V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/cdi_4500_user/4520_accounts_setup.sh

@@ -606,22 +606,25 @@ pam_access_sync_login_sshd() {
   fi
 
   ### 1) If the 'pam_access' line is commented in '/etc/pam.d/login', uncomment exactly one occurrence.
-  ### Match lines like: [spaces]# [spaces]account required pam_access.so ...
   chroot_script "${TARGET}" "
-    if grep -Eq '^[[:space:]]*#[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access\.so([[:space:]]|$)' /etc/pam.d/login; then
+    LC_ALL=C awk '
-      awk '
       BEGIN { done=0 }
         {
-          if (!done && $0 ~ /^[[:space:]]*#[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access\.so([[:space:]]|$)/) {
+          if (!done) {
-            ### Drop leading '#'+spaces; use 2-arg form to avoid $0 in the source.
+            tmp=\$0
-            sub(/^[[:space:]]*#[[:space:]]*/, "")
+            # Strip a leading comment marker plus following spaces (but only once)
+            sub(/^[[:space:]]*#+[[:space:]]*/, \"\", tmp)
+            # Match the pam_access.so line after decommenting attempt
+              if (tmp ~ /^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access[.]so([[:space:]]|$)/) {
+              print tmp
               done=1
+              next
+            }
           }
         print
         }
       ' /etc/pam.d/login >| /etc/pam.d/login.new
       mv -f /etc/pam.d/login.new /etc/pam.d/login
-    fi
     "
 
   ### 2) If '/etc/pam.d/login' now has an active pam_access line, ensure '/etc/pam.d/sshd' pam_access line(s) are commented out.