Update password handling for user and luks setup to use encryption
parent
5416f553fc
commit
e6bbc6a999
@ -12,7 +12,7 @@
|
|||||||
# immutable variables {
|
# immutable variables {
|
||||||
|
|
||||||
readonly DIST="ArchLabs" # Linux distributor
|
readonly DIST="ArchLabs" # Linux distributor
|
||||||
readonly VER="1.6.76" # Installer version
|
readonly VER="1.6.77" # Installer version
|
||||||
readonly LIVE="liveuser" # Live session user
|
readonly LIVE="liveuser" # Live session user
|
||||||
readonly MNT="/mnt/install" # Install mountpoint
|
readonly MNT="/mnt/install" # Install mountpoint
|
||||||
readonly ERR="/tmp/errlog" # Built-in error log
|
readonly ERR="/tmp/errlog" # Built-in error log
|
||||||
@ -20,6 +20,7 @@ readonly EFI="/sys/firmware/efi/efivars"
|
|||||||
readonly TRN="/usr/share/archlabs/installer/lang"
|
readonly TRN="/usr/share/archlabs/installer/lang"
|
||||||
readonly RUN="/run/archiso/bootmnt/arch/boot"
|
readonly RUN="/run/archiso/bootmnt/arch/boot"
|
||||||
|
|
||||||
|
readonly SALT="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"
|
||||||
readonly VM="$(dmesg | grep -i "hypervisor")"
|
readonly VM="$(dmesg | grep -i "hypervisor")"
|
||||||
readonly KBD="$(find /usr/share/kbd/keymaps -name '*.map.gz')"
|
readonly KBD="$(find /usr/share/kbd/keymaps -name '*.map.gz')"
|
||||||
readonly LOCALES="$(awk '/\.UTF-8/ {gsub(/# .*|#/, ""); if($1) print $1 " -"}' /etc/locale.gen)"
|
readonly LOCALES="$(awk '/\.UTF-8/ {gsub(/# .*|#/, ""); if($1) print $1 " -"}' /etc/locale.gen)"
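Review bot: `SALT` is the secret that every later `openssl enc ... -pass pass:$SALT` call receives on its command line, and an argv value is readable by any local process through `ps` or `/proc` for as long as each openssl invocation runs; exporting it and selecting it with `-pass env:SALT` (or `-pass fd:N`) keeps it out of the process list. The name is also misleading, since openssl picks its own random salt on every `-salt` run and this value acts as the encryption password. The generation pipeline can drop the `cat` and the `fold`: `readonly SALT="$(tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 32)"` followed by `export SALT`. If the installer runs with `set -o pipefail`, `tr` exits 141 when `head` closes the pipe; inside `$(...)` on an assignment that status is masked, so it is harmless here but worth a one-line comment.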
|
||||||
@ -149,7 +150,6 @@ source_file() {
|
|||||||
|
|
||||||
user_setup() {
|
user_setup() {
|
||||||
tput cnorm
|
tput cnorm
|
||||||
|
|
||||||
local values
|
local values
|
||||||
values="$(dialog --stdout --no-cancel --separator '~' --ok-label "Submit" --backtitle "$BT" \
|
values="$(dialog --stdout --no-cancel --separator '~' --ok-label "Submit" --backtitle "$BT" \
|
||||||
--title " $_UserTitle " --insecure --mixedform "$_UserBody" 27 75 10 \
|
--title " $_UserTitle " --insecure --mixedform "$_UserBody" 27 75 10 \
|
||||||
@ -158,26 +158,41 @@ user_setup() {
|
|||||||
"$_Password2" 3 1 "" 3 $((${#_Password2} + 2)) 71 0 1 \
|
"$_Password2" 3 1 "" 3 $((${#_Password2} + 2)) 71 0 1 \
|
||||||
"$_RootBody" 6 1 "" 6 $((${#_RootBody} + 1)) 71 0 2 \
|
"$_RootBody" 6 1 "" 6 $((${#_RootBody} + 1)) 71 0 2 \
|
||||||
"$_Password" 8 1 "" 8 $((${#_Password} + 2)) 71 0 1 \
|
"$_Password" 8 1 "" 8 $((${#_Password} + 2)) 71 0 1 \
|
||||||
"$_Password2" 9 1 "" 9 $((${#_Password2} + 2)) 71 0 1)"
|
"$_Password2" 9 1 "" 9 $((${#_Password2} + 2)) 71 0 1 |
|
||||||
|
openssl enc -pbkdf2 -a -salt -pass pass:$SALT)"
|
||||||
[[ $? != 0 || $values == "" ]] && return 1
|
[[ $? != 0 || $values == "" ]] && return 1
|
||||||
|
|
||||||
|
# username doesn't need to be re-encrypted
|
||||||
local user
|
local user
|
||||||
user="$(awk -F'~' '{print $1}' <<< "$values")"
|
user="$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$values" |
|
||||||
|
awk -F'~' '{print $1}')"
|
||||||
|
|
||||||
|
# all of this is a bit hacky, but we don't ever want the passwords to be stored in plain text
|
||||||
|
# so it decrypts the string '$values', gets the field we want, and re-encrypts it
|
||||||
local pass pass2
|
local pass pass2
|
||||||
pass="$(awk -F'~' '{print $2}' <<< "$values")"
|
pass="$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$values" |
|
||||||
pass2="$(awk -F'~' '{print $3}' <<< "$values")"
|
awk -F'~' '{print $2}' | openssl enc -pbkdf2 -a -salt -pass pass:$SALT)"
|
||||||
|
pass2="$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$values" |
|
||||||
|
awk -F'~' '{print $3}' | openssl enc -pbkdf2 -a -salt -pass pass:$SALT)"
|
||||||
|
|
||||||
local rpass rpass2
|
local rpass rpass2
|
||||||
rpass="$(awk -F'~' '{print $5}' <<< "$values")"
|
rpass="$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$values" |
|
||||||
rpass2="$(awk -F'~' '{print $6}' <<< "$values")"
|
awk -F'~' '{print $5}' | openssl enc -pbkdf2 -a -salt -pass pass:$SALT)"
|
||||||
|
rpass2="$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$values" |
|
||||||
|
awk -F'~' '{print $6}' | openssl enc -pbkdf2 -a -salt -pass pass:$SALT)"
|
||||||
|
|
||||||
|
# due to the encryption the string while encrypted will not be empty
|
||||||
|
local empty
|
||||||
|
empty="$(openssl enc -pbkdf2 -a -salt -pass pass:$SALT <<< "")"
|
||||||
|
|
||||||
# both root passwords are empty, so use the user passwords instead
|
# both root passwords are empty, so use the user passwords instead
|
||||||
[[ $rpass == "" && $rpass2 == "" ]] && { rpass="$pass"; rpass2="$pass2"; }
|
[[ $rpass == "" && $rpass2 == "" ]] && { rpass="$pass"; rpass2="$pass2"; }
|
||||||
|
|
||||||
# make sure a username was entered and that the passwords match
|
# make sure a username was entered and that the passwords match
|
||||||
if [[ ${#user} -eq 0 || $user =~ \ |\' || $user =~ [^a-z0-9\ ] || $pass == "" || "$pass" != "$pass2" || "$rpass" != "$rpass2" ]]; then
|
if [[ ${#user} -eq 0 || $user =~ \ |\' || $user =~ [^a-z0-9\ ] || $pass == "$empty" || "$pass" != "$pass2" || "$rpass" != "$rpass2" ]]; then
|
||||||
if [[ $pass == "" || "$pass" != "$pass2" || "$rpass" != "$rpass2" ]]; then
|
if [[ $pass == "" || "$pass" != "$pass2" || "$rpass" != "$rpass2" ]]; then
|
||||||
# password was left empty or doesn't match
|
# password was left empty or doesn't match
|
||||||
if [[ $pass == "" ]]; then
|
if [[ $pass == "$empty" ]]; then
|
||||||
msgbox "$_ErrTitle" "\nUser password CANNOT be left empty.\n$_TryAgain"
|
msgbox "$_ErrTitle" "\nUser password CANNOT be left empty.\n$_TryAgain"
|
||||||
elif [[ "$rpass" != "$rpass2" ]]; then
|
elif [[ "$rpass" != "$rpass2" ]]; then
|
||||||
msgbox "$_ErrTitle" "$_RootPassErr\n$_TryAgain"
|
msgbox "$_ErrTitle" "$_RootPassErr\n$_TryAgain"
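Review bot: The password comparisons in this hunk can no longer succeed: every `openssl enc -salt` run chooses a fresh random salt, so `pass` and `pass2` are different ciphertexts even when the user typed the same password, `"$pass" != "$pass2"` and `"$rpass" != "$rpass2"` are always true, and `$pass == "$empty"` (like the unchanged `[[ $rpass == "" && $rpass2 == "" ]]` fallback) can never match. The `[[ $? != 0 || $values == "" ]]` guard is dead for the same reason: `$?` now reports openssl's status rather than dialog's, and encrypting an empty string produces a non-empty ciphertext. Comparing and testing the decrypted streams instead of the ciphertexts, as sketched below, restores the checks and still keeps plaintext out of shell variables; `luks_pass` (the `@ -54,16 +54,26 @@` hunk) has the identical problem. `user_setup` starts and ends outside this hunk.
```shell
# … unchanged: dialog call and extraction of user/pass/pass2/rpass/rpass2 …

# every `openssl enc -salt` run uses a fresh random salt, so two ciphertexts of the same
# plaintext never compare equal; compare the decrypted streams (not shell variables) instead
_dec() { openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$1"; }
_same() { cmp -s <(_dec "$1") <(_dec "$2"); }
_blank() { [[ -z "$(_dec "$1")" ]]; }

# both root passwords are empty, so use the user passwords instead
_blank "$rpass" && _blank "$rpass2" && { rpass="$pass"; rpass2="$pass2"; }

# make sure a username was entered and that the passwords match
if [[ ${#user} -eq 0 || $user =~ \ |\' || $user =~ [^a-z0-9\ ] ]] || _blank "$pass" || ! _same "$pass" "$pass2" || ! _same "$rpass" "$rpass2"; then
    # password was left empty or doesn't match
    if _blank "$pass"; then
    # … unchanged: error boxes and retry …
```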
|
||||||
@ -195,7 +210,6 @@ user_setup() {
|
|||||||
USER_PASS="$pass"
|
USER_PASS="$pass"
|
||||||
ROOT_PASS="$rpass"
|
ROOT_PASS="$rpass"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -119,7 +119,7 @@ EOF
|
|||||||
|
|
||||||
create_user() {
|
create_user() {
|
||||||
# set root password
|
# set root password
|
||||||
chroot_cmd "echo 'root:$ROOT_PASS' | chpasswd"
|
chroot_cmd "chpasswd <<< 'root:$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$ROOT_PASS")'"
|
||||||
|
|
||||||
# edit the group and passwd files in /etc/ to swap the liveuser account
|
# edit the group and passwd files in /etc/ to swap the liveuser account
|
||||||
sed -i "s/${LIVE}/${NEWUSER}/g" $MNT/etc/{group,gshadow,passwd,shadow}
|
sed -i "s/${LIVE}/${NEWUSER}/g" $MNT/etc/{group,gshadow,passwd,shadow}
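Review bot: The `$(openssl … -d …)` substitution on the new `chpasswd` line is evaluated by the outer shell, so the decrypted root password is expanded into the command string given to `chroot_cmd` and ends up in that process's argv (readable through `ps`/`/proc`), and a password containing `'` terminates the single-quoted here-string; the old `echo 'root:$ROOT_PASS'` had the same exposure and the commit does not close it. Passing the line on stdin avoids both: `printf 'root:%s\n' "$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$ROOT_PASS")" | chroot_cmd "chpasswd"` — this assumes `chroot_cmd` forwards its stdin into the chroot, which is not visible here. The `@ -136,7 +136,7 @@` hunk setting `$NEWUSER`'s password needs the same change. `create_user` ends outside this hunk.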
|
||||||
@ -136,7 +136,7 @@ create_user() {
|
|||||||
chroot_cmd "mv -f /home/$LIVE /home/$NEWUSER"
|
chroot_cmd "mv -f /home/$LIVE /home/$NEWUSER"
|
||||||
fi
|
fi
|
||||||
chroot_cmd "usermod -aG rfkill,wheel,network,storage,power,video,audio,lp,autologin $NEWUSER"
|
chroot_cmd "usermod -aG rfkill,wheel,network,storage,power,video,audio,lp,autologin $NEWUSER"
|
||||||
chroot_cmd "echo '$NEWUSER:$USER_PASS' | chpasswd"
|
chroot_cmd "chpasswd <<< '$NEWUSER:$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$USER_PASS")'"
|
||||||
chroot_cmd "chown -Rf $NEWUSER:users /home/$NEWUSER"
|
chroot_cmd "chown -Rf $NEWUSER:users /home/$NEWUSER"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -34,7 +34,7 @@ luks_open() {
|
|||||||
luks_pass "$_LuksOpen" "$LUKS_NAME" || return 1
|
luks_pass "$_LuksOpen" "$LUKS_NAME" || return 1
|
||||||
|
|
||||||
infobox "$_LuksOpen" "$_LuksWaitBody $LUKS_NAME $_LuksWaitBody2 $LUKS_PART\n" 0
|
infobox "$_LuksOpen" "$_LuksWaitBody $LUKS_NAME $_LuksWaitBody2 $LUKS_PART\n" 0
|
||||||
echo "$LUKS_PASS" | cryptsetup open --type luks $LUKS_PART "$LUKS_NAME" 2>$ERR
|
cryptsetup open --type luks $LUKS_PART "$LUKS_NAME" <<< "$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$LUKS_PASS")" 2>$ERR
|
||||||
check_for_errors "cryptsetup open --type luks $LUKS_PART $LUKS_NAME"
|
check_for_errors "cryptsetup open --type luks $LUKS_PART $LUKS_NAME"
|
||||||
|
|
||||||
LUKS=1
|
LUKS=1
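Review bot: When the inner `openssl … -d` fails (for example a corrupted `LUKS_PASS`), the command substitution expands to an empty string and `cryptsetup open` is fed an empty passphrase; cryptsetup's stderr lands in `$ERR` but openssl's goes to the terminal behind the dialog, so `check_for_errors` reports a cryptsetup failure and the real cause is lost. Redirecting the decryption's stderr into the same log keeps it visible — `2>>$ERR` inside the substitution, with the outer redirect changed to `2>>$ERR` as well (and `: >$ERR` once before the line if the log must hold only this command's output), because the outer `2>$ERR` truncates the file after the substitution has already run. The same shape recurs in the `luks_default` and `luks_keycmd` hunks. `$LUKS_PART` is still unquoted on this line while `$LUKS_NAME` is quoted, which is worth making consistent. `luks_open` starts and ends outside this hunk.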
|
||||||
@ -54,16 +54,26 @@ luks_pass() {
|
|||||||
--title " $title " --insecure --mixedform "$_LuksOpenBody" 16 75 4 \
|
--title " $title " --insecure --mixedform "$_LuksOpenBody" 16 75 4 \
|
||||||
"$_Name" 1 1 "$name" 1 $((${#_Name} + 2)) 71 0 0 \
|
"$_Name" 1 1 "$name" 1 $((${#_Name} + 2)) 71 0 0 \
|
||||||
"$_Password" 2 1 "" 2 $((${#_Password} + 2)) 71 0 1 \
|
"$_Password" 2 1 "" 2 $((${#_Password} + 2)) 71 0 1 \
|
||||||
"$_Password2" 3 1 "" 3 $((${#_Password2} + 2)) 71 0 1)"
|
"$_Password2" 3 1 "" 3 $((${#_Password2} + 2)) 71 0 1 |
|
||||||
|
openssl enc -pbkdf2 -a -salt -pass pass:$SALT)"
|
||||||
[[ $? != 0 || $values == "" ]] && return 1
|
[[ $? != 0 || $values == "" ]] && return 1
|
||||||
|
|
||||||
name="$(awk -F'~' '{print $1}' <<< "$values")"
|
name="$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$values" |
|
||||||
|
awk -F'~' '{print $1}')"
|
||||||
|
|
||||||
|
# all of this is a bit hacky, but we don't ever want the passwords to be stored in plain text
|
||||||
|
# so it decrypts the string '$values', gets the field we want, and re-encrypts it
|
||||||
local pass pass2
|
local pass pass2
|
||||||
pass="$(awk -F'~' '{print $2}' <<< "$values")"
|
pass="$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$values" |
|
||||||
pass2="$(awk -F'~' '{print $3}' <<< "$values")"
|
awk -F'~' '{print $2}' | openssl enc -pbkdf2 -a -salt -pass pass:$SALT)"
|
||||||
|
pass2="$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$values" |
|
||||||
|
awk -F'~' '{print $3}' | openssl enc -pbkdf2 -a -salt -pass pass:$SALT)"
|
||||||
|
|
||||||
if [[ $pass == "" || "$pass" != "$pass2" ]]; then
|
# due to the encryption the string while encrypted will not be empty
|
||||||
|
local empty
|
||||||
|
empty="$(openssl enc -pbkdf2 -a -salt -pass pass:$SALT <<< "")"
|
||||||
|
|
||||||
|
if [[ $pass == "$empty" || "$pass" != "$pass2" ]]; then
|
||||||
msgbox "$_ErrTitle" "$_PassErr\n$_TryAgain"
|
msgbox "$_ErrTitle" "$_PassErr\n$_TryAgain"
|
||||||
luks_pass "$title" "$name" || return 1
|
luks_pass "$title" "$name" || return 1
|
||||||
fi
|
fi
|
||||||
@ -105,13 +115,13 @@ luks_default() {
|
|||||||
luks_setup || return 1
|
luks_setup || return 1
|
||||||
infobox "$_LuksEncrypt" "$_LuksWaitBody $LUKS_NAME $_LuksWaitBody2 $LUKS_PART\n" 0
|
infobox "$_LuksEncrypt" "$_LuksWaitBody $LUKS_NAME $_LuksWaitBody2 $LUKS_PART\n" 0
|
||||||
|
|
||||||
echo "$LUKS_PASS" | cryptsetup -q luksFormat "$LUKS_PART" 2>$ERR
|
cryptsetup -q luksFormat $LUKS_PART <<< "$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$LUKS_PASS")" 2>$ERR
|
||||||
check_for_errors "cryptsetup -q luksFormat $LUKS_PART"
|
check_for_errors "cryptsetup -q luksFormat $LUKS_PART"
|
||||||
|
|
||||||
echo "$LUKS_PASS" | cryptsetup open "$LUKS_PART" "$LUKS_NAME" 2>$ERR
|
cryptsetup open $LUKS_PART "$LUKS_NAME" <<< "$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$LUKS_PASS")" 2>$ERR
|
||||||
check_for_errors "cryptsetup open $LUKS_PART $LUKS_NAME"
|
check_for_errors "cryptsetup open $LUKS_PART $LUKS_NAME"
|
||||||
LUKS=1
|
|
||||||
|
|
||||||
|
LUKS=1
|
||||||
luks_show
|
luks_show
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
@ -125,10 +135,10 @@ luks_keycmd() {
|
|||||||
|
|
||||||
infobox "$_LuksEncryptAdv" "$_LuksWaitBody $LUKS_NAME $_LuksWaitBody2 $LUKS_PART\n" 0
|
infobox "$_LuksEncryptAdv" "$_LuksWaitBody $LUKS_NAME $_LuksWaitBody2 $LUKS_PART\n" 0
|
||||||
|
|
||||||
echo "$LUKS_PASS" | cryptsetup -q $cipher luksFormat $LUKS_PART 2>$ERR
|
cryptsetup -q $cipher luksFormat $LUKS_PART <<< "$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$LUKS_PASS")" 2>$ERR
|
||||||
check_for_errors "cryptsetup -q $cipher luksFormat $LUKS_PART"
|
check_for_errors "cryptsetup -q $cipher luksFormat $LUKS_PART"
|
||||||
|
|
||||||
echo "$LUKS_PASS" | cryptsetup open $LUKS_PART "$LUKS_NAME" 2>$ERR
|
cryptsetup open $LUKS_PART "$LUKS_NAME" <<< "$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$LUKS_PASS")" 2>$ERR
|
||||||
check_for_errors "cryptsetup open $LUKS_PART $LUKS_NAME"
|
check_for_errors "cryptsetup open $LUKS_PART $LUKS_NAME"
|
||||||
|
|
||||||
luks_show
|
luks_show
|
||||||
@ -179,7 +189,7 @@ luks_keyfile() {
|
|||||||
|
|
||||||
local mkkey="dd bs=512 count=8 if=/dev/urandom of=/crypto_keyfile.bin"
|
local mkkey="dd bs=512 count=8 if=/dev/urandom of=/crypto_keyfile.bin"
|
||||||
mkkey="$mkkey && chmod 000 /crypto_keyfile.bin"
|
mkkey="$mkkey && chmod 000 /crypto_keyfile.bin"
|
||||||
mkkey="$mkkey && echo '$LUKS_PASS' | cryptsetup luksAddKey /dev/$n /crypto_keyfile.bin"
|
mkkey="$mkkey && cryptsetup luksAddKey /dev/$n /crypto_keyfile.bin <<< '$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$LUKS_PASS")'"
|
||||||
|
|
||||||
chroot_cmd "$mkkey"
|
chroot_cmd "$mkkey"
|
||||||
sed -i 's/FILES=()/FILES=(\/crypto_keyfile.bin)/g' $MNT/etc/mkinitcpio.conf 2>$ERR
|
sed -i 's/FILES=()/FILES=(\/crypto_keyfile.bin)/g' $MNT/etc/mkinitcpio.conf 2>$ERR
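Review bot: The new `luksAddKey` line decrypts the passphrase in the outer shell and splices the plaintext into `$mkkey`, so it travels in the argv of whatever `chroot_cmd` executes and a passphrase containing `'` terminates the quoted here-string and breaks the whole chained command. Keeping only the key-file steps in `$mkkey` and running `luksAddKey` separately with the passphrase on stdin avoids both: drop the `mkkey="$mkkey && cryptsetup luksAddKey …"` append and, after `chroot_cmd "$mkkey"`, run `openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$LUKS_PASS" | chroot_cmd "cryptsetup luksAddKey /dev/$n /crypto_keyfile.bin"` — this assumes `chroot_cmd` passes its stdin through, which is not visible here. `luks_keyfile` starts and ends outside this hunk.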
|
||||||
|