V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m34s
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m34s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -61,13 +61,13 @@ Wants=ifup@${VAR_FINAL_NIC}.service
|
|||||||
### If any tentative IPv6 address exists on the device, wait and retry.
|
### If any tentative IPv6 address exists on the device, wait and retry.
|
||||||
### Check for the exact global address (fixed-string match, include trailing "/").
|
### Check for the exact global address (fixed-string match, include trailing "/").
|
||||||
ExecStartPre=/bin/sh -c '\
|
ExecStartPre=/bin/sh -c '\
|
||||||
for i in $(seq 1 60); do \
|
for i in \$(seq 1 60); do \
|
||||||
ip -6 addr show dev ${VAR_FINAL_NIC} tentative | grep -q "inet6" && { sleep 0.5; continue; }; \
|
ip -6 addr show dev ${VAR_FINAL_NIC} tentative | grep -q "inet6" && { sleep 0.5; continue; }; \
|
||||||
ip -6 addr show dev ${VAR_FINAL_NIC} scope global | grep -Fq " ${VAR_FINAL_IPV6}/" && exit 0; \
|
ip -6 addr show dev ${VAR_FINAL_NIC} scope global | grep -Fq " ${VAR_FINAL_IPV6}/" && exit 0; \
|
||||||
sleep 0.5; \
|
sleep 0.5; \
|
||||||
done; \
|
done; \
|
||||||
echo "IPv6 address ${VAR_FINAL_IPV6} on ${VAR_FINAL_NIC} not ready"; exit 1'
|
echo "IPv6 address ${VAR_FINAL_IPV6} on ${VAR_FINAL_NIC} not ready"; exit 1'
|
||||||
TimeoutStartSec=32s
|
TimeoutStartSec=40s
|
||||||
Restart=on-failure
|
Restart=on-failure
|
||||||
RestartSec=2s
|
RestartSec=2s
|
||||||
EOF
|
EOF
|
||||||
|
|||||||
@@ -1258,98 +1258,83 @@ write_pam_login() {
|
|||||||
|
|
||||||
insert_header "${var_target}/etc/pam.d/login"
|
insert_header "${var_target}/etc/pam.d/login"
|
||||||
insert_comments "${var_target}/etc/pam.d/login"
|
insert_comments "${var_target}/etc/pam.d/login"
|
||||||
cat << 'EOF' >> "${var_target}/etc/pam.d/login"
|
cat << EOF >> "${var_target}/etc/pam.d/login"
|
||||||
#
|
#
|
||||||
# The PAM configuration file for the Shadow 'login' service
|
# The PAM configuration file for the Shadow 'login' service
|
||||||
#
|
#
|
||||||
|
|
||||||
# Enforce a minimal delay in case of failure (in microseconds).
|
# Enforce a minimal delay in case of failure (in microseconds). (Replaces the 'FAIL_DELAY' setting from login.defs).
|
||||||
# (Replaces the 'FAIL_DELAY' setting from login.defs)
|
# Note that other modules may require another minimal delay. (For example, to disable any delay, you should add the 'nodelay'
|
||||||
# Note that other modules may require another minimal delay. (for example,
|
# option to pam_unix).
|
||||||
# to disable any delay, you should add the nodelay option to pam_unix)
|
auth optional pam_faildelay.so delay=3000000
|
||||||
auth optional pam_faildelay.so delay=3000000
|
|
||||||
|
|
||||||
# Outputs an issue file prior to each login prompt (Replaces the
|
# Outputs an issue file prior to each login prompt (Replaces the ISSUE_FILE option from login.defs). Uncomment for use.
|
||||||
# ISSUE_FILE option from login.defs). Uncomment for use
|
# auth required pam_issue.so issue=/etc/issue
|
||||||
# auth required pam_issue.so issue=/etc/issue
|
|
||||||
|
|
||||||
# Disallows other than root logins when /etc/nologin exists
|
# Disallows other than root logins when /etc/nologin exists. (Replaces the 'NOLOGINS_FILE' option from login.defs).
|
||||||
# (Replaces the `NOLOGINS_FILE' option from login.defs)
|
auth requisite pam_nologin.so
|
||||||
auth requisite pam_nologin.so
|
|
||||||
|
|
||||||
# SELinux needs to be the first session rule. This ensures that any
|
# SELinux needs to be the first session rule. This ensures that any lingering context has been cleared. Without this it is
|
||||||
# lingering context has been cleared. Without this it is possible
|
# possible that a module could execute code in the wrong domain. When the module is present, "required" would be sufficient
|
||||||
# that a module could execute code in the wrong domain.
|
# (When SELinux is disabled, this returns success.)
|
||||||
# When the module is present, "required" would be sufficient (When SELinux
|
|
||||||
# is disabled, this returns success.)
|
|
||||||
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
|
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
|
||||||
|
|
||||||
# Sets the loginuid process attribute
|
# Sets the loginuid process attribute
|
||||||
session required pam_loginuid.so
|
session required pam_loginuid.so
|
||||||
|
|
||||||
# Prints the message of the day upon successful login.
|
# Prints the message of the day upon successful login. (Replaces the 'MOTD_FILE' option in login.defs). This includes a
|
||||||
# (Replaces the `MOTD_FILE' option in login.defs)
|
# dynamically generated part from /run/motd.dynamic, and a static (admin-editable) part from /etc/motd.
|
||||||
# This includes a dynamically generated part from /run/motd.dynamic,
|
session optional pam_motd.so motd=/run/motd.dynamic
|
||||||
# and a static (admin-editable) part from /etc/motd.
|
session optional pam_motd.so noupdate
|
||||||
session optional pam_motd.so motd=/run/motd.dynamic
|
|
||||||
session optional pam_motd.so noupdate
|
|
||||||
|
|
||||||
# SELinux needs to intervene at login time to ensure that the process
|
# SELinux needs to intervene at login time to ensure that the process starts in the proper default security context. Only
|
||||||
# starts in the proper default security context. Only sessions which are
|
# sessions which are intended to run in the user's context should be run after this. The module pam_selinux.so changes the
|
||||||
# intended to run in the user's context should be run after this.
|
# SELinux context of the used TTY and configures SELinux in order to transition to the user context with the next execve()
|
||||||
# pam_selinux.so changes the SELinux context of the used TTY and configures
|
|
||||||
# SELinux in order to transition to the user context with the next execve()
|
|
||||||
# call.
|
# call.
|
||||||
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
|
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
|
||||||
# When the module is present, "required" would be sufficient (When SELinux
|
# When the module is present, "required" would be sufficient (When SELinux is disabled, this returns success.)
|
||||||
# is disabled, this returns success.)
|
|
||||||
|
|
||||||
# This module parses environment configuration file(s)
|
# This module parses environment configuration file(s) and also allows you to use an extended config file
|
||||||
# and also allows you to use an extended config
|
# /etc/security/pam_env.conf. Parsing /etc/environment needs "readenv=1"
|
||||||
# file /etc/security/pam_env.conf.
|
session required pam_env.so readenv=1
|
||||||
#
|
# Locale variables can also be set in /etc/default/locale reading this file *in addition to /etc/environment* does not hurt.
|
||||||
# parsing /etc/environment needs "readenv=1"
|
session required pam_env.so readenv=1 envfile=/etc/default/locale
|
||||||
session required pam_env.so readenv=1
|
|
||||||
# locale variables can also be set in /etc/default/locale
|
|
||||||
# reading this file *in addition to /etc/environment* does not hurt
|
|
||||||
session required pam_env.so readenv=1 envfile=/etc/default/locale
|
|
||||||
|
|
||||||
# Standard Un*x authentication.
|
# Standard Un*x authentication.
|
||||||
@include common-auth
|
@include common-auth
|
||||||
|
|
||||||
# This allows certain extra groups to be granted to a user
|
# ===== CISS 2FA block =====
|
||||||
# based on things like time of day, tty, service, and user.
|
|
||||||
# Please edit /etc/security/group.conf to fit your needs
|
|
||||||
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
|
|
||||||
auth optional pam_group.so
|
|
||||||
|
|
||||||
# Uncomment and edit /etc/security/time.conf if you need to set
|
# If user is NOT listed -> succeed and SKIP next two lines (no TOTP prompt).
|
||||||
# time restraint on logins.
|
auth [success=2 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa onerr=ignore
|
||||||
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
|
|
||||||
# as well as /etc/porttime)
|
|
||||||
# account requisite pam_time.so
|
|
||||||
|
|
||||||
# Uncomment and edit /etc/security/access.conf if you need to
|
# Listed users: show a clear hint and then require GA. No 'nullok': missing secret → fail.
|
||||||
# set access limits.
|
auth required pam_echo.so file=/etc/ciss/login_totp.prompt
|
||||||
# (Replaces /etc/login.access file)
|
auth required pam_google_authenticator.so
|
||||||
# account required pam_access.so
|
|
||||||
|
|
||||||
# Sets up user limits according to /etc/security/limits.conf
|
# ===== CISS 2FA block end =====
|
||||||
# (Replaces the use of /etc/limits in old login)
|
|
||||||
session required pam_limits.so
|
|
||||||
|
|
||||||
# Prints the status of the user's mailbox upon successful login
|
# This allows certain extra groups to be granted to a user based on things like time of day, tty, service, and user. Please
|
||||||
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
|
# edit /etc/security/group.conf to fit your needs (Replaces the 'CONSOLE_GROUPS' option in login.defs).
|
||||||
#
|
auth optional pam_group.so
|
||||||
# This also defines the MAIL environment variable
|
|
||||||
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
|
# Uncomment and edit /etc/security/time.conf if you need to set time restraint on logins. (Replaces the 'PORTTIME_CHECKS_ENAB'
|
||||||
# in /etc/login.defs to make sure that removing a user
|
# option from login.defs as well as /etc/porttime).
|
||||||
# also removes the user's mail spool file.
|
# account requisite am_time.so
|
||||||
# See comments in /etc/login.defs
|
|
||||||
session optional pam_mail.so standard
|
# Uncomment and edit /etc/security/access.conf if you need to set access limits. (Replaces /etc/login.access file).
|
||||||
|
# account required pam_access.so
|
||||||
|
|
||||||
|
# Sets up user limits according to /etc/security/limits.conf. (Replaces the use of /etc/limits in old login).
|
||||||
|
session required pam_limits.so
|
||||||
|
|
||||||
|
# Prints the status of the user's mailbox upon successful login (Replaces the 'MAIL_CHECK_ENAB' option from login.defs).
|
||||||
|
# This also defines the MAIL environment variable. However, userdel also needs MAIL_DIR and MAIL_FILE variables in
|
||||||
|
# /etc/login.defs to make sure that removing a user also removes the user's mail spool file. See comments in /etc/login.defs.
|
||||||
|
session optional pam_mail.so standard
|
||||||
|
|
||||||
# Create a new session keyring.
|
# Create a new session keyring.
|
||||||
session optional pam_keyinit.so force revoke
|
session optional pam_keyinit.so force revoke
|
||||||
|
|
||||||
# Standard Un*x account and session
|
# Standard Un*x account and session
|
||||||
@include common-account
|
@include common-account
|
||||||
@@ -1358,9 +1343,13 @@ session optional pam_keyinit.so force revoke
|
|||||||
|
|
||||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
|
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
do_log "info" "file_only" "4520() Written: [/etc/pam.d/login]."
|
do_log "info" "file_only" "4520() Written: [/etc/pam.d/login]."
|
||||||
|
|
||||||
|
cat << 'EOF' >| "${var_target}/etc/ciss/login_totp.prompt"
|
||||||
|
After your UNIX password, please enter your 6-digit TOTP code.
|
||||||
|
EOF
|
||||||
|
chmod 0444 "${var_target}/etc/ciss/login_totp.prompt"
|
||||||
|
do_log "info" "file_only" "4520() Written: [/etc/ciss/login_totp.prompt]."
|
||||||
|
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
@@ -1386,7 +1375,12 @@ write_pam_sshd() {
|
|||||||
insert_header "${var_target}/etc/pam.d/sshd"
|
insert_header "${var_target}/etc/pam.d/sshd"
|
||||||
insert_comments "${var_target}/etc/pam.d/sshd"
|
insert_comments "${var_target}/etc/pam.d/sshd"
|
||||||
cat << EOF >> "${var_target}/etc/pam.d/sshd"
|
cat << EOF >> "${var_target}/etc/pam.d/sshd"
|
||||||
# ===== CISS 2FA block (MUST be placed at the very top of /etc/pam.d/sshd) =====
|
#
|
||||||
|
# PAM configuration for the Secure Shell service
|
||||||
|
#
|
||||||
|
|
||||||
|
# ===== CISS 2FA block =====
|
||||||
|
|
||||||
# If user is NOT listed -> succeed and SKIP next two lines (silent Keyboard-Interactive (KI) success).
|
# If user is NOT listed -> succeed and SKIP next two lines (silent Keyboard-Interactive (KI) success).
|
||||||
auth [success=2 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa onerr=ignore
|
auth [success=2 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa onerr=ignore
|
||||||
|
|
||||||
@@ -1400,61 +1394,54 @@ auth required pam_google_authenticator.so
|
|||||||
auth sufficient pam_permit.so
|
auth sufficient pam_permit.so
|
||||||
# ===== CISS 2FA block end =====
|
# ===== CISS 2FA block end =====
|
||||||
|
|
||||||
# Keep the rest as shipped by Debian; it will be short-circuited by pam_permit for KI
|
# Keep the rest as shipped by Debian. It will be short-circuited by pam_permit for KI and never reached for 2FA users after
|
||||||
# and never reached for 2FA users after successful GA.
|
# successful GA.
|
||||||
|
|
||||||
# PAM configuration for the Secure Shell service
|
|
||||||
|
|
||||||
# Standard Un*x authentication.
|
# Standard Un*x authentication.
|
||||||
@include common-auth
|
@include common-auth
|
||||||
|
|
||||||
# Disallow non-root logins when /etc/nologin exists.
|
# Disallow non-root logins when /etc/nologin exists.
|
||||||
account required pam_nologin.so
|
account required pam_nologin.so
|
||||||
|
|
||||||
# Uncomment and edit /etc/security/access.conf if you need to set complex
|
# Uncomment and edit /etc/security/access.conf if you need to set complex access limits that are hard to express in sshd_config.
|
||||||
# access limits that are hard to express in sshd_config.
|
# account required pam_access.so
|
||||||
# account required pam_access.so
|
|
||||||
|
|
||||||
# Standard Un*x authorization.
|
# Standard Un*x authorization.
|
||||||
@include common-account
|
@include common-account
|
||||||
|
|
||||||
# SELinux needs to be the first session rule. This ensures that any
|
# SELinux needs to be the first session rule. This ensures that any lingering context has been cleared. Without this it is
|
||||||
# lingering context has been cleared. Without this it is possible that a
|
# possible that a module could execute code in the wrong domain.
|
||||||
# module could execute code in the wrong domain.
|
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
|
||||||
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
|
|
||||||
|
|
||||||
# Set the loginuid process attribute.
|
# Set the loginuid process attribute.
|
||||||
session required pam_loginuid.so
|
session required pam_loginuid.so
|
||||||
|
|
||||||
# Create a new session keyring.
|
# Create a new session keyring.
|
||||||
session optional pam_keyinit.so force revoke
|
session optional pam_keyinit.so force revoke
|
||||||
|
|
||||||
# Standard Un*x session setup and teardown.
|
# Standard Un*x session setup and teardown.
|
||||||
@include common-session
|
@include common-session
|
||||||
|
|
||||||
# Print the message of the day upon successful login.
|
# Print the message of the day upon successful login. This includes a dynamically generated part from /run/motd.dynamic and a
|
||||||
# This includes a dynamically generated part from /run/motd.dynamic
|
# static (admin-editable) part from /etc/motd.
|
||||||
# and a static (admin-editable) part from /etc/motd.
|
session optional pam_motd.so motd=/run/motd.dynamic
|
||||||
session optional pam_motd.so motd=/run/motd.dynamic
|
session optional pam_motd.so noupdate
|
||||||
session optional pam_motd.so noupdate
|
|
||||||
|
|
||||||
# Print the status of the user's mailbox upon successful login.
|
# Print the status of the user's mailbox upon successful login.
|
||||||
session optional pam_mail.so standard noenv # [1]
|
session optional pam_mail.so standard noenv # [1]
|
||||||
|
|
||||||
# Set up user limits from /etc/security/limits.conf.
|
# Set up user limits from /etc/security/limits.conf.
|
||||||
session required pam_limits.so
|
session required pam_limits.so
|
||||||
|
|
||||||
# Read environment variables from /etc/environment and
|
# Read environment variables from /etc/environment and /etc/security/pam_env.conf.
|
||||||
# /etc/security/pam_env.conf.
|
session required pam_env.so # [1]
|
||||||
session required pam_env.so # [1]
|
|
||||||
# In Debian 4.0 (etch), locale-related environment variables were moved to
|
|
||||||
# /etc/default/locale, so read that as well.
|
|
||||||
session required pam_env.so envfile=/etc/default/locale
|
|
||||||
|
|
||||||
# SELinux needs to intervene at login time to ensure that the process starts
|
# In Debian 4.0 (etch), locale-related environment variables were moved to /etc/default/locale, so read that as well.
|
||||||
# in the proper default security context. Only sessions which are intended
|
session required pam_env.so envfile=/etc/default/locale
|
||||||
# to run in the user's context should be run after this.
|
|
||||||
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
|
# SELinux needs to intervene at login time to ensure that the process starts in the proper default security context. Only
|
||||||
|
# sessions which are intended to run in the user's context should be run after this.
|
||||||
|
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
|
||||||
|
|
||||||
# Standard Un*x password updating.
|
# Standard Un*x password updating.
|
||||||
@include common-password
|
@include common-password
|
||||||
|
|||||||
Reference in New Issue
Block a user