Compare commits
5 Commits
28b246d280
...
master
| Author | SHA256 | Date | |
|---|---|---|---|
aa94c53d65
|
|||
|
aef00ec63d
|
|||
|
71d189e2c7
|
|||
|
403a70a886
|
|||
|
3d39f44c75
|
@@ -1 +0,0 @@
|
||||
7cad63da408c27b5121c89cdd0cf878b8f8df1f34bcc0a944152261ee1481fda
|
||||
@@ -1 +0,0 @@
|
||||
PleASE_CHan3e_M!
|
||||
@@ -454,7 +454,7 @@ grub:
|
||||
other-os: true # This one makes grub-installer install to the UEFI partition '/boot' record if it also finds
|
||||
# some other OS, which is less safe as it might not be able to boot that other OS.
|
||||
password: true # If you want to set a password for GRUB. The password MUST be set at:
|
||||
# '/.preseed/password_grub.txt'.
|
||||
# '/.preseed/SECRETS.yaml'.
|
||||
prober: false # OS-prober did not detect any other operating systems on your computer at this time, but you
|
||||
# may still wish to enable it in case you install more in the future.
|
||||
skip: false # Skip installing grub.
|
||||
@@ -839,9 +839,6 @@ ssh:
|
||||
# User settings
|
||||
################################################################################################################################
|
||||
user:
|
||||
mfa:
|
||||
info: "totp:v1"
|
||||
salt: "CISS:CDI:OTP" # + (Server_FQDN/Username)
|
||||
##############################################################################################################################
|
||||
# Root: The superuser account (normally disabled for direct login).
|
||||
# Key 'user.root.password' MUST contain a valid yescrypt hashed password string.
|
||||
|
||||
@@ -9,7 +9,7 @@
|
||||
# SPDX-PackageName: CISS.debian.installer
|
||||
# SPDX-Security-Contact: security@coresecret.eu
|
||||
|
||||
This file was automatically generated by the DEPLOY BOT on: "2025-10-26T17:21:50Z".
|
||||
This file was automatically generated by the DEPLOY BOT on: "2025-10-26T18:19:45Z".
|
||||
|
||||
⚠️ The last linter check was NOT successful. ⚠️
|
||||
|
||||
|
||||
@@ -50,6 +50,7 @@ ciss_secrets_unset() {
|
||||
### Declare Arrays, HashMaps, and Variables.
|
||||
declare var_k="" var_v=""
|
||||
|
||||
### SECRETS handling ---------------------------------------------------------------------------------------------------------
|
||||
guard_trace on
|
||||
|
||||
for var_k in "${!CISS_SECRETS_MAP[@]}"; do
|
||||
@@ -67,6 +68,7 @@ ciss_secrets_unset() {
|
||||
CISS_SECRETS_MAP=()
|
||||
|
||||
guard_trace off
|
||||
### SECRETS handling ---------------------------------------------------------------------------------------------------------
|
||||
|
||||
return 0
|
||||
}
|
||||
@@ -154,6 +156,7 @@ yaml_secret() {
|
||||
__umask=$(umask)
|
||||
umask 0077
|
||||
|
||||
### SECRETS handling ---------------------------------------------------------------------------------------------------------
|
||||
guard_trace on
|
||||
|
||||
secrets_encrypted="$(yq -r '.secrets.x_files // false' -- "${secrets_if}")" || secrets_encrypted="false"
|
||||
@@ -258,6 +261,7 @@ yaml_secret() {
|
||||
umask "${__umask}"
|
||||
|
||||
guard_trace off
|
||||
### SECRETS handling ---------------------------------------------------------------------------------------------------------
|
||||
|
||||
guard_dir; return 0
|
||||
}
|
||||
|
||||
@@ -25,6 +25,7 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
|
||||
# ERR_GENERATE_SALT: on failure
|
||||
#######################################
|
||||
nuke_passphrase() {
|
||||
### SECRETS handling ---------------------------------------------------------------------------------------------------------
|
||||
guard_trace on
|
||||
|
||||
### Declare Arrays, HashMaps, and Variables.
|
||||
@@ -62,6 +63,7 @@ nuke_passphrase() {
|
||||
do_log "debug" "file_only" "0105() NUKE hash starts with: [${VAR_NUKE_HASH:0:32}...]"
|
||||
|
||||
guard_trace off
|
||||
### SECRETS handling ---------------------------------------------------------------------------------------------------------
|
||||
|
||||
guard_dir; return 0
|
||||
}
|
||||
|
||||
@@ -68,20 +68,24 @@ partition_encryption() {
|
||||
|
||||
declare -a ary_luks_opts=()
|
||||
|
||||
### SECRETS handling ---------------------------------------------------------------------------------------------------------
|
||||
guard_trace on
|
||||
printf '%s' "${CISS_SECRET_LUKS_BOOT}" >| "${DIR_CNF}/password_luks_boot.txt" && chmod 0600 "${DIR_CNF}/password_luks_boot.txt"
|
||||
printf '%s' "${CISS_SECRET_LUKS_COMMON}" >| "${DIR_CNF}/password_luks_common.txt" && chmod 0600 "${DIR_CNF}/password_luks_common.txt"
|
||||
unset CISS_SECRET_LUKS_BOOT CISS_SECRET_LUKS_COMMON
|
||||
guard_trace on
|
||||
### SECRETS handling ---------------------------------------------------------------------------------------------------------
|
||||
|
||||
if [[ -n "${VAR_LUKS_URL}" ]]; then
|
||||
|
||||
VAR_LUKS_URL=${VAR_LUKS_URL%/}
|
||||
|
||||
### SECRETS handling -------------------------------------------------------------------------------------------------------
|
||||
guard_trace on
|
||||
var_temp_plain_nc_auth="${CISS_SECRET_LUKS_BACKUP}"
|
||||
unset CISS_SECRET_LUKS_BACKUP
|
||||
guard_trace on
|
||||
### SECRETS handling -------------------------------------------------------------------------------------------------------
|
||||
|
||||
do_log "debug" "file_only" "3220() Var: [var_temp_plain_nc_auth] set."
|
||||
|
||||
@@ -272,6 +276,7 @@ partition_encryption() {
|
||||
|
||||
if [[ -n "${VAR_LUKS_URL}" ]]; then
|
||||
|
||||
### SECRETS handling ---------------------------------------------------------------------------------------------------
|
||||
guard_trace on
|
||||
|
||||
if curl --silent --show-error --fail --retry 2 "${VAR_LUKS_URL}/public.php/webdav/${var_luks_backup_name}" \
|
||||
@@ -288,6 +293,7 @@ partition_encryption() {
|
||||
fi
|
||||
|
||||
guard_trace off
|
||||
### SECRETS handling ---------------------------------------------------------------------------------------------------
|
||||
|
||||
fi
|
||||
|
||||
@@ -295,9 +301,11 @@ partition_encryption() {
|
||||
|
||||
done
|
||||
|
||||
### SECRETS handling ---------------------------------------------------------------------------------------------------------
|
||||
guard_trace on
|
||||
[[ -n "${VAR_LUKS_URL}" ]] && unset var_temp_plain_nc_auth
|
||||
guard_trace off
|
||||
### SECRETS handling ---------------------------------------------------------------------------------------------------------
|
||||
|
||||
ciss_secrets_wiper "${DIR_CNF}/password_luks_boot.txt"
|
||||
ciss_secrets_wiper "${DIR_CNF}/password_luks_common.txt"
|
||||
|
||||
@@ -15,26 +15,29 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
|
||||
#######################################
|
||||
# Append the GRUB superuser block to '/etc/grub.d/40_custom'.
|
||||
# Globals:
|
||||
# DIR_CNF
|
||||
# CISS_SECRET_GRUB
|
||||
# TARGET
|
||||
# Arguments:
|
||||
# None
|
||||
# Returns:
|
||||
# 0: on success
|
||||
# ERR_READ_GRUB_FILE
|
||||
# ERR_READ_GRUB_FILE: on failure
|
||||
#######################################
|
||||
update_grub_password() {
|
||||
### Declare Arrays, HashMaps, and Variables.
|
||||
declare var_username="superadmin" var_password="" var_password_file="${DIR_CNF}/password_grub.txt" \
|
||||
declare var_username="superadmin" var_password="" \
|
||||
var_of="${TARGET}/etc/grub.d/40_custom" var_grub_entry=""
|
||||
|
||||
### SECRETS handling ---------------------------------------------------------------------------------------------------------
|
||||
guard_trace on
|
||||
|
||||
var_password=$(<"${var_password_file}") || return "${ERR_READ_GRUB_FILE}"
|
||||
var_password="${CISS_SECRET_GRUB}" || return "${ERR_READ_GRUB_FILE}"
|
||||
unset CISS_SECRET_GRUB
|
||||
|
||||
var_grub_entry=$(generate_grub_password_pbkdf2 "${var_username}" "${var_password}")
|
||||
|
||||
guard_trace off
|
||||
### SECRETS handling ---------------------------------------------------------------------------------------------------------
|
||||
|
||||
### Append if not already present.
|
||||
if ! grep -q "set superusers=" "${var_of}"; then
|
||||
@@ -56,6 +59,8 @@ readonly -f update_grub_password
|
||||
|
||||
#######################################
|
||||
# Generate PBKDF2 password hash for GRUB.
|
||||
# Globals:
|
||||
# None
|
||||
# Arguments:
|
||||
# 1: Username (default to superadmin).
|
||||
# 2: User password.
|
||||
|
||||
@@ -15,6 +15,9 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
|
||||
#######################################
|
||||
# Updating root account and generation user accounts.
|
||||
# Globals:
|
||||
# CISS_SECRET_USER_ROOT_PASSWORD
|
||||
# CISS_SECRET_USER_ROOT_SSHPUBKEY
|
||||
# LOG_ERR
|
||||
# RECOVERY
|
||||
# TARGET
|
||||
# VAR_RUN_RECOVERY
|
||||
@@ -27,8 +30,6 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
|
||||
# user_root_authentication_access_ssh
|
||||
# user_root_authentication_access_tty
|
||||
# user_root_authentication_password
|
||||
# user_root_password
|
||||
# user_root_sshpubkey
|
||||
# Arguments:
|
||||
# None
|
||||
# Returns:
|
||||
@@ -152,7 +153,9 @@ EOF
|
||||
esac
|
||||
|
||||
### 4) Check the password policy for the 'root' account.
|
||||
chroot_script "${var_target}" "printf '%s:%s\n' 'root' '${user_root_password}' | /usr/sbin/chpasswd -e"
|
||||
chroot_script "${var_target}" "printf '%s:%s\n' 'root' '${CISS_SECRET_USER_ROOT_PASSWORD}' | /usr/sbin/chpasswd -e"
|
||||
do_log "info" "file_only" "4520() User: 'root' password: inserted."
|
||||
unset CISS_SECRET_USER_ROOT_PASSWORD
|
||||
|
||||
case "${user_root_authentication_password,,}" in
|
||||
|
||||
@@ -174,9 +177,10 @@ EOF
|
||||
esac
|
||||
|
||||
### 5) Update the 'root' SSH pubkey, if provided via 'preseed.yaml'.
|
||||
if [[ -n "${user_root_sshpubkey:-}" ]]; then
|
||||
if [[ -n "${CISS_SECRET_USER_ROOT_SSHPUBKEY:-}" ]]; then
|
||||
|
||||
printf "%s\n" "${user_root_sshpubkey}" >| "${var_target}/root/.ssh/authorized_keys"
|
||||
printf "%s\n" "${CISS_SECRET_USER_ROOT_SSHPUBKEY}" >| "${var_target}/root/.ssh/authorized_keys"
|
||||
unset CISS_SECRET_USER_ROOT_SSHPUBKEY
|
||||
do_log "info" "file_only" "4520() User: 'root' SSH public key: inserted."
|
||||
|
||||
fi
|
||||
@@ -231,8 +235,8 @@ EOF
|
||||
tmp_uid="user_user${i}_uid"
|
||||
tmp_gid="user_user${i}_gid"
|
||||
tmp_shell="user_user${i}_shell"
|
||||
tmp_password="user_user${i}_password"
|
||||
tmp_sshpubkey="user_user${i}_sshpubkey"
|
||||
tmp_password="CISS_SECRET_USER_USER${i}_PASSWORD"
|
||||
tmp_sshpubkey="CISS_SECRET_USER_USER${i}_SSHPUBKEY"
|
||||
tmp_access_tty="user_user${i}_authentication_access_tty"
|
||||
tmp_auth_pwd="user_user${i}_authentication_password"
|
||||
tmp_2fa_ssh="user_user${i}_authentication_2fa_ssh"
|
||||
@@ -450,6 +454,7 @@ EOF
|
||||
find "${var_target}/home/${var_username}" -xdev -exec chown -h "${var_uid}:${var_gid}" {} +
|
||||
|
||||
### 9) Final status logging.
|
||||
unset var_password var_sshpubkey
|
||||
do_log "info" "file_only" "4520() Created user: [${var_username}] UID: [${var_uid}] GID: [${var_gid}]"
|
||||
|
||||
done
|
||||
@@ -460,8 +465,6 @@ EOF
|
||||
|
||||
fi
|
||||
|
||||
unset VAR_TEMP_PLAIN_MFA_SEED
|
||||
|
||||
if ! grep -Fqx -- '-: ALL:ALL' "${var_target}/etc/security/access.conf"; then
|
||||
|
||||
printf '%s\n' '-: ALL:ALL' >> "${var_target}/etc/security/access.conf"
|
||||
@@ -471,6 +474,8 @@ EOF
|
||||
printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${var_target}/etc/security/access.conf"
|
||||
printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${var_target}/etc/ssh/sshd_config"
|
||||
|
||||
unset VAR_TEMP_PLAIN_MFA_SEED
|
||||
|
||||
guard_dir; return 0
|
||||
}
|
||||
### Prevents accidental 'unset -f'.
|
||||
@@ -511,12 +516,12 @@ readonly -f eza_installer
|
||||
|
||||
#######################################
|
||||
# Generates a deterministic TOTP secret based on:
|
||||
# Username, FQDN, MFA salt, MFA master seed
|
||||
# Username, FQDN, MFA salt, MFA master seed
|
||||
# Globals:
|
||||
# CISS_SECRET_SEEDS_MFA_INFO
|
||||
# CISS_SECRET_SEEDS_MFA_SALT
|
||||
# VAR_FINAL_FQDN
|
||||
# VAR_TEMP_PLAIN_MFA_SEED
|
||||
# user_mfa_info
|
||||
# user_mfa_salt
|
||||
# Arguments:
|
||||
# 1: Username
|
||||
# Returns:
|
||||
@@ -526,10 +531,11 @@ generate_totp_secret() {
|
||||
### Declare Arrays, HashMaps, and Variables.
|
||||
declare var_user="${1}"
|
||||
declare var_host_id="${VAR_FINAL_FQDN}"
|
||||
declare var_salt="${user_mfa_salt}:${var_host_id}:${var_user}"
|
||||
declare var_info="${user_mfa_info}"
|
||||
declare var_salt="${CISS_SECRET_SEEDS_MFA_SALT}:${var_host_id}:${var_user}"
|
||||
declare var_info="${CISS_SECRET_SEEDS_MFA_INFO}"
|
||||
declare var_secret=""
|
||||
|
||||
### SECRETS handling ---------------------------------------------------------------------------------------------------------
|
||||
guard_trace on
|
||||
|
||||
### Derive 20 bytes via HKDF-SHA256 using OpenSSL 3 kdf, output as raw, then base32 (uppercase, no padding).
|
||||
@@ -550,6 +556,7 @@ generate_totp_secret() {
|
||||
printf '%s\n' "${var_secret}"
|
||||
|
||||
guard_trace off
|
||||
### SECRETS handling ---------------------------------------------------------------------------------------------------------
|
||||
|
||||
return 0
|
||||
}
|
||||
@@ -717,33 +724,31 @@ EOF
|
||||
readonly -f hardening_sudo
|
||||
|
||||
#######################################
|
||||
# Reads a 256-bit seed from '${DIR_CNF}/mfa_master.txt' (64 hex chars) into VAR_TEMP_PLAIN_MFA_SEED.
|
||||
# Reads a 256-bit seed from '${CISS_SECRET_SEEDS_MFA_SECRET}' '(64 hex chars) into VAR_TEMP_PLAIN_MFA_SEED.
|
||||
# Globals:
|
||||
# DIR_CNF
|
||||
# CISS_SECRET_SEEDS_MFA_SECRET
|
||||
# VAR_TEMP_PLAIN_MFA_SEED
|
||||
# Arguments:
|
||||
# None
|
||||
# Returns:
|
||||
# 0: on success
|
||||
# ERR_READ_SEED_FILE
|
||||
# ERR_READ_SEED_FILE: on failure
|
||||
#######################################
|
||||
read_totp_seed(){
|
||||
### Declare Arrays, HashMaps, and Variables.
|
||||
declare -r var_mfa_seed_file="${DIR_CNF}/mfa_master.txt"
|
||||
declare -g VAR_TEMP_PLAIN_MFA_SEED=""
|
||||
|
||||
### SECRETS handling ---------------------------------------------------------------------------------------------------------
|
||||
guard_trace on
|
||||
|
||||
if ! read_password_file "${var_mfa_seed_file}" VAR_TEMP_PLAIN_MFA_SEED; then
|
||||
|
||||
return "${ERR_READ_SEED_FILE}"
|
||||
|
||||
fi
|
||||
VAR_TEMP_PLAIN_MFA_SEED="${CISS_SECRET_SEEDS_MFA_SECRET}"
|
||||
unset CISS_SECRET_SEEDS_MFA_SECRET
|
||||
|
||||
### Validate: exactly 64 hex.
|
||||
[[ "${VAR_TEMP_PLAIN_MFA_SEED}" =~ ^[0-9a-fA-F]{64}$ ]] || return "${ERR_READ_SEED_FILE}"
|
||||
|
||||
guard_trace off
|
||||
### SECRETS handling ---------------------------------------------------------------------------------------------------------
|
||||
|
||||
return 0
|
||||
}
|
||||
@@ -889,14 +894,17 @@ readonly -f write_ciss_2fa_user
|
||||
write_google_authenticator_file() {
|
||||
### Declare Arrays, HashMaps, and Variables.
|
||||
declare -r var_user="${1}" var_user_id="${2}" var_group_id="${3}" var_target="${4}"
|
||||
declare var_secret=""
|
||||
declare -i i=0
|
||||
declare var_secret="" __umask=""
|
||||
|
||||
__umask=$(umask)
|
||||
|
||||
case "${1}" in
|
||||
root) declare var_base="${var_target}/root" ;;
|
||||
*) declare var_base="${var_target}/home/${var_user}" ;;
|
||||
esac
|
||||
declare -i i=0
|
||||
|
||||
### SECRETS handling ---------------------------------------------------------------------------------------------------------
|
||||
guard_trace on
|
||||
|
||||
var_secret="$(generate_totp_secret "${var_user}")"
|
||||
@@ -941,9 +949,10 @@ write_google_authenticator_file() {
|
||||
} >| "${DIR_TMP}/TOTP_${var_user}.secret"
|
||||
chmod 0400 "${DIR_TMP}/TOTP_${var_user}.secret"
|
||||
|
||||
umask 0022
|
||||
|
||||
guard_trace off
|
||||
### SECRETS handling ---------------------------------------------------------------------------------------------------------
|
||||
|
||||
umask "${__umask}"
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
@@ -13,11 +13,13 @@
|
||||
guard_sourcing || return "${ERR_GUARD_SOURCE}"
|
||||
|
||||
#######################################
|
||||
# Capture an initial snapshot of all variables (excluding '^(BASH|_).*').
|
||||
# Capture an initial snapshot of all variables (excluding '^(BASH|_|CISS_SECRET_)').
|
||||
# Globals:
|
||||
# VAR_DUMP_VARS_INITIAL
|
||||
# Arguments:
|
||||
# None
|
||||
# Returns:
|
||||
# 0: on success
|
||||
#######################################
|
||||
dump_vars_initial() {
|
||||
# shellcheck disable=SC2312
|
||||
@@ -25,12 +27,16 @@ dump_vars_initial() {
|
||||
declare var
|
||||
while IFS= read -r var; do
|
||||
declare -p "${var}" 2> /dev/null
|
||||
done < <(compgen -v | grep -Ev '^(BASH|_).*')
|
||||
done < <(compgen -v | grep -Ev '^(BASH|_|CISS_SECRET_)')
|
||||
} | sort >| "${VAR_DUMP_VARS_INITIAL}"
|
||||
return 0
|
||||
}
|
||||
### Prevents accidental 'unset -f'.
|
||||
# shellcheck disable=SC2034
|
||||
readonly -f dump_vars_initial
|
||||
|
||||
#######################################
|
||||
# Capture the final snapshot of all variables (excluding '^(BASH|_).*').
|
||||
# Capture the final snapshot of all variables (excluding '^(BASH|_|CISS_SECRET_)').
|
||||
# Globals:
|
||||
# LOG_VAR
|
||||
# VAR_DUMP_VARS_FINAL
|
||||
@@ -38,6 +44,8 @@ dump_vars_initial() {
|
||||
# VAR_VERSION
|
||||
# Arguments:
|
||||
# None
|
||||
# Returns:
|
||||
# 0: on success
|
||||
#######################################
|
||||
dump_vars_exiting() {
|
||||
set +x
|
||||
@@ -46,7 +54,7 @@ dump_vars_exiting() {
|
||||
declare var
|
||||
while IFS= read -r var; do
|
||||
declare -p "${var}" 2>/dev/null
|
||||
done < <(compgen -v | grep -Ev '^(BASH|_).*')
|
||||
done < <(compgen -v | grep -Ev '^(BASH|_|CISS_SECRET_)')
|
||||
} | sort >| "${VAR_DUMP_VARS_FINAL}"
|
||||
set -x
|
||||
|
||||
@@ -71,5 +79,10 @@ dump_vars_exiting() {
|
||||
set -x
|
||||
|
||||
rm -f "${VAR_DUMP_VARS_INITIAL}" "${VAR_DUMP_VARS_FINAL}"
|
||||
|
||||
return 0
|
||||
}
|
||||
### Prevents accidental 'unset -f'.
|
||||
# shellcheck disable=SC2034
|
||||
readonly -f dump_vars_exiting
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|
||||
|
||||
Reference in New Issue
Block a user