msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 55s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-08-11 08:12:39 +02:00
parent f39096f4f9
commit 034f4de335
5 changed files with 48 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
func/cdi_4500_user/4500_installation_accounts.sh
View File

@@ -181,8 +181,7 @@ write_google_authenticator_file() {
declare -i i=0 declare -i i=0
### TODO: PASSWORD REMINDER START:NOT ACTIVE ### TODO: PASSWORD REMINDER START:NOT ACTIVE
### No tracing for security reasons #guard_trace on
#[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
var_secret="$(generate_totp_secret "${var_user}")" var_secret="$(generate_totp_secret "${var_user}")"
@@ -198,9 +197,8 @@ write_google_authenticator_file() {
for i in {0..7}; do printf '%08d\n' "$(( RANDOM % 100000000 ))"; done for i in {0..7}; do printf '%08d\n' "$(( RANDOM % 100000000 ))"; done
} >| "${var_base}/.google_authenticator" } >| "${var_base}/.google_authenticator"
### Turn on tracing again
#[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
### TODO: PASSWORD REMINDER STOP:NOT ACTIVE ### TODO: PASSWORD REMINDER STOP:NOT ACTIVE
#guard_trace off
chown "${var_user}:${var_user}" "${var_base}/.google_authenticator" chown "${var_user}:${var_user}" "${var_base}/.google_authenticator"
@@ -233,8 +231,7 @@ generate_totp_secret() {
declare var_secret="" declare var_secret=""
### TODO: PASSWORD REMINDER START:NOT ACTIVE ### TODO: PASSWORD REMINDER START:NOT ACTIVE
### No tracing for security reasons #guard_trace on
#[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
### Derive 20 bytes via HKDF-SHA256 using OpenSSL 3 kdf, output as raw, then base32 (uppercase, no padding). ### Derive 20 bytes via HKDF-SHA256 using OpenSSL 3 kdf, output as raw, then base32 (uppercase, no padding).
# shellcheck disable=SC2312 # shellcheck disable=SC2312
@@ -243,9 +240,8 @@ generate_totp_secret() {
-kdfopt salt:"${var_salt}" -kdfopt info:"${var_info}" -binary HKDF | base32 | tr -d '=' | tr '[:lower:]' '[:upper:]' -kdfopt salt:"${var_salt}" -kdfopt info:"${var_info}" -binary HKDF | base32 | tr -d '=' | tr '[:lower:]' '[:upper:]'
)" )"
### Turn on tracing again
#[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
### TODO: PASSWORD REMINDER STOP:NOT ACTIVE ### TODO: PASSWORD REMINDER STOP:NOT ACTIVE
#guard_trace off
printf '%s\n' "${var_secret}" printf '%s\n' "${var_secret}"
return 0 return 0
@@ -268,18 +264,19 @@ read_totp_seed(){
declare -g VAR_TEMP_PLAIN_MFA_SEED="" declare -g VAR_TEMP_PLAIN_MFA_SEED=""
### TODO: PASSWORD REMINDER START:NOT ACTIVE ### TODO: PASSWORD REMINDER START:NOT ACTIVE
### No tracing for security reasons #guard_trace on
#[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
if ! read_password_file "${var_mfa_seed_file}" VAR_TEMP_PLAIN_MFA_SEED; then if ! read_password_file "${var_mfa_seed_file}" VAR_TEMP_PLAIN_MFA_SEED; then
return "${ERR_READ_SEED_FILE}" return "${ERR_READ_SEED_FILE}"
fi fi
### Validate: exactly 64 hex. ### Validate: exactly 64 hex.
[[ "${VAR_TEMP_PLAIN_MFA_SEED}" =~ ^[0-9a-fA-F]{64}$ ]] || return "${ERR_READ_SEED_FILE}" [[ "${VAR_TEMP_PLAIN_MFA_SEED}" =~ ^[0-9a-fA-F]{64}$ ]] || return "${ERR_READ_SEED_FILE}"
### Turn on tracing again
#[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
### TODO: PASSWORD REMINDER STOP:NOT ACTIVE ### TODO: PASSWORD REMINDER STOP:NOT ACTIVE
#guard_trace off
return 0 return 0
} }

28
lib/cdi_0050_debug/0056_debug_guard.sh Normal file
View File

@@ -0,0 +1,28 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Wrapper that enables and disables XTRACE password handling safely.
# Globals:
# VAR_DEBUG_TRACE
# Arguments:
# 1: on [set +x] || off [set -x]
#######################################
guard_trace() {
case "${1,,}" in
on) [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x;;
off) [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x;;
esac
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

6
lib/cdi_0100_arg/0104_arg_passphrase_modules.sh
View File

@@ -57,8 +57,7 @@ read_password_file() {
declare -a lines=() declare -a lines=()
### TODO: PASSWORD REMINDER START ### TODO: PASSWORD REMINDER START
### No tracing for security reasons guard_trace on
[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
if [[ ! -f "${var_input_file}" ]]; then if [[ ! -f "${var_input_file}" ]]; then
@@ -88,9 +87,8 @@ read_password_file() {
fi fi
### Turn on tracing again
[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
### TODO: PASSWORD REMINDER STOP ### TODO: PASSWORD REMINDER STOP
guard_trace off
sync sync

18
lib/cdi_0100_arg/0105_arg_nuke_converter.sh
View File

@@ -29,36 +29,34 @@ nuke_passphrase() {
declare -r var_nuke_pwd_file="${DIR_CNF}/password_luks_nuke.txt" declare -r var_nuke_pwd_file="${DIR_CNF}/password_luks_nuke.txt"
declare var_temp_nuke_hash="" var_temp_plain_nuke_pwd="" var_salt="" declare var_temp_nuke_hash="" var_temp_plain_nuke_pwd="" var_salt=""
### TODO: PASSWORD REMINDER START [[ ! -f "${var_nuke_pwd_file}" ]] && return 0
### No tracing for security reasons
[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x ### TODO: PASSWORD REMINDER START
guard_trace on
if ! read_password_file "${var_nuke_pwd_file}" var_temp_plain_nuke_pwd; then if ! read_password_file "${var_nuke_pwd_file}" var_temp_plain_nuke_pwd; then
return "${ERR_READ_NUKE_FILE}" return "${ERR_READ_NUKE_FILE}"
fi fi
### Turn on tracing again
[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
### TODO: PASSWORD REMINDER STOP ### TODO: PASSWORD REMINDER STOP
guard_trace off
if ! var_salt="$(generate_salt)"; then if ! var_salt="$(generate_salt)"; then
return "${ERR_GENERATE_SALT}" return "${ERR_GENERATE_SALT}"
fi fi
### TODO: PASSWORD REMINDER START ### TODO: PASSWORD REMINDER START
### No tracing for security reasons guard_trace on
[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
var_temp_nuke_hash=$(mkpasswd --method=sha-512 --salt="${var_salt}" --rounds="${VAR_NUKE_ROUNDS:-8388608}" "${var_temp_plain_nuke_pwd}") var_temp_nuke_hash=$(mkpasswd --method=sha-512 --salt="${var_salt}" --rounds="${VAR_NUKE_ROUNDS:-8388608}" "${var_temp_plain_nuke_pwd}")
### Turn on tracing again
[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
### TODO: PASSWORD REMINDER STOP ### TODO: PASSWORD REMINDER STOP
guard_trace off
declare -grx VAR_NUKE_HASH="${var_temp_nuke_hash}" declare -grx VAR_NUKE_HASH="${var_temp_nuke_hash}"
unset var_temp_nuke_hash var_temp_plain_nuke_pwd unset var_temp_nuke_hash var_temp_plain_nuke_pwd

1
meta_loader_lib.sh
View File

@@ -30,6 +30,7 @@ source_guard "./lib/cdi_0050_debug/0052_debug_trace.sh"
source_guard "./lib/cdi_0050_debug/0053_debug_trace_header.sh" source_guard "./lib/cdi_0050_debug/0053_debug_trace_header.sh"
source_guard "./lib/cdi_0050_debug/0054_debug_trap.sh" source_guard "./lib/cdi_0050_debug/0054_debug_trap.sh"
source_guard "./lib/cdi_0050_debug/0055_debug_trap_header.sh" source_guard "./lib/cdi_0050_debug/0055_debug_trap_header.sh"
source_guard "./lib/cdi_0050_debug/0056_debug_guard.sh"
source_guard "./lib/cdi_0060_traps/0060_trap_err.sh" source_guard "./lib/cdi_0060_traps/0060_trap_err.sh"
source_guard "./lib/cdi_0060_traps/0070_trap_exit.sh" source_guard "./lib/cdi_0060_traps/0070_trap_exit.sh"