msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m33s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-10-19 19:12:01 +01:00
parent 0f137c0f2b
commit 422405119b
1 changed files with 5 additions and 68 deletions
Download Patch File Download Diff File Expand all files Collapse all files

73
func/cdi_4500_user/4520_accounts_setup.sh
View File

@@ -61,7 +61,6 @@ accounts_setup() {
write_pam_login "${var_target}"
write_pam_sshd "${var_target}"
write_pam_su "${var_target}"
write_pam_su-l "${var_target}"
write_pam_sudo-i "${var_target}"
### Prepare the '2fa'-seed variable.
@@ -1189,7 +1188,7 @@ write_pam_su() {
insert_comments "${var_target}/etc/pam.d/su"
cat << EOF >> "${var_target}/etc/pam.d/su"
#
# PAM configuration for the su service
# The PAM configuration file for the Shadow 'su' service
#
# If caller is already root, allow quickly without further auth:
@@ -1198,6 +1197,10 @@ auth sufficient pam_rootok.so
# Hardening of '/bin/su': only members of the group 'sudo' can su to root.
auth required pam_wheel.so group=sudo
# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session required pam_limits.so
# Standard password for the target account (root or other):
@include common-auth
@@ -1236,72 +1239,6 @@ EOF
# shellcheck disable=SC2034
readonly -f write_pam_su
#######################################
# Writes CISS Header for '/etc/pam.d/su-l'.
# Globals:
# None
# Arguments:
# 1: TARGET
# Returns:
# 0: on success
#######################################
write_pam_su-l() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_target="$1"
mv "${var_target}/etc/pam.d/su-l" "${var_target}/root/.ciss/cdi/backup/etc/pam.d/su-l"
insert_header "${var_target}/etc/pam.d/su-l"
insert_comments "${var_target}/etc/pam.d/su-l"
cat << EOF >> "${var_target}/etc/pam.d/su-l"
#
# PAM configuration for the su-l service
#
# If caller is already root, allow quickly without further auth:
auth sufficient pam_rootok.so
# Hardening of '/bin/su': only members of the group 'sudo' can su to root.
auth required pam_wheel.so group=sudo
# Standard password for the target account (root or other):
@include common-auth
# ===== CISS 2FA block ========
# If gate returns SUCCESS => skip next two lines (no TOTP).
auth [success=2 default=ignore] pam_exec.so quiet /usr/local/libexec/ciss_pam_2fa_gate.sh
# For listed users: enforce that the secret file exists, else deny without prompting.
# pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
# No 'nullok' here: listed users MUST have a secret; missing -> hard fail.
auth required pam_echo.so file=/etc/ciss/pam_su_l_totp.prompt
auth required pam_google_authenticator.so
# ===== CISS 2FA block end =====
@include common-account
@include common-session
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
do_log "info" "file_only" "4520() Written: [/etc/pam.d/su-l]."
cat << 'EOF' >| "${var_target}/etc/ciss/pam_su_l_totp.prompt"
Please enter the 6-digit TOTP or 8-digit Backup code of the target user:
EOF
chmod 0444 "${var_target}/etc/ciss/pam_su_l_totp.prompt"
do_log "info" "file_only" "4520() Written: [/etc/ciss/pam_su_l_totp.prompt]."
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f write_pam_su-l
#######################################
# Writes CISS Header for '/etc/pam.d/sudo-i'.
# Globals: