msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m25s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-07-22 18:16:44 +02:00
parent ae1306db99
commit 15c16ebe58
8 changed files with 159 additions and 138 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
.preseed/preseed.yaml
View File

@@ -688,13 +688,12 @@ user:
protected: true # Prevent unintentional edits or deletions.
shell: /bin/zsh # Login shell (e.g., '/bin/bash', '/bin/zsh'); use '/usr/sbin/nologin' for non-interactive users.
password: ""
ssh_pubkeys: # List of public SSH keys for authentication.
- ""
sshpubkey: ""
authentication:
access:
ssh: false # Allow SSH access.
tty: true # Allow TTY (local console) login.
password_auth:
password:
ssh: false # Allow SSH password login.
tty: true # Allow TTY (local console) password login.
2fa:
@@ -703,9 +702,9 @@ user:
privileges:
description: "Root user with full system access and administrative privileges."
sudo: false # Whether the user can escalate to root using sudo.
system_user: false # Whether this is a low-UID system user (e.g., for automation).
restricted: false # If true, user is limited in scope (e.g., no login, no file access).
shell_access: true # MUST be "true" if shell is not '/usr/sbin/nologin' or '/bin/false'.
system: true # Whether this is a low-UID system user (e.g., for automation).
restricted: false # If true, user is limited in scope (e.g., no login, no file access, --no-create-home)
shell: true # MUST be "true" if shell is not '/usr/sbin/nologin' or '/bin/false'.
##############################################################################################################################
# Primary administrative user with full sudo access
@@ -719,13 +718,12 @@ user:
gid: 1000 # Ensures that the same user has the same GID on all systems.
shell: /bin/zsh # Login shell (e.g., '/bin/bash', '/bin/zsh'); use '/usr/sbin/nologin' for non-interactive users.
password: ""
ssh_pubkeys: # List of public SSH keys for authentication.
- ""
sshpubkey: ""
authentication:
access:
ssh: true # Allow SSH access.
tty: true # Allow TTY (local console) login.
password_auth:
password:
ssh: false # Allow SSH password login.
tty: true # Allow TTY (local console) password login.
2fa:
@@ -734,9 +732,9 @@ user:
privileges:
description: "Primary admin user with full sudo access and interactive login."
sudo: true # Whether the user can escalate to root using sudo.
system_user: false # Whether this is a low-UID system user (e.g., for automation).
restricted: false # If true, user is limited in scope (e.g., no login, no file access).
shell_access: true # MUST be "true" if shell is not '/usr/sbin/nologin' or '/bin/false'.
system: false # Whether this is a low-UID system user (e.g., for automation).
restricted: false # If true, user is limited in scope (e.g., no login, no file access, --no-create-home)
shell: true # MUST be "true" if shell is not '/usr/sbin/nologin' or '/bin/false'.
##############################################################################################################################
# ansible System user for automation, no interactive shell
@@ -750,13 +748,12 @@ user:
gid: 137 # Ensures that the same user has the same GID on all systems.
shell: /usr/sbin/nologin # Login shell (e.g., '/bin/bash', '/bin/zsh'); use '/usr/sbin/nologin' for non-interactive users.
password: "" # No password set for ansible user
ssh_pubkeys: # List of public SSH keys for authentication.
- ""
sshpubkey: ""
authentication:
access:
ssh: true # Allow SSH access.
tty: false # Allow TTY (local console) login.
password_auth:
password:
ssh: false # Allow SSH password login.
tty: false # Allow TTY (local console) password login.
2fa:
@@ -765,8 +762,8 @@ user:
privileges:
description: "Automation user without interactive shell and no sudo."
sudo: true # Whether the user can escalate to root using sudo.
system_user: true # Whether this is a low-UID system user (e.g., for automation).
restricted: true # If true, user is limited in scope (e.g., no login, no file access).
shell_access: false # MUST be "true" if shell is not '/usr/sbin/nologin' or '/bin/false'.
system: true # Whether this is a low-UID system user (e.g., for automation).
restricted: false # If true, user is limited in scope (e.g., no login, no file access, --no-create-home)
shell: false # MUST be "true" if shell is not '/usr/sbin/nologin' or '/bin/false'.
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

2
func/1080_helper_chroot.sh
View File

@@ -98,7 +98,7 @@ do_in_target_script() {
do_log "emergency" "true" "Failure: chroot '${var_chroot_target}': '${var_chroot_script}'."
do_log "debug" "true" "Return code: '${var_chroot_rc}'."
# TODO: Tests with Dialog Wrapper in interactive mode.
# TODO: Test with Dialog Wrapper in interactive mode.
#if [[ "${DEBUG_INTERACTIVE}" == "true" ]]; then
# do_log "warning" "true" "Launching interactive debug shell in chroot: '${var_chroot_target}'."
# chroot "${var_chroot_target}" /bin/bash -l

13
func/1250_yaml_parser.sh
View File

@@ -32,8 +32,10 @@ yaml_parser() {
yq -o=shell "${DIR_TMP}/combined.yaml" >| "${VAR_PRESEED}"
declare -agx ARY_BOOTPARAM=() ARY_NTPSRVR=() ARY_PACKAGES=()
declare var_key var_value
declare -gix VAR_USER_MAX=0
declare var_index var_key var_value
### Generate Arrays for Grub Parameter, NTPSec Server FQDN, Software Packages
while IFS='=' read -r var_key var_value; do
var_value=${var_value#\'}
var_value=${var_value%\'}
@@ -44,6 +46,15 @@ yaml_parser() {
esac
done < "${VAR_PRESEED}"
### Search all set variables for user_userN_name patterns.
while IFS='=' read -r var_index; do
if [[ "${var_index}" =~ ^user_user([0-9]+)_name$ ]]; then
var_index="${BASH_REMATCH[1]}"
(( var_index > VAR_USER_MAX )) && VAR_USER_MAX="${var_index}"
fi
done < <(compgen -v)
### Delete the respective 'key:value'-variables in the global variable set.
sed -i '/^grub_parameter_[0-9]\+=/d' "${VAR_PRESEED}"
sed -i '/^ntp_server_[0-9]\+=/d' "${VAR_PRESEED}"
sed -i '/^software_[0-9]\+=/d' "${VAR_PRESEED}"

4
func/4090_minimal_toolset.sh
View File

@@ -30,6 +30,8 @@ minimal_toolset() {
["cat"]="coreutils"
["chmod"]="coreutils"
["chown"]="coreutils"
["chpasswd"]="passwd"
["chsh"]="passwd"
["cp"]="coreutils"
["cryptsetup"]="cryptsetup-initramfs"
["echo"]="coreutils"
@@ -39,7 +41,9 @@ minimal_toolset() {
["mkdir"]="coreutils"
["ping"]="iputils-ping"
["sed"]="sed"
["sudo"]="sudo"
["update-initramfs"]="initramfs-tools"
["zsh"]="zsh"
)
for var_bin in "${!hmp_tool_pkg[@]}"; do

2
func/4155_setup_grub_password.sh
View File

@@ -78,7 +78,7 @@ generate_grub_password_pbkdf2() {
expect <<EOF
log_user 0
spawn grub-mkpasswd-pbkdf2
spawn grub-mkpasswd-pbkdf2 --iteration-count=131072 --salt=64 --buflen=64
expect "Enter password:"
send "$var_pass\r"
expect "Reenter password:"

37
func/4180_setup_ssh.sh
View File

@@ -15,6 +15,7 @@ guard_sourcing
#######################################
# Setup ssh server.
# Globals:
# BASH_REMATCH
# DIR_BAK
# DIR_LOG
# TARGET
@@ -24,10 +25,6 @@ guard_sourcing
# VAR_SETUP_PATH
# ssh_port
# ssh_root_ca
# user_user0_name
# user_user1_name
# user_user2_name
# user_user3_name
# Arguments:
# None
# Returns:
@@ -40,21 +37,13 @@ setup_ssh() {
# Variable declaration
#######################################
declare -a ary_user=()
declare -i max_index=0 index i
declare var=""
### Search all set variables for user_userN_name patterns.
while IFS='=' read -r var; do
if [[ "${var}" =~ ^user_user([0-9]+)_name$ ]]; then
index="${BASH_REMATCH[1]}"
(( index > max_index )) && max_index="${index}"
fi
done < <(compgen -v)
declare -i i
declare var_auth="" var_name=""
### Only process those for which both *_name and *_authentication_access_ssh are set.
for ((i = 0; i <= max_index; i++)); do
declare var_auth="user_user${i}_authentication_access_ssh"
declare var_name="user_user${i}_name"
for ((i = 0; i <= VAR_USER_MAX; i++)); do
var_auth="user_user${i}_authentication_access_ssh"
var_name="user_user${i}_name"
if [[ -v "${var_auth}" && -v "${var_name}" && "${!var_auth}" == "true" ]]; then
ary_user+=("${!var_name}")
@@ -64,11 +53,8 @@ setup_ssh() {
rm -rf "${TARGET}"/etc/ssh/ssh_host_*key*
do_in_target "${TARGET}" ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
do_log "info" "true" "Generated ed25519 SSH Key, executed in: '${TARGET}'."
do_in_target "${TARGET}" ssh-keygen -o -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
do_log "info" "true" "Generated RSA4096 SSH Key, executed in: '${TARGET}'."
mkdir -p "${DIR_BAK}/etc/ssh"
cp "${TARGET}/etc/ssh/sshd_config" "${DIR_BAK}/etc/ssh/sshd_config.bak"
@@ -83,23 +69,23 @@ setup_ssh() {
chmod 0600 "${TARGET}/etc/ssh/ssh_config"
# shellcheck disable=SC2153
sed -i "s/ListenAddress 0.0.0.0/ListenAddress ${VAR_FINAL_IPV4}/" "${TARGET}/etc/ssh/sshd_config"
sed -i -E "s|^\s*ListenAddress\s+.*$|$(printf '%-30s%s' 'ListenAddress' "${VAR_FINAL_IPV4}")|" "${TARGET}/etc/ssh/sshd_config"
if [[ -n "${VAR_FINAL_IPV6}" ]]; then
sed -i "s/ListenAddress ::/ListenAddress ${VAR_FINAL_IPV6}/" "${TARGET}/etc/ssh/sshd_config"
sed -i -E "s|^\s*ListenAddress\s+::.*$|$(printf '%-30s%s' 'ListenAddress' "${VAR_FINAL_IPV6}")|" "${TARGET}/etc/ssh/sshd_config"
else
sed -i "/^\s*ListenAddress\s*::/d" "${TARGET}/etc/ssh/sshd_config"
fi
sed -i "s/Port MUST_BE_CHANGED/Port ${ssh_port}/" "${TARGET}/etc/ssh/sshd_config"
sed -i -E "s|^\s*Port\s+.*$|$(printf '%-30s%s' 'Port' "${ssh_port}")|" "${TARGET}/etc/ssh/sshd_config"
if (( ${#ary_user[@]} > 0 )); then
sed -i "s/AllowUsers root/AllowUsers root ${ary_user[*]}/" "${TARGET}/etc/ssh/sshd_config"
sed -i -E "s|^\s*AllowUsers\s+.*$|$(printf '%-30s%s' 'AllowUsers' "root ${ary_user[*]}")|" "${TARGET}/etc/ssh/sshd_config"
fi
if [[ -n "${ssh_root_ca}" ]]; then
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}${ssh_root_ca}" "${TARGET}/etc/ssh/"
sed -i "s/TrustedUserCAKeys none/TrustedUserCAKeys \/etc\/ssh\/${ssh_root_ca}/" "${TARGET}/etc/ssh/sshd_config"
sed -i -E "s|^\s*TrustedUserCAKeys\s+.*$|$(printf '%-30s%s' 'TrustedUserCAKeys' "/etc/ssh/${ssh_root_ca}")|" "${TARGET}/etc/ssh/sshd_config"
fi
do_in_target_script "${TARGET}" "sshd -T >| ${DIR_LOG}/sshd_config.log"
@@ -113,6 +99,7 @@ setup_ssh() {
# The chmod +x command ensures that the file is executed in every shell session. #
###########################################################################################
echo "readonly TMOUT=14400" >| "${TARGET}/etc/profile.d/idle-users.sh"
# TODO: Check empty value
#echo "readonly HISTFILE" >> "${TARGET}/etc/profile.d/idle-users.sh"
chmod +x "${TARGET}/etc/profile.d/idle-users.sh"

8
func/4195_setup_dropbear.sh
View File

@@ -51,14 +51,8 @@ setup_dropbear() {
chown root:root "${TARGET}"/etc/dropbear/initramfs/dropbear*key
### Prepare dropbear authorized_keys
declare -a ary_user=()
ary_user+=("${user_root_ssh_pubkeys_0}")
[[ -v user_root_ssh_pubkeys_1 ]] && ary_user+=("${user_root_ssh_pubkeys_1}")
[[ -v user_root_ssh_pubkeys_2 ]] && ary_user+=("${user_root_ssh_pubkeys_2}")
[[ -v user_root_ssh_pubkeys_3 ]] && ary_user+=("${user_root_ssh_pubkeys_3}")
touch "${TARGET}/etc/dropbear/initramfs/authorized_keys" && chmod 0600 "${TARGET}/etc/dropbear/initramfs/authorized_keys"
printf "%s\n" "${ary_user[@]}" > "${TARGET}/etc/dropbear/initramfs/authorized_keys"
printf "%s\n" "${user_root_sshpubkey}" > "${TARGET}/etc/dropbear/initramfs/authorized_keys"
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/etc/banner" "${TARGET}/etc/dropbear/initramfs/"
### Check for initramfs "IP"-variable: static or dynamic configuration vai dhcp.

188
func/4200_setup_accounts.sh
View File

@@ -12,104 +12,132 @@
guard_sourcing
###########################################################################################
# Updating user accounts
###########################################################################################
#######################################
# Updating user accounts.
# Globals:
# TARGET
# VAR_USER_MAX
# user_root_authentication_access_ssh
# user_root_password
# user_root_shell
# user_root_sshpubkey
# Arguments:
# None
# Returns:
# 0: on success
#######################################
setup_accounts() {
declare -a ary_user_accounts=()
ary_user_accounts+=("")
#######################################
# Declare Variables
#######################################
declare -i i
declare tmp_username="" tmp_fullname="" tmp_uid="" tmp_gid="" tmp_shell="" tmp_password="" tmp_sshpubkey="" tmp_sudo="" \
tmp_restricted=""
declare var_username="" var_fullname="" var_uid="" var_gid="" var_shell="" var_password="" var_sshpubkey="" var_sudo="" \
var_restricted="" var_chpasswd="" var_sshdir=""
if [[ ${accounts_root_login,,} == "true" ]]; then
### Preparing the root account
chown root:root "${TARGET}/etc/passwd" "${TARGET}/etc/shadow" "${TARGET}/etc/group" "${TARGET}/etc/gshadow"
chmod 644 "${TARGET}/etc/passwd" "${TARGET}/etc/group"
chmod 600 "${TARGET}/etc/shadow" "${TARGET}/etc/gshadow"
do_in_target "${TARGET}" /bin/bash -c "echo 'root:${accounts_root_password_crypted}' | chpasswd -e"
do_log "info" "false" "Account 'root' password inserted."
if [[ -x "${TARGET}${user_root_shell}" ]]; then
do_in_target "${TARGET}" chsh -s "${user_root_shell}" root
else
do_log "warn" "true" "Shell: '${user_root_shell}' not found for: 'root'. Using '/bin/bash' instead."
fi
if [[ ! -d ${TARGET}/root/.ssh ]]; then
var_chpasswd="root:${user_root_password}"
do_in_target_script "${TARGET}" "echo \"${var_chpasswd}\" | chpasswd -e"
var_chpasswd=""
mkdir "${TARGET}"/root/.ssh
chown root:root "${TARGET}"/root/.ssh
chmod 0700 "${TARGET}"/root/.ssh
install -d -m 0700 -o root -g root "${TARGET}/root/.ssh"
install -m 0600 -o root -g root /dev/null "${TARGET}/root/.ssh/authorized_keys"
grep -qxF "${user_root_sshpubkey}" "${TARGET}/root/.ssh/authorized_keys" || \
printf "%s\n" "${user_root_sshpubkey}" >> "${TARGET}/root/.ssh/authorized_keys"
if [[ "${user_root_authentication_access_ssh}" == "false" ]]; then
if grep -q '^\s*PermitRootLogin' "${TARGET}/etc/ssh/sshd_config"; then
sed -i 's/^\s*PermitRootLogin\s\+.*/PermitRootLogin no/' "${TARGET}/etc/ssh/sshd_config"
else
echo 'PermitRootLogin no' >> "${TARGET}/etc/ssh/sshd_config"
fi
fi
### Install all user accounts.
for ((i = 0; i <= VAR_USER_MAX; i++)); do
tmp_username="user_user${i}_name"
tmp_fullname="user_user${i}_fullname"
tmp_uid="user_user${i}_uid"
tmp_gid="user_user${i}_gid"
tmp_shell="user_user${i}_shell"
tmp_password="user_user${i}_password"
tmp_sshpubkey="user_user${i}_sshpubkey"
tmp_sudo="user_user${i}_privileges_sudo"
tmp_restricted="user_user${i}_privileges_restricted"
var_username="${!tmp_username}"
var_fullname="${!tmp_fullname}"
var_uid="${!tmp_uid}"
var_gid="${!tmp_gid}"
var_shell="${!tmp_shell}"
var_password="${!tmp_password}"
var_sshpubkey="${!tmp_sshpubkey}"
var_sudo="${!tmp_sudo}"
var_restricted="${!tmp_restricted}"
do_in_target "${TARGET}" getent group "${var_username}" >/dev/null || \
do_in_target "${TARGET}" groupadd --gid "${var_gid}" "${var_username}"
if [[ "${var_restricted}" == "false" ]]; then
do_in_target "${TARGET}" useradd \
--comment "${var_fullname}" \
--create-home \
--expiredate 2102-12-31 \
--gid "${var_gid}" \
--home-dir /home/"${var_username}" \
--inactive 0 \
--shell "${var_shell}" \
--uid "${var_uid}" \
"${var_username}"
else
chown root:root "${TARGET}"/root/.ssh
chmod 0700 "${TARGET}"/root/.ssh
do_in_target "${TARGET}" useradd \
--comment "${var_fullname}" \
--expiredate 2102-12-31 \
--gid "${var_gid}" \
--home-dir /home/"${var_username}" \
--inactive 0 \
--no-create-home \
--shell "${var_shell}" \
--uid "${var_uid}" \
"${var_username}"
fi
if [[ ! -f ${TARGET}/root/.ssh/authorized_keys ]]; then
touch "${TARGET}"/root/.ssh/authorized_keys
chown root:root "${TARGET}"/root/.ssh/authorized_keys
chmod 0600 "${TARGET}"/root/.ssh/authorized_keys
printf "%s\n" "$accounts_root_ssh_pub_key" >> "${TARGET}"/root/.ssh/authorized_keys
do_log "info" "false" "Account 'root' SSH public key '/root/.ssh/authorized_keys' inserted."
else
chown root:root "${TARGET}"/root/.ssh/authorized_keys
chmod 0600 "${TARGET}"/root/.ssh/authorized_keys
printf "%s\n" "$accounts_root_ssh_pub_key" >> "${TARGET}"/root/.ssh/authorized_keys
do_log "info" "false" "Account 'root' SSH public key '/root/.ssh/authorized_keys' inserted."
var_chpasswd="${var_username}:${var_password}"
do_in_target_script "${TARGET}" "echo \"${var_chpasswd}\" | chpasswd -e"
var_chpasswd=""
if [[ "${var_sudo}" == "true" ]]; then
do_in_target "${TARGET}" usermod -aG sudo "${var_username}"
fi
elif [[ ${accounts_root_login,,} == "false" ]]; then
do_log "info" "false" "Skipped creation of 'root' password."
else
do_log "error" "true" "Invalid value for 'accounts_root_login': '${accounts_root_login}'. Expected value: 'true' or 'false'."
if [[ -n "${var_sshpubkey}" ]]; then
var_sshdir="${TARGET}/home/${var_username}/.ssh"
install -d -m 0700 -o "${var_username}" -g "${var_username}" "${var_sshdir}"
install -m 0600 -o "${var_username}" -g "${var_username}" /dev/null "${var_sshdir}/authorized_keys"
grep -qxF "${var_sshpubkey}" "${var_sshdir}/authorized_keys" || \
printf "%s\n" "${var_sshpubkey}" >> "${var_sshdir}/authorized_keys"
fi
if [[ ${accounts_user_login,,} == "true" ]]; then
do_log "info" "true" "Created user: [${var_username}] UID: [${var_uid}], GID: [${var_gid}]"
echo "${accounts_user_name}:${accounts_user_password_crypted}" | chpasswd -e
do_log "info" "false" "Account '${accounts_user_name}' password inserted."
if [[ ! -d ${TARGET}/home/${accounts_user_name}/.ssh ]]; then
mkdir "${TARGET}"/home/"${accounts_user_name}"/.ssh
chown "${accounts_user_name}":"${accounts_user_name}" "${TARGET}"/home/"${accounts_user_name}"/.ssh
chmod 0700 "${TARGET}"/home/"${accounts_user_name}"/.ssh
else
chown "${accounts_user_name}":"${accounts_user_name}" "${TARGET}"/home/"${accounts_user_name}"/.ssh
chmod 0700 "${TARGET}"/home/"${accounts_user_name}"/.ssh
fi
if [[ ! -f ${TARGET}/home/${accounts_user_name}/.ssh/authorized_keys ]]; then
touch "${TARGET}"/home/"${accounts_user_name}"/.ssh/authorized_keys
chown "${accounts_user_name}":"${accounts_user_name}" "${TARGET}"/home/"${accounts_user_name}"/.ssh/authorized_keys
chmod 0600 "${TARGET}"/home/"${accounts_user_name}"/.ssh/authorized_keys
printf "%s\n" "$accounts_user_ssh_pub_key" >> "${TARGET}"/home/"${accounts_user_name}"/.ssh/authorized_keys
do_log "info" "false" "Account '${accounts_user_name}' SSH public key '${TARGET}/home/${accounts_user_name}/.ssh/authorized_keys' inserted."
else
chown "${accounts_user_name}":"${accounts_user_name}" "${TARGET}"/home/"${accounts_user_name}"/.ssh/authorized_keys
chmod 0600 "${TARGET}"/home/"${accounts_user_name}"/.ssh/authorized_keys
printf "%s\n" "$accounts_user_ssh_pub_key" >> "${TARGET}"/home/"${accounts_user_name}"/.ssh/authorized_keys
do_log "info" "false" "Account '${accounts_user_name}' SSH public key '${TARGET}/home/${accounts_user_name}/.ssh/authorized_keys' inserted."
fi
elif [[ ${accounts_user_login,,} == "false" ]]; then
do_log "info" "false" "Skipped creation of account '${accounts_user_name}'."
else
do_log "error" "true" "Invalid value for 'accounts_user_login': '${accounts_user_login}'. Expected 'true' or 'false'."
fi
done
return 0
}