V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m3s
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m3s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -596,19 +596,13 @@ pam_access_sync_login_sshd() {
|
||||
declare var_file_login="/etc/pam.d/login"
|
||||
declare var_file_sshd="/etc/pam.d/sshd"
|
||||
|
||||
### Guard: files must exist, no-op otherwise.
|
||||
### Guard: The file must exist, no-op otherwise.
|
||||
if [[ ! -f "${TARGET}${var_file_login}" ]]; then
|
||||
return 0
|
||||
fi
|
||||
|
||||
if [[ ! -f "${TARGET}${var_file_sshd}" ]]; then
|
||||
: ### Still continue, only '/etc/pam.d/login' will be processed
|
||||
fi
|
||||
|
||||
### 1) If the 'pam_access' line is commented in '/etc/pam.d/login', uncomment exactly one occurrence.
|
||||
# shellcheck disable=SC2155
|
||||
declare var_payload="$(
|
||||
cat <<'CISS'
|
||||
chroot_stdin "${TARGET}" "__payload__" <<'EOF'
|
||||
tmp="$(mktemp /etc/pam.d/login.XXXXXX)"
|
||||
LC_ALL=C awk '
|
||||
BEGIN { done=0 }
|
||||
@@ -623,46 +617,28 @@ BEGIN { done=0 }
|
||||
print
|
||||
}
|
||||
' /etc/pam.d/login >| "${tmp}"
|
||||
|
||||
test -s "${tmp}"
|
||||
mv -f "${tmp}" /etc/pam.d/login
|
||||
CISS
|
||||
)"
|
||||
|
||||
chroot_script "${TARGET}" "${var_payload}"
|
||||
|
||||
#chroot_script "${TARGET}" "
|
||||
# LC_ALL=C awk '
|
||||
# BEGIN { done=0 }
|
||||
# {
|
||||
# if (!done) {
|
||||
# tmp=\$0
|
||||
# sub(/^[[:space:]]*#+[[:space:]]*/, \"\", tmp)
|
||||
# if (tmp ~ /^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access[.]so([[:space:]]|$)/) {
|
||||
# print tmp
|
||||
# done=1
|
||||
# next
|
||||
# }
|
||||
# }
|
||||
# print
|
||||
# }
|
||||
# ' /etc/pam.d/login >| /etc/pam.d/login.new
|
||||
# mv -f /etc/pam.d/login.new /etc/pam.d/login
|
||||
# "
|
||||
[[ -f "${tmp}" ]] && rm -f "${tmp}"
|
||||
EOF
|
||||
|
||||
### 2) If '/etc/pam.d/login' now has an active pam_access line, ensure '/etc/pam.d/sshd' pam_access line(s) are commented out.
|
||||
chroot_script "${TARGET}" "
|
||||
if grep -Eq '^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access\.so([[:space:]]|$)' /etc/pam.d/login; then
|
||||
if [[ -f /etc/pam.d/sshd ]]; then
|
||||
awk '
|
||||
### Comment only active matches; keep pre-commented lines untouched.
|
||||
/^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access\.so([[:space:]]|$)/ { print \"# \" \$0; next }
|
||||
{ print }
|
||||
' /etc/pam.d/sshd >| /etc/pam.d/sshd.new
|
||||
mv -f /etc/pam.d/sshd.new /etc/pam.d/sshd
|
||||
fi
|
||||
fi
|
||||
"
|
||||
### No-op if '/etc/pam.d/sshd' is absent.
|
||||
[[ -f "${TARGET}${var_file_sshd}" ]] || return 0
|
||||
|
||||
chroot_stdin "${TARGET}" "__payload__" <<'EOF'
|
||||
LC_ALL=C
|
||||
if grep -Eq '^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access[.]so([[:space:]]|$)' /etc/pam.d/login; then
|
||||
tmp="$(mktemp /etc/pam.d/sshd.XXXXXX)"
|
||||
LC_ALL=C awk '
|
||||
/^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access[.]so([[:space:]]|$)/ { print "# " $0; next }
|
||||
{ print }
|
||||
' /etc/pam.d/sshd >| "${tmp}"
|
||||
test -s "${tmp}"
|
||||
mv -f "${tmp}" /etc/pam.d/sshd
|
||||
[[ -f "${tmp}" ]] && rm -f "${tmp}"
|
||||
fi
|
||||
EOF
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user