V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/cdi_4500_user/4520_accounts_setup.sh

@@ -627,7 +627,8 @@ pam_access_sync_login_sshd() {
   ### 1) If the 'pam_access' line is commented in '/etc/pam.d/login', uncomment exactly one occurrence.
   chroot_stdin "${TARGET}" "__payload__" <<'EOF'
 tmp="$(mktemp /etc/pam.d/login.XXXXXX)"
-LC_ALL=C awk '
+export LC_ALL=C
+awk '
 BEGIN { done=0 }
 {
   if (!done) {
@@ -651,10 +652,10 @@ EOF
   [[ -f "${TARGET}${var_file_sshd}" ]] || return 0
 
   chroot_stdin "${TARGET}" "__payload__" <<'EOF'
-LC_ALL=C
+export LC_ALL=C
 if grep -Eq '^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access[.]so([[:space:]]|$)' /etc/pam.d/login; then
   tmp="$(mktemp /etc/pam.d/sshd.XXXXXX)"
-  LC_ALL=C awk '
+  awk '
     /^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access[.]so([[:space:]]|$)/ { print "# " $0; next }
     { print }
   ' /etc/pam.d/sshd >| "${tmp}"
@@ -705,27 +706,27 @@ pam="$1"
 allowlist="$2"
 tmp="$(mktemp "${pam}.XXXXXX")"
 
-awk -v START='# CISS TOTP START' -v END='# CISS TOTP END' -v allowlist="${allowlist}" '
+awk -v MARK_S="# CISS TOTP START" -v MARK_E="# CISS TOTP END" -v allowlist="${allowlist}" '
   BEGIN { ins=0 }
   {
     print
     if (!ins && ($0 ~ /^[[:space:]]*auth[[:space:]]+.*pam_unix[.]so/ \
                  || $0 ~ /^[[:space:]]*@include[[:space:]]+common-auth/)) {
-      print START
+      print MARK_S
-      # Only users in allowlist must pass GA:
+      ### Only users in allowlist must pass GA:
-      # pam_listfile sense=deny succeeds for non-listed → skip next line (GA)
+      ### pam_listfile sense=deny succeeds for non-listed > skip next line (GA)
       print "auth  [success=1 default=ignore] pam_listfile.so item=user sense=deny file=" allowlist " onerr=ignore"
       print "auth  required  pam_google_authenticator.so"
-      print END
+      print MARK_E
       ins=1
     }
   }
   END {
     if (!ins) {
-      print START
+      print MARK_S
       print "auth  [success=1 default=ignore] pam_listfile.so item=user sense=deny file=" allowlist " onerr=ignore"
       print "auth  required  pam_google_authenticator.so"
-      print END
+      print MARK_E
     }
   }
 ' "${pam}" >| "${tmp}"
@@ -821,13 +822,25 @@ write_google_authenticator_file() {
 
   umask 0077
   {
+    declare accept hex val
     printf '%s\n' "${var_secret}"
     printf 'RATE_LIMIT 3 30 \n'
     printf 'WINDOW 10 \n'
     printf 'DISALLOW_REUSE \n'
     printf 'TOTP_AUTH \n'
-    ### Emergency Codes:
+    ### Emergency Codes (8× unbiased 8-digit, CSPRNG via OpenSSL).
-    for i in {0..7}; do printf '%08d\n' "$(( RANDOM % 100000000 ))"; done
+    for i in {1..8}; do
+      ### Draw 32 bits; rejection sampling to avoid modulo bias.
+      while :; do
+        hex="$(openssl rand -hex 4)" || exit 1
+        val=$((16#${hex}))                              # 0..4294967295
+        accept=$(( (1<<32) / 100000000 * 100000000 ))   # 4_200_000_000
+        if (( val < accept )); then
+          printf '%08d\n' "$(( val % 100000000 ))"
+          break
+       fi
+      done
+    done
   } >| "${var_base}/.google_authenticator"
   chown "${var_user}:${var_user}" "${var_base}/.google_authenticator"
   chmod 0600 "${var_base}/.google_authenticator"