Merge remote-tracking branch 'local/bwi/v2.0.2-rc1' into bwi/v2.0.3

CMakeLists.txt

@@ -25,7 +25,6 @@ add_custom_target(INSTSCRIPTS_IDE SUORCES ${CMAKE_CURRENT_LIST_DIR}/service/post
 install(
     FILES
         ${CMAKE_CURRENT_LIST_DIR}/rsc/rublon.config.defaults
-        ${CMAKE_CURRENT_LIST_DIR}/service/01-rublon-ssh.conf.default
     DESTINATION
         share/rublon
     COMPONENT
@@ -36,6 +35,16 @@ install(
         GROUP_READ
 )
 
+install(
+    DIRECTORY
+        ${CMAKE_CURRENT_LIST_DIR}/service/
+    COMPONENT
+	PAM
+    DESTINATION
+        share/rublon/service
+    USE_SOURCE_PERMISSIONS
+)
+
 if (${ENABLE_TESTS})
     enable_testing()
 endif()

PAM/ssh/include/rublon/utils.hpp

@@ -59,6 +59,7 @@ LogLevel g_level                = LogLevel::Debug;
 constexpr bool syncLogFile      = true;
 static const char * application = "";
 
+
 // #include <openssl/md5.h>
 // #include <sys/types.h>
 // #include <sys/stat.h>
@@ -85,22 +86,23 @@ static const char * application = "";
 //     int file_descript;
 //     unsigned long file_size;
 //     char* file_buffer;
-
+    
 //     file_descript = open(filename, O_RDONLY);
 //     if(file_descript < 0) exit(-1);
-
+    
 //     file_size = get_size_by_fd(file_descript);
 //     printf("file size:\t%lu\n", file_size);
-
+    
 //     file_buffer =(char*)mmap(nullptr, file_size, PROT_READ, MAP_SHARED, file_descript, 0);
 //     MD5((unsigned char*) file_buffer, file_size, result);
-//     munmap(file_buffer, file_size);
-
+//     munmap(file_buffer, file_size); 
+    
 //     return 0;
 // }
 
 namespace details {
-
+    
+    
     std::pmr::string osName(std::pmr::memory_resource * mr) {
         memory::MonotonicStackResource< 8 * 1024 > stackResource;
 

PAM/ssh/lib/CMakeLists.txt

@@ -32,7 +32,7 @@ execute_process (
     OUTPUT_VARIABLE outOS
 )
 
-if(${outOS} MATCHES "centos|rhel" )
+if(${outOS} MATCHES "centos|rhel|alma|rocky" )
     message(INFO "detected rhen base system")
     set(_destination /usr/lib64/security/)
 elseif(${outOS} MATCHES "debian|ubuntu")

pack.cmake

@@ -36,5 +36,7 @@ set(CPACK_GENERATOR "DEB")
 # set(CPACK_DEBIAN_PACKAGE_DEPENDS "libcurl4(>= 7.0.0), libc(>= 2.0), libssl(>= 1.0)")
 set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA 
 	"${CMAKE_CURRENT_SOURCE_DIR}/service/postinst;${CMAKE_CURRENT_SOURCE_DIR}/service/postrm")
+set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CMAKE_CURRENT_SOURCE_DIR}/service/postinst")
+set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${CMAKE_CURRENT_SOURCE_DIR}/service/postrm_rhel")
 
 include(CPack)

service/01-rublon-ssh.conf.default

@@ -1,4 +1,14 @@
-UsePAM yes
-PasswordAuthentication yes
-ChallengeResponseAuthentication yes
-#KbdInteractiveAuthentication no
+UsePAM yes
+PasswordAuthentication yes
+ChallengeResponseAuthentication yes
+#KbdInteractiveAuthentication no
+
+#Public key authentication (optional)
+#uncomment this section to enable Public key authentication option
+#comment above "PasswordAuthentication yes"
+# important! You need to change /etc/pam.d/ssh file to enabled public key authentication
+
+#AuthenticationMethods publickey,keyboard-interactive
+#MaxAuthTries 3
+#PubkeyAuthentication yes
+#PasswordAuthentication no

service/01-rublon-ssh_pubkey.conf.default

@@ -0,0 +1,8 @@
+UsePAM yes
+ChallengeResponseAuthentication yes
+#KbdInteractiveAuthentication no
+
+AuthenticationMethods publickey,keyboard-interactive
+MaxAuthTries 3
+PubkeyAuthentication yes
+PasswordAuthentication no

service/postinst

@@ -14,7 +14,7 @@ fi
 
 if [ ! -f $RUBLON_SSH_CONFIG ]
 then
-    cp -a /usr/share/rublon/01-rublon-ssh.conf.default $RUBLON_SSH_CONFIG
+    cp -a /usr/share/rublon/service/01-rublon-ssh.conf.default $RUBLON_SSH_CONFIG
     chown root:root $RUBLON_SSH_CONFIG
     chmod 640 $RUBLON_SSH_CONFIG
 fi
@@ -24,10 +24,10 @@ then
     . /etc/os-release
 fi
 
-#if [ $ID == "rhel" ]
+#if [[ $ID == "rhel" || $ID=="alma" || $ID=="rocky" ]]
 #then
-#	cd /home/vagrant/Rublon-Linux/service
-#    	checkmodule -M -m -o login_rublon.mod login_rublon.te
+#	cd /usr/share/rublon/service
+ #   	checkmodule -M -m -o login_rublon.mod login_rublon.te
 #	semodule_package -o login_rublon.pp -m login_rublon.mod
 #	semodule -i login_rublon.pp
 #fi
@@ -35,4 +35,10 @@ fi
 grep -qe 'auth required pam_rublon.so' $SSHD_PAM_CONF || sed -i '$aauth required pam_rublon.so' $SSHD_PAM_CONF
 grep -qe 'account required pam_rublon.so' $SSHD_PAM_CONF || sed -i '$aaccount required pam_rublon.so' $SSHD_PAM_CONF
 
-deb-systemd-invoke restart ssh.service
+if [[ $ID == "rhel" || $ID=="alma" || $ID=="rocky" ]]
+then
+	systemctl restart sshd
+else 
+	deb-systemd-invoke restart ssh.service
+fi
+

service/postinst_pubkey

@@ -0,0 +1,41 @@
+#!/bin/bash
+
+SSHD_CONF=/etc/ssh/sshd_config
+SSHD_PAM_CONF=/etc/pam.d/sshd
+RUBLON_CONFIG=/etc/rublon.config
+RUBLON_SSH_CONFIG=/etc/ssh/sshd_config.d/01-rublon-ssh.conf
+
+if [ ! -f $RUBLON_CONFIG ]
+then
+    cp -a /usr/share/rublon/rublon.config.defaults $RUBLON_CONFIG
+    chown root:root $RUBLON_CONFIG
+    chmod 640 $RUBLON_CONFIG
+fi
+cp -a /usr/share/rublon/service/01-rublon-ssh_pubkey.conf.default $RUBLON_SSH_CONFIG
+chown root:root $RUBLON_SSH_CONFIG
+chmod 640 $RUBLON_SSH_CONFIG
+
+if [ -f /etc/os-release ]
+then
+    . /etc/os-release
+fi
+
+#if [[ $ID == "rhel" || $ID=="alma" || $ID=="rocky" ]]
+#then
+#	cd /usr/share/rublon/service
+ #   	checkmodule -M -m -o login_rublon.mod login_rublon.te
+#	semodule_package -o login_rublon.pp -m login_rublon.mod
+#	semodule -i login_rublon.pp
+#fi
+
+grep -qe 'auth required pam_rublon.so' $SSHD_PAM_CONF || sed -i '$aauth required pam_rublon.so' $SSHD_PAM_CONF
+grep -qe 'account required pam_rublon.so' $SSHD_PAM_CONF || sed -i '$aaccount required pam_rublon.so' $SSHD_PAM_CONF
+grep -qe '@include common-auth' $SSHD_PAM_CONF || sed -i 's/@include common-auth/#@include common-auth/' $SSHD_PAM_CONF
+
+if [[ $ID == "rhel" || $ID=="alma" || $ID=="rocky" ]]
+then
+	systemctl restart sshd
+else 
+	deb-systemd-invoke restart ssh.service
+fi
+