Directory Script and Repaired If-Clause in CA Script #5
132
scripts/sh/deploy_directory_client.sh
Normal file
132
scripts/sh/deploy_directory_client.sh
Normal file
@ -0,0 +1,132 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
echo "THIS SCRIPT IS NOT READY FOR USE IN PRODUCTION"
|
||||||
|
echo "YOU HAVE 15 seconds to abort with Ctrl+C."
|
||||||
|
sleep 15s
|
||||||
|
if [ "$(id -u)" = "0" ]; then
|
||||||
|
DISTRIB=$(awk -F= '/^NAME/{print $2}' /etc/os-release)
|
||||||
|
if [ "${DISTRIB}" = '"openSUSE Leap"' ] || [ "${DISTRIB}" = '"openSUSE Tumbleweed"' ]; then
|
||||||
|
if [ -f /etc/pki/trust/anchors/syscid-ca.crt ]; then
|
||||||
|
echo "OK, enrolling client ..."
|
||||||
|
zypper in --no-recommends -y sssd sssd-ldap sssd-tools
|
||||||
|
sed -i "s/NETCONFIG_DNS_STATIC_SERVERS=.*/NETCONFIG_DNS_STATIC_SERVERS=\"192.168.0.115 10.0.0.1\"/g" /etc/sysconfig/network/config
|
||||||
|
netconfig update -f
|
||||||
|
mv /etc/sssd/sssd.conf /etc/sssd/sssd.conf.orig
|
||||||
|
cat <<'EOF' >/etc/sssd/sssd.conf
|
||||||
|
# SYSCID Directory and Authentication Service
|
||||||
|
# System Security Services Daemon configuration
|
||||||
|
# 12/08/2021 - georg@lysergic.dev
|
||||||
|
#
|
||||||
|
# WARNING - DEBUG LOGGING IS ENABLED
|
||||||
|
#
|
||||||
|
[sssd]
|
||||||
|
debug_level = 5
|
||||||
|
config_file_version = 2
|
||||||
|
services = nss, pam, ssh, sudo
|
||||||
|
domains = SYSCID
|
||||||
|
|
||||||
|
[nss]
|
||||||
|
debug_level = 5
|
||||||
|
homedir_substring = /home
|
||||||
|
|
||||||
|
[pam]
|
||||||
|
debug_level = 5
|
||||||
|
pam_pwd_expiration_warning = 1
|
||||||
|
pam_account_expired_message = Permission denied - Your SYSCID or LibertaCasa Account EXPIRED.
|
||||||
|
pam_account_locked_message = Permission denied - Your SYSCID or LibertaCasa Account is LOCKED.
|
||||||
|
|
||||||
|
[ssh]
|
||||||
|
|
||||||
|
[sudo]
|
||||||
|
|
||||||
|
[domain/SYSCID]
|
||||||
|
ignore_group_members = False
|
||||||
|
debug_level = 10
|
||||||
|
cache_credentials= False
|
||||||
|
id_provider = ldap
|
||||||
|
auth_provider = ldap
|
||||||
|
access_provider = ldap
|
||||||
|
chpass_provider = ldap
|
||||||
|
ldap_schema = rfc2307bis
|
||||||
|
ldap_search_base = dc=syscid,dc=com
|
||||||
|
ldap_uri = ldaps://ldap.syscid.com
|
||||||
|
ldap_access_filter = (memberOf=cn=syscid_shell_users,ou=syscid-groups,dc=syscid,dc=com)
|
||||||
|
access_provider = ldap
|
||||||
|
ldap_user_member_of = memberof
|
||||||
|
ldap_user_gecos = cn
|
||||||
|
ldap_user_uuid = nsUniqueId
|
||||||
|
ldap_group_uuid = nsUniqueId
|
||||||
|
ldap_account_expire_policy = rhds
|
||||||
|
ldap_access_order = filter, expire, pwd_expire_policy_renew
|
||||||
|
ldap_user_ssh_public_key = sshPublicKey
|
||||||
|
sudo_provider = ldap
|
||||||
|
ldap_sudo_search_base = ou=SUDOers,ou=syscid-system,dc=syscid,dc=com
|
||||||
|
EOF
|
||||||
|
mv /etc/nsswitch.conf /etc/nsswitch.conf.orig
|
||||||
|
cat <<'EOF' >/etc/nsswitch.conf
|
||||||
|
# SYSCID Directory and Authentication Service
|
||||||
|
# Name Service Switch configuration
|
||||||
|
# 12/08/2021 - georg@lysergic.dev
|
||||||
|
#
|
||||||
|
passwd: sss files
|
||||||
|
group: sss files
|
||||||
|
shadow: sss compat
|
||||||
|
hosts: files dns
|
||||||
|
networks: files dns
|
||||||
|
aliases: files usrfiles
|
||||||
|
ethers: files usrfiles
|
||||||
|
gshadow: files usrfiles
|
||||||
|
netgroup: files nis
|
||||||
|
protocols: files usrfiles
|
||||||
|
publickey: files
|
||||||
|
rpc: files usrfiles
|
||||||
|
services: files usrfiles
|
||||||
|
automount: files nis
|
||||||
|
bootparams: files
|
||||||
|
netmasks: files
|
||||||
|
sudoers: sss
|
||||||
|
EOF
|
||||||
|
mv /etc/ssh/sshd_config /etc/ssh/sshd_config_local
|
||||||
|
cat <<'EOF' >/etc/ssh/sshd_config
|
||||||
|
# SYSCID Directory and Authentication Service
|
||||||
|
# OpenSSH Daemon configuration
|
||||||
|
# 12/08/2021 - georg@lysergic.dev
|
||||||
|
#
|
||||||
|
# WARNING - DEBUG LOGGING IS ENABLED
|
||||||
|
#
|
||||||
|
Port 28
|
||||||
|
Protocol 2
|
||||||
|
SyslogFacility AUTH
|
||||||
|
LogLevel VERBOSE
|
||||||
|
LoginGraceTime 1m
|
||||||
|
PermitRootLogin no
|
||||||
|
StrictModes yes
|
||||||
|
MaxAuthTries 5
|
||||||
|
MaxSessions 10
|
||||||
|
PubkeyAuthentication yes
|
||||||
|
AuthorizedKeysFile /etc/ssh/keys/%u
|
||||||
|
AuthorizedKeysCommand /usr/bin/sh -c '/usr/bin/sss_ssh_authorizedkeys %u'
|
||||||
|
AuthorizedKeysCommandUser nobody
|
||||||
|
PasswordAuthentication no
|
||||||
|
ChallengeResponseAuthentication no
|
||||||
|
UsePAM yes
|
||||||
|
X11Forwarding yes
|
||||||
|
PrintMotd yes
|
||||||
|
PrintLastLog yes
|
||||||
|
Banner /etc/ssh/sshd-banner
|
||||||
|
Subsystem sftp /usr/lib/ssh/sftp-server
|
||||||
|
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||||
|
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||||
|
AcceptEnv LC_IDENTIFICATION LC_ALL
|
||||||
|
EOF
|
||||||
|
pam-config -a --sss --mkhomedir
|
||||||
|
systemctl enable --now sssd.service
|
||||||
|
echo "OK!"
|
||||||
|
else
|
||||||
|
echo "CA certificate not installed. Aborted. Consider 'deploy_syscid_ca.sh'."
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
echo "Unsupported operating system."
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
echo "This script must be run with root privileges."
|
||||||
|
fi
|
@ -31,6 +31,7 @@ elif [ "${DISTRIB}" = '"Arch Linux"' ]; then
|
|||||||
else
|
else
|
||||||
echo "Fingerpring mismatch. Operation aborted."
|
echo "Fingerpring mismatch. Operation aborted."
|
||||||
rm -f $CRT
|
rm -f $CRT
|
||||||
|
fi
|
||||||
else
|
else
|
||||||
echo "Unsupported operating system."
|
echo "Unsupported operating system."
|
||||||
fi
|
fi
|
||||||
|
Loading…
Reference in New Issue
Block a user