Handle password securely, needs htpasswd to create user:password:

- Update tpotinit and entrypoint.sh to reflect this - Update install.sh to reflect this - Update .env / env.example to reflect this Reorder recommended packages in T-Pot Playbook Add packages to T-Pot Playbook to ensure manual deployment via Ansible will offer the same environment as manual local installation via install.sh and local Ansible deployment.
2025-07-01 12:32:12 +00:00 · 2023-07-05 23:03:41 +02:00 · 2023-07-05 23:03:41 +02:00 · 12af5c9d46
commit 12af5c9d46
parent b3f1b71054
5 changed files with 40 additions and 34 deletions
--- a/.env
+++ b/.env
@ -1,11 +1,10 @@
 # T-Pot config file. Do not remove.
-# Set Web username and password here, only required for first run
+# Set Web username and password here, it will be used to create the Nginx password file nginxpasswd.
-#  Removing the password after first run is recommended
+#  Use 'htpasswd -n <username>' to create the WEB_USER if you want to manually deploy T-Pot
-#  You can always add or remove users as you see fit using htpasswd:
+#  Example: 'htpasswd -n tsec' will print tsec:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0
-#  htpasswd -b -c /<data_folder>/nginx/conf/nginxpasswd <username> <password>
+#  Copy the string and replace WEB_USER='tsec:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0'
-WEB_USER='changeme'
+WEB_USER='change:me'
 WEB_PW='changeme'
 # T-Pot Blackhole
 #  ENABLED: T-Pot will download a db of known mass scanners and nullroute them
--- a/docker/tpotinit/dist/entrypoint.sh
+++ b/docker/tpotinit/dist/entrypoint.sh
@ -34,9 +34,9 @@ if [ -f "/data/uuid" ];
    figlet "${VERSION}"
    echo
    echo "# Checking for default user."
-    if [ "${WEB_USER}" == "changeme" ] || [ "${WEB_PW}" == "changeme" ];
+    if [ "${WEB_USER}" == "change:me" ];
      then
-        echo "# Please change WEB_USER and WEB_PW in the hidden \".env\" file."
+        echo "# Please change WEB_USER in the hidden \".env\" file."
 	      echo "# Aborting."
      	echo
        exit 1
@ -66,7 +66,7 @@ if [ -f "/data/uuid" ];
    echo
    echo "# Creating web user from tpot.env, make sure to erase the password from the .env ..."
    echo
-    htpasswd -b -c /data/nginx/conf/nginxpasswd "${WEB_USER}" "${WEB_PW}"
+    echo "${WEB_USER}" > /data/nginx/conf/nginxpasswd
    echo
    echo "# Extracting objects, final touches and permissions ..."
    echo
--- a/env.example
+++ b/env.example
@ -1,11 +1,10 @@
 # T-Pot config file. Do not remove.
-# Set Web username and password here, only required for first run
+# Set Web username and password here, it will be used to create the Nginx password file nginxpasswd.
-#  Removing the password after first run is recommended
+#  Use 'htpasswd -n <username>' to create the WEB_USER if you want to manually deploy T-Pot
-#  You can always add or remove users as you see fit using htpasswd:
+#  Example: 'htpasswd -n tsec' will print tsec:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0
-#  htpasswd -b -c /<data_folder>/nginx/conf/nginxpasswd <username> <password>
+#  Copy the string and replace WEB_USER='tsec:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0'
-WEB_USER='changeme'
+WEB_USER='change:me'
 WEB_PW='changeme'
 # T-Pot Blackhole
 #  ENABLED: T-Pot will download a db of known mass scanners and nullroute them
@ -32,9 +31,9 @@ TPOT_DOCKER_ENV=./.env
 TPOT_DOCKER_COMPOSE=./docker-compose.yml
 # T-Pot Repo
-#  Depending on where you are located you may choose between DockerHub and GHCR
+# Depending on where you are located you may choose between DockerHub and GHCR
-#  dtagdevsec: This will use the DockerHub image registry
+# dtagdevsec: This will use the DockerHub image registry
-#  ghcr.io/telekom-security: This will use the GitHub container registry
+# ghcr.io/telekom-security: This will use the GitHub container registry
 TPOT_REPO=dtagdevsec
 # T-Pot Version Tag
--- a/install.sh
+++ b/install.sh
@ -3,10 +3,10 @@
 myINSTALL_NOTIFICATION="### Now installing required packages ..."
 myUSER=$(whoami)
 myTPOT_CONF_FILE="/home/${myUSER}/tpotce/.env"
-myPACKAGES_DEBIAN="ansible cracklib-runtime wget"
+myPACKAGES_DEBIAN="ansible apache2-utils cracklib-runtime wget"
-myPACKAGES_FEDORA="ansible cracklib wget"
+myPACKAGES_FEDORA="ansible cracklib httpd-tools wget"
-myPACKAGES_ROCKY="ansible-core ansible-collection-redhat-rhel_mgmt cracklib wget"
+myPACKAGES_ROCKY="ansible-core ansible-collection-redhat-rhel_mgmt cracklib httpd-tools wget"
-myPACKAGES_OPENSUSE="ansible cracklib wget"
+myPACKAGES_OPENSUSE="ansible apache2-utils cracklib wget"
 myINSTALLER=$(cat << "EOF"
@ -74,7 +74,7 @@ case ${myCURRENT_DISTRIBUTION} in
        echo "### or press CTRL-C to manually install ‘sudo‘ and add your user to the sudoers."
        echo
        su -c "apt -y update && \
-               apt -y install sudo ${myPACKAGES_DEBIAN} && \
+               NEEDRESTART_SUSPEND=1 apt -y install sudo ${myPACKAGES_DEBIAN} && \
               /usr/sbin/usermod -aG sudo ${myUSER} && \
               echo '${myUSER} ALL=(ALL:ALL) ALL' | tee /etc/sudoers.d/${myUSER} >/dev/null && \
               chmod 440 /etc/sudoers.d/${myUSER}"
@ -83,7 +83,7 @@ case ${myCURRENT_DISTRIBUTION} in
        echo
      else
        sudo apt update
-        sudo apt install -y ${myPACKAGES_DEBIAN}
+        sudo NEEDRESTART_SUSPEND=1 apt install -y ${myPACKAGES_DEBIAN}
    fi
    ;;
  "openSUSE Tumbleweed")
@ -204,11 +204,10 @@ while [ "${myWEB_PW}" != "${myWEB_PW2}"  ] && [ "${mySECURE}" == "0" ]
 done
 # Write username and password to T-Pot config file
-echo "### Writing username and password to T-Pot config file: ${myTPOT_CONF_FILE}"
+echo "### Creating htpasswd username and password for T-Pot config file: ${myTPOT_CONF_FILE}"
-echo "### You can empty the password <WEB_PW=''> after the first start of T-Pot."
+myWEB_USER_ENC=$(htpasswd -b -n "${myWEB_USER}" "${myWEB_PW}")
 echo
-sed -i "/^WEB_USER=/s/.*/WEB_USER='${myWEB_USER}'/" ${myTPOT_CONF_FILE}
+sed -i "s|^WEB_USER=.*|WEB_USER='${myWEB_USER_ENC}'|" ${myTPOT_CONF_FILE}
 sed -i "/^WEB_PW=/s/.*/WEB_PW='${myWEB_PW}'/" ${myTPOT_CONF_FILE}
 # Pull docker images
 echo "### Now pulling images ..."
--- a/installer/install/tpot.yml
+++ b/installer/install/tpot.yml
@ -58,11 +58,11 @@
      tags:
        - "openSUSE Tumbleweed"
-################################
+#####################################################################
-# T-Pot - Abort if run as root #
+# T-Pot - Abort if run as tpot, root or on unsupported distribution #
-################################
+#####################################################################
- name: T-Pot - Abort if run as root
+- name: T-Pot - Abort if run as tpot, root or on unsupported distribution
  hosts: all
  gather_facts: true
  become: false
@ -117,14 +117,17 @@
    - name: Install recommended packages (Debian, Ubuntu)
      package:
        name:
          - apache2-utils
          - bash-completion
          - ca-certificates
          - cracklib-runtime
          - curl 
          - git
          - gnupg
          - grc
          - vim
          - net-tools
          - vim
          - wget
        state: latest
        update_cache: yes
      when: ansible_distribution in ["Debian", "Ubuntu"]
@ -147,12 +150,15 @@
        name:
          - bash-completion
          - ca-certificates
          - cracklib
          - curl
          - dnf-plugins-core
          - git
          - grc
-          - vim
+          - httpd-tools
          - net-tools
          - vim
          - wget
        state: latest
        update_cache: yes
      when: ansible_distribution in ["AlmaLinux", "Fedora", "Rocky"]
@ -178,13 +184,16 @@
    - name: Install recommended packages (openSUSE Tumbleweed)
      package:
        name:
          - apache2-utils
          - bash-completion
          - busybox-net-tools
          - ca-certificates
          - cracklib
          - curl
          - git
          - grc
          - vim
          - wget
        state: latest
        update_cache: yes
      when: ansible_distribution in ["openSUSE Tumbleweed"]