V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/cdi_4500_user/4520_accounts_setup.sh

@@ -95,9 +95,19 @@ accounts_setup() {
       ;;
 
     true)
-      ### SSH Public Key per default, only.
-      sed -i -E "s|^[[:space:]]*PermitRootLogin[[:space:]]+.*$|$(printf '%-29s%s' 'PermitRootLogin' 'prohibit-password')|" "${var_target}/etc/ssh/sshd_config"
-      do_log "info" "file_only" "4520() User: 'root' SSH access: [PermitRootLogin prohibit-password]"
+      if [[ "${user_root_authentication_2fa_ssh}" == "true" || "${user_root_authentication_2fa_tty}" == "true" ]]; then
+
+        ### SSH Public Key per default, only.
+        sed -i -E "s|^[[:space:]]*PermitRootLogin[[:space:]]+.*$|$(printf '%-29s%s' 'PermitRootLogin' 'yes')|" "${var_target}/etc/ssh/sshd_config"
+        do_log "info" "file_only" "4520() User: 'root' SSH access: [PermitRootLogin yes]"
+
+      else
+
+        ### SSH Public Key per default, only.
+        sed -i -E "s|^[[:space:]]*PermitRootLogin[[:space:]]+.*$|$(printf '%-29s%s' 'PermitRootLogin' 'prohibit-password')|" "${var_target}/etc/ssh/sshd_config"
+        do_log "info" "file_only" "4520() User: 'root' SSH access: [PermitRootLogin prohibit-password]"
+
+      fi
       ;;
 
     *)
@@ -895,12 +905,12 @@ write_google_authenticator_file() {
 
     printf '%s\n' "${var_secret}"
     printf '" RATE_LIMIT 3 30\n'
-    printf '" WINDOW_SIZE 10\n'
+    printf '" WINDOW_SIZE 04\n'
     printf '" DISALLOW_REUSE\n'
     printf '" TOTP_AUTH\n'
 
-    ### Emergency Codes (8x unbiased 8-digit, CSPRNG via OpenSSL).
-    for i in {1..8}; do
+    ### Emergency Codes (10x unbiased 8-digit, CSPRNG via OpenSSL).
+    for i in {1..10}; do
 
       ### Draw 32 bits; rejection sampling to avoid modulo bias.
       while :; do