V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

.preseed/preseed.yaml

@@ -833,13 +833,15 @@ user:
     info: "totp:v1"
     salt: "CISS:CDI:OTP"       # + (Server_FQDN/Username)
   ##############################################################################################################################
-  # root – Superuser account (normally disabled for direct login)
+  # Root: The superuser account (normally disabled for direct login).
+  #       Key 'user.root.password' MUST contain a valid yescrypt hashed password string.
+  #       Key 'user.root.sshpubkey' MUST be set in case dropbear is used.
   ##############################################################################################################################
   root:
     ensure: present            # Must always be 'present'. (Not in use in this version of the installer.)
     protected: true            # Prevent unintentional edits or deletions. (Not in use in this version of the installer.)
     shell: /bin/zsh            # Login shell (e.g., '/bin/bash', '/bin/zsh'); use '/usr/sbin/nologin' for non-interactive users.
-    password: "47110815"
+    password: "$y$jFT$7pQlcZrgTEGrzkEm7UQW/.$QoCamalYEAV5mN4QWIE.xpHo8kvXa9sym2Uz.9oELwA"
     sshpubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
     authentication:
       access:
@@ -855,6 +857,7 @@ user:
       shell: true              # MUST be "true" if the shell is not '/usr/sbin/nologin' or '/bin/false'.
       sudo: false              # Whether the user can escalate to root using sudo.
       system: true             # Whether this is a low-UID system user (e.g., for automation).
+    specific: "ciss"
 
   ##############################################################################################################################
   # Primary administrative user with full sudo access
@@ -867,7 +870,7 @@ user:
     uid: 1000                  # Ensures that the same user has the same UID on all systems.
     gid: 1000                  # Ensures that the same user has the same GID on all systems.
     shell: /bin/zsh            # Login shell (e.g., '/bin/bash', '/bin/zsh'); use '/usr/sbin/nologin' for non-interactive users.
-    password: "47110815"
+    password: "$y$jFT$OGeZONH5ho2JSXvAbyIBQ1$5OhyHqOaMZ9BZcfMOYEwF.nMLFKd9ceiW2oNksPCHVB"
     sshpubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
     authentication:
       access:
@@ -883,6 +886,7 @@ user:
       system: false            # Whether this is a low-UID system user (e.g., for automation).
       restricted: false        # If true, the user is limited in scope (e.g., no login, no file access, --no-create-home)
       shell: true              # MUST be "true" if the shell is not '/usr/sbin/nologin' or '/bin/false'.
+    specific: "ciss"
 
   ##############################################################################################################################
   # ansible – System user for automation, no interactive shell
@@ -911,5 +915,6 @@ user:
       system: true             # Whether this is a low-UID system user (e.g., for automation).
       restricted: false        # If true, the user is limited in scope (e.g., no login, no file access, --no-create-home)
       shell: true              # MUST be "true" if the shell is not '/usr/sbin/nologin' or '/bin/false'.
+    specific: "none"
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

func/cdi_1000_helper/1080_helper_chroot.sh

@@ -81,6 +81,9 @@ chroot_exec() {
 
   fi
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f chroot_exec
 
 #######################################
 # Run a complete shell script line inside the chroot using the command 'bash -c'.
@@ -158,6 +161,9 @@ chroot_script() {
 
   fi
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f chroot_script
 
 #######################################
 # Run the installer-desired code incl. positional arguments via stdin (HEREDOC) inside the chroot with bash -s.
@@ -248,4 +254,7 @@ chroot_stdin() {
 
   fi
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f chroot_stdin
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_1250_yaml/1250_yaml_parser.sh

@@ -94,4 +94,7 @@ yaml_parser() {
 
   guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f yaml_parser
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_1250_yaml/1251_yaml_reader.sh

@@ -234,4 +234,7 @@ END { print max }
 
   guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f yaml_reader
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_3200_partitioning/3220_partition_encryption.sh

@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
+# TODO: LUKS Header Cloud Backup
+
 guard_sourcing
 
 #######################################

func/cdi_4300_network/4312_dropbear_setup.sh

@@ -140,6 +140,9 @@ EOF
 
   guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f dropbear_setup
 
 #######################################
 # Write '/etc/dropbear/initramfs/dropbear.conf'.
@@ -195,6 +198,10 @@ DROPBEAR_OPTIONS="-b /etc/dropbear/banner -E -I 300 -K 60 -p ${dropbear_port}"
 EOF
 
   do_log "info" "file_only" "4312() Written: '${TARGET}/etc/dropbear/initramfs/dropbear.conf'."
+  do_log "info" "file_only" "4312() Written: 'DROPBEAR_OPTIONS=\"-b /etc/dropbear/banner -E -I 300 -K 60 -p ${dropbear_port}\"'."
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f write_dropbear_conf
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4500_user/4520_accounts_setup.sh

@@ -37,9 +37,11 @@ accounts_setup() {
   declare -r  var_logfile="/root/.ciss/cdi/log/4520_accounts_setup.log"
   declare -i  i=0
   declare     tmp_username="" tmp_fullname="" tmp_uid="" tmp_gid="" tmp_shell="" tmp_password="" tmp_sshpubkey="" \
-              tmp_access_tty="" tmp_auth_pwd="" tmp_2fa_ssh="" tmp_2fa_tty="" tmp_sudo="" tmp_restricted="" tmp_system=""
+              tmp_access_tty="" tmp_auth_pwd="" tmp_2fa_ssh="" tmp_2fa_tty="" tmp_sudo="" tmp_restricted="" tmp_system="" \
+              tmp_specific=""
   declare     var_username="" var_fullname="" var_uid="" var_gid="" var_shell="" var_password="" var_sshpubkey="" \
-              var_access_tty="" var_auth_pwd="" var_2fa_ssh="" var_2fa_tty="" var_sudo="" var_restricted="" var_system=""
+              var_access_tty="" var_auth_pwd="" var_2fa_ssh="" var_2fa_tty="" var_sudo="" var_restricted="" var_system="" \
+              var_specific=""
   declare     var_ssh_totp_update="false"
 
   chroot_logger "${TARGET}${var_logfile}"
@@ -60,13 +62,25 @@ accounts_setup() {
 
     if [[ -x "${TARGET}${user_root_shell}" ]]; then
 
-      zsh_omz_installer "root"
+      case "${user_root_specific,,}" in
+
+        "ciss")
+          zsh_omz_installer "root"
+          mv "${TARGET}/root/.zshrc" "${TARGET}/root/.zshrc.bak"
+          install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${TARGET}/root/"
+          ;;
+
+        "physnet")
+          :
+          ;;
+
+        "none"|*)
+          :
+          ;;
+
+      esac
 
       chroot_exec "${TARGET}" chsh -s "${user_root_shell}" root
-
-      mv "${TARGET}/root/.zshrc" "${TARGET}/root/.zshrc.bak"
-      install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${TARGET}/root/"
-
       do_log "info" "file_only" "4520() Shell: '${user_root_shell}' used for: 'root'."
 
     else
@@ -160,9 +174,8 @@ EOF
       do_log "info" "file_only" "4520() User: 'root' password access: [false]"
       ;;
     true)
-      chpasswd --root "${TARGET}" --crypt-method YESCRYPT <<EOF
-root:${user_root_password}
-EOF
+      chroot_script "${TARGET}" "printf '%s:%s\n' root '${var_password}' | /usr/sbin/chpasswd -e"
+      #chroot_script "${TARGET}" "/usr/sbin/usermod -p '${user_root_password}' root"
       do_log "info" "file_only" "4520() User: 'root' password access: [true]"
       ;;
   esac
@@ -224,6 +237,7 @@ EOF
     tmp_sudo="user_user${i}_privileges_sudo"
     tmp_system="user_user${i}_privileges_system"
     tmp_restricted="user_user${i}_privileges_restricted"
+    tmp_specific="user_user${i}_privileges_restricted"
 
     var_username="${!tmp_username}"
     var_fullname="${!tmp_fullname}"
@@ -239,6 +253,7 @@ EOF
     var_sudo="${!tmp_sudo}"
     var_system="${!tmp_system}"
     var_restricted="${!tmp_restricted}"
+    var_specific="${!tmp_specific}"
 
     ### 0) A) Check if the 'group' of the 'user' already exists.
     if ! chroot_exec "${TARGET}" getent group "${var_username}" >/dev/null; then
@@ -314,10 +329,23 @@ EOF
 
       if [[ -x "${TARGET}${var_shell}" ]]; then
 
-        zsh_omz_installer "${var_username}"
+        case "${var_specific,,}" in
 
-        mv "${TARGET}/home/${var_username}/.zshrc" "${TARGET}/home/${var_username}/.zshrc.bak"
-        install -m 0600 -o "${var_uid}" -g "${var_gid}" "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${TARGET}/home/${var_username}"
+          "ciss")
+            zsh_omz_installer "${var_username}"
+            mv "${TARGET}/home/${var_username}/.zshrc" "${TARGET}/home/${var_username}/.zshrc.bak"
+            install -m 0600 -o "${var_uid}" -g "${var_gid}" "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${TARGET}/home/${var_username}"
+            ;;
+
+          "physnet")
+            :
+            ;;
+
+          "none"|*)
+            :
+            ;;
+
+        esac
 
         chroot_exec "${TARGET}" chsh -s "${var_shell}" "${var_username}"
         do_log "info" "file_only" "4520() Shell: '${var_shell}' used for: '${var_username}'."
@@ -369,9 +397,8 @@ EOF
         do_log "info" "file_only" "4520() User: '${var_username}' password access: [false]"
         ;;
       true)
-        chpasswd --root "${TARGET}" --crypt-method YESCRYPT <<EOF
-${var_username}:${var_password}
-EOF
+        chroot_script "${TARGET}" "printf '%s:%s\n' \"${var_username}\" '${var_password}' | /usr/sbin/chpasswd -e"
+        #chroot_script "${TARGET}" "/usr/sbin/usermod -p '${var_password}' ${var_username}"
         do_log "info" "file_only" "4520() User: '${var_username}' password access: [true]"
         ;;
     esac
@@ -404,7 +431,7 @@ EOF
 
       chroot_exec "${TARGET}" usermod -aG sudo "${var_username}"
       ### Hardening sudo users (idempotent) and ensure WinSCP SFTP-as-root.
-      hardening_sudo "${var_username}"
+      hardening_sudo "${var_username}" "${var_specific:-none}"
       ### Enable per-user TOTP in a given PAM service (login, sshd, su, sudo).
       pam_access_totp_enable "${var_username}" "sudo"
 
@@ -443,6 +470,9 @@ EOF
 
   guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f accounts_setup
 
 #######################################
 # Install eza CISS theme for the respective user.
@@ -470,6 +500,9 @@ eza_installer() {
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f eza_installer
 
 #######################################
 # Generates a deterministic TOTP secret based on:
@@ -515,6 +548,9 @@ generate_totp_secret() {
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f generate_totp_secret
 
 #######################################
 # Hardening of '/bin/su': only members of the group 'sudo' can su to root.
@@ -565,6 +601,9 @@ EOF
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f hardening_su
 
 #######################################
 # Hardening sudo users (idempotent) and ensure WinSCP SFTP-as-root.
@@ -580,6 +619,7 @@ EOF
 hardening_sudo() {
   ### Declare Arrays, HashMaps, and Variables.
   declare     var_user="$1"
+  declare     var_specific="$2"
   declare -r  var_logfile="/root/.ciss/cdi/log/4520_accounts_setup.log"
   declare -r  var_sudo_iolog_dir="${TARGET}/var/log/sudo-io"
   declare -r  var_sudoers_main="${TARGET}/etc/sudoers"
@@ -607,14 +647,17 @@ Defaults log_host, log_year, log_input, log_exit_status, log_subcmds, logfile="/
 EOF
   fi
 
-  ### Install global WinSCP SFTP-as-root command alias (idempotent).
-  if [[ -x "${TARGET}${var_sftp_bin}" ]]; then
+  case "${var_specific,,}" in
 
-    if [[ ! -f "${var_sudoers_winscp_global}" ]]; then
+    "ciss")
+      ### Install global WinSCP SFTP-as-root command alias (idempotent).
+      if [[ -x "${TARGET}${var_sftp_bin}" ]]; then
 
-      insert_header   "${var_sudoers_winscp_global}"
-      insert_header "${var_sudoers_winscp_global}"
-      cat << EOF >|    "${var_sudoers_winscp_global}"
+        if [[ ! -f "${var_sudoers_winscp_global}" ]]; then
+
+          insert_header   "${var_sudoers_winscp_global}"
+          insert_comments "${var_sudoers_winscp_global}"
+          cat << EOF >|   "${var_sudoers_winscp_global}"
 ### Added by CISS.debian.installer. WinSCP SFTP-as-root (least privilege).
 ### Allow exactly the sftp-server binary, optionally with -e (stderr logging).
 Cmnd_Alias CISS_SFTPROOT = ${var_sftp_bin}, ${var_sftp_bin} -e
@@ -627,34 +670,45 @@ Defaults!CISS_SFTPROOT noexec, !setenv, timestamp_timeout=0
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
-      chmod 0440 "${var_sudoers_winscp_global}"
+          chmod 0440 "${var_sudoers_winscp_global}"
 
-    fi
+        fi
 
-  else
+      else
 
-    do_log "warn" "file_only" "4520() sftp-server not found at [${var_sftp_bin}] in TARGET; skipping global alias for now."
+        do_log "warn" "file_only" "4520() sftp-server not found at [${var_sftp_bin}] in TARGET; skipping global alias for now."
 
-  fi
+      fi
 
-  ### Grant this user access to the alias (idempotent). Only add if not already present; keep the file permissive correctness.
-  if [[ -f "${var_sudoers_winscp_user}" ]]; then
+      ### Grant this user access to the alias (idempotent). Only add if not already present; keep the file permissive correctness.
+      if [[ -f "${var_sudoers_winscp_user}" ]]; then
 
-    if ! grep -qE "^${var_user}\s+ALL=\(root\)\s+NOPASSWD:\s+CISS_SFTPROOT\b" "${var_sudoers_winscp_user}" 2>/dev/null; then
+        if ! grep -qE "^${var_user}\s+ALL=\(root\)\s+NOPASSWD:\s+CISS_SFTPROOT\b" "${var_sudoers_winscp_user}" 2>/dev/null; then
 
-      echo "${var_user} ALL=(root) NOPASSWD: CISS_SFTPROOT" >> "${var_sudoers_winscp_user}"
+          echo "${var_user} ALL=(root) NOPASSWD: CISS_SFTPROOT" >> "${var_sudoers_winscp_user}"
 
-    fi
+        fi
 
-  else
+      else
 
-    insert_header   "${var_sudoers_winscp_user}"
-    insert_header "${var_sudoers_winscp_user}"
-    echo "${var_user} ALL=(root) PASSWD: CISS_SFTPROOT" >> "${var_sudoers_winscp_user}"
-    printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${var_sudoers_winscp_user}"
+        insert_header   "${var_sudoers_winscp_user}"
+        insert_comments "${var_sudoers_winscp_user}"
+        echo "${var_user} ALL=(root) PASSWD: CISS_SFTPROOT" >> "${var_sudoers_winscp_user}"
+        printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${var_sudoers_winscp_user}"
 
-  fi
-  chmod 0440 "${var_sudoers_winscp_user}"
+      fi
+      chmod 0440 "${var_sudoers_winscp_user}"
+      ;;
+
+    "physnet")
+      :
+      ;;
+
+    "none"|*)
+      :
+      ;;
+
+  esac
 
   ### Tighten perms on sudoers.d (idempotent).
   find "${var_sudoers_dir}" -type f -exec chmod 0440 {} \;
@@ -709,6 +763,9 @@ EOF
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f hardening_sudo
 
 #######################################
 # Ensure the 'pam_access' line is not activated in '/etc/pam.d/login' and '/etc/pam.d/sshd' in parallel.
@@ -774,6 +831,9 @@ EOF
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f pam_access_sync_login_sshd
 
 #######################################
 # Enable per-user TOTP in a given PAM service (login, sshd, su, sudo).
@@ -869,6 +929,9 @@ EOF
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f pam_access_totp_enable
 
 #######################################
 # Reads a 256-bit seed from '${DIR_CNF}/mfa_master.txt' (64 hex chars) into VAR_TEMP_PLAIN_MFA_SEED.
@@ -901,12 +964,14 @@ read_totp_seed(){
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f read_totp_seed
 
 #######################################
 # Writes '.google_authenticator'-file for the respective user.
 # Globals:
 #   DIR_TMP
-#   RANDOM
 #   TARGET
 # Arguments:
 #   1: Username
@@ -965,6 +1030,9 @@ write_google_authenticator_file() {
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f write_google_authenticator_file
 
 #######################################
 # Use the official ohmyzsh-installer but force non-interactive behavior; do not run zsh; do not chsh.
@@ -1089,4 +1157,7 @@ EOF
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f zsh_omz_installer
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/cdi_0005_guard/0005_guard_sourcing.sh

@@ -39,4 +39,7 @@ guard_sourcing() {
   declare -grx "${var_guard_var}"=1
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f guard_sourcing
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/cdi_0005_guard/0006_source_guard.sh

@@ -25,4 +25,7 @@ source_guard() {
     . "${var_file}"
   fi
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f source_guard
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/cdi_0005_guard/0007_guard_safe_exec.sh

@@ -25,4 +25,7 @@ safe_exec() {
   do_log "error" "file_only" "0007() Command '${ary_cmd[*]}' failed."
   return "${var_errcode}"
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f safe_exec
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/cdi_0005_guard/0008_guard_variable.sh

@@ -32,6 +32,9 @@ ensure_lowercase() {
   ref="${ref,,}"
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f ensure_lowercase
 
 #######################################
 # Converts the value of a passed variable to uppercase.
@@ -53,6 +56,9 @@ ensure_uppercase() {
   ref="${ref^^}"
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f ensure_uppercase
 
 #######################################
 # Removes leading and trailing spaces in the value.
@@ -75,6 +81,9 @@ ensure_trimmed() {
   ref="${ref%"${ref##*[![:space:]]}"}"
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f ensure_trimmed
 
 #######################################
 # Resets the value of the variable to a default value if it is empty or contains only whitespace.
@@ -102,6 +111,9 @@ reset_to_default() {
   fi
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f reset_to_default
 
 #######################################
 # Checks whether the content of a variable matches a specific regex.
@@ -129,4 +141,7 @@ assert_match() {
   fi
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f assert_match
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/cdi_0005_guard/0009_guard_dir.sh

@@ -23,4 +23,7 @@ guard_dir() {
   cd "${VAR_SETUP_PATH}"
   do_log "info" "file_only" "${mod} Finished successfully."
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f guard_dir
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh