V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/cdi_4300_network/4330_installation_ssh.sh

@@ -61,13 +61,13 @@ Wants=ifup@${VAR_FINAL_NIC}.service
 ### If any tentative IPv6 address exists on the device, wait and retry.
 ### Check for the exact global address (fixed-string match, include trailing "/").
 ExecStartPre=/bin/sh -c '\
-  for i in $(seq 1 60); do \
+  for i in \$(seq 1 60); do \
     ip -6 addr show dev ${VAR_FINAL_NIC} tentative | grep -q "inet6" && { sleep 0.5; continue; }; \
     ip -6 addr show dev ${VAR_FINAL_NIC} scope global | grep -Fq " ${VAR_FINAL_IPV6}/" && exit 0; \
     sleep 0.5; \
   done; \
   echo "IPv6 address ${VAR_FINAL_IPV6} on ${VAR_FINAL_NIC} not ready"; exit 1'
-TimeoutStartSec=32s
+TimeoutStartSec=40s
 Restart=on-failure
 RestartSec=2s
 EOF

func/cdi_4500_user/4520_accounts_setup.sh

@@ -1258,94 +1258,79 @@ write_pam_login() {
 
   insert_header   "${var_target}/etc/pam.d/login"
   insert_comments "${var_target}/etc/pam.d/login"
-  cat << 'EOF' >> "${var_target}/etc/pam.d/login"
+  cat << EOF >>   "${var_target}/etc/pam.d/login"
 #
 # The PAM configuration file for the Shadow 'login' service
 #
 
-# Enforce a minimal delay in case of failure (in microseconds).
+# Enforce a minimal delay in case of failure (in microseconds). (Replaces the 'FAIL_DELAY' setting from login.defs).
-# (Replaces the 'FAIL_DELAY' setting from login.defs)
+# Note that other modules may require another minimal delay. (For example, to disable any delay, you should add the 'nodelay'
-# Note that other modules may require another minimal delay. (for example,
+# option to pam_unix).
-# to disable any delay, you should add the nodelay option to pam_unix)
 auth    optional    pam_faildelay.so    delay=3000000
 
-# Outputs an issue file prior to each login prompt (Replaces the
+# Outputs an issue file prior to each login prompt (Replaces the ISSUE_FILE option from login.defs). Uncomment for use.
-# ISSUE_FILE option from login.defs). Uncomment for use
 # auth    required    pam_issue.so issue=/etc/issue
 
-# Disallows other than root logins when /etc/nologin exists
+# Disallows other than root logins when /etc/nologin exists. (Replaces the 'NOLOGINS_FILE' option from login.defs).
-# (Replaces the `NOLOGINS_FILE' option from login.defs)
 auth    requisite    pam_nologin.so
 
-# SELinux needs to be the first session rule. This ensures that any
+# SELinux needs to be the first session rule. This ensures that any lingering context has been cleared. Without this it is
-# lingering context has been cleared. Without this it is possible
+# possible that a module could execute code in the wrong domain. When the module is present, "required" would be sufficient
-# that a module could execute code in the wrong domain.
+# (When SELinux is disabled, this returns success.)
-# When the module is present, "required" would be sufficient (When SELinux
-# is disabled, this returns success.)
 session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
 
 # Sets the loginuid process attribute
 session    required    pam_loginuid.so
 
-# Prints the message of the day upon successful login.
+# Prints the message of the day upon successful login. (Replaces the 'MOTD_FILE' option in login.defs). This includes a
-# (Replaces the `MOTD_FILE' option in login.defs)
+# dynamically generated part from /run/motd.dynamic, and a static (admin-editable) part from /etc/motd.
-# This includes a dynamically generated part from /run/motd.dynamic,
-# and a static (admin-editable) part from /etc/motd.
 session    optional    pam_motd.so motd=/run/motd.dynamic
 session    optional    pam_motd.so noupdate
 
-# SELinux needs to intervene at login time to ensure that the process
+# SELinux needs to intervene at login time to ensure that the process starts in the proper default security context. Only
-# starts in the proper default security context. Only sessions which are
+# sessions which are intended to run in the user's context should be run after this. The module pam_selinux.so changes the
-# intended to run in the user's context should be run after this.
+# SELinux context of the used TTY and configures SELinux in order to transition to the user context with the next execve()
-# pam_selinux.so changes the SELinux context of the used TTY and configures
-# SELinux in order to transition to the user context with the next execve()
 # call.
 session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-# When the module is present, "required" would be sufficient (When SELinux
+# When the module is present, "required" would be sufficient (When SELinux is disabled, this returns success.)
-# is disabled, this returns success.)
 
-# This module parses environment configuration file(s)
+# This module parses environment configuration file(s) and also allows you to use an extended config file
-# and also allows you to use an extended config
+# /etc/security/pam_env.conf. Parsing /etc/environment needs "readenv=1"
-# file /etc/security/pam_env.conf.
-#
-# parsing /etc/environment needs "readenv=1"
 session    required    pam_env.so readenv=1
-# locale variables can also be set in /etc/default/locale
+# Locale variables can also be set in /etc/default/locale reading this file *in addition to /etc/environment* does not hurt.
-# reading this file *in addition to /etc/environment* does not hurt
 session    required    pam_env.so readenv=1 envfile=/etc/default/locale
 
 # Standard Un*x authentication.
 @include common-auth
 
-# This allows certain extra groups to be granted to a user
+# ===== CISS 2FA block  =====
-# based on things like time of day, tty, service, and user.
+
-# Please edit /etc/security/group.conf to fit your needs
+# If user is NOT listed -> succeed and SKIP next two lines (no TOTP prompt).
-# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+auth  [success=2 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa onerr=ignore
+
+# Listed users: show a clear hint and then require GA. No 'nullok': missing secret → fail.
+auth  required                    pam_echo.so file=/etc/ciss/login_totp.prompt
+auth  required                    pam_google_authenticator.so
+
+# ===== CISS 2FA block end =====
+
+# This allows certain extra groups to be granted to a user based on things like time of day, tty, service, and user. Please
+# edit /etc/security/group.conf to fit your needs (Replaces the 'CONSOLE_GROUPS' option in login.defs).
 auth    optional    pam_group.so
 
-# Uncomment and edit /etc/security/time.conf if you need to set
+# Uncomment and edit /etc/security/time.conf if you need to set time restraint on logins. (Replaces the 'PORTTIME_CHECKS_ENAB'
-# time restraint on logins.
+# option from login.defs as well as /etc/porttime).
-# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# account    requisite    am_time.so
-# as well as /etc/porttime)
-# account    requisite  pam_time.so
 
-# Uncomment and edit /etc/security/access.conf if you need to
+# Uncomment and edit /etc/security/access.conf if you need to set access limits. (Replaces /etc/login.access file).
-# set access limits.
-# (Replaces /etc/login.access file)
 # account    required    pam_access.so
 
-# Sets up user limits according to /etc/security/limits.conf
+# Sets up user limits according to /etc/security/limits.conf. (Replaces the use of /etc/limits in old login).
-# (Replaces the use of /etc/limits in old login)
 session    required    pam_limits.so
 
-# Prints the status of the user's mailbox upon successful login
+# Prints the status of the user's mailbox upon successful login (Replaces the 'MAIL_CHECK_ENAB' option from login.defs).
-# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
+# This also defines the MAIL environment variable. However, userdel also needs MAIL_DIR and MAIL_FILE variables in
-#
+# /etc/login.defs to make sure that removing a user also removes the user's mail spool file. See comments in /etc/login.defs.
-# This also defines the MAIL environment variable
-# However, userdel also needs MAIL_DIR and MAIL_FILE variables
-# in /etc/login.defs to make sure that removing a user
-# also removes the user's mail spool file.
-# See comments in /etc/login.defs
 session     optional    pam_mail.so standard
 
 # Create a new session keyring.
@@ -1358,9 +1343,13 @@ session    optional   pam_keyinit.so force revoke
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
-
   do_log "info" "file_only" "4520() Written: [/etc/pam.d/login]."
 
+  cat << 'EOF' >| "${var_target}/etc/ciss/login_totp.prompt"
+After your UNIX password, please enter your 6-digit TOTP code.
+EOF
+  chmod 0444 "${var_target}/etc/ciss/login_totp.prompt"
+  do_log "info" "file_only" "4520() Written: [/etc/ciss/login_totp.prompt]."
 
   return 0
 }
@@ -1386,7 +1375,12 @@ write_pam_sshd() {
   insert_header   "${var_target}/etc/pam.d/sshd"
   insert_comments "${var_target}/etc/pam.d/sshd"
   cat << EOF >>   "${var_target}/etc/pam.d/sshd"
-# ===== CISS 2FA block (MUST be placed at the very top of /etc/pam.d/sshd) =====
+#
+# PAM configuration for the Secure Shell service
+#
+
+# ===== CISS 2FA block  =====
+
 # If user is NOT listed -> succeed and SKIP next two lines (silent Keyboard-Interactive (KI) success).
 auth  [success=2 default=ignore]  pam_listfile.so item=user sense=deny file=/etc/ciss/2fa onerr=ignore
 
@@ -1400,10 +1394,8 @@ auth  required                    pam_google_authenticator.so
 auth  sufficient                  pam_permit.so
 # ===== CISS 2FA block end =====
 
-# Keep the rest as shipped by Debian; it will be short-circuited by pam_permit for KI
+# Keep the rest as shipped by Debian. It will be short-circuited by pam_permit for KI and never reached for 2FA users after
-# and never reached for 2FA users after successful GA.
+# successful GA.
-
-# PAM configuration for the Secure Shell service
 
 # Standard Un*x authentication.
 @include    common-auth
@@ -1411,16 +1403,14 @@ auth  sufficient                  pam_permit.so
 # Disallow non-root logins when /etc/nologin exists.
 account    required    pam_nologin.so
 
-# Uncomment and edit /etc/security/access.conf if you need to set complex
+# Uncomment and edit /etc/security/access.conf if you need to set complex access limits that are hard to express in sshd_config.
-# access limits that are hard to express in sshd_config.
 # account    required    pam_access.so
 
 # Standard Un*x authorization.
 @include common-account
 
-# SELinux needs to be the first session rule.  This ensures that any
+# SELinux needs to be the first session rule.  This ensures that any lingering context has been cleared. Without this it is
-# lingering context has been cleared.  Without this it is possible that a
+# possible that a module could execute code in the wrong domain.
-# module could execute code in the wrong domain.
 session [success=ok ignore=ignore module_unknown=ignore default=bad]    pam_selinux.so close
 
 # Set the loginuid process attribute.
@@ -1432,9 +1422,8 @@ session    optional     pam_keyinit.so force revoke
 # Standard Un*x session setup and teardown.
 @include    common-session
 
-# Print the message of the day upon successful login.
+# Print the message of the day upon successful login. This includes a dynamically generated part from /run/motd.dynamic and a
-# This includes a dynamically generated part from /run/motd.dynamic
+# static (admin-editable) part from /etc/motd.
-# and a static (admin-editable) part from /etc/motd.
 session    optional    pam_motd.so    motd=/run/motd.dynamic
 session    optional    pam_motd.so    noupdate
 
@@ -1444,16 +1433,14 @@ session    optional     pam_mail.so standard noenv # [1]
 # Set up user limits from /etc/security/limits.conf.
 session    required    pam_limits.so
 
-# Read environment variables from /etc/environment and
+# Read environment variables from /etc/environment and /etc/security/pam_env.conf.
-# /etc/security/pam_env.conf.
 session    required    pam_env.so # [1]
-# In Debian 4.0 (etch), locale-related environment variables were moved to
+
-# /etc/default/locale, so read that as well.
+# In Debian 4.0 (etch), locale-related environment variables were moved to /etc/default/locale, so read that as well.
 session    required    pam_env.so envfile=/etc/default/locale
 
-# SELinux needs to intervene at login time to ensure that the process starts
+# SELinux needs to intervene at login time to ensure that the process starts in the proper default security context. Only
-# in the proper default security context.  Only sessions which are intended
+# sessions which are intended to run in the user's context should be run after this.
-# to run in the user's context should be run after this.
 session [success=ok ignore=ignore module_unknown=ignore default=bad]    pam_selinux.so open
 
 # Standard Un*x password updating.