V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m30s
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m30s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -58,10 +58,11 @@ accounts_setup() {
|
||||
|
||||
### Update pam modules for 2fa.
|
||||
mkdir -p "${var_target}/root/.ciss/cdi/backup/etc/pam.d"
|
||||
write_pam_login "${var_target}"
|
||||
write_pam_sshd "${var_target}"
|
||||
write_pam_su "${var_target}"
|
||||
write_pam_sudo "${var_target}"
|
||||
write_pam_login "${var_target}"
|
||||
write_pam_sshd "${var_target}"
|
||||
write_pam_su "${var_target}"
|
||||
write_pam_su-l "${var_target}"
|
||||
write_pam_sudo-i "${var_target}"
|
||||
|
||||
### Prepare the '2fa'-seed variable.
|
||||
read_totp_seed
|
||||
@@ -1195,10 +1196,7 @@ write_pam_su() {
|
||||
auth sufficient pam_rootok.so
|
||||
|
||||
# Hardening of '/bin/su': only members of the group 'sudo' can su to root.
|
||||
auth required pam_wheel.so use_uid group=sudo
|
||||
|
||||
# Reuse a recent successful su-auth within the TTL:
|
||||
auth sufficient pam_timestamp.so
|
||||
auth required pam_wheel.so group=sudo
|
||||
|
||||
# Standard password for the target account (root or other):
|
||||
@include common-auth
|
||||
@@ -1220,8 +1218,6 @@ auth required pam_google_authenticator.so
|
||||
|
||||
@include common-account
|
||||
@include common-session
|
||||
# Keep a ticket to avoid re-prompts during this shell session:
|
||||
session optional pam_timestamp.so
|
||||
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
|
||||
EOF
|
||||
@@ -1241,7 +1237,7 @@ EOF
|
||||
readonly -f write_pam_su
|
||||
|
||||
#######################################
|
||||
# Writes CISS Header for '/etc/pam.d/sudo'.
|
||||
# Writes CISS Header for '/etc/pam.d/su-l'.
|
||||
# Globals:
|
||||
# None
|
||||
# Arguments:
|
||||
@@ -1249,15 +1245,81 @@ readonly -f write_pam_su
|
||||
# Returns:
|
||||
# 0: on success
|
||||
#######################################
|
||||
write_pam_sudo() {
|
||||
write_pam_su-l() {
|
||||
### Declare Arrays, HashMaps, and Variables.
|
||||
declare -r var_target="$1"
|
||||
|
||||
mv "${var_target}/etc/pam.d/sudo" "${var_target}/root/.ciss/cdi/backup/etc/pam.d/sudo"
|
||||
mv "${var_target}/etc/pam.d/su-l" "${var_target}/root/.ciss/cdi/backup/etc/pam.d/su-l"
|
||||
|
||||
insert_header "${var_target}/etc/pam.d/sudo"
|
||||
insert_comments "${var_target}/etc/pam.d/sudo"
|
||||
cat << EOF >> "${var_target}/etc/pam.d/sudo"
|
||||
insert_header "${var_target}/etc/pam.d/su-l"
|
||||
insert_comments "${var_target}/etc/pam.d/su-l"
|
||||
cat << EOF >> "${var_target}/etc/pam.d/su-l"
|
||||
#
|
||||
# PAM configuration for the su-l service
|
||||
#
|
||||
|
||||
# If caller is already root, allow quickly without further auth:
|
||||
auth sufficient pam_rootok.so
|
||||
|
||||
# Hardening of '/bin/su': only members of the group 'sudo' can su to root.
|
||||
auth required pam_wheel.so group=sudo
|
||||
|
||||
# Standard password for the target account (root or other):
|
||||
@include common-auth
|
||||
|
||||
|
||||
# ===== CISS 2FA block ========
|
||||
|
||||
# If gate returns SUCCESS => skip next two lines (no TOTP).
|
||||
auth [success=2 default=ignore] pam_exec.so quiet /usr/local/libexec/ciss_pam_2fa_gate.sh
|
||||
|
||||
# For listed users: enforce that the secret file exists, else deny without prompting.
|
||||
# pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
|
||||
# No 'nullok' here: listed users MUST have a secret; missing -> hard fail.
|
||||
auth required pam_echo.so file=/etc/ciss/pam_su_l_totp.prompt
|
||||
auth required pam_google_authenticator.so
|
||||
|
||||
# ===== CISS 2FA block end =====
|
||||
|
||||
|
||||
@include common-account
|
||||
@include common-session
|
||||
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
|
||||
EOF
|
||||
|
||||
do_log "info" "file_only" "4520() Written: [/etc/pam.d/su-l]."
|
||||
|
||||
cat << 'EOF' >| "${var_target}/etc/ciss/pam_su_l_totp.prompt"
|
||||
Please enter the 6-digit TOTP or 8-digit Backup code of the target user:
|
||||
EOF
|
||||
chmod 0444 "${var_target}/etc/ciss/pam_su_l_totp.prompt"
|
||||
do_log "info" "file_only" "4520() Written: [/etc/ciss/pam_su_l_totp.prompt]."
|
||||
|
||||
return 0
|
||||
}
|
||||
### Prevents accidental 'unset -f'.
|
||||
# shellcheck disable=SC2034
|
||||
readonly -f write_pam_su-l
|
||||
|
||||
#######################################
|
||||
# Writes CISS Header for '/etc/pam.d/sudo-i'.
|
||||
# Globals:
|
||||
# None
|
||||
# Arguments:
|
||||
# 1: TARGET
|
||||
# Returns:
|
||||
# 0: on success
|
||||
#######################################
|
||||
write_pam_sudo-i() {
|
||||
### Declare Arrays, HashMaps, and Variables.
|
||||
declare -r var_target="$1"
|
||||
|
||||
mv "${var_target}/etc/pam.d/sudo-i" "${var_target}/root/.ciss/cdi/backup/etc/pam.d/sudo-i"
|
||||
|
||||
insert_header "${var_target}/etc/pam.d/sudo-i"
|
||||
insert_comments "${var_target}/etc/pam.d/sudo-i"
|
||||
cat << EOF >> "${var_target}/etc/pam.d/sudo-i"
|
||||
#
|
||||
# PAM configuration for the sudo service
|
||||
#
|
||||
@@ -1277,7 +1339,7 @@ auth [success=2 default=ignore] pam_exec.so quiet /usr/local/libe
|
||||
# For listed users: enforce that the secret file exists, else deny without prompting.
|
||||
# pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
|
||||
# No 'nullok' here: listed users MUST have a secret; missing -> hard fail.
|
||||
auth required pam_echo.so file=/etc/ciss/pam_sudo_totp.prompt
|
||||
auth required pam_echo.so file=/etc/ciss/pam_sudo_i_totp.prompt
|
||||
auth required pam_google_authenticator.so
|
||||
|
||||
# ===== CISS 2FA block end =====
|
||||
@@ -1285,7 +1347,7 @@ auth required pam_google_authenticator.so
|
||||
|
||||
# Accounts, sessions:
|
||||
@include common-account
|
||||
@include common-session-noninteractive
|
||||
@include common-session
|
||||
|
||||
# Maintain a pam_timestamp ticket on successful sudo to suppress re-prompts.
|
||||
session optional pam_timestamp.so
|
||||
@@ -1293,19 +1355,19 @@ session optional pam_timestamp.so
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
|
||||
EOF
|
||||
|
||||
do_log "info" "file_only" "4520() Written: [/etc/pam.d/sudo]."
|
||||
do_log "info" "file_only" "4520() Written: [/etc/pam.d/sudo-i]."
|
||||
|
||||
cat << 'EOF' >| "${var_target}/etc/ciss/pam_sudo_totp.prompt"
|
||||
cat << 'EOF' >| "${var_target}/etc/ciss/pam_sudo_i_totp.prompt"
|
||||
Please enter your 6-digit TOTP or 8-digit Backup code:
|
||||
EOF
|
||||
chmod 0444 "${var_target}/etc/ciss/pam_sudo_totp.prompt"
|
||||
do_log "info" "file_only" "4520() Written: [/etc/ciss/pam_sudo_totp.prompt]."
|
||||
chmod 0444 "${var_target}/etc/ciss/pam_sudo_i_totp.prompt"
|
||||
do_log "info" "file_only" "4520() Written: [/etc/ciss/pam_sudo_i_totp.prompt]."
|
||||
|
||||
return 0
|
||||
}
|
||||
### Prevents accidental 'unset -f'.
|
||||
# shellcheck disable=SC2034
|
||||
readonly -f write_pam_sudo
|
||||
readonly -f write_pam_sudo-i
|
||||
|
||||
#######################################
|
||||
# Use the official ohmyzsh-installer but force non-interactive behavior; do not run zsh; do not chsh.
|
||||
|
||||
Reference in New Issue
Block a user