V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-08-11 08:12:39 +02:00
parent f39096f4f9
commit 034f4de335
5 changed files with 48 additions and 26 deletions
--- a/func/cdi_4500_user/4500_installation_accounts.sh
+++ b/func/cdi_4500_user/4500_installation_accounts.sh
@@ -181,8 +181,7 @@ write_google_authenticator_file() {
  declare -i  i=0

  ### TODO: PASSWORD REMINDER START:NOT ACTIVE
-  ### No tracing for security reasons
-  #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
+  #guard_trace on

  var_secret="$(generate_totp_secret "${var_user}")"

@@ -198,9 +197,8 @@ write_google_authenticator_file() {
    for i in {0..7}; do printf '%08d\n' "$(( RANDOM % 100000000 ))"; done
  } >| "${var_base}/.google_authenticator"

-  ### Turn on tracing again
-  #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
  ### TODO: PASSWORD REMINDER STOP:NOT ACTIVE
+  #guard_trace off

  chown "${var_user}:${var_user}" "${var_base}/.google_authenticator"

@@ -233,8 +231,7 @@ generate_totp_secret() {
  declare  var_secret=""

  ### TODO: PASSWORD REMINDER START:NOT ACTIVE
-  ### No tracing for security reasons
-  #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
+  #guard_trace on

  ### Derive 20 bytes via HKDF-SHA256 using OpenSSL 3 kdf, output as raw, then base32 (uppercase, no padding).
  # shellcheck disable=SC2312
@@ -243,9 +240,8 @@ generate_totp_secret() {
      -kdfopt salt:"${var_salt}" -kdfopt info:"${var_info}" -binary HKDF | base32 | tr -d '=' | tr '[:lower:]' '[:upper:]'
  )"

-  ### Turn on tracing again
-  #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
  ### TODO: PASSWORD REMINDER STOP:NOT ACTIVE
+  #guard_trace off

  printf '%s\n' "${var_secret}"
  return 0
@@ -268,18 +264,19 @@ read_totp_seed(){
  declare -g VAR_TEMP_PLAIN_MFA_SEED=""

  ### TODO: PASSWORD REMINDER START:NOT ACTIVE
-  ### No tracing for security reasons
-  #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
+  #guard_trace on
+
  if ! read_password_file "${var_mfa_seed_file}" VAR_TEMP_PLAIN_MFA_SEED; then
+
    return "${ERR_READ_SEED_FILE}"
+
  fi

  ### Validate: exactly 64 hex.
  [[ "${VAR_TEMP_PLAIN_MFA_SEED}" =~ ^[0-9a-fA-F]{64}$ ]] || return "${ERR_READ_SEED_FILE}"

-  ### Turn on tracing again
-  #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
  ### TODO: PASSWORD REMINDER STOP:NOT ACTIVE
+  #guard_trace off

  return 0
 }