Update default.conf

In default.conf cleaned up all cases of config variables for secret values i.e. have a generic explanation comment at the beginning instead of several similar comments at each place
rear · May 9, 2023 · da0cd3b · da0cd3b
1 parent db9302e
commit da0cd3b
Showing 1 changed file with 47 additions and 44 deletions.
diff --git a/usr/share/rear/conf/default.conf b/usr/share/rear/conf/default.conf
@@ -10,7 +10,39 @@
 # where you need a different value than the default which is set here
 # (in particular configuration variables for OUTPUT and BACKUP).
 #
-# Some variables are set to a default value here via
+# Some variables are for secret values (like passwords or encryption keys)
+# which are set to a default value in general in a confidential way via
+#   { VAR='secret_value' ; } 2>/dev/null
+# to provide a template how to set such variables properly
+# in the etc/rear/local.conf or etc/rear/site.conf config files.
+# The output via STDERR must be discarded via a compound group command
+#   { confidential_command ; } 2>/dev/null
+# even for a single command to discard STDERR also for 'set -x'.
+# Otherwise the confidential command and its arguments would be shown
+# in the ReaR log file when usr/sbin/rear is run in debugscript mode
+# where scripts and config files are run (sourced) with 'set -x'.
+#
+# Some variables are for a password as a salted hash.
+# To generate a password hash:
+# 1. Run
+#      openssl passwd -6
+#    if openssl 1.1.1 or newer is available,
+#    alternatively run
+#      openssl passwd -1
+#    Do not use something like
+#      echo 'my_secret_password' | openssl passwd -6 -stdin
+#    because that stores the whole command in a history file (e.g. ~/.bash_history)
+#    (unless you know how to run commands without keeping the history).
+#    openssl 1.1.0 only supports MD5 hashes (-1) and some exotic variants.
+#    openssl 1.1.1 also supports -5 (SHA256) and -6 (SHA512).
+#    See https://github.com/rear/rear/pull/2455#discussion_r453613086
+#    for information on the implications of MD5 cryptographic weakness
+#    cf. https://en.wikipedia.org/wiki/MD5#Security
+# 2. Copy the entire openssl output line between single quotes
+#    in a confidential variable assignment command like
+#      { PASSWORD='$6$96u44a5mgLn9fNBy$pyNnCvw...' ; } 2>/dev/null
+#
+# Several variables are set to a default value via
 #   VAR="${VAR:-default value}"
 # so VAR gets the default value assigned only if VAR is unset or null
 # which means you can set VAR to a non-empty value via
@@ -713,13 +745,7 @@ OPAL_PBA_UNLOCK_MODE="transient"
 # PBA debug password as a salted hash (empty for not using the debug shell facility).
 # If the debug password is entered when the PBA asks for a password to unlock disks,
 # an interactive emergency shell will be started, which can be used to debug the PBA system.
-# To generate a password hash,
-# 1. run
-#    - 'openssl passwd -6', if openssl 1.1.1 or newer is available, or
-#    - 'openssl passwd -1', otherwise (see https://github.com/rear/rear/pull/2455#discussion_r453613086 for information
-#      on the implications of its cryptographic weakness),
-# 2. copy its entire output line between single quotes and assign it to this variable.
-OPAL_PBA_DEBUG_PASSWORD=''
+{ OPAL_PBA_DEBUG_PASSWORD='' ; } 2>/dev/null
 #
 # When not empty, OPAL_PBA_DEBUG_DEVICE_COUNT overrides the number of TCG Opal 2-compliant self-encrypting disks
 # installed. To test the PBA system on a machine without any Opal 2-compliant disk, set OPAL_PBA_DEBUG_DEVICE_COUNT=1.
@@ -754,7 +780,7 @@ OPAL_PBA_TKNOFFSET=0
 #      https://www.freedesktop.org/software/systemd/man/systemd-stub.html
 #      https://www.freedesktop.org/software/systemd/man/systemd-creds.html
 #      https://www.freedesktop.org/software/systemd/man/systemd-cryptenroll.html
-OPAL_PBA_TKNKEY="tpm:opalauthtoken:7"
+{ OPAL_PBA_TKNKEY='tpm:opalauthtoken:7' ; } 2>/dev/null
 #
 # Poor man's alternative for AT <-> PBA binding, additionaly encrypts Opal password using PBA image hash as a key
 # Optional, may be used independently of TKNKEY type
@@ -1416,15 +1442,8 @@ BACKUP_PROG_CRYPT_ENABLED="false"
 # cf. the reasoning about SSH_UNPROTECTED_PRIVATE_KEYS below
 # and see https://github.com/rear/rear/issues/2155
 # Therefore BACKUP_PROG_CRYPT_KEY must be manually set before running "rear recover".
-# Avoid that the BACKUP_PROG_CRYPT_KEY value is shown when usr/sbin/rear was called with 'set -x'
-# for debugging usr/sbin/rear cf. https://github.com/rear/rear/issues/2144#issuecomment-493908133
-# and see the comment of the UserInput function in lib/_input-output-functions.sh
-# how to keep things confidential when usr/sbin/rear is run in debugscript mode.
-# In debugscript mode only scripts sourced by the Source function in lib/framework-functions.sh
-# are run with 'set -x' but default.conf is sourced by usr/sbin/rear directly.
-# Nevertheless the confidential way via { confidential_command ; } 2>/dev/null
-# is also used here to provide a template how to do it properly in etc/rear/local.conf:
-{ BACKUP_PROG_CRYPT_KEY="${BACKUP_PROG_CRYPT_KEY:-}" ; } 2>/dev/null
+# In local.conf set it confidentially via { BACKUP_PROG_CRYPT_KEY='secret_key' ; } 2>/dev/null
+BACKUP_PROG_CRYPT_KEY="${BACKUP_PROG_CRYPT_KEY:-}"
 # The command for backup encryption during "rear mkbackup" will be basically
 #    tar ... | BACKUP_PROG_CRYPT_OPTIONS BACKUP_PROG_CRYPT_KEY
 # for details see the backup/NETFS/default/500_make_backup.sh script:
@@ -1903,18 +1922,6 @@ CLONE_ALL_USERS_GROUPS="true"
 # A terminal login password as a salted hash.
 # If empty, a root login into the ReaR recovery system via the system console or a serial terminal
 # is possible without being asked for a password.
-# To generate a password hash,
-# 1. run
-#    - 'openssl passwd -6', if openssl 1.1.1 or newer is available, or
-#    - 'openssl passwd -1', otherwise, see
-#       https://github.com/rear/rear/pull/2455#discussion_r453613086
-#       for information on the implications of its cryptographic weakness,
-# 2. copy its entire output line and insert it between the single quotes of a line like
-#        { TTY_ROOT_PASSWORD='$6$96u44a5mgLn9fNBy$pyNnCvw...'; } 2>/dev/null
-#    NOTE: stderr is redirected in the above line to avoid exposing the password hash
-#          in the log file when ReaR runs in debugscript mode (with 'set -x').
-#          The confidential way via { confidential_command ; } 2>/dev/null
-#          is used here as template how to do it properly in etc/rear/local.conf
 { TTY_ROOT_PASSWORD='' ; } 2>/dev/null
 
 ####
@@ -1976,20 +1983,15 @@ CLONE_ALL_USERS_GROUPS="true"
 # from /root/.ssh only authorized_keys and known_hosts are copied into the recovery system.
 SSH_FILES='avoid_sensitive_files'
 #
-# SSH_ROOT_PASSWORD defines a password for remote access to the recovery system as 'root' via SSH
-# without requiring a public/private key pair. This password is valid only while the recovery system
-# is running and will not allow access afterwards to the restored target system.
-# In the recovery system the password is stored in hashed MD5 format (do not forget the password).
+# SSH_ROOT_PASSWORD defines a password for remote access to the recovery system
+# as 'root' via SSH without requiring a public/private key pair.
+# This password is valid only while the recovery system is running and
+# will not allow access afterwards to the restored target system.
+# In the recovery system the password is stored in hashed MD5 format.
 # Both SSH_ROOT_PASSWORD='plain_text_password' and SSH_ROOT_PASSWORD='hashed_password' are possible.
 # To avoid a plain text password in the etc/rear/local.conf config file
-# generate a hashed password with the command (cf. TTY_ROOT_PASSWORD above)
-#   echo 'my_recovery_system_root_password' | openssl passwd -6 -stdin
-# and use the output of openssl to set SSH_ROOT_PASSWORD in etc/rear/local.conf via
-#   { SSH_ROOT_PASSWORD='output_of_openssl' ; } 2>/dev/null
-# (single quotes avoid issues with the special bash character $ in the openssl output).
+# generate a MD5 hashed password with the openssl command.
 # SSH_ROOT_PASSWORD is ignored when SSH_FILES is set to a 'false' value.
-# The confidential way via { confidential_command ; } 2>/dev/null
-# is used here as template how to do it properly in etc/rear/local.conf
 { SSH_ROOT_PASSWORD='' ; } 2>/dev/null
 #
 # SSH_UNPROTECTED_PRIVATE_KEYS="yes" makes ReaR also include SSH keys without a passphrase
@@ -2244,7 +2246,7 @@ GALAXY11_LOG_DIRECTORY=
 GALAXY11_TEMP_DIRECTORY=
 GALAXY11_JOBS_RESULTS_DIRECTORY=
 GALAXY11_CONFIG_DIRECTORY=/etc/CommVaultRegistry
-
+#
 # add additional copy include/excludes for Galaxy 11, the content of the GALAXY_*_DIRECTORY
 # variables will be added automatically
 COPY_AS_IS_GALAXY11=()
@@ -2265,6 +2267,7 @@ GALAXY11_Q_ARGUMENTFILE=
 # Remember to adequately protect the rescue media if you include credentials in it
 GALAXY11_USER=${GALAXY11_USER:-}
 GALAXY11_PASSWORD=${GALAXY11_PASSWORD:-}
+# In local.conf set it confidentially via { GALAXY11_PASSWORD='secret_password' ; } 2>/dev/null
 
 ##
 # BACKUP=TSM stuff
@@ -2939,7 +2942,7 @@ PROGS_ZYPPER=()
 # As fallback "rear recover" sets 'root' as root password in the target system.
 # If SSH_ROOT_PASSWORD is specified it is used as root password in the target system
 # unless ZYPPER_ROOT_PASSWORD is specified which is used with highest priority:
-ZYPPER_ROOT_PASSWORD='root'
+{ ZYPPER_ROOT_PASSWORD='root' ; } 2>/dev/null
 # ZYPPER_NETWORK_SETUP_COMMANDS specifies the initial network setup in the target system for BACKUP=ZYPPER:
 # This initial network setup is only meant to make the target system
 # accessible from remote in a very basic way (e.g. for 'ssh').
@@ -2973,7 +2976,7 @@ COPY_AS_IS_YUM=( '/etc/yum*' '/etc/logrotate.d/yum*' '/usr/bin/python*' '/bin/py
 COPY_AS_IS_EXCLUDE_YUM=()
 REQUIRED_PROGS_YUM=( yum rpm rpm2cpio rpmdb rpmquery rpmverify chpasswd )
 PROGS_YUM=()
-YUM_ROOT_PASSWORD='root'
+{ YUM_ROOT_PASSWORD='root' ; } 2>/dev/null
 YUM_NETWORK_SETUP_COMMANDS=()
 YUM_EXCLUDE_PKGS=("")
 ##