V8.00.000.2025.06.17
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
@@ -24,13 +24,14 @@ guard_sourcing
|
||||
# user_root_authentication_access_ssh
|
||||
# user_root_authentication_access_tty
|
||||
# user_root_authentication_password
|
||||
# user_root_password
|
||||
# user_root_shell
|
||||
# user_root_specific
|
||||
# user_root_sshpubkey
|
||||
# Arguments:
|
||||
# None
|
||||
# Returns:
|
||||
# 0: on success
|
||||
# ERR_ACCOUNT_CREATE: on failure
|
||||
#######################################
|
||||
accounts_setup() {
|
||||
### Declare Arrays, HashMaps, and Variables.
|
||||
@@ -102,19 +103,28 @@ accounts_setup() {
|
||||
do_log "info" "file_only" "4520() Skeleton: 'root' successfully generated."
|
||||
|
||||
### 2) Check SSH access capabilities.
|
||||
case "${user_root_authentication_access_ssh}" in
|
||||
case "${user_root_authentication_access_ssh,,}" in
|
||||
|
||||
false)
|
||||
sed -i -E "s|^[[:space:]]*PermitRootLogin[[:space:]]+.*$|$(printf '%-29s%s' 'PermitRootLogin' 'no')|" "${TARGET}/etc/ssh/sshd_config"
|
||||
do_log "info" "file_only" "4520() User: 'root' SSH access: [PermitRootLogin no]"
|
||||
;;
|
||||
|
||||
true)
|
||||
sed -i -E "s|^[[:space:]]*PermitRootLogin[[:space:]]+.*$|$(printf '%-29s%s' 'PermitRootLogin' 'prohibit-password')|" "${TARGET}/etc/ssh/sshd_config"
|
||||
do_log "info" "file_only" "4520() User: 'root' SSH access: [PermitRootLogin prohibit-password]"
|
||||
;;
|
||||
|
||||
*)
|
||||
do_log "fatal" "file_only" "4520() Not set: user_root_authentication_access_ssh [${user_root_authentication_access_ssh}]"
|
||||
return "${ERR_ACCOUNT_CREATE}"
|
||||
;;
|
||||
|
||||
esac
|
||||
|
||||
### 3) Check tty access capabilities.
|
||||
case "${user_root_authentication_access_tty}" in
|
||||
case "${user_root_authentication_access_tty,,}" in
|
||||
|
||||
false)
|
||||
### 3) A) 1) Ensure the 'pam_access' line is not activated in '/etc/pam.d/login' and '/etc/pam.d/sshd' in parallel.
|
||||
pam_access_sync_login_sshd
|
||||
@@ -165,33 +175,53 @@ tty1
|
||||
EOF
|
||||
do_log "info" "file_only" "4520() User: 'root' tty access: [true]"
|
||||
;;
|
||||
|
||||
*)
|
||||
do_log "fatal" "file_only" "4520() Not set: user_root_authentication_access_tty [${user_root_authentication_access_tty}]"
|
||||
return "${ERR_ACCOUNT_CREATE}"
|
||||
;;
|
||||
|
||||
esac
|
||||
|
||||
### 4) Check the password policy for the 'root' account.
|
||||
case "${user_root_authentication_password}" in
|
||||
case "${user_root_authentication_password,,}" in
|
||||
|
||||
false)
|
||||
chroot_script "${TARGET}" "passwd -l root"
|
||||
do_log "info" "file_only" "4520() User: 'root' password access: [false]"
|
||||
;;
|
||||
|
||||
true)
|
||||
chroot_script "${TARGET}" "printf '%s:%s\n' root '${var_password}' | /usr/sbin/chpasswd -e"
|
||||
#chroot_script "${TARGET}" "/usr/sbin/usermod -p '${user_root_password}' root"
|
||||
do_log "info" "file_only" "4520() User: 'root' password access: [true]"
|
||||
;;
|
||||
|
||||
*)
|
||||
do_log "fatal" "file_only" "4520() Not set: user_root_authentication_password [${user_root_authentication_password}]"
|
||||
return "${ERR_ACCOUNT_CREATE}"
|
||||
;;
|
||||
|
||||
esac
|
||||
|
||||
### 5) Update the 'root' SSH pubkey, if provided via 'preseed.yaml'.
|
||||
if [[ -n "${user_root_sshpubkey:-}" ]]; then
|
||||
|
||||
printf "%s\n" "${user_root_sshpubkey}" >| "${TARGET}/root/.ssh/authorized_keys"
|
||||
do_log "info" "file_only" "4520() User: 'root' SSH public key: inserted."
|
||||
|
||||
fi
|
||||
|
||||
### 6) Update the 'root' 'totp'-policy and write the '.google_authenticator'-file.
|
||||
if [[ "${user_root_authentication_2fa_ssh}" == "true" || "${user_root_authentication_2fa_tty}" == "true" ]]; then
|
||||
|
||||
write_google_authenticator_file "root" "0" "0"
|
||||
|
||||
fi
|
||||
|
||||
|
||||
if [[ "${user_root_authentication_2fa_ssh}" == "true" ]]; then
|
||||
|
||||
pam_access_totp_enable "root" "sshd"
|
||||
var_ssh_totp_update="true"
|
||||
cat << EOF >> "${TARGET}/etc/ssh/sshd_config"
|
||||
@@ -318,6 +348,11 @@ EOF
|
||||
"${var_username}"
|
||||
;;
|
||||
|
||||
*)
|
||||
do_log "fatal" "file_only" "4520() Not set: var_restricted:var_system [${var_restricted}:${var_system}]"
|
||||
return "${ERR_ACCOUNT_CREATE}"
|
||||
;;
|
||||
|
||||
esac
|
||||
|
||||
### 1) Prepare the 'user' account.
|
||||
@@ -365,7 +400,8 @@ EOF
|
||||
### Nothing to do here as per-user SSH capabilities are already handled in '4330_installation_ssh.sh'.
|
||||
|
||||
### 3) Check tty access capabilities.
|
||||
case "${var_access_tty}" in
|
||||
case "${var_access_tty,,}" in
|
||||
|
||||
false)
|
||||
### 3) A) 1) Ensure the 'pam_access' line is not activated in '/etc/pam.d/login' and '/etc/pam.d/sshd' in parallel.
|
||||
pam_access_sync_login_sshd
|
||||
@@ -388,33 +424,52 @@ EOF
|
||||
|
||||
do_log "info" "file_only" "4520() User: '${var_username}' tty access: [true]"
|
||||
;;
|
||||
|
||||
*)
|
||||
do_log "fatal" "file_only" "4520() Not set: var_access_tty [${var_access_tty}]"
|
||||
return "${ERR_ACCOUNT_CREATE}"
|
||||
;;
|
||||
|
||||
esac
|
||||
|
||||
### 4) Check the password policy for the 'user' account.
|
||||
case "${var_auth_pwd}" in
|
||||
|
||||
false)
|
||||
chroot_script "${TARGET}" "passwd -l ${var_username}"
|
||||
do_log "info" "file_only" "4520() User: '${var_username}' password access: [false]"
|
||||
;;
|
||||
|
||||
true)
|
||||
chroot_script "${TARGET}" "printf '%s:%s\n' \"${var_username}\" '${var_password}' | /usr/sbin/chpasswd -e"
|
||||
#chroot_script "${TARGET}" "/usr/sbin/usermod -p '${var_password}' ${var_username}"
|
||||
do_log "info" "file_only" "4520() User: '${var_username}' password access: [true]"
|
||||
;;
|
||||
|
||||
*)
|
||||
do_log "fatal" "file_only" "4520() Not set: var_auth_pwd [${var_auth_pwd}]"
|
||||
return "${ERR_ACCOUNT_CREATE}"
|
||||
;;
|
||||
|
||||
esac
|
||||
|
||||
### 5) Update the 'user' SSH pubkey, if provided via 'preseed.yaml'.
|
||||
if [[ -n "${var_sshpubkey:-}" ]]; then
|
||||
|
||||
printf "%s\n" "${var_sshpubkey}" >| "${TARGET}/home/${var_username}/.ssh/authorized_keys"
|
||||
do_log "info" "file_only" "4520() User: '${var_username}' SSH public key: inserted."
|
||||
|
||||
fi
|
||||
|
||||
### 6) Update the 'root' 'totp'-policy and write the '.google_authenticator'-file.
|
||||
if [[ "${var_2fa_ssh}" == "true" || "${var_2fa_tty}" == "true" ]]; then
|
||||
|
||||
write_google_authenticator_file "${var_username}" "${var_uid}" "${var_gid}"
|
||||
|
||||
fi
|
||||
|
||||
if [[ "${var_2fa_ssh}" == "true" ]]; then
|
||||
|
||||
pam_access_totp_enable "${var_username}" "sshd"
|
||||
var_ssh_totp_update="true"
|
||||
cat << EOF >> "${TARGET}/etc/ssh/sshd_config"
|
||||
@@ -453,13 +508,17 @@ EOF
|
||||
done
|
||||
|
||||
if [[ "${var_ssh_totp_update}" == "true" ]]; then
|
||||
|
||||
sed -i -E "s|^[[:space:]]*KbdInteractiveAuthentication[[:space:]]+.*$|$(printf '%-29s%s' 'KbdInteractiveAuthentication' 'yes')|" "${TARGET}/etc/ssh/sshd_config"
|
||||
|
||||
fi
|
||||
|
||||
unset VAR_TEMP_PLAIN_MFA_SEED
|
||||
|
||||
if ! grep -Fqx -- '-: ALL:ALL' "${TARGET}/etc/security/access.conf"; then
|
||||
|
||||
printf '%s\n' '-: ALL:ALL' >> "${TARGET}/etc/security/access.conf"
|
||||
|
||||
fi
|
||||
|
||||
printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${TARGET}/etc/security/access.conf"
|
||||
|
||||
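Review bot: The lower-casing that the commit adds to the `case` selectors (`${user_root_authentication_access_ssh,,}`, `${user_root_authentication_access_tty,,}`, `${user_root_authentication_password,,}`, `${var_access_tty,,}`) is not applied to `case "${var_auth_pwd}" in` in the `@@ -388` hunk nor to the `[[ "${user_root_authentication_2fa_ssh}" == "true" ... ]]` and `[[ "${var_2fa_ssh}" == "true" ... ]]` tests, so a preseed value such as `True` is accepted by the access checks but silently skips `write_google_authenticator_file`, `pam_access_totp_enable` and the `KbdInteractiveAuthentication` update, which is a fail-open path for MFA. Normalise once in the same way, e.g. `case "${var_auth_pwd,,}" in` and `if [[ "${var_2fa_ssh,,}" == "true" || "${var_2fa_tty,,}" == "true" ]]; then`, or reject anything other than exactly `true`/`false` before these branches. Separately, the `sed -i -E` edits for `PermitRootLogin` and `KbdInteractiveAuthentication` only rewrite an existing uncommented directive; when the shipped file carries it commented out (the anchored regex does not match `#PermitRootLogin`) the `false` branch leaves sshd at its compiled-in default and logs success anyway, so consider a `grep -Eq '^[[:space:]]*PermitRootLogin[[:space:]]'` check that appends the directive when absent. The enclosing function `accounts_setup` begins before the `@@ -102` hunk, and the per-user loop closed by `done` in the `@@ -453` hunk starts outside the visible hunks.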