Compare commits
No commits in common. "ef765d9a5a82ea92e0a77795202317bf90ea40bf" and "f70cbe773ae4362ced85678cdbcb8910ca36fbb4" have entirely different histories.
ef765d9a5a
...
f70cbe773a
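--- a/<path not shown on page>
+++ /dev/null
@@ -1,132 +0,0 @@
-#!/bin/sh
-echo "THIS SCRIPT IS NOT READY FOR USE IN PRODUCTION"
-echo "YOU HAVE 15 seconds to abort with Ctrl+C."
-sleep 15s
-if [ "$(id -u)" = "0" ]; then
-DISTRIB=$(awk -F= '/^NAME/{print $2}' /etc/os-release)
-if [ "${DISTRIB}" = '"openSUSE Leap"' ] || [ "${DISTRIB}" = '"openSUSE Tumbleweed"' ]; then
-if [ -f /etc/pki/trust/anchors/syscid-ca.crt ]; then
-echo "OK, enrolling client ..."
-zypper in --no-recommends -y sssd sssd-ldap sssd-tools
-sed -i "s/NETCONFIG_DNS_STATIC_SERVERS=.*/NETCONFIG_DNS_STATIC_SERVERS=\"192.168.0.115 10.0.0.1\"/g" /etc/sysconfig/network/config
-netconfig update -f
-mv /etc/sssd/sssd.conf /etc/sssd/sssd.conf.orig
-cat <<'EOF' >/etc/sssd/sssd.conf
-# SYSCID Directory and Authentication Service
-# System Security Services Daemon configuration
-# 12/08/2021 - georg@lysergic.dev
-#
-# WARNING - DEBUG LOGGING IS ENABLED
-#
-[sssd]
-debug_level = 5
-config_file_version = 2
-services = nss, pam, ssh, sudo
-domains = SYSCID
-
-[nss]
-debug_level = 5
-homedir_substring = /home
-
-[pam]
-debug_level = 5
-pam_pwd_expiration_warning = 1
-pam_account_expired_message = Permission denied - Your SYSCID or LibertaCasa Account EXPIRED.
-pam_account_locked_message = Permission denied - Your SYSCID or LibertaCasa Account is LOCKED.
-
-[ssh]
-
-[sudo]
-
-[domain/SYSCID]
-ignore_group_members = False
-debug_level = 10
-cache_credentials= False
-id_provider = ldap
-auth_provider = ldap
-access_provider = ldap
-chpass_provider = ldap
-ldap_schema = rfc2307bis
-ldap_search_base = dc=syscid,dc=com
-ldap_uri = ldaps://ldap.syscid.com
-ldap_access_filter = (memberOf=cn=syscid_shell_users,ou=syscid-groups,dc=syscid,dc=com)
-access_provider = ldap
-ldap_user_member_of = memberof
-ldap_user_gecos = cn
-ldap_user_uuid = nsUniqueId
-ldap_group_uuid = nsUniqueId
-ldap_account_expire_policy = rhds
-ldap_access_order = filter, expire, pwd_expire_policy_renew
-ldap_user_ssh_public_key = sshPublicKey
-sudo_provider = ldap
-ldap_sudo_search_base = ou=SUDOers,ou=syscid-system,dc=syscid,dc=com
-EOF
-mv /etc/nsswitch.conf /etc/nsswitch.conf.orig
-cat <<'EOF' >/etc/nsswitch.conf
-# SYSCID Directory and Authentication Service
-# Name Service Switch configuration
-# 12/08/2021 - georg@lysergic.dev
-#
-passwd: sss files
-group: sss files
-shadow: sss compat
-hosts: files dns
-networks: files dns
-aliases: files usrfiles
-ethers: files usrfiles
-gshadow: files usrfiles
-netgroup: files nis
-protocols: files usrfiles
-publickey: files
-rpc: files usrfiles
-services: files usrfiles
-automount: files nis
-bootparams: files
-netmasks: files
-sudoers: sss
-EOF
-mv /etc/ssh/sshd_config /etc/ssh/sshd_config_local
-cat <<'EOF' >/etc/ssh/sshd_config
-# SYSCID Directory and Authentication Service
-# OpenSSH Daemon configuration
-# 12/08/2021 - georg@lysergic.dev
-#
-# WARNING - DEBUG LOGGING IS ENABLED
-#
-Port 28
-Protocol 2
-SyslogFacility AUTH
-LogLevel VERBOSE
-LoginGraceTime 1m
-PermitRootLogin no
-StrictModes yes
-MaxAuthTries 5
-MaxSessions 10
-PubkeyAuthentication yes
-AuthorizedKeysFile /etc/ssh/keys/%u
-AuthorizedKeysCommand /usr/bin/sh -c '/usr/bin/sss_ssh_authorizedkeys %u'
-AuthorizedKeysCommandUser nobody
-PasswordAuthentication no
-ChallengeResponseAuthentication no
-UsePAM yes
-X11Forwarding yes
-PrintMotd yes
-PrintLastLog yes
-Banner /etc/ssh/sshd-banner
-Subsystem sftp /usr/lib/ssh/sftp-server
-AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
-AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
-AcceptEnv LC_IDENTIFICATION LC_ALL
-EOF
-pam-config -a --sss --mkhomedir
-systemctl enable --now sssd.service
-echo "OK!"
-else
-echo "CA certificate not installed. Aborted. Consider 'deploy_syscid_ca.sh'."
-fi
-else
-echo "Unsupported operating system."
-fi
-else
-echo "This script must be run with root privileges."
-fi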
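--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -31,7 +31,6 @@ elif [ "${DISTRIB}" = '"Arch Linux"' ]; then
 else
 echo "Fingerpring mismatch. Operation aborted."
 rm -f $CRT
-fi
 else
 echo "Unsupported operating system."
 fi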
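Review bot: `rm -f $CRT` in the fingerprint-mismatch branch leaves the expansion unquoted, so a value with whitespace or glob characters is split or expanded before rm runs, and an unset or empty CRT turns the cleanup of the rejected certificate into a silent no-op; `rm -f -- "$CRT"` confines the deletion to the one downloaded file. The user-facing message on the line above has a typo and should read `echo "Fingerprint mismatch. Operation aborted."`. CRT is assigned somewhere above the hunk, and the if/elif chain this branch belongs to starts outside it (only the Arch Linux `elif` is visible in the hunk header), so the branch nesting after the removed `fi` cannot be fully confirmed from this view.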