Update password handling for user and luks setup to use ecryption
This commit is contained in:
natemaia
parent
5416f553fc
commit
e6bbc6a999
@ -12,7 +12,7 @@
|
||||
# immutable variables {
|
||||
|
||||
readonly DIST="ArchLabs" # Linux distributor
|
||||
readonly VER="1.6.76" # Installer version
|
||||
readonly VER="1.6.77" # Installer version
|
||||
readonly LIVE="liveuser" # Live session user
|
||||
readonly MNT="/mnt/install" # Install mountpoint
|
||||
readonly ERR="/tmp/errlog" # Built-in error log
|
||||
@ -20,6 +20,7 @@ readonly EFI="/sys/firmware/efi/efivars"
|
||||
readonly TRN="/usr/share/archlabs/installer/lang"
|
||||
readonly RUN="/run/archiso/bootmnt/arch/boot"
|
||||
|
||||
readonly SALT="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"
|
||||
readonly VM="$(dmesg | grep -i "hypervisor")"
|
||||
readonly KBD="$(find /usr/share/kbd/keymaps -name '*.map.gz')"
|
||||
readonly LOCALES="$(awk '/\.UTF-8/ {gsub(/# .*|#/, ""); if($1) print $1 " -"}' /etc/locale.gen)"
|
||||
@ -149,7 +150,6 @@ source_file() {
|
||||
|
||||
user_setup() {
|
||||
tput cnorm
|
||||
|
||||
local values
|
||||
values="$(dialog --stdout --no-cancel --separator '~' --ok-label "Submit" --backtitle "$BT" \
|
||||
--title " $_UserTitle " --insecure --mixedform "$_UserBody" 27 75 10 \
|
||||
@ -158,26 +158,41 @@ user_setup() {
|
||||
"$_Password2" 3 1 "" 3 $((${#_Password2} + 2)) 71 0 1 \
|
||||
"$_RootBody" 6 1 "" 6 $((${#_RootBody} + 1)) 71 0 2 \
|
||||
"$_Password" 8 1 "" 8 $((${#_Password} + 2)) 71 0 1 \
|
||||
"$_Password2" 9 1 "" 9 $((${#_Password2} + 2)) 71 0 1)"
|
||||
"$_Password2" 9 1 "" 9 $((${#_Password2} + 2)) 71 0 1 |
|
||||
openssl enc -pbkdf2 -a -salt -pass pass:$SALT)"
|
||||
[[ $? != 0 || $values == "" ]] && return 1
|
||||
|
||||
# username doesn't need to be re-encrypted
|
||||
local user
|
||||
user="$(awk -F'~' '{print $1}' <<< "$values")"
|
||||
user="$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$values" |
|
||||
awk -F'~' '{print $1}')"
|
||||
|
||||
# all of this is a bit hacky, but we don't ever want the passwords to be stored in plain text
|
||||
# so it decrypts the string '$values', gets the field we want, and re-encrypts it
|
||||
local pass pass2
|
||||
pass="$(awk -F'~' '{print $2}' <<< "$values")"
|
||||
pass2="$(awk -F'~' '{print $3}' <<< "$values")"
|
||||
pass="$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$values" |
|
||||
awk -F'~' '{print $2}' | openssl enc -pbkdf2 -a -salt -pass pass:$SALT)"
|
||||
pass2="$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$values" |
|
||||
awk -F'~' '{print $3}' | openssl enc -pbkdf2 -a -salt -pass pass:$SALT)"
|
||||
|
||||
local rpass rpass2
|
||||
rpass="$(awk -F'~' '{print $5}' <<< "$values")"
|
||||
rpass2="$(awk -F'~' '{print $6}' <<< "$values")"
|
||||
rpass="$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$values" |
|
||||
awk -F'~' '{print $5}' | openssl enc -pbkdf2 -a -salt -pass pass:$SALT)"
|
||||
rpass2="$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$values" |
|
||||
awk -F'~' '{print $6}' | openssl enc -pbkdf2 -a -salt -pass pass:$SALT)"
|
||||
|
||||
# due to the encryption the string while encrypted will not be empty
|
||||
local empty
|
||||
empty="$(openssl enc -pbkdf2 -a -salt -pass pass:$SALT <<< "")"
|
||||
|
||||
# both root passwords are empty, so use the user passwords instead
|
||||
[[ $rpass == "" && $rpass2 == "" ]] && { rpass="$pass"; rpass2="$pass2"; }
|
||||
|
||||
# make sure a username was entered and that the passwords match
|
||||
if [[ ${#user} -eq 0 || $user =~ \ |\' || $user =~ [^a-z0-9\ ] || $pass == "" || "$pass" != "$pass2" || "$rpass" != "$rpass2" ]]; then
|
||||
if [[ ${#user} -eq 0 || $user =~ \ |\' || $user =~ [^a-z0-9\ ] || $pass == "$empty" || "$pass" != "$pass2" || "$rpass" != "$rpass2" ]]; then
|
||||
if [[ $pass == "" || "$pass" != "$pass2" || "$rpass" != "$rpass2" ]]; then
|
||||
# password was left empty or doesn't match
|
||||
if [[ $pass == "" ]]; then
|
||||
if [[ $pass == "$empty" ]]; then
|
||||
msgbox "$_ErrTitle" "\nUser password CANNOT be left empty.\n$_TryAgain"
|
||||
elif [[ "$rpass" != "$rpass2" ]]; then
|
||||
msgbox "$_ErrTitle" "$_RootPassErr\n$_TryAgain"
|
||||
@ -195,7 +210,6 @@ user_setup() {
|
||||
USER_PASS="$pass"
|
||||
ROOT_PASS="$rpass"
|
||||
fi
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
|
||||
@ -119,7 +119,7 @@ EOF
|
||||
|
||||
create_user() {
|
||||
# set root password
|
||||
chroot_cmd "echo 'root:$ROOT_PASS' | chpasswd"
|
||||
chroot_cmd "chpasswd <<< 'root:$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$ROOT_PASS")'"
|
||||
|
||||
# edit the group and passwd files in /etc/ to swap the liveuser account
|
||||
sed -i "s/${LIVE}/${NEWUSER}/g" $MNT/etc/{group,gshadow,passwd,shadow}
|
||||
@ -136,7 +136,7 @@ create_user() {
|
||||
chroot_cmd "mv -f /home/$LIVE /home/$NEWUSER"
|
||||
fi
|
||||
chroot_cmd "usermod -aG rfkill,wheel,network,storage,power,video,audio,lp,autologin $NEWUSER"
|
||||
chroot_cmd "echo '$NEWUSER:$USER_PASS' | chpasswd"
|
||||
chroot_cmd "chpasswd <<< '$NEWUSER:$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$USER_PASS")'"
|
||||
chroot_cmd "chown -Rf $NEWUSER:users /home/$NEWUSER"
|
||||
}
|
||||
|
||||
|
||||
@ -34,7 +34,7 @@ luks_open() {
|
||||
luks_pass "$_LuksOpen" "$LUKS_NAME" || return 1
|
||||
|
||||
infobox "$_LuksOpen" "$_LuksWaitBody $LUKS_NAME $_LuksWaitBody2 $LUKS_PART\n" 0
|
||||
echo "$LUKS_PASS" | cryptsetup open --type luks $LUKS_PART "$LUKS_NAME" 2>$ERR
|
||||
cryptsetup open --type luks $LUKS_PART "$LUKS_NAME" <<< "$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$LUKS_PASS")" 2>$ERR
|
||||
check_for_errors "cryptsetup open --type luks $LUKS_PART $LUKS_NAME"
|
||||
|
||||
LUKS=1
|
||||
@ -54,16 +54,26 @@ luks_pass() {
|
||||
--title " $title " --insecure --mixedform "$_LuksOpenBody" 16 75 4 \
|
||||
"$_Name" 1 1 "$name" 1 $((${#_Name} + 2)) 71 0 0 \
|
||||
"$_Password" 2 1 "" 2 $((${#_Password} + 2)) 71 0 1 \
|
||||
"$_Password2" 3 1 "" 3 $((${#_Password2} + 2)) 71 0 1)"
|
||||
"$_Password2" 3 1 "" 3 $((${#_Password2} + 2)) 71 0 1 |
|
||||
openssl enc -pbkdf2 -a -salt -pass pass:$SALT)"
|
||||
[[ $? != 0 || $values == "" ]] && return 1
|
||||
|
||||
name="$(awk -F'~' '{print $1}' <<< "$values")"
|
||||
name="$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$values" |
|
||||
awk -F'~' '{print $1}')"
|
||||
|
||||
# all of this is a bit hacky, but we don't ever want the passwords to be stored in plain text
|
||||
# so it decrypts the string '$values', gets the field we want, and re-encrypts it
|
||||
local pass pass2
|
||||
pass="$(awk -F'~' '{print $2}' <<< "$values")"
|
||||
pass2="$(awk -F'~' '{print $3}' <<< "$values")"
|
||||
pass="$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$values" |
|
||||
awk -F'~' '{print $2}' | openssl enc -pbkdf2 -a -salt -pass pass:$SALT)"
|
||||
pass2="$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$values" |
|
||||
awk -F'~' '{print $3}' | openssl enc -pbkdf2 -a -salt -pass pass:$SALT)"
|
||||
|
||||
if [[ $pass == "" || "$pass" != "$pass2" ]]; then
|
||||
# due to the encryption the string while encrypted will not be empty
|
||||
local empty
|
||||
empty="$(openssl enc -pbkdf2 -a -salt -pass pass:$SALT <<< "")"
|
||||
|
||||
if [[ $pass == "$empty" || "$pass" != "$pass2" ]]; then
|
||||
msgbox "$_ErrTitle" "$_PassErr\n$_TryAgain"
|
||||
luks_pass "$title" "$name" || return 1
|
||||
fi
|
||||
@ -105,13 +115,13 @@ luks_default() {
|
||||
luks_setup || return 1
|
||||
infobox "$_LuksEncrypt" "$_LuksWaitBody $LUKS_NAME $_LuksWaitBody2 $LUKS_PART\n" 0
|
||||
|
||||
echo "$LUKS_PASS" | cryptsetup -q luksFormat "$LUKS_PART" 2>$ERR
|
||||
cryptsetup -q luksFormat $LUKS_PART <<< "$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$LUKS_PASS")" 2>$ERR
|
||||
check_for_errors "cryptsetup -q luksFormat $LUKS_PART"
|
||||
|
||||
echo "$LUKS_PASS" | cryptsetup open "$LUKS_PART" "$LUKS_NAME" 2>$ERR
|
||||
cryptsetup open $LUKS_PART "$LUKS_NAME" <<< "$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$LUKS_PASS")" 2>$ERR
|
||||
check_for_errors "cryptsetup open $LUKS_PART $LUKS_NAME"
|
||||
LUKS=1
|
||||
|
||||
LUKS=1
|
||||
luks_show
|
||||
return 0
|
||||
}
|
||||
@ -125,10 +135,10 @@ luks_keycmd() {
|
||||
|
||||
infobox "$_LuksEncryptAdv" "$_LuksWaitBody $LUKS_NAME $_LuksWaitBody2 $LUKS_PART\n" 0
|
||||
|
||||
echo "$LUKS_PASS" | cryptsetup -q $cipher luksFormat $LUKS_PART 2>$ERR
|
||||
cryptsetup -q $cipher luksFormat $LUKS_PART <<< "$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$LUKS_PASS")" 2>$ERR
|
||||
check_for_errors "cryptsetup -q $cipher luksFormat $LUKS_PART"
|
||||
|
||||
echo "$LUKS_PASS" | cryptsetup open $LUKS_PART "$LUKS_NAME" 2>$ERR
|
||||
cryptsetup open $LUKS_PART "$LUKS_NAME" <<< "$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$LUKS_PASS")" 2>$ERR
|
||||
check_for_errors "cryptsetup open $LUKS_PART $LUKS_NAME"
|
||||
|
||||
luks_show
|
||||
@ -179,7 +189,7 @@ luks_keyfile() {
|
||||
|
||||
local mkkey="dd bs=512 count=8 if=/dev/urandom of=/crypto_keyfile.bin"
|
||||
mkkey="$mkkey && chmod 000 /crypto_keyfile.bin"
|
||||
mkkey="$mkkey && echo '$LUKS_PASS' | cryptsetup luksAddKey /dev/$n /crypto_keyfile.bin"
|
||||
mkkey="$mkkey && cryptsetup luksAddKey /dev/$n /crypto_keyfile.bin <<< '$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$LUKS_PASS")'"
|
||||
|
||||
chroot_cmd "$mkkey"
|
||||
sed -i 's/FILES=()/FILES=(\/crypto_keyfile.bin)/g' $MNT/etc/mkinitcpio.conf 2>$ERR
|
||||
|
||||
Reference in New Issue
Block a user