V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-08-10 21:45:51 +02:00
parent 12c7b2eab4
commit 5560ed09c9
25 changed files with 585 additions and 43 deletions
--- a/func/cdi_4500_user/4500_installation_accounts.sh
+++ b/func/cdi_4500_user/4500_installation_accounts.sh
@@ -28,10 +28,6 @@ guard_sourcing
 #   0: on success
 #######################################
 installation_accounts() {
-
-  #######################################
-  # Declare Variables
-  #######################################
  declare -i i
  declare tmp_username="" tmp_fullname="" tmp_uid="" tmp_gid="" tmp_shell="" tmp_password="" tmp_sshpubkey="" tmp_sudo="" \
    tmp_restricted=""
@@ -159,6 +155,132 @@ installation_accounts() {

  done

+
+  unset VAR_TEMP_PLAIN_MFA_SEED
+
  guard_dir && return 0
 }
+
+#######################################
+# Writes '.google_authenticator'-file for the respective user.
+# Globals:
+#   RANDOM
+#   TARGET
+# Arguments:
+#   1: Username
+# Returns:
+#   0: on success
+#######################################
+write_google_authenticator_file() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare     var_user="${1}" var_secret=""
+  case "${1}" in
+    root) declare var_base="${TARGET}/root"             ;;
+    *)    declare var_base="${TARGET}/home/${var_user}" ;;
+  esac
+  declare -i  i=0
+
+  ### TODO: PASSWORD REMINDER START:NOT ACTIVE
+  ### No tracing for security reasons
+  #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
+
+  var_secret="$(generate_totp_secret "${var_user}")"
+
+  umask 0077
+
+  {
+    printf '%s\n' "${var_secret}"
+    printf '"RATE_LIMIT 3 30"\n'
+    printf '"WINDOW 10"\n'
+    printf '"DISALLOW_REUSE"\n'
+    printf '"TOTP_AUTH"\n'
+    ### Emergency Codes:
+    for i in {0..7}; do printf '%08d\n' "$(( RANDOM % 100000000 ))"; done
+  } >| "${var_base}/.google_authenticator"
+
+  ### Turn on tracing again
+  #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
+  ### TODO: PASSWORD REMINDER STOP:NOT ACTIVE
+
+  chown "${var_user}:${var_user}" "${var_base}/.google_authenticator"
+
+  chmod 0600 "${var_base}/.google_authenticator"
+
+  umask 0022
+
+  return 0
+}
+
+#######################################
+# Generates a deterministic TOTP secret based on:
+# Username, FQDN, MFA salt, MFA master seed
+# Globals:
+#   VAR_FINAL_FQDN
+#   VAR_TEMP_PLAIN_MFA_SEED
+#   user_mfa_info
+#   user_mfa_salt
+# Arguments:
+#   1: Username
+# Returns:
+#   0: on success
+#######################################
+generate_totp_secret() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare  var_user="${1}"
+  declare  var_host_id="${VAR_FINAL_FQDN}"
+  declare  var_salt="${user_mfa_salt}:${var_host_id}:${var_user}"
+  declare  var_info="${user_mfa_info}"
+  declare  var_secret=""
+
+  ### TODO: PASSWORD REMINDER START:NOT ACTIVE
+  ### No tracing for security reasons
+  #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
+
+  ### Derive 20 bytes via HKDF-SHA256 using OpenSSL 3 kdf, output as raw, then base32 (uppercase, no padding).
+  # shellcheck disable=SC2312
+  var_secret="$(
+    printf '%s' "${VAR_TEMP_PLAIN_MFA_SEED}" | xxd -r -p | openssl kdf -keylen 20 -kdfopt digest:SHA256 \
+      -kdfopt salt:"${var_salt}" -kdfopt info:"${var_info}" -binary HKDF | base32 | tr -d '=' | tr '[:lower:]' '[:upper:]'
+  )"
+
+  ### Turn on tracing again
+  #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
+  ### TODO: PASSWORD REMINDER STOP:NOT ACTIVE
+
+  printf '%s\n' "${var_secret}"
+  return 0
+}
+
+#######################################
+# Reads a 256-bit seed from '${DIR_CNF}/mfa_master.txt' (64 hex chars) into VAR_TEMP_PLAIN_MFA_SEED.
+# Globals:
+#   DIR_CNF
+#   VAR_TEMP_PLAIN_MFA_SEED
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#   ERR_READ_SEED_FILE
+#######################################
+read_totp_seed(){
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r var_mfa_seed_file="${DIR_CNF}/mfa_master.txt"
+  declare -g VAR_TEMP_PLAIN_MFA_SEED=""
+
+  ### TODO: PASSWORD REMINDER START:NOT ACTIVE
+  ### No tracing for security reasons
+  #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
+  if ! read_password_file "${var_mfa_seed_file}" VAR_TEMP_PLAIN_MFA_SEED; then
+    return "${ERR_READ_SEED_FILE}"
+  fi
+
+  ### Validate: exactly 64 hex.
+  [[ "${VAR_TEMP_PLAIN_MFA_SEED}" =~ ^[0-9a-fA-F]{64}$ ]] || return "${ERR_READ_SEED_FILE}"
+
+  ### Turn on tracing again
+  #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
+  ### TODO: PASSWORD REMINDER STOP:NOT ACTIVE
+
+  return 0
+}
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh