diff --git a/init.sh b/init.sh
index 4b39c9c..9ba1626 100755
--- a/init.sh
+++ b/init.sh
@@ -12,6 +12,23 @@ for lib in $MYPATH/lib/*.sh; do
 . $lib
 done
 
+# Check if a function exists
+function_exists() {
+ declare -f -F $1 > /dev/null
+ return $?
+}
+
+function_exists prnt || (
+ echo "Il manque des fonctions vitales dans les bibliothèques !"
+ exit 2
+)
+
+# Vérifie qu'on soit root
+if [[ $EUID -ne 0 ]];
+ prnt E "Ce script doit être démarré en tant que root. Arrêt."
+ exit 1
+fi
+
 # Variables globales importantes
 export HOSTNAME=$(hostname)
 export LOGFILE=${LOGFILE:-"$MYPATH/log/init-$(uname -n)-$(stdtime).log"}
@@ -26,31 +43,14 @@ exec 1>$LOGFILE 2>&1
 
 # Récupère la configuration
 prnt I "Chargement de la configuration..."
-. $MYPATH/conf/init.conf.sh
-
-# Authentication
-#authnz()
-#{
-# apt-get install nscd libpam-krb5 libnss-ldap libpam-ldap
-#
-# backupdist /etc/krb5.conf /etc/libnss-ldap.conf /etc/pam_ldap.conf /etc/nsswitch.conf \
-# /etc/pam.d/common-session /etc/pam.d/common-account /etc/pam.d/common-password \
-# /etc/pam.d/common-auth
-# installfile krb5.conf libnss-ldap.conf pam_ldap.conf nsswitch.conf /etc
-# installfile common-session common-account common-password common-auth /etc/pam.d
-#
-# /etc/init.d/nscd restart
-#}
-
-# Users (from Ldap)
-#add_users()
-#{
-# backupdist /etc/passwd /etc/shadow /etc/group
-# sed -i -e '/^fatal/d' /etc/passwd /etc/shadow /etc/group
-# echo "+kroot::::::" >> /etc/passwd
-# echo "+kroot::::::::" >> /etc/shadow
-#}
-
+if [[ -e $MYPATH/conf/$HOSTNAME.conf ]]; then
+ prnt I "Une configuration spécifique sera utilisé."
+ . $MYPATH/conf/$HOSTNAME.conf
+else
+ prnt I "Une configuration générique sera utilisé."
+ [[ -e $MYPATH/conf/init.conf.sh ]] && . $MYPATH/conf/init.conf.sh || (
+ prnt E "Aucune configuration trouvée, impossible de continuer."
+fi
 
 # Additionnal packages (some are necessary to that script to end successfully)
 install_pkg()
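Review bot: The root check added in this hunk cannot be parsed: `if [[ $EUID -ne 0 ]];` is followed directly by the `prnt E` line with no `then`, so bash rejects the whole script at startup (the copy of this check removed from the main section further down had the same bug, so the commit moves it rather than fixes it). The `function_exists prnt || ( ... exit 2 )` guard just above it does not stop the script either, because `exit` inside `( )` only ends the subshell and execution continues as root with `prnt` undefined. Write `if [[ $EUID -ne 0 ]]; then` and use a brace group for the guard, `function_exists prnt || { echo "Il manque des fonctions vitales dans les bibliothèques !" >&2; exit 2; }`.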
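Review bot: The generic-configuration fallback in the second hunk is syntactically broken and would not abort even if it parsed: the `|| (` opened after `. $MYPATH/conf/init.conf.sh` is never closed before `fi`, and there is no `exit` in it, so a missing configuration would only log an error and the script would carry on as root with nothing configured. The `A && B || C` form also runs the error branch when sourcing the file itself returns non-zero, hiding a broken config behind a "not found" message. Since stdout and stderr were already redirected to `$LOGFILE` by the `exec` line above the hunk, the operator sees nothing on the terminal either, so the abort must be explicit; an if/else with `exit 1` is the plain fix.
```shell
else
 prnt I "Une configuration générique sera utilisé."
 if [[ -e $MYPATH/conf/init.conf.sh ]]; then
  . $MYPATH/conf/init.conf.sh
 else
  prnt E "Aucune configuration trouvée, impossible de continuer."
  exit 1
 fi
fi
```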
@@ -58,17 +58,6 @@ install_pkg()
 apt install -y $INSTLIST
 }
 
-# SSH server
-conf_ssh()
-{
- backupdist /etc/ssh/ssh{,d}_config
- sed -i -e '/^#PermitRootLogin/s/^#//' /etc/ssh/sshd_config
- sed -i -e '/^PermitRootLogin /s/ .*/ yes/' /etc/ssh/sshd_config
- /etc/init.d/ssh restart || true
- $BASEGPDIR/ssh/getpubkey.sh
- installfile ssh_config /etc/ssh/ssh_config
-}
-
 # Profile
 install_profile()
 {
@@ -121,20 +110,6 @@ conf_mail()
 # ==== Main Program ====
 # ======================
 
-# Vérifie qu'on soit root
-if [[ $EUID -ne 0 ]];
- prnt E "Ce script doit être démarré en root. Arrêt."
- exit 1
-fi
-
-# Chargement de la configuration
-[[ -s conf/init.sh.conf ]] && . conf/init.sh.conf || (
- prnt E "Impossible de charger la configuration."
- exit 1
-)
-
-
-
 upgrade_dist
 [[ ! $PVEHST ]] && install_ceph && conf_ceph
 [[ ! $PVEHST ]] && apt_blacklist
diff --git a/lib/filefct.sh b/lib/filefct.sh
index ecf4756..4fb159f 100644
--- a/lib/filefct.sh
+++ b/lib/filefct.sh
@@ -45,6 +45,7 @@ installfile()
 elif [[ -f $MYPATH/repo/common/$arg ]]; then
 filelist="$filelist $MYPATH/repo/common/$arg"
 else
+ # Not found in repository, we expect full name
 filelist="$filelist $arg"
 fi
 done
diff --git a/lib/services.sh b/lib/services.sh
index 99a0e17..bb0d4b6 100644
--- a/lib/services.sh
+++ b/lib/services.sh
@@ -5,7 +5,7 @@ exec_serv()
 {
 [[ $# -lt 2 ]] && (
 prnt E "exec_serv(): Erreur de syntaxe !"
- exit 11
+ exit 130
 )
 
 local svcname=$1 command=$2
diff --git a/modules/authnz.sh b/modules/authnz.sh
new file mode 100644
index 0000000..9637674
--- /dev/null
+++ b/modules/authnz.sh
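Review bot: The comment added in lib/filefct.sh describes a fallback that nothing checks: when `$arg` is in neither the host nor the common repository it is appended to `filelist` verbatim, with no `-f` test, so a typo in a module's file name silently becomes a non-existent source path handed to whatever consumes `filelist` later (the rest of `installfile` is outside the hunk). Either guard it, `[[ -f $arg ]] || prnt W "installfile(): $arg introuvable"`, or make the comment state that the caller must pass an existing absolute path, e.g. `# Not found in repository: treat $arg as an absolute path (caller must ensure it exists)`.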
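Review bot: Changing the status from 11 to 130 in lib/services.sh does not change what happens on the syntax error, because `( ... exit 130 )` is a subshell: `exit` ends only that subshell and `exec_serv` carries on with `svcname` and `command` unset or half set (the rest of the function is outside the hunk). Use a brace group and return from the function instead, `[[ $# -lt 2 ]] && { prnt E "exec_serv(): Erreur de syntaxe !"; return 130; }`. 130 is also the conventional status of a process killed by SIGINT (128+2), so a caller inspecting `$?` could not tell this usage error from a Ctrl-C; a small non-signal value like the original 11 is less ambiguous.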
@@ -0,0 +1,35 @@
+# Ajout de la gestion d'une authentification centralisé
+
+export VER_authnz=0.0.1
+
+# Users (from Ldap)
+add_users()
+{
+ backupdist /etc/passwd /etc/shadow /etc/group
+ sed -i -e '/^fatal/d' /etc/passwd /etc/shadow /etc/group
+ echo "+kroot::::::" >> /etc/passwd
+ echo "+kroot::::::::" >> /etc/shadow
+}
+
+# Authentication
+authnz()
+{
+ pkginst nscd libpam-krb5 libnss-ldap libpam-ldap
+
+ backupdist /etc/krb5.conf /etc/libnss-ldap.conf /etc/pam_ldap.conf \
+ /etc/nsswitch.conf /etc/pam.d/common-session \
+ /etc/pam.d/common-account /etc/pam.d/common-password \
+ /etc/pam.d/common-auth
+ installfile krb5.conf libnss-ldap.conf pam_ldap.conf nsswitch.conf /etc
+ installfile common-session common-account common-password common-auth \
+ /etc/pam.d
+
+ scv_restart nscd
+
+ add_users
+}
+
+precheck_authnz()
+{
+ :
+}
diff --git a/modules/conf_ssh.sh b/modules/conf_ssh.sh
index d002a5a..88aae5d 100644
--- a/modules/conf_ssh.sh
+++ b/modules/conf_ssh.sh
@@ -12,14 +12,8 @@ conf_ssh()
 prnt I "Installation des fichiers de configuration de SSH..."
 for f in /etc/ssh/ssh{,d}_config; do
- dest="$f.work"
 backupdist $f
- installfile $(basename $f) $dest
-
- # A finir
-
- echo "# Generated on $(date --rfc-3339=seconds)" >> $dest &&
- mv -fv $dest $f
+ installfile $(basename $f) /etc/ssh/$(basename $f)
 done
 prnt I "Démarrage du sevice ssh..."
@@ -28,7 +22,7 @@ precheck_conf_ssh()
 {
- # A finir
+ : # Rien à vérifier
 }
 export -f conf_ssh
diff --git a/repo/common/ssh_config b/repo/common/ssh_config
new file mode 100644
index 0000000..7719d88
--- /dev/null
+++ b/repo/common/ssh_config
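Review bot: `add_users` in the new modules/authnz.sh edits the account databases with a prefix match and is not idempotent: `sed -i -e '/^fatal/d'` deletes every entry whose name merely starts with `fatal` from /etc/passwd, /etc/shadow and /etc/group, and the `+kroot` compat lines are appended unconditionally, so each run of the module adds another pair. Anchor the name on the field separator and guard the appends as below. The `+kroot` entries only take effect if nsswitch.conf selects `compat` for passwd and shadow; the nsswitch.conf that `authnz` installs is not in this diff, so confirm it does. `pkginst` and `scv_restart` are not defined anywhere in this commit (lib/services.sh here defines `exec_serv`), so verify those helper names exist before this module is enabled.
```shell
add_users()
{
	backupdist /etc/passwd /etc/shadow /etc/group
	# Match the whole login name, not every name that starts with "fatal"
	sed -i -e '/^fatal:/d' /etc/passwd /etc/shadow /etc/group
	# Idempotent: never append the compat entries a second time
	grep -q '^+kroot:' /etc/passwd || echo "+kroot::::::" >> /etc/passwd
	grep -q '^+kroot:' /etc/shadow || echo "+kroot::::::::" >> /etc/shadow
}
```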
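Review bot: In modules/conf_ssh.sh the loop now writes the repository `sshd_config` straight over `/etc/ssh/sshd_config`, and the daemon is restarted right after the `prnt I "Démarrage..."` line (that restart, like the start and end of `conf_ssh`, is outside the hunk), with no validation in between; a directive the installed sshd does not accept would leave the host without remote access. The `.work` staging that this commit removes was the right place for that check: stage the file, run `sshd -t -f` on it, and only then move it into place. `/etc/ssh/$(basename $f)` is also just `$f` again, so the double `basename` can go, and both `installfile` arguments should be quoted.
```shell
for f in /etc/ssh/ssh{,d}_config; do
	backupdist "$f"
	installfile "$(basename "$f")" "$f.work"
	# Never swap in an sshd_config the daemon cannot parse: the restart
	# that follows would otherwise lock us out of the host
	if [[ $f == */sshd_config ]] && ! sshd -t -f "$f.work"; then
		prnt E "sshd_config invalide, fichier conservé dans $f.work"
		return 1
	fi
	mv -f "$f.work" "$f"
done
```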
@@ -0,0 +1,52 @@
+# This is the ssh client system-wide configuration file. See
+# ssh_config(5) for more information. This file provides defaults for
+# users, and the values can be changed in per-user configuration files
+# or on the command line.
+
+# Configuration data is parsed as follows:
+# 1. command line options
+# 2. user-specific file
+# 3. system-wide file
+# Any configuration value is only changed the first time it is set.
+# Thus, host-specific definitions should be at the beginning of the
+# configuration file, and defaults at the end.
+
+# Site-wide defaults for some commonly used options. For a comprehensive
+# list of available options, their meanings and defaults, please see the
+# ssh_config(5) man page.
+
+Host *
+ ForwardAgent no
+ ForwardX11 yes
+ ForwardX11Trusted yes
+# RhostsRSAAuthentication no
+# RSAAuthentication yes
+# PasswordAuthentication yes
+# HostbasedAuthentication no
+# GSSAPIAuthentication no
+# GSSAPIDelegateCredentials no
+# GSSAPIKeyExchange no
+# GSSAPITrustDNS no
+ GSSAPIAuthentication yes
+ GSSAPIDelegateCredentials yes
+# BatchMode no
+# CheckHostIP yes
+# AddressFamily any
+# ConnectTimeout 0
+# StrictHostKeyChecking ask
+# IdentityFile ~/.ssh/identity
+# IdentityFile ~/.ssh/id_rsa
+# IdentityFile ~/.ssh/id_dsa
+ Port 22
+ Protocol 2,1
+# Cipher 3des
+# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
+# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
+# EscapeChar ~
+# Tunnel no
+# TunnelDevice any:any
+# PermitLocalCommand no
+# VisualHostKey no
+# ProxyCommand ssh -q -W %h:%p gateway.example.com
+ SendEnv LANG LC_*
+ HashKnownHosts yes
diff --git a/repo/common/sshd_config b/repo/common/sshd_config
new file mode 100644
index 0000000..6e0983d
--- /dev/null
+++ b/repo/common/sshd_config
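Review bot: Three `Host *` defaults in the new client config weaken every outgoing connection made from these hosts. `Protocol 2,1` lets a server negotiate the legacy SSH-1 protocol, whose cryptography is considered broken and which current OpenSSH releases have removed entirely; `ForwardX11Trusted yes` together with `ForwardX11 yes` gives any server the user connects to full control of the local X display, where untrusted forwarding is the safe default; and `GSSAPIDelegateCredentials yes` forwards the user's Kerberos TGT to every host, including ones outside the realm. Change them to `Protocol 2` and `ForwardX11Trusted no`, and move `GSSAPIDelegateCredentials yes` into a `Host` block limited to the internal domain; the server-side file added in this same commit already uses `Protocol 2`.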
@@ -0,0 +1,31 @@
+Port 22
+Protocol 2
+HostKey /etc/ssh/ssh_host_ed25519_key
+SyslogFacility AUTH
+LogLevel INFO
+LoginGraceTime 120
+PermitRootLogin no
+StrictModes yes
+PubkeyAuthentication yes
+AuthorizedKeysFile %h/.ssh/authorized_keys
+IgnoreRhosts yes
+HostbasedAuthentication no
+ChallengeResponseAuthentication no
+PasswordAuthentication yes
+PermitEmptyPasswords no
+KerberosAuthentication yes
+KerberosOrLocalPasswd yes
+KerberosTicketCleanup yes
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials yes
+GSSAPIStrictAcceptorCheck no
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+AcceptEnv LANG LC_*
+AllowTcpForwarding no
+Match Address 10.3.0.0/16
+ PermitRootLogin yes
+
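Review bot: The `Match Address 10.3.0.0/16` block re-enables root login with a password from the whole 10.3/16 network: `PasswordAuthentication yes` (and `KerberosOrLocalPasswd yes`) is global, so `PermitRootLogin yes` there lets anyone on that network guess root's local password, which is exactly what the global `PermitRootLogin no` was meant to prevent. Limit the exception to keys, `PermitRootLogin without-password` (spelled `prohibit-password` in newer OpenSSH), or add `PasswordAuthentication no` inside the same Match block. Two more settings deserve a look: `GSSAPIStrictAcceptorCheck no` lets the server accept GSSAPI authentication for any host principal in its keytab rather than only its own name, and `UsePAM` is not set at all, so with sshd's compiled-in default of `no` the PAM account and session stacks installed by modules/authnz.sh in this commit would not be consulted for SSH logins; confirm which behaviour is intended and set it explicitly.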