V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-09-14 17:26:36 +02:00
parent c2cd6e64d2
commit 21e5a1e5c7
3 changed files with 16 additions and 13 deletions
--- a/.preseed/preseed.yaml
+++ b/.preseed/preseed.yaml
@@ -855,8 +855,8 @@ user:
    uid: 1000                  # Ensures that the same user has the same UID on all systems.
    gid: 1000                  # Ensures that the same user has the same GID on all systems.
    shell: /bin/zsh            # Login shell (e.g., '/bin/bash', '/bin/zsh'); use '/usr/sbin/nologin' for non-interactive users.
-    password: ""
+    password: "47110815"
-    sshpubkey: ""
+    sshpubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
    authentication:
      access:
        ssh: true              # Allow SSH access.
--- a/func/cdi_1000_helper/1080_helper_chroot.sh
+++ b/func/cdi_1000_helper/1080_helper_chroot.sh
@@ -178,9 +178,9 @@ chroot_script() {
 #######################################
 chroot_stdin() {
  ### Declare Arrays, HashMaps, and Variables.
-  declare     var_chroot_target="$1"; shift             # consume TARGET
+  declare     var_chroot_target="$1"; shift      ### consume TARGET
-  declare     payload_marker="$1"; shift             # consume marker (e.g. "__payload__")
+  declare     payload_marker="$1"; shift         ### consume marker (e.g. "__payload__")
-  declare     var_log_level_on_error="emergency"        # default
+  declare     var_log_level_on_error="emergency" ### default
  declare     var_default_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
  declare     var_mod="${BASH_SOURCE[1]##*/}"; var_mod="${var_mod%%_*}()"
--- a/func/cdi_4500_user/4520_accounts_setup.sh
+++ b/func/cdi_4500_user/4520_accounts_setup.sh
@@ -169,7 +169,7 @@ EOF
  ### 6) Update the 'root' 'totp'-policy and write the '.google_authenticator'-file.
  if [[ "${user_root_authentication_2fa_ssh}" == "true" || "${user_root_authentication_2fa_tty}" == "true" ]]; then
-    write_google_authenticator_file "root"
+    write_google_authenticator_file "root" "0" "0"
  fi
  if [[ "${user_root_authentication_2fa_ssh}" == "true" ]]; then
@@ -327,7 +327,7 @@ EOF
    ### 6) Update the 'root' 'totp'-policy and write the '.google_authenticator'-file.
    if [[ "${var_2fa_ssh}" == "true" || "${var_2fa_tty}" == "true" ]]; then
-      write_google_authenticator_file "${var_username}"
+      write_google_authenticator_file "${var_username}" "${var_uid}" "${var_gid}"
    fi
    if [[ "${var_2fa_ssh}" == "true" ]]; then
@@ -804,12 +804,14 @@ read_totp_seed(){
 #   TARGET
 # Arguments:
 #   1: Username
 #   2: UID
 #   3: GID
 # Returns:
 #   0: on success
 #######################################
 write_google_authenticator_file() {
  ### Declare Arrays, HashMaps, and Variables.
-  declare     var_user="${1}" var_secret=""
+  declare     var_user="${1}" var_user_id="${2}" var_group_id="${3}" var_secret=""
  case "${1}" in
    root) declare var_base="${TARGET}/root"             ;;
    *)    declare var_base="${TARGET}/home/${var_user}" ;;
@@ -824,10 +826,11 @@ write_google_authenticator_file() {
  {
    declare accept hex val
    printf '%s\n' "${var_secret}"
-    printf 'RATE_LIMIT 3 30 \n'
+    printf 'RATE_LIMIT 3 30\n'
-    printf 'WINDOW 10 \n'
+    printf 'WINDOW_SIZE 10\n'
-    printf 'DISALLOW_REUSE \n'
+    printf 'TOTP_DIGITS 8\n'
-    printf 'TOTP_AUTH \n'
+    printf 'DISALLOW_REUSE\n'
    printf 'TOTP_AUTH\n'
    ### Emergency Codes (8× unbiased 8-digit, CSPRNG via OpenSSL).
    for i in {1..8}; do
      ### Draw 32 bits; rejection sampling to avoid modulo bias.
@@ -842,7 +845,7 @@ write_google_authenticator_file() {
      done
    done
  } >| "${var_base}/.google_authenticator"
-  chown "${var_user}:${var_user}" "${var_base}/.google_authenticator"
+  chown "${var_user_id}:${var_group_id}" "${var_base}/.google_authenticator"
  chmod 0600 "${var_base}/.google_authenticator"
  {