Update password handling for user and luks setup to use ecryption

This commit is contained in:
natemaia 2018-10-12 01:07:32 -07:00
parent 5416f553fc
commit e6bbc6a999
3 changed files with 49 additions and 25 deletions

View File

@ -12,7 +12,7 @@
# immutable variables { # immutable variables {
readonly DIST="ArchLabs" # Linux distributor readonly DIST="ArchLabs" # Linux distributor
readonly VER="1.6.76" # Installer version readonly VER="1.6.77" # Installer version
readonly LIVE="liveuser" # Live session user readonly LIVE="liveuser" # Live session user
readonly MNT="/mnt/install" # Install mountpoint readonly MNT="/mnt/install" # Install mountpoint
readonly ERR="/tmp/errlog" # Built-in error log readonly ERR="/tmp/errlog" # Built-in error log
@ -20,6 +20,7 @@ readonly EFI="/sys/firmware/efi/efivars"
readonly TRN="/usr/share/archlabs/installer/lang" readonly TRN="/usr/share/archlabs/installer/lang"
readonly RUN="/run/archiso/bootmnt/arch/boot" readonly RUN="/run/archiso/bootmnt/arch/boot"
readonly SALT="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"
readonly VM="$(dmesg | grep -i "hypervisor")" readonly VM="$(dmesg | grep -i "hypervisor")"
readonly KBD="$(find /usr/share/kbd/keymaps -name '*.map.gz')" readonly KBD="$(find /usr/share/kbd/keymaps -name '*.map.gz')"
readonly LOCALES="$(awk '/\.UTF-8/ {gsub(/# .*|#/, ""); if($1) print $1 " -"}' /etc/locale.gen)" readonly LOCALES="$(awk '/\.UTF-8/ {gsub(/# .*|#/, ""); if($1) print $1 " -"}' /etc/locale.gen)"
@ -149,7 +150,6 @@ source_file() {
user_setup() { user_setup() {
tput cnorm tput cnorm
local values local values
values="$(dialog --stdout --no-cancel --separator '~' --ok-label "Submit" --backtitle "$BT" \ values="$(dialog --stdout --no-cancel --separator '~' --ok-label "Submit" --backtitle "$BT" \
--title " $_UserTitle " --insecure --mixedform "$_UserBody" 27 75 10 \ --title " $_UserTitle " --insecure --mixedform "$_UserBody" 27 75 10 \
@ -158,26 +158,41 @@ user_setup() {
"$_Password2" 3 1 "" 3 $((${#_Password2} + 2)) 71 0 1 \ "$_Password2" 3 1 "" 3 $((${#_Password2} + 2)) 71 0 1 \
"$_RootBody" 6 1 "" 6 $((${#_RootBody} + 1)) 71 0 2 \ "$_RootBody" 6 1 "" 6 $((${#_RootBody} + 1)) 71 0 2 \
"$_Password" 8 1 "" 8 $((${#_Password} + 2)) 71 0 1 \ "$_Password" 8 1 "" 8 $((${#_Password} + 2)) 71 0 1 \
"$_Password2" 9 1 "" 9 $((${#_Password2} + 2)) 71 0 1)" "$_Password2" 9 1 "" 9 $((${#_Password2} + 2)) 71 0 1 |
openssl enc -pbkdf2 -a -salt -pass pass:$SALT)"
[[ $? != 0 || $values == "" ]] && return 1 [[ $? != 0 || $values == "" ]] && return 1
# username doesn't need to be re-encrypted
local user local user
user="$(awk -F'~' '{print $1}' <<< "$values")" user="$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$values" |
awk -F'~' '{print $1}')"
# all of this is a bit hacky, but we don't ever want the passwords to be stored in plain text
# so it decrypts the string '$values', gets the field we want, and re-encrypts it
local pass pass2 local pass pass2
pass="$(awk -F'~' '{print $2}' <<< "$values")" pass="$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$values" |
pass2="$(awk -F'~' '{print $3}' <<< "$values")" awk -F'~' '{print $2}' | openssl enc -pbkdf2 -a -salt -pass pass:$SALT)"
pass2="$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$values" |
awk -F'~' '{print $3}' | openssl enc -pbkdf2 -a -salt -pass pass:$SALT)"
local rpass rpass2 local rpass rpass2
rpass="$(awk -F'~' '{print $5}' <<< "$values")" rpass="$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$values" |
rpass2="$(awk -F'~' '{print $6}' <<< "$values")" awk -F'~' '{print $5}' | openssl enc -pbkdf2 -a -salt -pass pass:$SALT)"
rpass2="$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$values" |
awk -F'~' '{print $6}' | openssl enc -pbkdf2 -a -salt -pass pass:$SALT)"
# due to the encryption the string while encrypted will not be empty
local empty
empty="$(openssl enc -pbkdf2 -a -salt -pass pass:$SALT <<< "")"
# both root passwords are empty, so use the user passwords instead # both root passwords are empty, so use the user passwords instead
[[ $rpass == "" && $rpass2 == "" ]] && { rpass="$pass"; rpass2="$pass2"; } [[ $rpass == "" && $rpass2 == "" ]] && { rpass="$pass"; rpass2="$pass2"; }
# make sure a username was entered and that the passwords match # make sure a username was entered and that the passwords match
if [[ ${#user} -eq 0 || $user =~ \ |\' || $user =~ [^a-z0-9\ ] || $pass == "" || "$pass" != "$pass2" || "$rpass" != "$rpass2" ]]; then if [[ ${#user} -eq 0 || $user =~ \ |\' || $user =~ [^a-z0-9\ ] || $pass == "$empty" || "$pass" != "$pass2" || "$rpass" != "$rpass2" ]]; then
if [[ $pass == "" || "$pass" != "$pass2" || "$rpass" != "$rpass2" ]]; then if [[ $pass == "" || "$pass" != "$pass2" || "$rpass" != "$rpass2" ]]; then
# password was left empty or doesn't match # password was left empty or doesn't match
if [[ $pass == "" ]]; then if [[ $pass == "$empty" ]]; then
msgbox "$_ErrTitle" "\nUser password CANNOT be left empty.\n$_TryAgain" msgbox "$_ErrTitle" "\nUser password CANNOT be left empty.\n$_TryAgain"
elif [[ "$rpass" != "$rpass2" ]]; then elif [[ "$rpass" != "$rpass2" ]]; then
msgbox "$_ErrTitle" "$_RootPassErr\n$_TryAgain" msgbox "$_ErrTitle" "$_RootPassErr\n$_TryAgain"
@ -195,7 +210,6 @@ user_setup() {
USER_PASS="$pass" USER_PASS="$pass"
ROOT_PASS="$rpass" ROOT_PASS="$rpass"
fi fi
return 0 return 0
} }

View File

@ -119,7 +119,7 @@ EOF
create_user() { create_user() {
# set root password # set root password
chroot_cmd "echo 'root:$ROOT_PASS' | chpasswd" chroot_cmd "chpasswd <<< 'root:$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$ROOT_PASS")'"
# edit the group and passwd files in /etc/ to swap the liveuser account # edit the group and passwd files in /etc/ to swap the liveuser account
sed -i "s/${LIVE}/${NEWUSER}/g" $MNT/etc/{group,gshadow,passwd,shadow} sed -i "s/${LIVE}/${NEWUSER}/g" $MNT/etc/{group,gshadow,passwd,shadow}
@ -136,7 +136,7 @@ create_user() {
chroot_cmd "mv -f /home/$LIVE /home/$NEWUSER" chroot_cmd "mv -f /home/$LIVE /home/$NEWUSER"
fi fi
chroot_cmd "usermod -aG rfkill,wheel,network,storage,power,video,audio,lp,autologin $NEWUSER" chroot_cmd "usermod -aG rfkill,wheel,network,storage,power,video,audio,lp,autologin $NEWUSER"
chroot_cmd "echo '$NEWUSER:$USER_PASS' | chpasswd" chroot_cmd "chpasswd <<< '$NEWUSER:$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$USER_PASS")'"
chroot_cmd "chown -Rf $NEWUSER:users /home/$NEWUSER" chroot_cmd "chown -Rf $NEWUSER:users /home/$NEWUSER"
} }

View File

@ -34,7 +34,7 @@ luks_open() {
luks_pass "$_LuksOpen" "$LUKS_NAME" || return 1 luks_pass "$_LuksOpen" "$LUKS_NAME" || return 1
infobox "$_LuksOpen" "$_LuksWaitBody $LUKS_NAME $_LuksWaitBody2 $LUKS_PART\n" 0 infobox "$_LuksOpen" "$_LuksWaitBody $LUKS_NAME $_LuksWaitBody2 $LUKS_PART\n" 0
echo "$LUKS_PASS" | cryptsetup open --type luks $LUKS_PART "$LUKS_NAME" 2>$ERR cryptsetup open --type luks $LUKS_PART "$LUKS_NAME" <<< "$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$LUKS_PASS")" 2>$ERR
check_for_errors "cryptsetup open --type luks $LUKS_PART $LUKS_NAME" check_for_errors "cryptsetup open --type luks $LUKS_PART $LUKS_NAME"
LUKS=1 LUKS=1
@ -54,16 +54,26 @@ luks_pass() {
--title " $title " --insecure --mixedform "$_LuksOpenBody" 16 75 4 \ --title " $title " --insecure --mixedform "$_LuksOpenBody" 16 75 4 \
"$_Name" 1 1 "$name" 1 $((${#_Name} + 2)) 71 0 0 \ "$_Name" 1 1 "$name" 1 $((${#_Name} + 2)) 71 0 0 \
"$_Password" 2 1 "" 2 $((${#_Password} + 2)) 71 0 1 \ "$_Password" 2 1 "" 2 $((${#_Password} + 2)) 71 0 1 \
"$_Password2" 3 1 "" 3 $((${#_Password2} + 2)) 71 0 1)" "$_Password2" 3 1 "" 3 $((${#_Password2} + 2)) 71 0 1 |
openssl enc -pbkdf2 -a -salt -pass pass:$SALT)"
[[ $? != 0 || $values == "" ]] && return 1 [[ $? != 0 || $values == "" ]] && return 1
name="$(awk -F'~' '{print $1}' <<< "$values")" name="$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$values" |
awk -F'~' '{print $1}')"
# all of this is a bit hacky, but we don't ever want the passwords to be stored in plain text
# so it decrypts the string '$values', gets the field we want, and re-encrypts it
local pass pass2 local pass pass2
pass="$(awk -F'~' '{print $2}' <<< "$values")" pass="$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$values" |
pass2="$(awk -F'~' '{print $3}' <<< "$values")" awk -F'~' '{print $2}' | openssl enc -pbkdf2 -a -salt -pass pass:$SALT)"
pass2="$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$values" |
awk -F'~' '{print $3}' | openssl enc -pbkdf2 -a -salt -pass pass:$SALT)"
if [[ $pass == "" || "$pass" != "$pass2" ]]; then # due to the encryption the string while encrypted will not be empty
local empty
empty="$(openssl enc -pbkdf2 -a -salt -pass pass:$SALT <<< "")"
if [[ $pass == "$empty" || "$pass" != "$pass2" ]]; then
msgbox "$_ErrTitle" "$_PassErr\n$_TryAgain" msgbox "$_ErrTitle" "$_PassErr\n$_TryAgain"
luks_pass "$title" "$name" || return 1 luks_pass "$title" "$name" || return 1
fi fi
@ -105,13 +115,13 @@ luks_default() {
luks_setup || return 1 luks_setup || return 1
infobox "$_LuksEncrypt" "$_LuksWaitBody $LUKS_NAME $_LuksWaitBody2 $LUKS_PART\n" 0 infobox "$_LuksEncrypt" "$_LuksWaitBody $LUKS_NAME $_LuksWaitBody2 $LUKS_PART\n" 0
echo "$LUKS_PASS" | cryptsetup -q luksFormat "$LUKS_PART" 2>$ERR cryptsetup -q luksFormat $LUKS_PART <<< "$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$LUKS_PASS")" 2>$ERR
check_for_errors "cryptsetup -q luksFormat $LUKS_PART" check_for_errors "cryptsetup -q luksFormat $LUKS_PART"
echo "$LUKS_PASS" | cryptsetup open "$LUKS_PART" "$LUKS_NAME" 2>$ERR cryptsetup open $LUKS_PART "$LUKS_NAME" <<< "$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$LUKS_PASS")" 2>$ERR
check_for_errors "cryptsetup open $LUKS_PART $LUKS_NAME" check_for_errors "cryptsetup open $LUKS_PART $LUKS_NAME"
LUKS=1
LUKS=1
luks_show luks_show
return 0 return 0
} }
@ -125,10 +135,10 @@ luks_keycmd() {
infobox "$_LuksEncryptAdv" "$_LuksWaitBody $LUKS_NAME $_LuksWaitBody2 $LUKS_PART\n" 0 infobox "$_LuksEncryptAdv" "$_LuksWaitBody $LUKS_NAME $_LuksWaitBody2 $LUKS_PART\n" 0
echo "$LUKS_PASS" | cryptsetup -q $cipher luksFormat $LUKS_PART 2>$ERR cryptsetup -q $cipher luksFormat $LUKS_PART <<< "$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$LUKS_PASS")" 2>$ERR
check_for_errors "cryptsetup -q $cipher luksFormat $LUKS_PART" check_for_errors "cryptsetup -q $cipher luksFormat $LUKS_PART"
echo "$LUKS_PASS" | cryptsetup open $LUKS_PART "$LUKS_NAME" 2>$ERR cryptsetup open $LUKS_PART "$LUKS_NAME" <<< "$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$LUKS_PASS")" 2>$ERR
check_for_errors "cryptsetup open $LUKS_PART $LUKS_NAME" check_for_errors "cryptsetup open $LUKS_PART $LUKS_NAME"
luks_show luks_show
@ -179,7 +189,7 @@ luks_keyfile() {
local mkkey="dd bs=512 count=8 if=/dev/urandom of=/crypto_keyfile.bin" local mkkey="dd bs=512 count=8 if=/dev/urandom of=/crypto_keyfile.bin"
mkkey="$mkkey && chmod 000 /crypto_keyfile.bin" mkkey="$mkkey && chmod 000 /crypto_keyfile.bin"
mkkey="$mkkey && echo '$LUKS_PASS' | cryptsetup luksAddKey /dev/$n /crypto_keyfile.bin" mkkey="$mkkey && cryptsetup luksAddKey /dev/$n /crypto_keyfile.bin <<< '$(openssl enc -pbkdf2 -a -d -salt -pass pass:$SALT <<< "$LUKS_PASS")'"
chroot_cmd "$mkkey" chroot_cmd "$mkkey"
sed -i 's/FILES=()/FILES=(\/crypto_keyfile.bin)/g' $MNT/etc/mkinitcpio.conf 2>$ERR sed -i 's/FILES=()/FILES=(\/crypto_keyfile.bin)/g' $MNT/etc/mkinitcpio.conf 2>$ERR