V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m48s
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m48s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -36,11 +36,30 @@ guard_sourcing
|
||||
setup_ssh() {
|
||||
do_in_target "${TARGET}" apt-get install -y ssh
|
||||
|
||||
#######################################
|
||||
# Variable declaration
|
||||
#######################################
|
||||
declare -a ary_user=()
|
||||
ary_user+=("${user_user0_name}")
|
||||
[[ -v "${user_user1_name}" ]] && ary_user+=("${user_user1_name}")
|
||||
[[ -v "${user_user2_name}" ]] && ary_user+=("${user_user2_name}")
|
||||
[[ -v "${user_user3_name}" ]] && ary_user+=("${user_user3_name}")
|
||||
declare -i max_index=0 index i
|
||||
declare var=""
|
||||
|
||||
### Search all set variables for user_userN_name patterns.
|
||||
while IFS='=' read -r var; do
|
||||
if [[ "${var}" =~ ^user_user([0-9]+)_name$ ]]; then
|
||||
index="${BASH_REMATCH[1]}"
|
||||
(( index > max_index )) && max_index="${index}"
|
||||
fi
|
||||
done < <(compgen -v)
|
||||
|
||||
### Only process those for which both *_name and *_authentication_access_ssh are set.
|
||||
for ((i = 0; i <= max_index; i++)); do
|
||||
declare var_auth="user_user${i}_authentication_access_ssh"
|
||||
declare var_name="user_user${i}_name"
|
||||
|
||||
if [[ -v "${var_auth}" && -v "${var_name}" && "${!var_auth}" == "true" ]]; then
|
||||
ary_user+=("${!var_name}")
|
||||
fi
|
||||
done
|
||||
|
||||
rm -rf "${TARGET}"/etc/ssh/ssh_host_*key*
|
||||
|
||||
@@ -63,6 +82,7 @@ setup_ssh() {
|
||||
chmod 0600 "${TARGET}/etc/ssh/sshd_config"
|
||||
chmod 0600 "${TARGET}/etc/ssh/ssh_config"
|
||||
|
||||
# shellcheck disable=SC2153
|
||||
sed -i "s/ListenAddress 0.0.0.0/ListenAddress ${VAR_FINAL_IPV4}/" "${TARGET}/etc/ssh/sshd_config"
|
||||
|
||||
if [[ -n "${VAR_FINAL_IPV6}" ]]; then
|
||||
@@ -73,7 +93,7 @@ setup_ssh() {
|
||||
|
||||
sed -i "s/Port MUST_BE_CHANGED/Port ${ssh_port}/" "${TARGET}/etc/ssh/sshd_config"
|
||||
|
||||
if [[ -n "${user_user0_name}" ]]; then
|
||||
if (( ${#ary_user[@]} > 0 )); then
|
||||
sed -i "s/AllowUsers root/AllowUsers root ${ary_user[*]}/" "${TARGET}/etc/ssh/sshd_config"
|
||||
fi
|
||||
|
||||
|
||||
116
func/4200_setup_accounts.sh
Normal file
116
func/4200_setup_accounts.sh
Normal file
@@ -0,0 +1,116 @@
|
||||
#!/bin/bash
|
||||
# SPDX-Version: 3.0
|
||||
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
|
||||
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||||
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-FileType: SOURCE
|
||||
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
|
||||
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
||||
# SPDX-PackageName: CISS.debian.installer
|
||||
# SPDX-Security-Contact: security@coresecret.eu
|
||||
|
||||
guard_sourcing
|
||||
|
||||
###########################################################################################
|
||||
# Updating user accounts
|
||||
###########################################################################################
|
||||
setup_accounts() {
|
||||
|
||||
declare -a ary_user_accounts=()
|
||||
ary_user_accounts+=("")
|
||||
|
||||
if [[ ${accounts_root_login,,} == "true" ]]; then
|
||||
|
||||
do_in_target "${TARGET}" /bin/bash -c "echo 'root:${accounts_root_password_crypted}' | chpasswd -e"
|
||||
do_log "info" "false" "Account 'root' password inserted."
|
||||
|
||||
if [[ ! -d ${TARGET}/root/.ssh ]]; then
|
||||
|
||||
mkdir "${TARGET}"/root/.ssh
|
||||
chown root:root "${TARGET}"/root/.ssh
|
||||
chmod 0700 "${TARGET}"/root/.ssh
|
||||
|
||||
else
|
||||
|
||||
chown root:root "${TARGET}"/root/.ssh
|
||||
chmod 0700 "${TARGET}"/root/.ssh
|
||||
|
||||
fi
|
||||
|
||||
if [[ ! -f ${TARGET}/root/.ssh/authorized_keys ]]; then
|
||||
|
||||
touch "${TARGET}"/root/.ssh/authorized_keys
|
||||
chown root:root "${TARGET}"/root/.ssh/authorized_keys
|
||||
chmod 0600 "${TARGET}"/root/.ssh/authorized_keys
|
||||
printf "%s\n" "$accounts_root_ssh_pub_key" >> "${TARGET}"/root/.ssh/authorized_keys
|
||||
do_log "info" "false" "Account 'root' SSH public key '/root/.ssh/authorized_keys' inserted."
|
||||
|
||||
else
|
||||
|
||||
chown root:root "${TARGET}"/root/.ssh/authorized_keys
|
||||
chmod 0600 "${TARGET}"/root/.ssh/authorized_keys
|
||||
printf "%s\n" "$accounts_root_ssh_pub_key" >> "${TARGET}"/root/.ssh/authorized_keys
|
||||
do_log "info" "false" "Account 'root' SSH public key '/root/.ssh/authorized_keys' inserted."
|
||||
|
||||
fi
|
||||
|
||||
|
||||
elif [[ ${accounts_root_login,,} == "false" ]]; then
|
||||
|
||||
do_log "info" "false" "Skipped creation of 'root' password."
|
||||
|
||||
else
|
||||
|
||||
do_log "error" "true" "Invalid value for 'accounts_root_login': '${accounts_root_login}'. Expected value: 'true' or 'false'."
|
||||
|
||||
fi
|
||||
|
||||
if [[ ${accounts_user_login,,} == "true" ]]; then
|
||||
|
||||
echo "${accounts_user_name}:${accounts_user_password_crypted}" | chpasswd -e
|
||||
do_log "info" "false" "Account '${accounts_user_name}' password inserted."
|
||||
|
||||
if [[ ! -d ${TARGET}/home/${accounts_user_name}/.ssh ]]; then
|
||||
|
||||
mkdir "${TARGET}"/home/"${accounts_user_name}"/.ssh
|
||||
chown "${accounts_user_name}":"${accounts_user_name}" "${TARGET}"/home/"${accounts_user_name}"/.ssh
|
||||
chmod 0700 "${TARGET}"/home/"${accounts_user_name}"/.ssh
|
||||
|
||||
else
|
||||
|
||||
chown "${accounts_user_name}":"${accounts_user_name}" "${TARGET}"/home/"${accounts_user_name}"/.ssh
|
||||
chmod 0700 "${TARGET}"/home/"${accounts_user_name}"/.ssh
|
||||
|
||||
fi
|
||||
|
||||
if [[ ! -f ${TARGET}/home/${accounts_user_name}/.ssh/authorized_keys ]]; then
|
||||
|
||||
touch "${TARGET}"/home/"${accounts_user_name}"/.ssh/authorized_keys
|
||||
chown "${accounts_user_name}":"${accounts_user_name}" "${TARGET}"/home/"${accounts_user_name}"/.ssh/authorized_keys
|
||||
chmod 0600 "${TARGET}"/home/"${accounts_user_name}"/.ssh/authorized_keys
|
||||
printf "%s\n" "$accounts_user_ssh_pub_key" >> "${TARGET}"/home/"${accounts_user_name}"/.ssh/authorized_keys
|
||||
do_log "info" "false" "Account '${accounts_user_name}' SSH public key '${TARGET}/home/${accounts_user_name}/.ssh/authorized_keys' inserted."
|
||||
|
||||
else
|
||||
|
||||
chown "${accounts_user_name}":"${accounts_user_name}" "${TARGET}"/home/"${accounts_user_name}"/.ssh/authorized_keys
|
||||
chmod 0600 "${TARGET}"/home/"${accounts_user_name}"/.ssh/authorized_keys
|
||||
printf "%s\n" "$accounts_user_ssh_pub_key" >> "${TARGET}"/home/"${accounts_user_name}"/.ssh/authorized_keys
|
||||
do_log "info" "false" "Account '${accounts_user_name}' SSH public key '${TARGET}/home/${accounts_user_name}/.ssh/authorized_keys' inserted."
|
||||
|
||||
fi
|
||||
|
||||
elif [[ ${accounts_user_login,,} == "false" ]]; then
|
||||
|
||||
do_log "info" "false" "Skipped creation of account '${accounts_user_name}'."
|
||||
|
||||
else
|
||||
|
||||
do_log "error" "true" "Invalid value for 'accounts_user_login': '${accounts_user_login}'. Expected 'true' or 'false'."
|
||||
|
||||
fi
|
||||
|
||||
return 0
|
||||
}
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|
||||
Reference in New Issue
Block a user