V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/cdi_4500_user/4520_accounts_setup.sh

@@ -40,7 +40,7 @@ accounts_setup() {
               tmp_access_tty="" tmp_auth_pwd="" tmp_2fa_ssh="" tmp_2fa_tty="" tmp_sudo="" tmp_restricted=""
   declare     var_username="" var_fullname="" var_uid="" var_gid="" var_shell="" var_password="" var_sshpubkey="" \
               var_access_tty="" var_auth_pwd="" var_2fa_ssh="" var_2fa_tty="" var_sudo="" var_restricted=""
-  declare     var_chpasswd="" var_pam_login="/etc/pam.d/login" var_ssh_totp_update="false"
+  declare     var_chpasswd="" var_ssh_totp_update="false"
 
   chroot_logger "${TARGET}${var_logfile}"
 
@@ -101,18 +101,19 @@ accounts_setup() {
 
       ### 3) A) 2) Ensure 'pam_securetty' in the auth phase; requisite causes immediate fail for disallowed ttys.
       chroot_script "${TARGET}" "
-        if ! grep -qE '^\s*auth\s+requisite\s+pam_securetty\.so' /etc/pam.d/login; then
+        if ! grep -Eq '^[[:space:]]*auth[[:space:]]+requisite[[:space:]]+pam_securetty\.so' /etc/pam.d/login; then
-          ### Insert pam_securetty before pam_unix to fail early.
           awk '
             BEGIN{ins=0}
-            {
+              {
-              if(!ins && $0 ~ /^\s*auth\s+.*pam_unix\.so/){
+                if(!ins && $0 ~ /^[[:space:]]*auth[[:space:]]+.*pam_unix\.so/){
-                print 'auth  requisite  pam_securetty.so'
+                print \"auth  requisite  pam_securetty.so\"
                 ins=1
               }
               print
             }
-            END{ if(!ins) print 'auth  requisite  pam_securetty.so' }
+            END{
+              if(!ins) print \"auth  requisite  pam_securetty.so\"
+            }
           ' /etc/pam.d/login >| /etc/pam.d/login.new && mv -f /etc/pam.d/login.new /etc/pam.d/login
         fi
       "
@@ -190,10 +191,10 @@ EOF
     tmp_shell="user_user${i}_shell"
     tmp_password="user_user${i}_password"
     tmp_sshpubkey="user_user${i}_sshpubkey"
-    tmp_access_tty="user_user${i}authentication_access_tty"
+    tmp_access_tty="user_user${i}_authentication_access_tty"
-    tmp_auth_pwd="user_user${i}authentication_password"
+    tmp_auth_pwd="user_user${i}_authentication_password"
-    tmp_2fa_ssh="user_user${i}authentication_2fa_ssh"
+    tmp_2fa_ssh="user_user${i}_authentication_2fa_ssh"
-    tmp_2fa_tty="user_user${i}authentication_2fa_tty"
+    tmp_2fa_tty="user_user${i}_authentication_2fa_tty"
     tmp_sudo="user_user${i}_privileges_sudo"
     tmp_restricted="user_user${i}_privileges_restricted"
 
@@ -611,11 +612,12 @@ pam_access_sync_login_sshd() {
       awk '
         BEGIN { done=0 }
         {
-          if (!done && \$0 ~ /^[[:space:]]*#[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access\.so([[:space:]]|$)/) {
+          if (!done && $0 ~ /^[[:space:]]*#[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access\.so([[:space:]]|$/)) {
-            sub(/^[[:space:]]*#[[:space:]]*/, "", \$0);  ### drop leading '#' and following spaces.
+            ### Drop leading '#'+spaces; use 2-arg form to avoid $0 in the source.
-            done=1;
+            sub(/^[[:space:]]*#[[:space:]]*/, "")
+            done=1
           }
-          print;
+          print
         }
       ' /etc/pam.d/login >| /etc/pam.d/login.new
       mv -f /etc/pam.d/login.new /etc/pam.d/login
@@ -627,8 +629,8 @@ pam_access_sync_login_sshd() {
     if grep -Eq '^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access\.so([[:space:]]|$)' /etc/pam.d/login; then
       if [[ -f /etc/pam.d/sshd ]]; then
         awk '
-          ### Comment only active matches; leave already-commented lines as-is.
+          ### Comment only active matches; keep pre-commented lines untouched.
-          /^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access\.so([[:space:]]|$)/ { print \"# \" $0; next }
+          /^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access\.so([[:space:]]|$)/ { print \"# \" \$0; next }
           { print }
         ' /etc/pam.d/sshd >| /etc/pam.d/sshd.new
         mv -f /etc/pam.d/sshd.new /etc/pam.d/sshd