V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m59s
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m59s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -50,6 +50,7 @@ ciss_secrets_unset() {
|
||||
### Declare Arrays, HashMaps, and Variables.
|
||||
declare var_k="" var_v=""
|
||||
|
||||
### SECRETS handling ---------------------------------------------------------------------------------------------------------
|
||||
guard_trace on
|
||||
|
||||
for var_k in "${!CISS_SECRETS_MAP[@]}"; do
|
||||
@@ -67,6 +68,7 @@ ciss_secrets_unset() {
|
||||
CISS_SECRETS_MAP=()
|
||||
|
||||
guard_trace off
|
||||
### SECRETS handling ---------------------------------------------------------------------------------------------------------
|
||||
|
||||
return 0
|
||||
}
|
||||
@@ -154,6 +156,7 @@ yaml_secret() {
|
||||
__umask=$(umask)
|
||||
umask 0077
|
||||
|
||||
### SECRETS handling ---------------------------------------------------------------------------------------------------------
|
||||
guard_trace on
|
||||
|
||||
secrets_encrypted="$(yq -r '.secrets.x_files // false' -- "${secrets_if}")" || secrets_encrypted="false"
|
||||
@@ -258,6 +261,7 @@ yaml_secret() {
|
||||
umask "${__umask}"
|
||||
|
||||
guard_trace off
|
||||
### SECRETS handling ---------------------------------------------------------------------------------------------------------
|
||||
|
||||
guard_dir; return 0
|
||||
}
|
||||
|
||||
@@ -25,6 +25,7 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
|
||||
# ERR_GENERATE_SALT: on failure
|
||||
#######################################
|
||||
nuke_passphrase() {
|
||||
### SECRETS handling ---------------------------------------------------------------------------------------------------------
|
||||
guard_trace on
|
||||
|
||||
### Declare Arrays, HashMaps, and Variables.
|
||||
@@ -62,6 +63,7 @@ nuke_passphrase() {
|
||||
do_log "debug" "file_only" "0105() NUKE hash starts with: [${VAR_NUKE_HASH:0:32}...]"
|
||||
|
||||
guard_trace off
|
||||
### SECRETS handling ---------------------------------------------------------------------------------------------------------
|
||||
|
||||
guard_dir; return 0
|
||||
}
|
||||
|
||||
@@ -15,26 +15,29 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
|
||||
#######################################
|
||||
# Append the GRUB superuser block to '/etc/grub.d/40_custom'.
|
||||
# Globals:
|
||||
# DIR_CNF
|
||||
# CISS_SECRET_GRUB
|
||||
# TARGET
|
||||
# Arguments:
|
||||
# None
|
||||
# Returns:
|
||||
# 0: on success
|
||||
# ERR_READ_GRUB_FILE
|
||||
# ERR_READ_GRUB_FILE: on failure
|
||||
#######################################
|
||||
update_grub_password() {
|
||||
### Declare Arrays, HashMaps, and Variables.
|
||||
declare var_username="superadmin" var_password="" var_password_file="${DIR_CNF}/password_grub.txt" \
|
||||
declare var_username="superadmin" var_password="" \
|
||||
var_of="${TARGET}/etc/grub.d/40_custom" var_grub_entry=""
|
||||
|
||||
### SECRETS handling ---------------------------------------------------------------------------------------------------------
|
||||
guard_trace on
|
||||
|
||||
var_password=$(<"${var_password_file}") || return "${ERR_READ_GRUB_FILE}"
|
||||
var_password="${CISS_SECRET_GRUB}" || return "${ERR_READ_GRUB_FILE}"
|
||||
unset CISS_SECRET_GRUB
|
||||
|
||||
var_grub_entry=$(generate_grub_password_pbkdf2 "${var_username}" "${var_password}")
|
||||
|
||||
guard_trace off
|
||||
### SECRETS handling ---------------------------------------------------------------------------------------------------------
|
||||
|
||||
### Append if not already present.
|
||||
if ! grep -q "set superusers=" "${var_of}"; then
|
||||
@@ -56,6 +59,8 @@ readonly -f update_grub_password
|
||||
|
||||
#######################################
|
||||
# Generate PBKDF2 password hash for GRUB.
|
||||
# Globals:
|
||||
# None
|
||||
# Arguments:
|
||||
# 1: Username (default to superadmin).
|
||||
# 2: User password.
|
||||
|
||||
@@ -15,6 +15,9 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
|
||||
#######################################
|
||||
# Updating root account and generation user accounts.
|
||||
# Globals:
|
||||
# CISS_SECRET_USER_ROOT_PASSWORD
|
||||
# CISS_SECRET_USER_ROOT_SSHPUBKEY
|
||||
# LOG_ERR
|
||||
# RECOVERY
|
||||
# TARGET
|
||||
# VAR_RUN_RECOVERY
|
||||
@@ -27,8 +30,6 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
|
||||
# user_root_authentication_access_ssh
|
||||
# user_root_authentication_access_tty
|
||||
# user_root_authentication_password
|
||||
# user_root_password
|
||||
# user_root_sshpubkey
|
||||
# Arguments:
|
||||
# None
|
||||
# Returns:
|
||||
@@ -152,7 +153,9 @@ EOF
|
||||
esac
|
||||
|
||||
### 4) Check the password policy for the 'root' account.
|
||||
chroot_script "${var_target}" "printf '%s:%s\n' 'root' '${user_root_password}' | /usr/sbin/chpasswd -e"
|
||||
chroot_script "${var_target}" "printf '%s:%s\n' 'root' '${CISS_SECRET_USER_ROOT_PASSWORD}' | /usr/sbin/chpasswd -e"
|
||||
do_log "info" "file_only" "4520() User: 'root' password: inserted."
|
||||
unset CISS_SECRET_USER_ROOT_PASSWORD
|
||||
|
||||
case "${user_root_authentication_password,,}" in
|
||||
|
||||
@@ -174,9 +177,10 @@ EOF
|
||||
esac
|
||||
|
||||
### 5) Update the 'root' SSH pubkey, if provided via 'preseed.yaml'.
|
||||
if [[ -n "${user_root_sshpubkey:-}" ]]; then
|
||||
if [[ -n "${CISS_SECRET_USER_ROOT_SSHPUBKEY:-}" ]]; then
|
||||
|
||||
printf "%s\n" "${user_root_sshpubkey}" >| "${var_target}/root/.ssh/authorized_keys"
|
||||
printf "%s\n" "${CISS_SECRET_USER_ROOT_SSHPUBKEY}" >| "${var_target}/root/.ssh/authorized_keys"
|
||||
unset CISS_SECRET_USER_ROOT_SSHPUBKEY
|
||||
do_log "info" "file_only" "4520() User: 'root' SSH public key: inserted."
|
||||
|
||||
fi
|
||||
@@ -231,8 +235,8 @@ EOF
|
||||
tmp_uid="user_user${i}_uid"
|
||||
tmp_gid="user_user${i}_gid"
|
||||
tmp_shell="user_user${i}_shell"
|
||||
tmp_password="user_user${i}_password"
|
||||
tmp_sshpubkey="user_user${i}_sshpubkey"
|
||||
tmp_password="CISS_SECRET_USER_USER${i}_PASSWORD"
|
||||
tmp_sshpubkey="CISS_SECRET_USER_USER${i}_SSHPUBKEY"
|
||||
tmp_access_tty="user_user${i}_authentication_access_tty"
|
||||
tmp_auth_pwd="user_user${i}_authentication_password"
|
||||
tmp_2fa_ssh="user_user${i}_authentication_2fa_ssh"
|
||||
@@ -450,6 +454,7 @@ EOF
|
||||
find "${var_target}/home/${var_username}" -xdev -exec chown -h "${var_uid}:${var_gid}" {} +
|
||||
|
||||
### 9) Final status logging.
|
||||
unset var_password var_sshpubkey
|
||||
do_log "info" "file_only" "4520() Created user: [${var_username}] UID: [${var_uid}] GID: [${var_gid}]"
|
||||
|
||||
done
|
||||
@@ -460,8 +465,6 @@ EOF
|
||||
|
||||
fi
|
||||
|
||||
unset VAR_TEMP_PLAIN_MFA_SEED
|
||||
|
||||
if ! grep -Fqx -- '-: ALL:ALL' "${var_target}/etc/security/access.conf"; then
|
||||
|
||||
printf '%s\n' '-: ALL:ALL' >> "${var_target}/etc/security/access.conf"
|
||||
@@ -471,6 +474,8 @@ EOF
|
||||
printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${var_target}/etc/security/access.conf"
|
||||
printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${var_target}/etc/ssh/sshd_config"
|
||||
|
||||
unset VAR_TEMP_PLAIN_MFA_SEED
|
||||
|
||||
guard_dir; return 0
|
||||
}
|
||||
### Prevents accidental 'unset -f'.
|
||||
@@ -511,12 +516,12 @@ readonly -f eza_installer
|
||||
|
||||
#######################################
|
||||
# Generates a deterministic TOTP secret based on:
|
||||
# Username, FQDN, MFA salt, MFA master seed
|
||||
# Username, FQDN, MFA salt, MFA master seed
|
||||
# Globals:
|
||||
# CISS_SECRET_SEEDS_MFA_INFO
|
||||
# CISS_SECRET_SEEDS_MFA_SALT
|
||||
# VAR_FINAL_FQDN
|
||||
# VAR_TEMP_PLAIN_MFA_SEED
|
||||
# user_mfa_info
|
||||
# user_mfa_salt
|
||||
# Arguments:
|
||||
# 1: Username
|
||||
# Returns:
|
||||
@@ -526,10 +531,11 @@ generate_totp_secret() {
|
||||
### Declare Arrays, HashMaps, and Variables.
|
||||
declare var_user="${1}"
|
||||
declare var_host_id="${VAR_FINAL_FQDN}"
|
||||
declare var_salt="${user_mfa_salt}:${var_host_id}:${var_user}"
|
||||
declare var_info="${user_mfa_info}"
|
||||
declare var_salt="${CISS_SECRET_SEEDS_MFA_SALT}:${var_host_id}:${var_user}"
|
||||
declare var_info="${CISS_SECRET_SEEDS_MFA_INFO}"
|
||||
declare var_secret=""
|
||||
|
||||
### SECRETS handling ---------------------------------------------------------------------------------------------------------
|
||||
guard_trace on
|
||||
|
||||
### Derive 20 bytes via HKDF-SHA256 using OpenSSL 3 kdf, output as raw, then base32 (uppercase, no padding).
|
||||
@@ -550,6 +556,7 @@ generate_totp_secret() {
|
||||
printf '%s\n' "${var_secret}"
|
||||
|
||||
guard_trace off
|
||||
### SECRETS handling ---------------------------------------------------------------------------------------------------------
|
||||
|
||||
return 0
|
||||
}
|
||||
@@ -717,33 +724,31 @@ EOF
|
||||
readonly -f hardening_sudo
|
||||
|
||||
#######################################
|
||||
# Reads a 256-bit seed from '${DIR_CNF}/mfa_master.txt' (64 hex chars) into VAR_TEMP_PLAIN_MFA_SEED.
|
||||
# Reads a 256-bit seed from '${CISS_SECRET_SEEDS_MFA_SECRET}' '(64 hex chars) into VAR_TEMP_PLAIN_MFA_SEED.
|
||||
# Globals:
|
||||
# DIR_CNF
|
||||
# CISS_SECRET_SEEDS_MFA_SECRET
|
||||
# VAR_TEMP_PLAIN_MFA_SEED
|
||||
# Arguments:
|
||||
# None
|
||||
# Returns:
|
||||
# 0: on success
|
||||
# ERR_READ_SEED_FILE
|
||||
# ERR_READ_SEED_FILE: on failure
|
||||
#######################################
|
||||
read_totp_seed(){
|
||||
### Declare Arrays, HashMaps, and Variables.
|
||||
declare -r var_mfa_seed_file="${DIR_CNF}/mfa_master.txt"
|
||||
declare -g VAR_TEMP_PLAIN_MFA_SEED=""
|
||||
|
||||
### SECRETS handling ---------------------------------------------------------------------------------------------------------
|
||||
guard_trace on
|
||||
|
||||
if ! read_password_file "${var_mfa_seed_file}" VAR_TEMP_PLAIN_MFA_SEED; then
|
||||
|
||||
return "${ERR_READ_SEED_FILE}"
|
||||
|
||||
fi
|
||||
VAR_TEMP_PLAIN_MFA_SEED="${CISS_SECRET_SEEDS_MFA_SECRET}"
|
||||
unset CISS_SECRET_SEEDS_MFA_SECRET
|
||||
|
||||
### Validate: exactly 64 hex.
|
||||
[[ "${VAR_TEMP_PLAIN_MFA_SEED}" =~ ^[0-9a-fA-F]{64}$ ]] || return "${ERR_READ_SEED_FILE}"
|
||||
|
||||
guard_trace off
|
||||
### SECRETS handling ---------------------------------------------------------------------------------------------------------
|
||||
|
||||
return 0
|
||||
}
|
||||
@@ -889,14 +894,17 @@ readonly -f write_ciss_2fa_user
|
||||
write_google_authenticator_file() {
|
||||
### Declare Arrays, HashMaps, and Variables.
|
||||
declare -r var_user="${1}" var_user_id="${2}" var_group_id="${3}" var_target="${4}"
|
||||
declare var_secret=""
|
||||
declare -i i=0
|
||||
declare var_secret="" __umask=""
|
||||
|
||||
__umask=$(umask)
|
||||
|
||||
case "${1}" in
|
||||
root) declare var_base="${var_target}/root" ;;
|
||||
*) declare var_base="${var_target}/home/${var_user}" ;;
|
||||
esac
|
||||
declare -i i=0
|
||||
|
||||
### SECRETS handling ---------------------------------------------------------------------------------------------------------
|
||||
guard_trace on
|
||||
|
||||
var_secret="$(generate_totp_secret "${var_user}")"
|
||||
@@ -941,9 +949,10 @@ write_google_authenticator_file() {
|
||||
} >| "${DIR_TMP}/TOTP_${var_user}.secret"
|
||||
chmod 0400 "${DIR_TMP}/TOTP_${var_user}.secret"
|
||||
|
||||
umask 0022
|
||||
|
||||
guard_trace off
|
||||
### SECRETS handling ---------------------------------------------------------------------------------------------------------
|
||||
|
||||
umask "${__umask}"
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user