V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

.preseed/preseed.yaml

@@ -856,7 +856,7 @@ user:
       password: true           # Allow password login. SSH password login is always disabled.
       2fa:
         ssh: false             # Require 2FA for SSH access.
-        tty: false             # Require 2FA for TTY (local console) login.
+        tty: true              # Require 2FA for TTY (local console) login.
     privileges:
       description: "Root user with full system access and administrative privileges."
       restricted: false        # If true, the user is limited in scope (e.g., no login, no file access, --no-create-home)
@@ -885,8 +885,8 @@ user:
         tty: true              # Allow TTY (local console) login.
       password: true           # Allow password login. SSH password login is always disabled.
       2fa:
-        ssh: false             # Require 2FA for SSH access.
-        tty: false             # Require 2FA for TTY (local console) login.
+        ssh: true              # Require 2FA for SSH access.
+        tty: true              # Require 2FA for TTY (local console) login.
     privileges:
       description: "Primary admin user with full sudo access and interactive login."
       sudo: true               # Whether the user can escalate to root using sudo.

func/cdi_4500_user/4510_accounts_hardening.sh

@@ -45,8 +45,9 @@ accounts_hardening() {
 
   ### Preparing 2fa hardening.
   install -d -m 0755 -o root -g root "${var_target}/etc/ciss"
-  touch "${var_target}/etc/ciss/2fa.users"
-  chmod 0600 "${var_target}/etc/ciss/2fa.users"
+  insert_header   "${var_target}/etc/ciss/2fa.users"
+  insert_comments "${var_target}/etc/ciss/2fa.users"
+  chmod 0600      "${var_target}/etc/ciss/2fa.users"
 
   ### Keep 'tty1' active, disable the rest.
   # shellcheck disable=SC2016