
|
||||
delaycompress
|
||||
@@ -666,18 +677,6 @@ EOF
|
||||
}
|
||||
EOF
|
||||
|
||||
### Verify logrotate config in chroot.
|
||||
if ! chroot_script "${var_target}" "logrotate -d /etc/logrotate.conf >> ${var_logfile}"; then
|
||||
|
||||
do_log "warn" "file_only" "4520() Command: [chroot_script ${var_target} logrotate -d /etc/logrotate.conf] failed."
|
||||
return "${ERR_VERIFY_LOGROTATE}"
|
||||
|
||||
else
|
||||
|
||||
do_log "info" "file_only" "4520() Command: [chroot_script ${var_target} logrotate -d /etc/logrotate.conf] successful."
|
||||
|
||||
fi
|
||||
|
||||
fi
|
||||
|
||||
return 0
|
||||
@@ -721,6 +720,131 @@ read_totp_seed(){
|
||||
# shellcheck disable=SC2034
|
||||
readonly -f read_totp_seed
|
||||
|
||||
#######################################
|
||||
# Writes idempotently '/etc/ciss/2fa.map'.
|
||||
# Globals:
|
||||
# None
|
||||
# Arguments:
|
||||
# 1: user
|
||||
# 2: module {login, sshd, su, sudo}
|
||||
# 3: status {on, off, 1, 0, yes, no, true, false}
|
||||
# 4: target
|
||||
# Returns:
|
||||
# 0: on success
|
||||
#######################################
|
||||
write_ciss_2fa_user() {
|
||||
### Declare Arrays, HashMaps, and Variables.
|
||||
declare -r var_u="${1}" var_m="${2,,}" var_s="${3}" var_target="${4}"
|
||||
declare -r var_ciss_2fa_map="${var_target}/etc/ciss/2fa.map" var_map_file="${var_ciss_2fa_map}" \
|
||||
var_tmp_file="${var_map_file}.tmp.$$" var_umask=$(umask)
|
||||
declare -i col_idx="" found="0" status=""
|
||||
declare line=""
|
||||
|
||||
umask 0077
|
||||
|
||||
# shellcheck disable=SC2249
|
||||
case "${var_s,,}" in
|
||||
on|1|yes|true) status="1" ;;
|
||||
off|0|no|false) status="0" ;;
|
||||
esac
|
||||
|
||||
# shellcheck disable=SC2249
|
||||
case "${var_m}" in
|
||||
login) col_idx=2 ;;
|
||||
sshd) col_idx=3 ;;
|
||||
su) col_idx=4 ;;
|
||||
sudo) col_idx=5 ;;
|
||||
esac
|
||||
|
||||
### Read the old map, rewrite with targeted change.
|
||||
if [[ -r "${var_map_file}" ]]; then
|
||||
|
||||
### Read line by line; preserve comments/blank lines; drop duplicate user lines beyond the first.
|
||||
while IFS= read -r line || [[ -n "${line}" ]]; do
|
||||
|
||||
### Preserve comments and blanks verbatim.
|
||||
if [[ -z "${line}" || "${line:0:1}" == "#" ]]; then
|
||||
|
||||
printf '%s\n' "${line}" >> "${var_tmp_file}"
|
||||
continue
|
||||
|
||||
fi
|
||||
|
||||
### Parse colon-separated fields (the rest is ignored).
|
||||
declare u="" f_login="" f_sshd="" f_su="" f_sudo="" rest=""
|
||||
IFS=':' read -r u f_login f_sshd f_su f_sudo rest <<< "${line}"
|
||||
|
||||
### Keep non-target users verbatim.
|
||||
if [[ "${u}" != "${var_u}" ]]; then
|
||||
|
||||
printf '%s\n' "${line}" >> "${var_tmp_file}"
|
||||
continue
|
||||
|
||||
fi
|
||||
|
||||
### If we already updated this user once, skip any further duplicates.
|
||||
if [[ "${found}" -eq 1 ]]; then
|
||||
### Drop duplicate occurrence to keep the file canonical.
|
||||
continue
|
||||
fi
|
||||
|
||||
### Fill missing fields with defaults=1.
|
||||
[[ -n "${f_login}" ]] || f_login=1
|
||||
[[ -n "${f_sshd}" ]] || f_sshd=1
|
||||
[[ -n "${f_su}" ]] || f_su=1
|
||||
[[ -n "${f_sudo}" ]] || f_sudo=1
|
||||
|
||||
### Toggle the requested column only.
|
||||
# shellcheck disable=SC2249
|
||||
case "${col_idx}" in
|
||||
|
||||
2) f_login="${status}" ;;
|
||||
3) f_sshd="${status}" ;;
|
||||
4) f_su="${status}" ;;
|
||||
5) f_sudo="${status}" ;;
|
||||
|
||||
esac
|
||||
|
||||
printf '%s:%s:%s:%s:%s\n' "${u}" "${f_login}" "${f_sshd}" "${f_su}" "${f_sudo}" >> "${var_tmp_file}"
|
||||
found=1
|
||||
|
||||
done < "${var_map_file}"
|
||||
|
||||
fi
|
||||
|
||||
### If user not found: append a new default line (all 1), with the column set.
|
||||
if [[ "${found}" -eq 0 ]]; then
|
||||
|
||||
declare -i d_login="1" d_sshd="1" d_su="1" d_sudo="1"
|
||||
|
||||
# shellcheck disable=SC2249
|
||||
case "${col_idx}" in
|
||||
|
||||
2) d_login="${status}" ;;
|
||||
3) d_sshd="${status}" ;;
|
||||
4) d_su="${status}" ;;
|
||||
5) d_sudo="${status}" ;;
|
||||
|
||||
esac
|
||||
|
||||
printf '%s:%s:%s:%s:%s\n' "${var_u}" "${d_login}" "${d_sshd}" "${d_su}" "${d_sudo}" >> "${var_tmp_file}"
|
||||
|
||||
fi
|
||||
|
||||
if [[ -e "${var_tmp_file}" ]]; then
|
||||
|
||||
mv -f -- "${var_tmp_file}" "${var_map_file}" || rm -f -- "${var_tmp_file}"
|
||||
|
||||
fi
|
||||
|
||||
umask "${var_umask}"
|
||||
|
||||
return 0
|
||||
}
|
||||
### Prevents accidental 'unset -f'.
|
||||
# shellcheck disable=SC2034
|
||||
readonly -f write_ciss_2fa_user
|
||||
|
||||
#######################################
|
||||
# Writes '.google_authenticator'-file for the respective user.
|
||||
# Globals:
|
||||
@@ -859,8 +983,8 @@ session required pam_env.so readenv=1 envfile=/etc/default/locale
|
||||
|
||||
# ===== CISS 2FA block ========
|
||||
|
||||
# If user is NOT listed -> succeed and SKIP next two lines (no TOTP prompt).
|
||||
auth [success=2 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa.users onerr=ignore
|
||||
# If gate returns SUCCESS => skip next two lines (no TOTP).
|
||||
auth [success=2 default=ignore] pam_exec.so quiet /usr/local/libexec/ciss_pam_2fa_gate.sh
|
||||
|
||||
# For listed users: enforce that the secret file exists, else deny without prompting.
|
||||
# pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
|
||||
@@ -943,8 +1067,8 @@ write_pam_sshd() {
|
||||
|
||||
# ===== CISS 2FA block ========
|
||||
|
||||
# If user is NOT listed -> succeed and SKIP next two lines (silent Keyboard-Interactive (KI) success).
|
||||
auth [success=2 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa.users onerr=ignore
|
||||
# If gate returns SUCCESS => skip next two lines (no TOTP).
|
||||
auth [success=2 default=ignore] pam_exec.so quiet /usr/local/libexec/ciss_pam_2fa_gate.sh
|
||||
|
||||
# For listed users: enforce that the secret file exists, else deny without prompting.
|
||||
# pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
|
||||
@@ -1064,8 +1188,8 @@ auth sufficient pam_timestamp.so
|
||||
|
||||
# ===== CISS 2FA block ========
|
||||
|
||||
# If user is NOT listed -> succeed and SKIP next two lines (no TOTP prompt).
|
||||
auth [success=2 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa.users onerr=ignore
|
||||
# If gate returns SUCCESS => skip next two lines (no TOTP).
|
||||
auth [success=2 default=ignore] pam_exec.so quiet /usr/local/libexec/ciss_pam_2fa_gate.sh
|
||||
|
||||
# For listed users: enforce that the secret file exists, else deny without prompting.
|
||||
# pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
|
||||
@@ -1129,8 +1253,8 @@ auth sufficient pam_timestamp.so
|
||||
|
||||
# ===== CISS 2FA block ========
|
||||
|
||||
# If user is NOT listed -> succeed and SKIP next two lines (no TOTP prompt).
|
||||
auth [success=2 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa.users onerr=ignore
|
||||
# If gate returns SUCCESS => skip next two lines (no TOTP).
|
||||
auth [success=2 default=ignore] pam_exec.so quiet /usr/local/libexec/ciss_pam_2fa_gate.sh
|
||||
|
||||
# For listed users: enforce that the secret file exists, else deny without prompting.
|
||||
# pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
|
||||
|
||||
Reference in New Issue
Block a user