V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m34s
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m34s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -61,13 +61,13 @@ Wants=ifup@${VAR_FINAL_NIC}.service
|
||||
### If any tentative IPv6 address exists on the device, wait and retry.
|
||||
### Check for the exact global address (fixed-string match, include trailing "/").
|
||||
ExecStartPre=/bin/sh -c '\
|
||||
for i in $(seq 1 60); do \
|
||||
for i in \$(seq 1 60); do \
|
||||
ip -6 addr show dev ${VAR_FINAL_NIC} tentative | grep -q "inet6" && { sleep 0.5; continue; }; \
|
||||
ip -6 addr show dev ${VAR_FINAL_NIC} scope global | grep -Fq " ${VAR_FINAL_IPV6}/" && exit 0; \
|
||||
sleep 0.5; \
|
||||
done; \
|
||||
echo "IPv6 address ${VAR_FINAL_IPV6} on ${VAR_FINAL_NIC} not ready"; exit 1'
|
||||
TimeoutStartSec=32s
|
||||
TimeoutStartSec=40s
|
||||
Restart=on-failure
|
||||
RestartSec=2s
|
||||
EOF
|
||||
|
||||
@@ -1258,94 +1258,79 @@ write_pam_login() {
|
||||
|
||||
insert_header "${var_target}/etc/pam.d/login"
|
||||
insert_comments "${var_target}/etc/pam.d/login"
|
||||
cat << 'EOF' >> "${var_target}/etc/pam.d/login"
|
||||
cat << EOF >> "${var_target}/etc/pam.d/login"
|
||||
#
|
||||
# The PAM configuration file for the Shadow 'login' service
|
||||
#
|
||||
|
||||
# Enforce a minimal delay in case of failure (in microseconds).
|
||||
# (Replaces the 'FAIL_DELAY' setting from login.defs)
|
||||
# Note that other modules may require another minimal delay. (for example,
|
||||
# to disable any delay, you should add the nodelay option to pam_unix)
|
||||
# Enforce a minimal delay in case of failure (in microseconds). (Replaces the 'FAIL_DELAY' setting from login.defs).
|
||||
# Note that other modules may require another minimal delay. (For example, to disable any delay, you should add the 'nodelay'
|
||||
# option to pam_unix).
|
||||
auth optional pam_faildelay.so delay=3000000
|
||||
|
||||
# Outputs an issue file prior to each login prompt (Replaces the
|
||||
# ISSUE_FILE option from login.defs). Uncomment for use
|
||||
# Outputs an issue file prior to each login prompt (Replaces the ISSUE_FILE option from login.defs). Uncomment for use.
|
||||
# auth required pam_issue.so issue=/etc/issue
|
||||
|
||||
# Disallows other than root logins when /etc/nologin exists
|
||||
# (Replaces the `NOLOGINS_FILE' option from login.defs)
|
||||
# Disallows other than root logins when /etc/nologin exists. (Replaces the 'NOLOGINS_FILE' option from login.defs).
|
||||
auth requisite pam_nologin.so
|
||||
|
||||
# SELinux needs to be the first session rule. This ensures that any
|
||||
# lingering context has been cleared. Without this it is possible
|
||||
# that a module could execute code in the wrong domain.
|
||||
# When the module is present, "required" would be sufficient (When SELinux
|
||||
# is disabled, this returns success.)
|
||||
# SELinux needs to be the first session rule. This ensures that any lingering context has been cleared. Without this it is
|
||||
# possible that a module could execute code in the wrong domain. When the module is present, "required" would be sufficient
|
||||
# (When SELinux is disabled, this returns success.)
|
||||
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
|
||||
|
||||
# Sets the loginuid process attribute
|
||||
session required pam_loginuid.so
|
||||
|
||||
# Prints the message of the day upon successful login.
|
||||
# (Replaces the `MOTD_FILE' option in login.defs)
|
||||
# This includes a dynamically generated part from /run/motd.dynamic,
|
||||
# and a static (admin-editable) part from /etc/motd.
|
||||
# Prints the message of the day upon successful login. (Replaces the 'MOTD_FILE' option in login.defs). This includes a
|
||||
# dynamically generated part from /run/motd.dynamic, and a static (admin-editable) part from /etc/motd.
|
||||
session optional pam_motd.so motd=/run/motd.dynamic
|
||||
session optional pam_motd.so noupdate
|
||||
|
||||
# SELinux needs to intervene at login time to ensure that the process
|
||||
# starts in the proper default security context. Only sessions which are
|
||||
# intended to run in the user's context should be run after this.
|
||||
# pam_selinux.so changes the SELinux context of the used TTY and configures
|
||||
# SELinux in order to transition to the user context with the next execve()
|
||||
# SELinux needs to intervene at login time to ensure that the process starts in the proper default security context. Only
|
||||
# sessions which are intended to run in the user's context should be run after this. The module pam_selinux.so changes the
|
||||
# SELinux context of the used TTY and configures SELinux in order to transition to the user context with the next execve()
|
||||
# call.
|
||||
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
|
||||
# When the module is present, "required" would be sufficient (When SELinux
|
||||
# is disabled, this returns success.)
|
||||
# When the module is present, "required" would be sufficient (When SELinux is disabled, this returns success.)
|
||||
|
||||
# This module parses environment configuration file(s)
|
||||
# and also allows you to use an extended config
|
||||
# file /etc/security/pam_env.conf.
|
||||
#
|
||||
# parsing /etc/environment needs "readenv=1"
|
||||
# This module parses environment configuration file(s) and also allows you to use an extended config file
|
||||
# /etc/security/pam_env.conf. Parsing /etc/environment needs "readenv=1"
|
||||
session required pam_env.so readenv=1
|
||||
# locale variables can also be set in /etc/default/locale
|
||||
# reading this file *in addition to /etc/environment* does not hurt
|
||||
# Locale variables can also be set in /etc/default/locale reading this file *in addition to /etc/environment* does not hurt.
|
||||
session required pam_env.so readenv=1 envfile=/etc/default/locale
|
||||
|
||||
# Standard Un*x authentication.
|
||||
@include common-auth
|
||||
|
||||
# This allows certain extra groups to be granted to a user
|
||||
# based on things like time of day, tty, service, and user.
|
||||
# Please edit /etc/security/group.conf to fit your needs
|
||||
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
|
||||
# ===== CISS 2FA block =====
|
||||
|
||||
# If user is NOT listed -> succeed and SKIP next two lines (no TOTP prompt).
|
||||
auth [success=2 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa onerr=ignore
|
||||
|
||||
# Listed users: show a clear hint and then require GA. No 'nullok': missing secret → fail.
|
||||
auth required pam_echo.so file=/etc/ciss/login_totp.prompt
|
||||
auth required pam_google_authenticator.so
|
||||
|
||||
# ===== CISS 2FA block end =====
|
||||
|
||||
# This allows certain extra groups to be granted to a user based on things like time of day, tty, service, and user. Please
|
||||
# edit /etc/security/group.conf to fit your needs (Replaces the 'CONSOLE_GROUPS' option in login.defs).
|
||||
auth optional pam_group.so
|
||||
|
||||
# Uncomment and edit /etc/security/time.conf if you need to set
|
||||
# time restraint on logins.
|
||||
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
|
||||
# as well as /etc/porttime)
|
||||
# account requisite pam_time.so
|
||||
# Uncomment and edit /etc/security/time.conf if you need to set time restraint on logins. (Replaces the 'PORTTIME_CHECKS_ENAB'
|
||||
# option from login.defs as well as /etc/porttime).
|
||||
# account requisite am_time.so
|
||||
|
||||
# Uncomment and edit /etc/security/access.conf if you need to
|
||||
# set access limits.
|
||||
# (Replaces /etc/login.access file)
|
||||
# Uncomment and edit /etc/security/access.conf if you need to set access limits. (Replaces /etc/login.access file).
|
||||
# account required pam_access.so
|
||||
|
||||
# Sets up user limits according to /etc/security/limits.conf
|
||||
# (Replaces the use of /etc/limits in old login)
|
||||
# Sets up user limits according to /etc/security/limits.conf. (Replaces the use of /etc/limits in old login).
|
||||
session required pam_limits.so
|
||||
|
||||
# Prints the status of the user's mailbox upon successful login
|
||||
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
|
||||
#
|
||||
# This also defines the MAIL environment variable
|
||||
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
|
||||
# in /etc/login.defs to make sure that removing a user
|
||||
# also removes the user's mail spool file.
|
||||
# See comments in /etc/login.defs
|
||||
# Prints the status of the user's mailbox upon successful login (Replaces the 'MAIL_CHECK_ENAB' option from login.defs).
|
||||
# This also defines the MAIL environment variable. However, userdel also needs MAIL_DIR and MAIL_FILE variables in
|
||||
# /etc/login.defs to make sure that removing a user also removes the user's mail spool file. See comments in /etc/login.defs.
|
||||
session optional pam_mail.so standard
|
||||
|
||||
# Create a new session keyring.
|
||||
@@ -1358,9 +1343,13 @@ session optional pam_keyinit.so force revoke
|
||||
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
|
||||
EOF
|
||||
|
||||
do_log "info" "file_only" "4520() Written: [/etc/pam.d/login]."
|
||||
|
||||
cat << 'EOF' >| "${var_target}/etc/ciss/login_totp.prompt"
|
||||
After your UNIX password, please enter your 6-digit TOTP code.
|
||||
EOF
|
||||
chmod 0444 "${var_target}/etc/ciss/login_totp.prompt"
|
||||
do_log "info" "file_only" "4520() Written: [/etc/ciss/login_totp.prompt]."
|
||||
|
||||
return 0
|
||||
}
|
||||
@@ -1386,7 +1375,12 @@ write_pam_sshd() {
|
||||
insert_header "${var_target}/etc/pam.d/sshd"
|
||||
insert_comments "${var_target}/etc/pam.d/sshd"
|
||||
cat << EOF >> "${var_target}/etc/pam.d/sshd"
|
||||
# ===== CISS 2FA block (MUST be placed at the very top of /etc/pam.d/sshd) =====
|
||||
#
|
||||
# PAM configuration for the Secure Shell service
|
||||
#
|
||||
|
||||
# ===== CISS 2FA block =====
|
||||
|
||||
# If user is NOT listed -> succeed and SKIP next two lines (silent Keyboard-Interactive (KI) success).
|
||||
auth [success=2 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa onerr=ignore
|
||||
|
||||
@@ -1400,10 +1394,8 @@ auth required pam_google_authenticator.so
|
||||
auth sufficient pam_permit.so
|
||||
# ===== CISS 2FA block end =====
|
||||
|
||||
# Keep the rest as shipped by Debian; it will be short-circuited by pam_permit for KI
|
||||
# and never reached for 2FA users after successful GA.
|
||||
|
||||
# PAM configuration for the Secure Shell service
|
||||
# Keep the rest as shipped by Debian. It will be short-circuited by pam_permit for KI and never reached for 2FA users after
|
||||
# successful GA.
|
||||
|
||||
# Standard Un*x authentication.
|
||||
@include common-auth
|
||||
@@ -1411,16 +1403,14 @@ auth sufficient pam_permit.so
|
||||
# Disallow non-root logins when /etc/nologin exists.
|
||||
account required pam_nologin.so
|
||||
|
||||
# Uncomment and edit /etc/security/access.conf if you need to set complex
|
||||
# access limits that are hard to express in sshd_config.
|
||||
# Uncomment and edit /etc/security/access.conf if you need to set complex access limits that are hard to express in sshd_config.
|
||||
# account required pam_access.so
|
||||
|
||||
# Standard Un*x authorization.
|
||||
@include common-account
|
||||
|
||||
# SELinux needs to be the first session rule. This ensures that any
|
||||
# lingering context has been cleared. Without this it is possible that a
|
||||
# module could execute code in the wrong domain.
|
||||
# SELinux needs to be the first session rule. This ensures that any lingering context has been cleared. Without this it is
|
||||
# possible that a module could execute code in the wrong domain.
|
||||
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
|
||||
|
||||
# Set the loginuid process attribute.
|
||||
@@ -1432,9 +1422,8 @@ session optional pam_keyinit.so force revoke
|
||||
# Standard Un*x session setup and teardown.
|
||||
@include common-session
|
||||
|
||||
# Print the message of the day upon successful login.
|
||||
# This includes a dynamically generated part from /run/motd.dynamic
|
||||
# and a static (admin-editable) part from /etc/motd.
|
||||
# Print the message of the day upon successful login. This includes a dynamically generated part from /run/motd.dynamic and a
|
||||
# static (admin-editable) part from /etc/motd.
|
||||
session optional pam_motd.so motd=/run/motd.dynamic
|
||||
session optional pam_motd.so noupdate
|
||||
|
||||
@@ -1444,16 +1433,14 @@ session optional pam_mail.so standard noenv # [1]
|
||||
# Set up user limits from /etc/security/limits.conf.
|
||||
session required pam_limits.so
|
||||
|
||||
# Read environment variables from /etc/environment and
|
||||
# /etc/security/pam_env.conf.
|
||||
# Read environment variables from /etc/environment and /etc/security/pam_env.conf.
|
||||
session required pam_env.so # [1]
|
||||
# In Debian 4.0 (etch), locale-related environment variables were moved to
|
||||
# /etc/default/locale, so read that as well.
|
||||
|
||||
# In Debian 4.0 (etch), locale-related environment variables were moved to /etc/default/locale, so read that as well.
|
||||
session required pam_env.so envfile=/etc/default/locale
|
||||
|
||||
# SELinux needs to intervene at login time to ensure that the process starts
|
||||
# in the proper default security context. Only sessions which are intended
|
||||
# to run in the user's context should be run after this.
|
||||
# SELinux needs to intervene at login time to ensure that the process starts in the proper default security context. Only
|
||||
# sessions which are intended to run in the user's context should be run after this.
|
||||
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
|
||||
|
||||
# Standard Un*x password updating.
|
||||
|
||||
Reference in New Issue
Block a user