V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/cdi_4500_user/4520_accounts_setup.sh

@@ -29,23 +29,13 @@ guard_sourcing
 #######################################
 accounts_setup() {
   ### Declare Arrays, HashMaps, and Variables.
-  declare -i i
-  declare tmp_username="" tmp_fullname="" tmp_uid="" tmp_gid="" tmp_shell="" tmp_password="" tmp_sshpubkey="" tmp_sudo="" \
-    tmp_restricted=""
-  declare var_username="" var_fullname="" var_uid="" var_gid="" var_shell="" var_password="" var_sshpubkey="" var_sudo="" \
-    var_restricted="" var_chpasswd="" var_sshdir=""
+  declare -i  i=0
+  declare     tmp_username="" tmp_fullname="" tmp_uid="" tmp_gid="" tmp_shell="" tmp_password="" tmp_sshpubkey="" tmp_sudo="" \
+              tmp_restricted=""
+  declare     var_username="" var_fullname="" var_uid="" var_gid="" var_shell="" var_password="" var_sshpubkey="" var_sudo="" \
+              var_restricted="" var_chpasswd="" var_sshdir=""
 
-  ### Hardening '/etc/login.defs'
-  rm -f "${TARGET}/etc/login.defs"
-  insert_header "${TARGET}/etc/login.defs"
-  insert_comments "${TARGET}/etc/login.defs"
-  cat "${VAR_SETUP_PATH}/includes/target/etc/login.defs" >> "${TARGET}/etc/login.defs"
 
-  ### Hardening '/etc/security/pwquality.conf'
-  rm -f "${TARGET}/etc/security/pwquality.conf"
-  insert_header "${TARGET}/etc/security/pwquality.conf"
-  insert_comments "${TARGET}/etc/security/pwquality.conf"
-  cat "${VAR_SETUP_PATH}/includes/target/etc/security/pwquality.cnf" >> "${TARGET}/etc/security/pwquality.conf"
 
   ### Preparing the root account
   chown root:root "${TARGET}/etc/passwd" "${TARGET}/etc/shadow" "${TARGET}/etc/group" "${TARGET}/etc/gshadow"
@@ -55,6 +45,7 @@ accounts_setup() {
   if [[ -x "${TARGET}${user_root_shell}" ]]; then
     chroot_exec "${TARGET}" chsh -s "${user_root_shell}" root
   else
+    chroot_exec "${TARGET}" chsh -s /bin/bash root
     do_log "warn" "file_only" "4500() Shell: '${user_root_shell}' not found for: 'root'. Using '/bin/bash' instead."
   fi
 
@@ -185,8 +176,7 @@ write_google_authenticator_file() {
   esac
   declare -i  i=0
 
-  ### TODO: PASSWORD REMINDER START:NOT ACTIVE
-  #guard_trace on
+  guard_trace on
 
   var_secret="$(generate_totp_secret "${var_user}")"
 
@@ -202,8 +192,7 @@ write_google_authenticator_file() {
     for i in {0..7}; do printf '%08d\n' "$(( RANDOM % 100000000 ))"; done
   } >| "${var_base}/.google_authenticator"
 
-  ### TODO: PASSWORD REMINDER STOP:NOT ACTIVE
-  #guard_trace off
+  guard_trace off
 
   chown "${var_user}:${var_user}" "${var_base}/.google_authenticator"
 
@@ -235,8 +224,7 @@ generate_totp_secret() {
   declare  var_info="${user_mfa_info}"
   declare  var_secret=""
 
-  ### TODO: PASSWORD REMINDER START:NOT ACTIVE
-  #guard_trace on
+  guard_trace on
 
   ### Derive 20 bytes via HKDF-SHA256 using OpenSSL 3 kdf, output as raw, then base32 (uppercase, no padding).
   # shellcheck disable=SC2312
@@ -245,8 +233,7 @@ generate_totp_secret() {
       -kdfopt salt:"${var_salt}" -kdfopt info:"${var_info}" -binary HKDF | base32 | tr -d '=' | tr '[:lower:]' '[:upper:]'
   )"
 
-  ### TODO: PASSWORD REMINDER STOP:NOT ACTIVE
-  #guard_trace off
+  guard_trace off
 
   printf '%s\n' "${var_secret}"
   return 0
@@ -268,8 +255,7 @@ read_totp_seed(){
   declare -r var_mfa_seed_file="${DIR_CNF}/mfa_master.txt"
   declare -g VAR_TEMP_PLAIN_MFA_SEED=""
 
-  ### TODO: PASSWORD REMINDER START:NOT ACTIVE
-  #guard_trace on
+  guard_trace on
 
   if ! read_password_file "${var_mfa_seed_file}" VAR_TEMP_PLAIN_MFA_SEED; then
 
@@ -280,8 +266,7 @@ read_totp_seed(){
   ### Validate: exactly 64 hex.
   [[ "${VAR_TEMP_PLAIN_MFA_SEED}" =~ ^[0-9a-fA-F]{64}$ ]] || return "${ERR_READ_SEED_FILE}"
 
-  ### TODO: PASSWORD REMINDER STOP:NOT ACTIVE
-  #guard_trace off
+  guard_trace off
 
   return 0
 }