From c482441d323f9762aaef41a3f1601018935b132b Mon Sep 17 00:00:00 2001 From: unknown Date: Thu, 4 Jul 2024 10:20:00 +0200 Subject: [PATCH] Added configuration script for pubkey --- PAM/ssh/CMakeLists.txt | 2 +- pack.cmake | 6 +++--- service/01-rublon-ssh_pubkey.conf.default | 3 +-- service/helpers/postinst_pubkey | 17 +++++++---------- service/helpers/postinst_rhel_8 | 4 +--- service/helpers/postrm_rhel | 4 +++- service/helpers/postrm_rhel_8 | 3 +-- 7 files changed, 17 insertions(+), 22 deletions(-) diff --git a/PAM/ssh/CMakeLists.txt b/PAM/ssh/CMakeLists.txt index 10e65db..cbe7956 100755 --- a/PAM/ssh/CMakeLists.txt +++ b/PAM/ssh/CMakeLists.txt @@ -59,7 +59,7 @@ install( ) add_subdirectory(lib) -add_subdirectory(bin) +#add_subdirectory(bin) # if(${ENABLE_TESTS}) # add_subdirectory(tests) diff --git a/pack.cmake b/pack.cmake index bc49275..cc558dc 100755 --- a/pack.cmake +++ b/pack.cmake @@ -23,7 +23,7 @@ set(CPACK_DEBIAN_PACKAGE_MAINTAINER "Bartosz Wieczorek") #set(CPACK_RESOURCE_FILE_LICENSE "${CMAKE_CURRENT_SOURCE_DIR}/LICENSE") #set(CPACK_RESOURCE_FILE_README "${CMAKE_CURRENT_SOURCE_DIR}/README.md") -set(CPACK_DEBIAN_FILE_NAME DEB-DEFAULT) +set(CPACK_DEBIAN_FILE_NAME ${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION_MAJOR}.${CPACK_PACKAGE_VERSION_MINOR}.${CPACK_PACKAGE_VERSION_PATCH}_${LSB_RELEASE_ID_SHORT}${os_version_suffix}.deb) set(CPACK_DEB_COMPONENT_INSTALL YES) set(CPACK_DEBIAN_PACKAGE_SHLIBDEPS YES) 
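Review bot: `#add_subdirectory(bin)` in PAM/ssh/CMakeLists.txt disables the bin targets by leaving commented-out code behind, and the commit message ("Added configuration script for pubkey") gives no reason for it. If the binaries are no longer meant to be built and packaged, delete the line. If this is temporary, say so on the line itself, for example `# bin/ disabled until <reason>; re-enable before release`. The neighbouring `# if(${ENABLE_TESTS})` block is disabled the same way, so what a package build contains can no longer be read from the file.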
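Review bot: Replacing `DEB-DEFAULT` with a hand-built name drops the architecture from the package file name, so builds of the same version for two architectures produce identically named artifacts. The same applies to `CPACK_RPM_FILE_NAME` in the next pack.cmake hunk. The DEB value is also unquoted while the RPM one is quoted; quote it, `set(CPACK_DEBIAN_FILE_NAME "${CPACK_PACKAGE_NAME}-…${os_version_suffix}.deb")`, and append an architecture component (for example `${CPACK_DEBIAN_PACKAGE_ARCHITECTURE}`, if it is set before this point). Where `LSB_RELEASE_ID_SHORT` and `os_version_suffix` are assigned is not visible here; if either is empty, the name silently degrades to `name-x.y.z_.deb`, which is worth a `message(FATAL_ERROR …)` guard.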
@@ -44,8 +44,8 @@ list(APPEND CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION "/usr/lib64/security" ) set(CPACK_RPM_SPEC_MORE_DEFINE "%define _build_id_links none") -set(CPACK_RPM_FILE_NAME RPM-DEFAULT) -set(CPACK_RPM_PACKAGE_REQUIRES_PRE "policycoreutils") +set(CPACK_RPM_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION_MAJOR}.${CPACK_PACKAGE_VERSION_MINOR}.${CPACK_PACKAGE_VERSION_PATCH}_${LSB_RELEASE_ID_SHORT}${os_version_suffix}.rpm" ) +set(CPACK_RPM_PACKAGE_REQUIRES_PRE "policycoreutils-python-utils") if(${os_version_suffix} MATCHES ".el8") set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CMAKE_CURRENT_SOURCE_DIR}/service/helpers/postinst_rhel_8") set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${CMAKE_CURRENT_SOURCE_DIR}/service/helpers/postrm_rhel_8") diff --git a/service/01-rublon-ssh_pubkey.conf.default b/service/01-rublon-ssh_pubkey.conf.default index c21ea58..93eb148 100644 --- a/service/01-rublon-ssh_pubkey.conf.default +++ b/service/01-rublon-ssh_pubkey.conf.default @@ -1,7 +1,6 @@ UsePAM yes ChallengeResponseAuthentication yes -#KbdInteractiveAuthentication no - +LoginGraceTime 15m AuthenticationMethods publickey,keyboard-interactive MaxAuthTries 3 PubkeyAuthentication yes diff --git a/service/helpers/postinst_pubkey b/service/helpers/postinst_pubkey index 916fef2..2442758 100644 --- a/service/helpers/postinst_pubkey +++ b/service/helpers/postinst_pubkey @@ -2,15 +2,8 @@ SSHD_CONF=/etc/ssh/sshd_config SSHD_PAM_CONF=/etc/pam.d/sshd -RUBLON_CONFIG=/etc/rublon.config RUBLON_SSH_CONFIG=/etc/ssh/sshd_config.d/01-rublon-ssh.conf -if [ ! -f $RUBLON_CONFIG ] -then - cp -a /usr/share/rublon/rublon.config.defaults $RUBLON_CONFIG - chown root:root $RUBLON_CONFIG - chmod 640 $RUBLON_CONFIG -fi cp -a /usr/share/rublon/01-rublon-ssh_pubkey.conf.default $RUBLON_SSH_CONFIG chown root:root $RUBLON_SSH_CONFIG chmod 640 $RUBLON_SSH_CONFIG 
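Review bot: `set(CPACK_RPM_PACKAGE_REQUIRES_PRE "policycoreutils-python-utils")` sits above the `if(${os_version_suffix} MATCHES ".el8")` test, so every RPM build gets it, not only el8. On EL7 the tools ship in `policycoreutils-python`, so there the new dependency would not resolve and the package would refuse to install. The separate `postrm_rhel` helper suggests that non-el8 RPMs are still built. Consider setting the new name inside the `.el8` branch and keeping the previous `policycoreutils` value for the other branch. The `if` block continues outside the hunk, so the other branch is not visible here.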
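Review bot: `LoginGraceTime 15m` lets every unauthenticated connection stay open for fifteen minutes instead of sshd's 120-second default. Each such connection occupies one of the pre-authentication slots limited by `MaxStartups`, which the visible lines do not set, so a few idle connections can keep legitimate logins out for much longer than before. If the longer window is there to leave time for approving the second factor, a tighter value with the reason stated is easier to defend, for example `LoginGraceTime 3m` preceded by `# allow time for the Rublon prompt to be approved`.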
@@ -19,10 +12,14 @@ if [ -f /etc/os-release ] then . /etc/os-release fi +grep -qe 'auth requisite pam_rublon.so' $SSHD_PAM_CONF || sed -i '$aauth requisite pam_rublon.so' $SSHD_PAM_CONF + +if [ ${OS} == "Ubuntu"] +then + grep -qe 'account required pam_rublon.so' $SSHD_PAM_CONF || sed -i '$aaccount required pam_rublon.so' $SSHD_PAM_CONF +fi -grep -qe 'auth required pam_rublon.so' $SSHD_PAM_CONF || sed -i '$aauth required pam_rublon.so' $SSHD_PAM_CONF -grep -qe 'account required pam_rublon.so' $SSHD_PAM_CONF || sed -i '$aaccount required pam_rublon.so' $SSHD_PAM_CONF grep -qe '@include common-auth' $SSHD_PAM_CONF || sed -i 's/@include common-auth/#@include common-auth/' $SSHD_PAM_CONF - deb-systemd-invoke restart ssh.service +systemctrl restart sshd diff --git a/service/helpers/postinst_rhel_8 b/service/helpers/postinst_rhel_8 index c4ab00e..d67cd42 100644 --- a/service/helpers/postinst_rhel_8 +++ b/service/helpers/postinst_rhel_8 @@ -23,9 +23,7 @@ checkmodule -M -m -o login_rublon.mod login_rublon.te semodule_package -o login_rublon.pp -m login_rublon.mod semodule -i login_rublon.pp -sed -i '1 i\Include 01-rublon-ssh.conf' $SSHD_CONF -grep -qe '#auth substack password-auth' $SSHD_PAM_CONF || sed -i -e 's/auth substack password-auth/#auth substack password-auth/g' $SSHD_PAM_CONF -grep -qe 'auth requisite pam_unix.so' $SSHD_PAM_CONF || sed -i '$aauth requisite pam_unix.so' $SSHD_PAM_CONF +sed -i '1 i\Include /etc/ssh/01-rublon-ssh.conf' $SSHD_CONF grep -qe 'auth required pam_rublon.so' $SSHD_PAM_CONF || sed -i '$aauth required pam_rublon.so' $SSHD_PAM_CONF grep -qe 'account required pam_rublon.so' $SSHD_PAM_CONF || sed -i '$aaccount required pam_rublon.so' $SSHD_PAM_CONF diff --git a/service/helpers/postrm_rhel b/service/helpers/postrm_rhel index e8dae08..f67856f 100644 --- a/service/helpers/postrm_rhel +++ b/service/helpers/postrm_rhel 
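Review bot: The added test `if [ ${OS} == "Ubuntu"]` cannot succeed: `"Ubuntu"]` has no space before `]`, so `[` reports a missing bracket, and `/etc/os-release` defines `ID` and `NAME` but not `OS`. The `account required pam_rublon.so` line is therefore never written; `if [ "${ID:-}" = "ubuntu" ]` is the portable form. The last line calls `systemctrl`, which does not exist, so sshd is not restarted and keeps running with the old configuration while the package reports as installed. Use `systemctl restart ssh.service`, or keep the removed `deb-systemd-invoke restart ssh.service`. The auth line also changes from `required` to `requisite`, but the removal scripts in this patch delete `auth required pam_rublon.so`. If the matching postrm for this script uses the same pattern, uninstalling leaves a `requisite` entry pointing at a module that is gone, which blocks SSH logins.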
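Review bot: `sed -i '1 i\Include /etc/ssh/01-rublon-ssh.conf' $SSHD_CONF` has no guard, unlike the `grep -qe … ||` lines below it, so each reinstall or upgrade prepends another `Include` line to sshd_config. Guard it the same way: `grep -qF 'Include /etc/ssh/01-rublon-ssh.conf' $SSHD_CONF || sed -i '1 i\Include /etc/ssh/01-rublon-ssh.conf' $SSHD_CONF`. The path also differs from `postinst_pubkey`, which installs the file as `/etc/ssh/sshd_config.d/01-rublon-ssh.conf`. Where this script copies the file lies outside the hunk, so confirm the `Include` points at the location actually written; otherwise the Rublon settings are never loaded.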
@@ -9,10 +9,12 @@ then fi if [ -f $RUBLON_SSH_CONFIG ] -then +theni:q + rm $RUBLON_SSH_CONFIG fi +grep -qe 'auth substack password-auth' $SSHD_PAM_CONF || sed -i -e 's/#auth substack password-auth/auth substack password-auth/g' $SSHD_PAM_CONF sed -i '/auth required pam_rublon.so/d' $SSHD_PAM_CONF sed -i '/account required pam_rublon.so/d' $SSHD_PAM_CONF diff --git a/service/helpers/postrm_rhel_8 b/service/helpers/postrm_rhel_8 index 0f916d6..e95bff6 100644 --- a/service/helpers/postrm_rhel_8 +++ b/service/helpers/postrm_rhel_8 @@ -17,5 +17,4 @@ grep -qe 'auth substack password-auth' $SSHD_PAM_CONF || sed -i -e 's/ sed -i '/auth required pam_rublon.so/d' $SSHD_PAM_CONF sed -i '/account required pam_rublon.so/d' $SSHD_PAM_CONF sed -i '/auth requisite pam_unix.so/d' $SSHD_PAM_CONF -sed -i '/Include 01-rublon-ssh.conf/d' $RUBLON_SSH_CONFIG_D - +sed -i '/01-rublon-ssh.conf/d' $RUBLON_SSH_CONFIG_D \ No newline at end of file
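Review bot: `theni:q` is leftover editor keystrokes replacing `then`, so the `if [ -f $RUBLON_SSH_CONFIG ]` block no longer parses and the shell aborts at its `fi`. None of the following cleanup runs, including the `sed` lines that remove `pam_rublon.so` from `$SSHD_PAM_CONF`, so an uninstall leaves PAM entries for a module that has been removed and SSH logins can fail. Restore the line to `then`. The added restore line is also ineffective: `grep -qe 'auth substack password-auth'` matches the commented `#auth substack password-auth` as well, so the `sed` after `||` runs only when there is nothing to uncomment. Drop the guard and anchor the pattern, `sed -i -e 's/^#auth substack password-auth/auth substack password-auth/' $SSHD_PAM_CONF`. The same guard appears as context in `postrm_rhel_8`.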
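Review bot: `sed -i '/01-rublon-ssh.conf/d' $RUBLON_SSH_CONFIG_D` now deletes any line containing that text, including comments or unrelated directives, and the unescaped `.` matches any character. It also edits `$RUBLON_SSH_CONFIG_D`, while `postinst_rhel_8` inserts the `Include` into `$SSHD_CONF`. The definition of `RUBLON_SSH_CONFIG_D` is outside the hunk; if it is not the same file, the `Include` line stays in sshd_config after removal. An anchored pattern on the file the installer modified is safer: `sed -i '/^Include .*01-rublon-ssh\.conf$/d' $SSHD_CONF`. The file now also ends without a trailing newline.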