V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

.preseed/preseed.yaml

@@ -669,9 +669,9 @@ ntp:
 ssh:
   allow_hardening: true        # For additional hardening of SSH connections via TCP wrapper: '/etc/hosts.allow'.
   # If "allow_hardening" = "true", at least one 'allow_ipv4' MUST be provided.
-  allow_ipv4:                  # Provide Bastion / Jump-Server / static VPN-Exit-Nodes IPv4.
+  allow_ipv4:                  # Provide Bastion / Jump-Server / static VPN-Exit-Nodes IPv4: will be added: 'f2ban-ignoreip'.
     - 202.61.246.50
-  allow_ipv6:                  # Provide Bastion / Jump-Server / static VPN-Exit-Nodes IPv6.
+  allow_ipv6:                  # Provide Bastion / Jump-Server / static VPN-Exit-Nodes IPv6: will be added: 'f2ban-ignoreip'.
     - 2a03:4000:53:f:abcd:9494:0:2
   port: 42137                  # SSH Port.
   root_ca: "/.preseed/ssh_root_ca.pub"

func/4180_setup_ssh.sh

@@ -36,11 +36,30 @@ guard_sourcing
 setup_ssh() {
   do_in_target "${TARGET}" apt-get install -y ssh
 
+  #######################################
+  # Variable declaration
+  #######################################
   declare -a ary_user=()
-  ary_user+=("${user_user0_name}")
-  [[ -v "${user_user1_name}" ]] && ary_user+=("${user_user1_name}")
-  [[ -v "${user_user2_name}" ]] && ary_user+=("${user_user2_name}")
-  [[ -v "${user_user3_name}" ]] && ary_user+=("${user_user3_name}")
+  declare -i max_index=0 index i
+  declare var=""
+
+  ### Search all set variables for user_userN_name patterns.
+  while IFS='=' read -r var; do
+    if [[ "${var}" =~ ^user_user([0-9]+)_name$ ]]; then
+      index="${BASH_REMATCH[1]}"
+      (( index > max_index )) && max_index="${index}"
+    fi
+  done < <(compgen -v)
+
+  ### Only process those for which both *_name and *_authentication_access_ssh are set.
+  for ((i = 0; i <= max_index; i++)); do
+    declare var_auth="user_user${i}_authentication_access_ssh"
+    declare var_name="user_user${i}_name"
+
+    if [[ -v "${var_auth}" && -v "${var_name}" && "${!var_auth}" == "true" ]]; then
+      ary_user+=("${!var_name}")
+    fi
+  done
 
   rm -rf "${TARGET}"/etc/ssh/ssh_host_*key*
 
@@ -63,6 +82,7 @@ setup_ssh() {
   chmod 0600 "${TARGET}/etc/ssh/sshd_config"
   chmod 0600 "${TARGET}/etc/ssh/ssh_config"
 
+  # shellcheck disable=SC2153
   sed -i "s/ListenAddress                0.0.0.0/ListenAddress                ${VAR_FINAL_IPV4}/" "${TARGET}/etc/ssh/sshd_config"
 
   if [[ -n "${VAR_FINAL_IPV6}" ]]; then
@@ -73,7 +93,7 @@ setup_ssh() {
 
   sed -i "s/Port                         MUST_BE_CHANGED/Port                         ${ssh_port}/" "${TARGET}/etc/ssh/sshd_config"
 
-  if [[ -n "${user_user0_name}" ]]; then
+  if (( ${#ary_user[@]} > 0 )); then
     sed -i "s/AllowUsers                   root/AllowUsers                   root ${ary_user[*]}/" "${TARGET}/etc/ssh/sshd_config"
   fi
 

func/4200_setup_accounts.sh

@@ -1,39 +1,24 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
-# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
-# SPDX-PackageName: CISS.2025.hardened.installer
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-###########################################################################################
-# 3.8.3. Functions - installation - setup accounts                                        #
-###########################################################################################
+guard_sourcing
 
 ###########################################################################################
 # Updating user accounts
-# Globals:
-#   MODULE_ERR
-#   MODULE_TXT
-#   TARGET
-#   accounts_root_login
-#   accounts_root_password_crypted
-#   accounts_root_ssh_pub_key
-#   accounts_user_login
-#   accounts_user_name
-#   accounts_user_password_crypted
-#   accounts_user_ssh_pub_key
-# Arguments:
-#   None
 ###########################################################################################
-3_8_3_functions_installation_setup_accounts() {
-  declare -g -x MODULE_ERR="3_8_3_functions_installation_setup_accounts"
-  declare -g -x MODULE_TXT="Setup user account"
-  do_show_header "${MODULE_TXT}"
+setup_accounts() {
+
+  declare -a ary_user_accounts=()
+  ary_user_accounts+=("")
 
   if [[ ${accounts_root_login,,} == "true" ]]; then
 
@@ -126,6 +111,6 @@
 
   fi
 
-  do_show_footer "${MODULE_TXT}"
+  return 0
 }
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/initramfs-tools/files/unlock_wrapper.sh

@@ -45,7 +45,7 @@ color_echo() { declare c="$1"; shift; declare msg="${*}"; printf "%s%s %s%s" "${
 # Arguments:
 #   1: Message string to print.
 #######################################
-die() { printf "%s✘ %s%s\n" "${RED}" "$1" "${RES}" >&2; power_off 3; }
+die() { printf "%s✘ %s %s%s" "${RED}" "$1" "${RES}" "${NL}" >&2; power_off 3; }
 
 #######################################
 # Drop to bash environment.
@@ -333,7 +333,7 @@ verify_script() {
 }
 
 #######################################
-# Main Programm Sequence
+# Main Program Sequence
 # Globals:
 #   CURRENTDATE
 #   DEVICES_LUKS