From e6bbc6a999a9f1bfd66bf024dfd4b4119a208405 Mon Sep 17 00:00:00 2001
From: natemaia
Date: Fri, 12 Oct 2018 01:07:32 -0700
Subject: [PATCH] Update password handling for user and luks setup to use ecryption
---
 src/archlabs-installer | 36 +++++++++++++++++++++++++-----------
 src/lib/install.sh | 4 ++--
 src/lib/luks.sh | 34 ++++++++++++++++++++++------------
 3 files changed, 49 insertions(+), 25 deletions(-)
diff --git a/src/archlabs-installer b/src/archlabs-installer
index d326ec7..b7953c9 100755
--- a/src/archlabs-installer
+++ b/src/archlabs-installer
@@ -12,7 +12,7 @@
 # immutable variables {
 readonly DIST="ArchLabs" # Linux distributor
-readonly VER="1.6.76" # Installer version
+readonly VER="1.6.77" # Installer version
 readonly LIVE="liveuser" # Live session user
 readonly MNT="/mnt/install" # Install mountpoint
 readonly ERR="/tmp/errlog" # Built-in error log
@@ -20,6 +20,7 @@ readonly EFI="/sys/firmware/efi/efivars"
 readonly TRN="/usr/share/archlabs/installer/lang"
 readonly RUN="/run/archiso/bootmnt/arch/boot"
+readonly SALT="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"
 readonly VM="$(dmesg | grep -i "hypervisor")"
 readonly KBD="$(find /usr/share/kbd/keymaps -name '*.map.gz')"
 readonly LOCALES="$(awk '/\.UTF-8/ {gsub(/# .*|#/, ""); if($1) print $1 " -"}' /etc/locale.gen)"
@@ -149,7 +150,6 @@ source_file() {
 user_setup() {
 tput cnorm
-
 local values
 values="$(dialog --stdout --no-cancel --separator '~' --ok-label "Submit" --backtitle "$BT" \
 --title " $_UserTitle " --insecure --mixedform "$_UserBody" 27 75 10 \
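Review bot: The `SALT` value added in the second hunk is used by the later hunks as the passphrase in `openssl enc -pbkdf2 -a -salt -pass pass:$SALT`, and none of those calls names a cipher; without one, `openssl enc` appears to apply only the Base64 step and ignore the passphrase, so `USER_PASS`, `ROOT_PASS` and `LUKS_PASS` would still be recoverable by plain decoding. Naming a cipher and keeping the key off the command line, for example `openssl enc -aes-256-cbc -pbkdf2 -a -salt -pass env:SALT` with `SALT` exported, would make the stored values real ciphertext and keep the key out of process listings. The equality tests on the encoded strings in user_setup and luks_pass rely on the output being deterministic; with a salted cipher every call produces different output, so those comparisons would have to be made on decoded values. A comment next to `SALT` should say that it is a key rather than a salt and that it lives in the same shell as the data it protects.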
@@ -158,26 +158,41 @@ user_setup() { "$_Password2" 3 1 "" 3 $((${#_Password2} + 2)) 71 0 1 \ "$_RootBody" 6 1 "" 6 $((${#_RootBody} + 1)) 71 0 2 \ "$_Password" 8 1 "" 8 $((${#_Password} + 2)) 71 0 1 \ - "$_Password2" 9 1 "" 9 $((${#_Password2} + 2)) 71 0 1)" + "$_Password2" 9 1 "" 9 $((${#_Password2} + 2)) 71 0 1 | + openssl enc -pbkdf2 -a -salt -pass pass:$SALT)" [[ $? != 0 || $values == "" ]] && return 1 + # username doesn't need to be re-encrypted local user - user="$(awk -F'~' '{print $1}' <<< "$values")" + user="$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$values" | + awk -F'~' '{print $1}')" + + # all of this is a bit hacky, but we don't ever want the passwords to be stored in plain text + # so it decrypts the string '$values', gets the field we want, and re-encrypts it local pass pass2 - pass="$(awk -F'~' '{print $2}' <<< "$values")" - pass2="$(awk -F'~' '{print $3}' <<< "$values")" + pass="$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$values" | + awk -F'~' '{print $2}' | openssl enc -pbkdf2 -a -salt -pass pass:$SALT)" + pass2="$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$values" | + awk -F'~' '{print $3}' | openssl enc -pbkdf2 -a -salt -pass pass:$SALT)" + local rpass rpass2 - rpass="$(awk -F'~' '{print $5}' <<< "$values")" - rpass2="$(awk -F'~' '{print $6}' <<< "$values")" + rpass="$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$values" | + awk -F'~' '{print $5}' | openssl enc -pbkdf2 -a -salt -pass pass:$SALT)" + rpass2="$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$values" | + awk -F'~' '{print $6}' | openssl enc -pbkdf2 -a -salt -pass pass:$SALT)" + + # due to the encryption the string while encrypted will not be empty + local empty + empty="$(openssl enc -pbkdf2 -a -salt -pass pass:$SALT <<< "")" # both root passwords are empty, so use the user passwords instead [[ $rpass == "" && $rpass2 == "" ]] && { rpass="$pass"; rpass2="$pass2"; } # make sure a username was entered and that the passwords match 
- if [[ ${#user} -eq 0 || $user =~ \ |\' || $user =~ [^a-z0-9\ ] || $pass == "" || "$pass" != "$pass2" || "$rpass" != "$rpass2" ]]; then + if [[ ${#user} -eq 0 || $user =~ \ |\' || $user =~ [^a-z0-9\ ] || $pass == "$empty" || "$pass" != "$pass2" || "$rpass" != "$rpass2" ]]; then if [[ $pass == "" || "$pass" != "$pass2" || "$rpass" != "$rpass2" ]]; then # password was left empty or doesn't match - if [[ $pass == "" ]]; then + if [[ $pass == "$empty" ]]; then msgbox "$_ErrTitle" "\nUser password CANNOT be left empty.\n$_TryAgain" elif [[ "$rpass" != "$rpass2" ]]; then msgbox "$_ErrTitle" "$_RootPassErr\n$_TryAgain" @@ -195,7 +210,6 @@ user_setup() { USER_PASS="$pass" ROOT_PASS="$rpass" fi - return 0 } diff --git a/src/lib/install.sh b/src/lib/install.sh index 55ac26a..d8e6497 100644 --- a/src/lib/install.sh +++ b/src/lib/install.sh @@ -119,7 +119,7 @@ EOF create_user() { # set root password - chroot_cmd "echo 'root:$ROOT_PASS' | chpasswd" + chroot_cmd "chpasswd <<< 'root:$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$ROOT_PASS")'" # edit the group and passwd files in /etc/ to swap the liveuser account sed -i "s/${LIVE}/${NEWUSER}/g" $MNT/etc/{group,gshadow,passwd,shadow} @@ -136,7 +136,7 @@ create_user() { chroot_cmd "mv -f /home/$LIVE /home/$NEWUSER" fi chroot_cmd "usermod -aG rfkill,wheel,network,storage,power,video,audio,lp,autologin $NEWUSER" - chroot_cmd "echo '$NEWUSER:$USER_PASS' | chpasswd" + chroot_cmd "chpasswd <<< '$NEWUSER:$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$USER_PASS")'" chroot_cmd "chown -Rf $NEWUSER:users /home/$NEWUSER" } diff --git a/src/lib/luks.sh b/src/lib/luks.sh index 184b421..9d20f07 100644 --- a/src/lib/luks.sh +++ b/src/lib/luks.sh 
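Review bot: Three checks that stay as context in the large user_setup hunk still compare against the empty string, although the hunk's own comment notes that the encoded values are never empty. `[[ $rpass == "" && $rpass2 == "" ]]` can no longer fire, so blank root fields stop falling back to the user password and `ROOT_PASS` ends up holding the encoding of an empty password; it should read `[[ $rpass == "$empty" && $rpass2 == "$empty" ]]`, and the inner `if [[ $pass == "" || ...` needs the same substitution. In `[[ $? != 0 || $values == "" ]]` the `$?` now reflects `openssl`, the last command of the pipeline, rather than `dialog`, so a dismissed dialog is only caught if the encoder happens to emit nothing for empty input; capturing the dialog output first and encoding it in a second step keeps the status check meaningful. luks_pass in src/lib/luks.sh carries the same `$?`/`$values` line.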
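Review bot: The decrypted password is expanded by the calling shell and pasted between single quotes into the string handed to `chroot_cmd`, in both `chpasswd` lines of create_user. A password containing `'` ends that quoting early, so the remainder is parsed as shell inside the chroot, and the clear text becomes part of a command string, which is what the commit set out to avoid. Assuming `chroot_cmd` passes standard input through (its definition is outside this diff), feeding the credential on stdin avoids both: `printf 'root:%s\n' "$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$ROOT_PASS")" | chroot_cmd "chpasswd"`. The `luksAddKey` line in the luks_keyfile hunk of src/lib/luks.sh is built the same way.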
@@ -34,7 +34,7 @@ luks_open() {
 luks_pass "$_LuksOpen" "$LUKS_NAME" || return 1
 infobox "$_LuksOpen" "$_LuksWaitBody $LUKS_NAME $_LuksWaitBody2 $LUKS_PART\n" 0
- echo "$LUKS_PASS" | cryptsetup open --type luks $LUKS_PART "$LUKS_NAME" 2>$ERR
+ cryptsetup open --type luks $LUKS_PART "$LUKS_NAME" <<< "$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$LUKS_PASS")" 2>$ERR
 check_for_errors "cryptsetup open --type luks $LUKS_PART $LUKS_NAME"
 LUKS=1
@@ -54,16 +54,26 @@ luks_pass() {
 --title " $title " --insecure --mixedform "$_LuksOpenBody" 16 75 4 \
 "$_Name" 1 1 "$name" 1 $((${#_Name} + 2)) 71 0 0 \
 "$_Password" 2 1 "" 2 $((${#_Password} + 2)) 71 0 1 \
- "$_Password2" 3 1 "" 3 $((${#_Password2} + 2)) 71 0 1)"
+ "$_Password2" 3 1 "" 3 $((${#_Password2} + 2)) 71 0 1 |
+ openssl enc -pbkdf2 -a -salt -pass pass:$SALT)"
 [[ $? != 0 || $values == "" ]] && return 1
- name="$(awk -F'~' '{print $1}' <<< "$values")"
+ name="$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$values" |
+ awk -F'~' '{print $1}')"
+ # all of this is a bit hacky, but we don't ever want the passwords to be stored in plain text
+ # so it decrypts the string '$values', gets the field we want, and re-encrypts it
 local pass pass2
- pass="$(awk -F'~' '{print $2}' <<< "$values")"
- pass2="$(awk -F'~' '{print $3}' <<< "$values")"
+ pass="$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$values" |
+ awk -F'~' '{print $2}' | openssl enc -pbkdf2 -a -salt -pass pass:$SALT)"
+ pass2="$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$values" |
+ awk -F'~' '{print $3}' | openssl enc -pbkdf2 -a -salt -pass pass:$SALT)"
- if [[ $pass == "" || "$pass" != "$pass2" ]]; then
+ # due to the encryption the string while encrypted will not be empty
+ local empty
+ empty="$(openssl enc -pbkdf2 -a -salt -pass pass:$SALT <<< "")"
+
+ if [[ $pass == "$empty" || "$pass" != "$pass2" ]]; then
 msgbox "$_ErrTitle" "$_PassErr\n$_TryAgain"
 luks_pass "$title" "$name" || return 1
 fi
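Review bot: The decode, pick-a-field, re-encode pipeline is spelled out in full for `name`, `pass` and `pass2` in the luks_pass hunk, as it is for every field in user_setup, so the same openssl options are repeated in more than twenty places across the three files. Two small wrappers, `enc() { openssl enc -pbkdf2 -a -salt -pass pass:$SALT; }` and `dec() { openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT; }`, would let this read `pass="$(dec <<< "$values" | awk -F'~' '{print $2}' | enc)"` and keep any later change to the options in one place. The added comment could also state that the clear text still passes through the pipes and awk, so what is avoided is only a plain-text shell variable. luks_pass begins above the hunk.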
@@ -105,13 +115,13 @@ luks_default() {
 luks_setup || return 1
 infobox "$_LuksEncrypt" "$_LuksWaitBody $LUKS_NAME $_LuksWaitBody2 $LUKS_PART\n" 0
- echo "$LUKS_PASS" | cryptsetup -q luksFormat "$LUKS_PART" 2>$ERR
+ cryptsetup -q luksFormat $LUKS_PART <<< "$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$LUKS_PASS")" 2>$ERR
 check_for_errors "cryptsetup -q luksFormat $LUKS_PART"
- echo "$LUKS_PASS" | cryptsetup open "$LUKS_PART" "$LUKS_NAME" 2>$ERR
+ cryptsetup open $LUKS_PART "$LUKS_NAME" <<< "$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$LUKS_PASS")" 2>$ERR
 check_for_errors "cryptsetup open $LUKS_PART $LUKS_NAME"
- LUKS=1
+ LUKS=1
 luks_show
 return 0
 }
@@ -125,10 +135,10 @@ luks_keycmd() {
 infobox "$_LuksEncryptAdv" "$_LuksWaitBody $LUKS_NAME $_LuksWaitBody2 $LUKS_PART\n" 0
- echo "$LUKS_PASS" | cryptsetup -q $cipher luksFormat $LUKS_PART 2>$ERR
+ cryptsetup -q $cipher luksFormat $LUKS_PART <<< "$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$LUKS_PASS")" 2>$ERR
 check_for_errors "cryptsetup -q $cipher luksFormat $LUKS_PART"
- echo "$LUKS_PASS" | cryptsetup open $LUKS_PART "$LUKS_NAME" 2>$ERR
+ cryptsetup open $LUKS_PART "$LUKS_NAME" <<< "$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$LUKS_PASS")" 2>$ERR
 check_for_errors "cryptsetup open $LUKS_PART $LUKS_NAME"
 luks_show
@@ -179,7 +189,7 @@ luks_keyfile() {
 local mkkey="dd bs=512 count=8 if=/dev/urandom of=/crypto_keyfile.bin"
 mkkey="$mkkey && chmod 000 /crypto_keyfile.bin"
- mkkey="$mkkey && echo '$LUKS_PASS' | cryptsetup luksAddKey /dev/$n /crypto_keyfile.bin"
+ mkkey="$mkkey && cryptsetup luksAddKey /dev/$n /crypto_keyfile.bin <<< '$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$LUKS_PASS")'"
 chroot_cmd "$mkkey"
 sed -i 's/FILES=()/FILES=(\/crypto_keyfile.bin)/g' $MNT/etc/mkinitcpio.conf 2>$ERR
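Review bot: Nothing in the luks_default hunk verifies that the inner `openssl enc ... -d` succeeded before its output reaches `cryptsetup -q luksFormat`: if decoding fails, the command substitution is empty and the here-string still supplies a blank line, so the format step runs with whatever cryptsetup makes of an empty passphrase. Piping instead, `openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$LUKS_PASS" | cryptsetup -q luksFormat "$LUKS_PART" 2>$ERR`, and returning when `${PIPESTATUS[0]}` is non-zero lets that failure surface before the volume is opened; luks_keycmd has the same two calls. The new lines also drop the quotes that the removed lines had around `"$LUKS_PART"`. luks_default's body begins above the hunk.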