msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m1s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-09-12 16:47:59 +02:00
parent eaafaafaab
commit b6369cceda
1 changed files with 19 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
func/cdi_4500_user/4520_accounts_setup.sh
View File

@@ -40,7 +40,7 @@ accounts_setup() {
tmp_access_tty="" tmp_auth_pwd="" tmp_2fa_ssh="" tmp_2fa_tty="" tmp_sudo="" tmp_restricted=""
declare var_username="" var_fullname="" var_uid="" var_gid="" var_shell="" var_password="" var_sshpubkey="" \
var_access_tty="" var_auth_pwd="" var_2fa_ssh="" var_2fa_tty="" var_sudo="" var_restricted=""
declare var_chpasswd="" var_pam_login="/etc/pam.d/login" var_ssh_totp_update="false"
declare var_chpasswd="" var_ssh_totp_update="false"
chroot_logger "${TARGET}${var_logfile}"
@@ -101,18 +101,19 @@ accounts_setup() {
### 3) A) 2) Ensure 'pam_securetty' in the auth phase; requisite causes immediate fail for disallowed ttys.
chroot_script "${TARGET}" "
if ! grep -qE '^\s*auth\s+requisite\s+pam_securetty\.so' /etc/pam.d/login; then
### Insert pam_securetty before pam_unix to fail early.
if ! grep -Eq '^[[:space:]]*auth[[:space:]]+requisite[[:space:]]+pam_securetty\.so' /etc/pam.d/login; then
awk '
BEGIN{ins=0}
{
if(!ins && $0 ~ /^\s*auth\s+.*pam_unix\.so/){
print 'auth requisite pam_securetty.so'
{
if(!ins && $0 ~ /^[[:space:]]*auth[[:space:]]+.*pam_unix\.so/){
print \"auth requisite pam_securetty.so\"
ins=1
}
print
}
END{ if(!ins) print 'auth requisite pam_securetty.so' }
END{
if(!ins) print \"auth requisite pam_securetty.so\"
}
' /etc/pam.d/login >| /etc/pam.d/login.new && mv -f /etc/pam.d/login.new /etc/pam.d/login
fi
"
@@ -190,10 +191,10 @@ EOF
tmp_shell="user_user${i}_shell"
tmp_password="user_user${i}_password"
tmp_sshpubkey="user_user${i}_sshpubkey"
tmp_access_tty="user_user${i}authentication_access_tty"
tmp_auth_pwd="user_user${i}authentication_password"
tmp_2fa_ssh="user_user${i}authentication_2fa_ssh"
tmp_2fa_tty="user_user${i}authentication_2fa_tty"
tmp_access_tty="user_user${i}_authentication_access_tty"
tmp_auth_pwd="user_user${i}_authentication_password"
tmp_2fa_ssh="user_user${i}_authentication_2fa_ssh"
tmp_2fa_tty="user_user${i}_authentication_2fa_tty"
tmp_sudo="user_user${i}_privileges_sudo"
tmp_restricted="user_user${i}_privileges_restricted"
@@ -611,11 +612,12 @@ pam_access_sync_login_sshd() {
awk '
BEGIN { done=0 }
{
if (!done && \$0 ~ /^[[:space:]]*#[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access\.so([[:space:]]|$)/) {
sub(/^[[:space:]]*#[[:space:]]*/, "", \$0); ### drop leading '#' and following spaces.
done=1;
if (!done && $0 ~ /^[[:space:]]*#[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access\.so([[:space:]]|$/)) {
### Drop leading '#'+spaces; use 2-arg form to avoid $0 in the source.
sub(/^[[:space:]]*#[[:space:]]*/, "")
done=1
}
print;
print
}
' /etc/pam.d/login >| /etc/pam.d/login.new
mv -f /etc/pam.d/login.new /etc/pam.d/login
@@ -627,8 +629,8 @@ pam_access_sync_login_sshd() {
if grep -Eq '^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access\.so([[:space:]]|$)' /etc/pam.d/login; then
if [[ -f /etc/pam.d/sshd ]]; then
awk '
### Comment only active matches; leave already-commented lines as-is.
/^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access\.so([[:space:]]|$)/ { print \"# \" $0; next }
### Comment only active matches; keep pre-commented lines untouched.
/^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access\.so([[:space:]]|$)/ { print \"# \" \$0; next }
{ print }
' /etc/pam.d/sshd >| /etc/pam.d/sshd.new
mv -f /etc/pam.d/sshd.new /etc/pam.d/sshd