start writing main program, finish ssh module, new authnz module, various cleanup

init.sh

@@ -12,6 +12,23 @@ for lib in $MYPATH/lib/*.sh; do
     . $lib
 done
 
+# Check if a function exists
+function_exists() {
+    declare -f -F $1 > /dev/null
+    return $?
+}
+
+function_exists prnt || (
+    echo "Il manque des fonctions vitales dans les bibliothèques !"
+    exit 2
+)
+
+# Vérifie qu'on soit root
+if [[ $EUID -ne 0 ]];
+   prnt E "Ce script doit être démarré en tant que root. Arrêt."
+   exit 1
+fi
+
 # Variables globales importantes
 export HOSTNAME=$(hostname)
 export LOGFILE=${LOGFILE:-"$MYPATH/log/init-$(uname -n)-$(stdtime).log"}
@@ -26,31 +43,14 @@ exec 1>$LOGFILE 2>&1
 
 # Récupère la configuration
 prnt I "Chargement de la configuration..."
-. $MYPATH/conf/init.conf.sh
-
-# Authentication
-#authnz()
-#{
-#    apt-get install nscd libpam-krb5 libnss-ldap libpam-ldap
-#
-#    backupdist /etc/krb5.conf /etc/libnss-ldap.conf /etc/pam_ldap.conf /etc/nsswitch.conf \
-#	       /etc/pam.d/common-session /etc/pam.d/common-account /etc/pam.d/common-password \
-#	       /etc/pam.d/common-auth
-#    installfile krb5.conf libnss-ldap.conf pam_ldap.conf nsswitch.conf /etc
-#    installfile common-session common-account common-password common-auth /etc/pam.d
-#
-#    /etc/init.d/nscd restart
-#}
-
-# Users (from Ldap)
-#add_users()
-#{
-#    backupdist /etc/passwd /etc/shadow /etc/group
-#    sed -i -e '/^fatal/d' /etc/passwd /etc/shadow /etc/group
-#    echo "+kroot::::::" >> /etc/passwd
-#    echo "+kroot::::::::" >> /etc/shadow
-#}
-
+if [[ -e $MYPATH/conf/$HOSTNAME.conf ]]; then
+    prnt I "Une configuration spécifique sera utilisé."
+    . $MYPATH/conf/$HOSTNAME.conf
+else
+    prnt I "Une configuration générique sera utilisé."
+    [[ -e $MYPATH/conf/init.conf.sh ]] && . $MYPATH/conf/init.conf.sh || (
+	    prnt E "Aucune configuration trouvée, impossible de continuer."
+fi
 
 # Additionnal packages (some are necessary to that script to end successfully)
 install_pkg()
@@ -58,17 +58,6 @@ install_pkg()
     apt install -y $INSTLIST
 }
 
-# SSH server
-conf_ssh()
-{
-    backupdist /etc/ssh/ssh{,d}_config
-    sed -i -e '/^#PermitRootLogin/s/^#//' /etc/ssh/sshd_config
-    sed -i -e '/^PermitRootLogin /s/ .*/ yes/' /etc/ssh/sshd_config
-    /etc/init.d/ssh restart || true
-    $BASEGPDIR/ssh/getpubkey.sh
-    installfile ssh_config /etc/ssh/ssh_config
-}
-
 # Profile
 install_profile()
 {
@@ -121,20 +110,6 @@ conf_mail()
 # ==== Main Program ====
 # ======================
 
-# Vérifie qu'on soit root
-if [[ $EUID -ne 0 ]];
-   prnt E "Ce script doit être démarré en root. Arrêt."
-   exit 1
-fi
-
-# Chargement de la configuration
-[[ -s conf/init.sh.conf ]] && . conf/init.sh.conf || (
-	prnt E "Impossible de charger la configuration."
-	exit 1
-)
-
-
-
 upgrade_dist
 [[ ! $PVEHST ]] && install_ceph && conf_ceph
 [[ ! $PVEHST ]] && apt_blacklist

lib/filefct.sh

@@ -45,6 +45,7 @@ installfile()
 	elif [[ -f $MYPATH/repo/common/$arg ]]; then
 	    filelist="$filelist $MYPATH/repo/common/$arg"
 	else
+	    # Not found in repository, we expect full name
 	    filelist="$filelist $arg"
 	fi
     done

lib/services.sh

@@ -5,7 +5,7 @@ exec_serv()
 {
     [[ $# -lt 2 ]] && (
 	prnt E "exec_serv(): Erreur de syntaxe !"
-	exit 11
+	exit 130
     )
 
     local svcname=$1 command=$2

modules/authnz.sh

@@ -0,0 +1,35 @@
+# Ajout de la gestion d'une authentification centralisé
+
+export VER_authnz=0.0.1
+
+# Users (from Ldap)
+add_users()
+{
+    backupdist /etc/passwd /etc/shadow /etc/group
+    sed -i -e '/^fatal/d' /etc/passwd /etc/shadow /etc/group
+    echo "+kroot::::::" >> /etc/passwd
+    echo "+kroot::::::::" >> /etc/shadow
+}
+
+# Authentication
+authnz()
+{
+    pkginst nscd libpam-krb5 libnss-ldap libpam-ldap
+
+    backupdist /etc/krb5.conf /etc/libnss-ldap.conf /etc/pam_ldap.conf \
+	       /etc/nsswitch.conf /etc/pam.d/common-session \
+	       /etc/pam.d/common-account /etc/pam.d/common-password \
+	       /etc/pam.d/common-auth
+    installfile krb5.conf libnss-ldap.conf pam_ldap.conf nsswitch.conf /etc
+    installfile common-session common-account common-password common-auth \
+		/etc/pam.d
+
+    scv_restart nscd
+
+    add_users
+}
+
+precheck_authnz()
+{
+    :
+}

modules/conf_ssh.sh

@@ -12,14 +12,8 @@ conf_ssh()
     
     prnt I "Installation des fichiers de configuration de SSH..."
     for f in /etc/ssh/ssh{,d}_config; do
-	dest="$f.work"
 	backupdist $f
-	installfile $(basename $f) $dest
-
-	# A finir
-	
-	echo "# Generated on $(date --rfc-3339=seconds)" >> $dest &&
-	    mv -fv $dest $f
+	installfile $(basename $f) /etc/ssh/$(basename $f)
     done
 
     prnt I "Démarrage du sevice ssh..."
@@ -28,7 +22,7 @@ conf_ssh()
 
 precheck_conf_ssh()
 {
-    # A finir
+    : # Rien à vérifier
 }
 
 export -f conf_ssh

repo/common/ssh_config

@@ -0,0 +1,52 @@
+# This is the ssh client system-wide configuration file.  See
+# ssh_config(5) for more information.  This file provides defaults for
+# users, and the values can be changed in per-user configuration files
+# or on the command line.
+
+# Configuration data is parsed as follows:
+#  1. command line options
+#  2. user-specific file
+#  3. system-wide file
+# Any configuration value is only changed the first time it is set.
+# Thus, host-specific definitions should be at the beginning of the
+# configuration file, and defaults at the end.
+
+# Site-wide defaults for some commonly used options.  For a comprehensive
+# list of available options, their meanings and defaults, please see the
+# ssh_config(5) man page.
+
+Host *
+   ForwardAgent no
+   ForwardX11 yes
+   ForwardX11Trusted yes
+#   RhostsRSAAuthentication no
+#   RSAAuthentication yes
+#   PasswordAuthentication yes
+#   HostbasedAuthentication no
+#   GSSAPIAuthentication no
+#   GSSAPIDelegateCredentials no
+#   GSSAPIKeyExchange no
+#   GSSAPITrustDNS no
+    GSSAPIAuthentication yes
+    GSSAPIDelegateCredentials yes
+#   BatchMode no
+#   CheckHostIP yes
+#   AddressFamily any
+#   ConnectTimeout 0
+#   StrictHostKeyChecking ask
+#   IdentityFile ~/.ssh/identity
+#   IdentityFile ~/.ssh/id_rsa
+#   IdentityFile ~/.ssh/id_dsa
+   Port 22
+   Protocol 2,1
+#   Cipher 3des
+#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
+#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
+#   EscapeChar ~
+#   Tunnel no
+#   TunnelDevice any:any
+#   PermitLocalCommand no
+#   VisualHostKey no
+#   ProxyCommand ssh -q -W %h:%p gateway.example.com
+    SendEnv LANG LC_*
+    HashKnownHosts yes

repo/common/sshd_config

@@ -0,0 +1,31 @@
+Port                            22
+Protocol                        2
+HostKey                         /etc/ssh/ssh_host_ed25519_key
+SyslogFacility                  AUTH
+LogLevel                        INFO
+LoginGraceTime                  120
+PermitRootLogin                 no
+StrictModes                     yes
+PubkeyAuthentication            yes
+AuthorizedKeysFile              %h/.ssh/authorized_keys
+IgnoreRhosts                    yes
+HostbasedAuthentication         no
+ChallengeResponseAuthentication no
+PasswordAuthentication          yes
+PermitEmptyPasswords            no
+KerberosAuthentication          yes
+KerberosOrLocalPasswd           yes
+KerberosTicketCleanup           yes
+GSSAPIAuthentication            yes
+GSSAPICleanupCredentials        yes
+GSSAPIStrictAcceptorCheck       no
+X11Forwarding                   yes
+X11DisplayOffset                10
+PrintMotd                       no
+PrintLastLog                    yes
+TCPKeepAlive                    yes
+AcceptEnv                       LANG LC_*
+AllowTcpForwarding              no
+Match   Address                 10.3.0.0/16
+        PermitRootLogin         yes
+