V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/cdi_4500_user/4520_accounts_setup.sh

@@ -1008,7 +1008,7 @@ auth                [success=2 default=ignore] pam_exec.so quiet /usr/local/libe
 # pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
 # No 'nullok' here: listed users MUST have a secret; missing -> hard fail.
 auth     required   pam_echo.so file=/etc/ciss/pam_login_totp.prompt
-auth     required   pam_google_authenticator.so disallow-reuse
+auth     required   pam_google_authenticator.so
 
 # ===== CISS 2FA block end =====
 
@@ -1092,7 +1092,7 @@ auth                [success=2 default=ignore] pam_exec.so quiet /usr/local/libe
 # pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
 # No 'nullok' here: listed users MUST have a secret; missing -> hard fail.
 auth     required   pam_echo.so file=/etc/ciss/pam_ssh_totp.prompt
-auth     required   pam_google_authenticator.so disallow-reuse
+auth     required   pam_google_authenticator.so
 
 # For non-2FA users KI must be a silent success to satisfy AuthenticationMethods.
 auth     sufficient pam_permit.so
@@ -1213,7 +1213,7 @@ auth                [success=2 default=ignore] pam_exec.so quiet /usr/local/libe
 # pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
 # No 'nullok' here: listed users MUST have a secret; missing -> hard fail.
 auth     required   pam_echo.so file=/etc/ciss/pam_su_totp.prompt
-auth     required   pam_google_authenticator.so disallow-reuse
+auth     required   pam_google_authenticator.so
 
 # ===== CISS 2FA block end =====
 
@@ -1278,7 +1278,7 @@ auth                [success=2 default=ignore] pam_exec.so quiet /usr/local/libe
 # pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
 # No 'nullok' here: listed users MUST have a secret; missing -> hard fail.
 auth     required   pam_echo.so file=/etc/ciss/pam_sudo_totp.prompt
-auth     required   pam_google_authenticator.so disallow-reuse
+auth     required   pam_google_authenticator.so
 
 # ===== CISS 2FA block end =====
 

func/cdi_4900_xtended/4900_final_command.sh

@@ -37,7 +37,7 @@ final_commands() {
     updatedb | tee -a ${var_logfile}
   "
 
-  rm -f "${var_target}/etc/root/ciss_xdg_tmp.sh"
+  rm -f "${var_target}/root/ciss_xdg_tmp.sh"
 
   guard_dir && return 0
 }

includes/target/usr/local/libexec/ciss_pam_2fa_gate.sh

@@ -26,7 +26,6 @@ declare -g VAR_POLICY="${CISS_POLICY:-strict}"
 declare -g VAR_U="${PAM_USER:-}"
 declare -g VAR_S="${PAM_SERVICE:-}"
 
-
 #######################################
 # Read flag for user and service (0/1), default: empty (not found).
 # Globals: