(WIP) Directory Client Enrollment Script
Signed-off-by: Georg <georg@lysergic.dev>
This commit is contained in:
parent
46629fd39e
commit
c2da34bf96
132
scripts/sh/deploy_directory_client.sh
Normal file
132
scripts/sh/deploy_directory_client.sh
Normal file
@ -0,0 +1,132 @@
|
||||
#!/bin/sh
|
||||
echo "THIS SCRIPT IS NOT READY FOR USE IN PRODUCTION"
|
||||
echo "YOU HAVE 15 seconds to abort with Ctrl+C."
|
||||
sleep 15s
|
||||
if [ "$(id -u)" = "0" ]; then
|
||||
DISTRIB=$(awk -F= '/^NAME/{print $2}' /etc/os-release)
|
||||
if [ "${DISTRIB}" = '"openSUSE Leap"' ] || [ "${DISTRIB}" = '"openSUSE Tumbleweed"' ]; then
|
||||
if [ -f /etc/pki/trust/anchors/syscid-ca.crt ]; then
|
||||
echo "OK, enrolling client ..."
|
||||
zypper in --no-recommends -y sssd sssd-ldap sssd-tools
|
||||
sed -i "s/NETCONFIG_DNS_STATIC_SERVERS=.*/NETCONFIG_DNS_STATIC_SERVERS=\"192.168.0.115 10.0.0.1\"/g" /etc/sysconfig/network/config
|
||||
netconfig update -f
|
||||
mv /etc/sssd/sssd.conf /etc/sssd/sssd.conf.orig
|
||||
cat <<'EOF' >/etc/sssd/sssd.conf
|
||||
# SYSCID Directory and Authentication Service
|
||||
# System Security Services Daemon configuration
|
||||
# 12/08/2021 - georg@lysergic.dev
|
||||
#
|
||||
# WARNING - DEBUG LOGGING IS ENABLED
|
||||
#
|
||||
[sssd]
|
||||
debug_level = 5
|
||||
config_file_version = 2
|
||||
services = nss, pam, ssh, sudo
|
||||
domains = SYSCID
|
||||
|
||||
[nss]
|
||||
debug_level = 5
|
||||
homedir_substring = /home
|
||||
|
||||
[pam]
|
||||
debug_level = 5
|
||||
pam_pwd_expiration_warning = 1
|
||||
pam_account_expired_message = Permission denied - Your SYSCID or LibertaCasa Account EXPIRED.
|
||||
pam_account_locked_message = Permission denied - Your SYSCID or LibertaCasa Account is LOCKED.
|
||||
|
||||
[ssh]
|
||||
|
||||
[sudo]
|
||||
|
||||
[domain/SYSCID]
|
||||
ignore_group_members = False
|
||||
debug_level = 10
|
||||
cache_credentials= False
|
||||
id_provider = ldap
|
||||
auth_provider = ldap
|
||||
access_provider = ldap
|
||||
chpass_provider = ldap
|
||||
ldap_schema = rfc2307bis
|
||||
ldap_search_base = dc=syscid,dc=com
|
||||
ldap_uri = ldaps://ldap.syscid.com
|
||||
ldap_access_filter = (memberOf=cn=syscid_shell_users,ou=syscid-groups,dc=syscid,dc=com)
|
||||
access_provider = ldap
|
||||
ldap_user_member_of = memberof
|
||||
ldap_user_gecos = cn
|
||||
ldap_user_uuid = nsUniqueId
|
||||
ldap_group_uuid = nsUniqueId
|
||||
ldap_account_expire_policy = rhds
|
||||
ldap_access_order = filter, expire, pwd_expire_policy_renew
|
||||
ldap_user_ssh_public_key = sshPublicKey
|
||||
sudo_provider = ldap
|
||||
ldap_sudo_search_base = ou=SUDOers,ou=syscid-system,dc=syscid,dc=com
|
||||
EOF
|
||||
mv /etc/nsswitch.conf /etc/nsswitch.conf.orig
|
||||
cat <<'EOF' >/etc/nsswitch.conf
|
||||
# SYSCID Directory and Authentication Service
|
||||
# Name Service Switch configuration
|
||||
# 12/08/2021 - georg@lysergic.dev
|
||||
#
|
||||
passwd: sss files
|
||||
group: sss files
|
||||
shadow: sss compat
|
||||
hosts: files dns
|
||||
networks: files dns
|
||||
aliases: files usrfiles
|
||||
ethers: files usrfiles
|
||||
gshadow: files usrfiles
|
||||
netgroup: files nis
|
||||
protocols: files usrfiles
|
||||
publickey: files
|
||||
rpc: files usrfiles
|
||||
services: files usrfiles
|
||||
automount: files nis
|
||||
bootparams: files
|
||||
netmasks: files
|
||||
sudoers: sss
|
||||
EOF
|
||||
mv /etc/ssh/sshd_config /etc/ssh/sshd_config_local
|
||||
cat <<'EOF' >/etc/ssh/sshd_config
|
||||
# SYSCID Directory and Authentication Service
|
||||
# OpenSSH Daemon configuration
|
||||
# 12/08/2021 - georg@lysergic.dev
|
||||
#
|
||||
# WARNING - DEBUG LOGGING IS ENABLED
|
||||
#
|
||||
Port 28
|
||||
Protocol 2
|
||||
SyslogFacility AUTH
|
||||
LogLevel VERBOSE
|
||||
LoginGraceTime 1m
|
||||
PermitRootLogin no
|
||||
StrictModes yes
|
||||
MaxAuthTries 5
|
||||
MaxSessions 10
|
||||
PubkeyAuthentication yes
|
||||
AuthorizedKeysFile /etc/ssh/keys/%u
|
||||
AuthorizedKeysCommand /usr/bin/sh -c '/usr/bin/sss_ssh_authorizedkeys %u'
|
||||
AuthorizedKeysCommandUser nobody
|
||||
PasswordAuthentication no
|
||||
ChallengeResponseAuthentication no
|
||||
UsePAM yes
|
||||
X11Forwarding yes
|
||||
PrintMotd yes
|
||||
PrintLastLog yes
|
||||
Banner /etc/ssh/sshd-banner
|
||||
Subsystem sftp /usr/lib/ssh/sftp-server
|
||||
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
AcceptEnv LC_IDENTIFICATION LC_ALL
|
||||
EOF
|
||||
pam-config -a --sss --mkhomedir
|
||||
systemctl enable --now sssd.service
|
||||
echo "OK!"
|
||||
else
|
||||
echo "CA certificate not installed. Aborted. Consider 'deploy_syscid_ca.sh'."
|
||||
fi
|
||||
else
|
||||
echo "Unsupported operating system."
|
||||
fi
|
||||
else
|
||||
echo "This script must be run with root privileges."
|
||||
fi
|
Loading…
Reference in New Issue
Block a user