fatalerrors/init.sh
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

start writing main program, finish ssh module, new authnz module, various cleanup

Browse Source
This commit is contained in:
levasseur
2021-06-14 17:46:59 +02:00
parent e970f24a5c
commit 2f9eb19ebe
7 changed files with 147 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

75
init.sh
View File

@@ -12,6 +12,23 @@ for lib in $MYPATH/lib/*.sh; do
. $lib . $lib
done done
# Check if a function exists
function_exists() {
declare -f -F $1 > /dev/null
return $?
}
function_exists prnt || (
echo "Il manque des fonctions vitales dans les bibliothèques !"
exit 2
)
# Vérifie qu'on soit root
if [[ $EUID -ne 0 ]];
prnt E "Ce script doit être démarré en tant que root. Arrêt."
exit 1
fi
# Variables globales importantes # Variables globales importantes
export HOSTNAME=$(hostname) export HOSTNAME=$(hostname)
export LOGFILE=${LOGFILE:-"$MYPATH/log/init-$(uname -n)-$(stdtime).log"} export LOGFILE=${LOGFILE:-"$MYPATH/log/init-$(uname -n)-$(stdtime).log"}
@@ -26,31 +43,14 @@ exec 1>$LOGFILE 2>&1
# Récupère la configuration # Récupère la configuration
prnt I "Chargement de la configuration..." prnt I "Chargement de la configuration..."
. $MYPATH/conf/init.conf.sh if [[ -e $MYPATH/conf/$HOSTNAME.conf ]]; then
prnt I "Une configuration spécifique sera utilisé."
# Authentication . $MYPATH/conf/$HOSTNAME.conf
#authnz() else
#{ prnt I "Une configuration générique sera utilisé."
# apt-get install nscd libpam-krb5 libnss-ldap libpam-ldap [[ -e $MYPATH/conf/init.conf.sh ]] && . $MYPATH/conf/init.conf.sh || (
# prnt E "Aucune configuration trouvée, impossible de continuer."
# backupdist /etc/krb5.conf /etc/libnss-ldap.conf /etc/pam_ldap.conf /etc/nsswitch.conf \ fi
# /etc/pam.d/common-session /etc/pam.d/common-account /etc/pam.d/common-password \
# /etc/pam.d/common-auth
# installfile krb5.conf libnss-ldap.conf pam_ldap.conf nsswitch.conf /etc
# installfile common-session common-account common-password common-auth /etc/pam.d
#
# /etc/init.d/nscd restart
#}
# Users (from Ldap)
#add_users()
#{
# backupdist /etc/passwd /etc/shadow /etc/group
# sed -i -e '/^fatal/d' /etc/passwd /etc/shadow /etc/group
# echo "+kroot::::::" >> /etc/passwd
# echo "+kroot::::::::" >> /etc/shadow
#}
# Additionnal packages (some are necessary to that script to end successfully) # Additionnal packages (some are necessary to that script to end successfully)
install_pkg() install_pkg()
@@ -58,17 +58,6 @@ install_pkg()
apt install -y $INSTLIST apt install -y $INSTLIST
} }
# SSH server
conf_ssh()
{
backupdist /etc/ssh/ssh{,d}_config
sed -i -e '/^#PermitRootLogin/s/^#//' /etc/ssh/sshd_config
sed -i -e '/^PermitRootLogin /s/ .*/ yes/' /etc/ssh/sshd_config
/etc/init.d/ssh restart || true
$BASEGPDIR/ssh/getpubkey.sh
installfile ssh_config /etc/ssh/ssh_config
}
# Profile # Profile
install_profile() install_profile()
{ {
@@ -121,20 +110,6 @@ conf_mail()
# ==== Main Program ==== # ==== Main Program ====
# ====================== # ======================
# Vérifie qu'on soit root
if [[ $EUID -ne 0 ]];
prnt E "Ce script doit être démarré en root. Arrêt."
exit 1
fi
# Chargement de la configuration
[[ -s conf/init.sh.conf ]] && . conf/init.sh.conf || (
prnt E "Impossible de charger la configuration."
exit 1
)
upgrade_dist upgrade_dist
[[ ! $PVEHST ]] && install_ceph && conf_ceph [[ ! $PVEHST ]] && install_ceph && conf_ceph
[[ ! $PVEHST ]] && apt_blacklist [[ ! $PVEHST ]] && apt_blacklist

1
lib/filefct.sh
View File

@@ -45,6 +45,7 @@ installfile()
elif [[ -f $MYPATH/repo/common/$arg ]]; then elif [[ -f $MYPATH/repo/common/$arg ]]; then
filelist="$filelist $MYPATH/repo/common/$arg" filelist="$filelist $MYPATH/repo/common/$arg"
else else
# Not found in repository, we expect full name
filelist="$filelist $arg" filelist="$filelist $arg"
fi fi
done done

2
lib/services.sh
View File

@@ -5,7 +5,7 @@ exec_serv()
{ {
[[ $# -lt 2 ]] && ( [[ $# -lt 2 ]] && (
prnt E "exec_serv(): Erreur de syntaxe !" prnt E "exec_serv(): Erreur de syntaxe !"
exit 11 exit 130
) )
local svcname=$1 command=$2 local svcname=$1 command=$2

35
modules/authnz.sh Normal file
View File

@@ -0,0 +1,35 @@
# Ajout de la gestion d'une authentification centralisé
export VER_authnz=0.0.1
# Users (from Ldap)
add_users()
{
backupdist /etc/passwd /etc/shadow /etc/group
sed -i -e '/^fatal/d' /etc/passwd /etc/shadow /etc/group
echo "+kroot::::::" >> /etc/passwd
echo "+kroot::::::::" >> /etc/shadow
}
# Authentication
authnz()
{
pkginst nscd libpam-krb5 libnss-ldap libpam-ldap
backupdist /etc/krb5.conf /etc/libnss-ldap.conf /etc/pam_ldap.conf \
/etc/nsswitch.conf /etc/pam.d/common-session \
/etc/pam.d/common-account /etc/pam.d/common-password \
/etc/pam.d/common-auth
installfile krb5.conf libnss-ldap.conf pam_ldap.conf nsswitch.conf /etc
installfile common-session common-account common-password common-auth \
/etc/pam.d
scv_restart nscd
add_users
}
precheck_authnz()
{
:
}

10
modules/conf_ssh.sh
View File

@@ -12,14 +12,8 @@ conf_ssh()
prnt I "Installation des fichiers de configuration de SSH..." prnt I "Installation des fichiers de configuration de SSH..."
for f in /etc/ssh/ssh{,d}_config; do for f in /etc/ssh/ssh{,d}_config; do
dest="$f.work"
backupdist $f backupdist $f
installfile $(basename $f) $dest installfile $(basename $f) /etc/ssh/$(basename $f)
# A finir
echo "# Generated on $(date --rfc-3339=seconds)" >> $dest &&
mv -fv $dest $f
done done
prnt I "Démarrage du sevice ssh..." prnt I "Démarrage du sevice ssh..."
@@ -28,7 +22,7 @@ conf_ssh()
precheck_conf_ssh() precheck_conf_ssh()
{ {
# A finir : # Rien à vérifier
} }
export -f conf_ssh export -f conf_ssh

52
repo/common/ssh_config Normal file
View File

@@ -0,0 +1,52 @@
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
Host *
ForwardAgent no
ForwardX11 yes
ForwardX11Trusted yes
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# GSSAPIKeyExchange no
# GSSAPITrustDNS no
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
Port 22
Protocol 2,1
# Cipher 3des
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
SendEnv LANG LC_*
HashKnownHosts yes

31
repo/common/sshd_config Normal file
View File

@@ -0,0 +1,31 @@
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
IgnoreRhosts yes
HostbasedAuthentication no
ChallengeResponseAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords no
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
AllowTcpForwarding no
Match Address 10.3.0.0/16
PermitRootLogin yes