diff --git a/CMakeLists.txt b/CMakeLists.txt index 76fad68..8a42cd1 100755 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -25,7 +25,6 @@ add_custom_target(INSTSCRIPTS_IDE SUORCES ${CMAKE_CURRENT_LIST_DIR}/service/post install( FILES ${CMAKE_CURRENT_LIST_DIR}/rsc/rublon.config.defaults - ${CMAKE_CURRENT_LIST_DIR}/service/01-rublon-ssh.conf.default DESTINATION share/rublon COMPONENT @@ -36,6 +35,16 @@ install( GROUP_READ ) +install( + DIRECTORY + ${CMAKE_CURRENT_LIST_DIR}/service/ + COMPONENT + PAM + DESTINATION + share/rublon/service + USE_SOURCE_PERMISSIONS +) + if (${ENABLE_TESTS}) enable_testing() endif() diff --git a/PAM/ssh/include/rublon/utils.hpp b/PAM/ssh/include/rublon/utils.hpp index d85f525..2b682aa 100755 --- a/PAM/ssh/include/rublon/utils.hpp +++ b/PAM/ssh/include/rublon/utils.hpp @@ -59,6 +59,7 @@ LogLevel g_level = LogLevel::Debug; constexpr bool syncLogFile = true; static const char * application = ""; + // #include // #include // #include @@ -85,22 +86,23 @@ static const char * application = ""; // int file_descript; // unsigned long file_size; // char* file_buffer; - + // file_descript = open(filename, O_RDONLY); // if(file_descript < 0) exit(-1); - + // file_size = get_size_by_fd(file_descript); // printf("file size:\t%lu\n", file_size); - + // file_buffer =(char*)mmap(nullptr, file_size, PROT_READ, MAP_SHARED, file_descript, 0); // MD5((unsigned char*) file_buffer, file_size, result); -// munmap(file_buffer, file_size); - +// munmap(file_buffer, file_size); + // return 0; // } namespace details { - + + std::pmr::string osName(std::pmr::memory_resource * mr) { memory::MonotonicStackResource< 8 * 1024 > stackResource; diff --git a/PAM/ssh/lib/CMakeLists.txt b/PAM/ssh/lib/CMakeLists.txt index aa21e87..2eee230 100755 --- a/PAM/ssh/lib/CMakeLists.txt +++ b/PAM/ssh/lib/CMakeLists.txt 
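Review bot: `USE_SOURCE_PERMISSIONS` in the new `install(DIRECTORY ${CMAKE_CURRENT_LIST_DIR}/service/ ...)` makes the mode of everything under /usr/share/rublon/service depend on the checkout instead of on a declared policy; the `index` lines in this diff show service/postinst tracked as 100755 but the new service/postinst_pubkey as 100644, so the installed directory gets a mix of executable and non-executable scripts, and a checkout made under a permissive umask would install them group- or world-writable. The `install(FILES ...)` that previously covered 01-rublon-ssh.conf.default set explicit `PERMISSIONS` (GROUP_READ is visible in the context), and the only consumer visible here is postinst, which copies the template with `cp -a` and then re-applies `chmod 640`, so explicit modes lose nothing: `FILE_PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ` plus `DIRECTORY_PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE`. If the intent is that an administrator runs postinst_pubkey from that directory, it needs an executable bit that the 100644 source mode will not give it; otherwise `PATTERN "post*" EXCLUDE` keeps the data directory to the config templates and the .te file the commented SELinux block in postinst expects there.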
@@ -32,7 +32,7 @@ execute_process ( OUTPUT_VARIABLE outOS ) -if(${outOS} MATCHES "centos|rhel" ) +if(${outOS} MATCHES "centos|rhel|alma|rocky" ) message(INFO "detected rhen base system") set(_destination /usr/lib64/security/) elseif(${outOS} MATCHES "debian|ubuntu") diff --git a/pack.cmake b/pack.cmake index 5d4b447..6e264b1 100755 --- a/pack.cmake +++ b/pack.cmake @@ -36,5 +36,7 @@ set(CPACK_GENERATOR "DEB") # set(CPACK_DEBIAN_PACKAGE_DEPENDS "libcurl4(>= 7.0.0), libc(>= 2.0), libssl(>= 1.0)") set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA "${CMAKE_CURRENT_SOURCE_DIR}/service/postinst;${CMAKE_CURRENT_SOURCE_DIR}/service/postrm") +set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CMAKE_CURRENT_SOURCE_DIR}/service/postinst") +set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${CMAKE_CURRENT_SOURCE_DIR}/service/postrm_rhel") include(CPack) diff --git a/service/01-rublon-ssh.conf.default b/service/01-rublon-ssh.conf.default index 44faa24..373b21b 100644 --- a/service/01-rublon-ssh.conf.default +++ b/service/01-rublon-ssh.conf.default @@ -1,4 +1,14 @@ -UsePAM yes -PasswordAuthentication yes -ChallengeResponseAuthentication yes -#KbdInteractiveAuthentication no +UsePAM yes +PasswordAuthentication yes +ChallengeResponseAuthentication yes +#KbdInteractiveAuthentication no + +#Public key authentication (optional) +#uncomment this section to enable Public key authentication option +#comment above "PasswordAuthentication yes" +# important! You need to change /etc/pam.d/ssh file to enabled public key authentication + +#AuthenticationMethods publickey,keyboard-interactive +#MaxAuthTries 3 +#PubkeyAuthentication yes +#PasswordAuthentication no diff --git a/service/01-rublon-ssh_pubkey.conf.default b/service/01-rublon-ssh_pubkey.conf.default new file mode 100644 index 0000000..c21ea58 --- /dev/null +++ b/service/01-rublon-ssh_pubkey.conf.default 
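Review bot: The RPM now reuses service/postinst as its %post scriptlet, but nothing declares what that script relies on: it edits /etc/pam.d/sshd and /etc/ssh/sshd_config.d and restarts sshd, so the package should carry `set(CPACK_RPM_PACKAGE_REQUIRES "openssh-server, pam")`, and the `CPACK_DEBIAN_PACKAGE_DEPENDS` line directly above is still commented out on the DEB side. Without the dependency the package installs cleanly on a host without sshd and leaves behind a drop-in that enables password authentication the moment openssh-server is installed later. `postrm_rhel` is referenced here but not part of this diff, so I cannot tell whether it reverses the PAM edits; rpm passes `$1` as an install count (2 on upgrade) rather than Debian's `configure`/`remove` words, so a script shared between both formats should be checked on the upgrade path as well.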
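Review bot: The guidance comment names the wrong PAM file: `# important! You need to change /etc/pam.d/ssh file` should read `/etc/pam.d/sshd`, which is the file postinst edits as `$SSHD_PAM_CONF`. The template also deserves a comment above `PasswordAuthentication yes` stating why it is forced and what it overrides: sshd keeps the first value it sees for a keyword, and Debian, Ubuntu and RHEL 9 include `/etc/ssh/sshd_config.d/*.conf` at the top of sshd_config, so this drop-in re-enables password logins on hosts whose main sshd_config disabled them, which is a hardening regression an operator installing a 2FA module will not expect. Since the second factor arrives through keyboard-interactive, the header should say whether the password line is actually needed or whether the admin's existing choice can be left alone. In current OpenSSH `ChallengeResponseAuthentication` is a deprecated alias of `KbdInteractiveAuthentication`, so the `#KbdInteractiveAuthentication no` hint under it reads as contradictory; a one-line comment naming the alias would stop someone uncommenting it and switching the Rublon prompt off.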
@@ -0,0 +1,8 @@ +UsePAM yes +ChallengeResponseAuthentication yes +#KbdInteractiveAuthentication no + +AuthenticationMethods publickey,keyboard-interactive +MaxAuthTries 3 +PubkeyAuthentication yes +PasswordAuthentication no diff --git a/service/postinst b/service/postinst index c2be946..9e665d4 100755 --- a/service/postinst +++ b/service/postinst @@ -14,7 +14,7 @@ fi if [ ! -f $RUBLON_SSH_CONFIG ] then - cp -a /usr/share/rublon/01-rublon-ssh.conf.default $RUBLON_SSH_CONFIG + cp -a /usr/share/rublon/service/01-rublon-ssh.conf.default $RUBLON_SSH_CONFIG chown root:root $RUBLON_SSH_CONFIG chmod 640 $RUBLON_SSH_CONFIG fi @@ -24,10 +24,10 @@ then . /etc/os-release fi -#if [ $ID == "rhel" ] +#if [[ $ID == "rhel" || $ID=="alma" || $ID=="rocky" ]] #then -# cd /home/vagrant/Rublon-Linux/service -# checkmodule -M -m -o login_rublon.mod login_rublon.te +# cd /usr/share/rublon/service + # checkmodule -M -m -o login_rublon.mod login_rublon.te # semodule_package -o login_rublon.pp -m login_rublon.mod # semodule -i login_rublon.pp #fi @@ -35,4 +35,10 @@ fi grep -qe 'auth required pam_rublon.so' $SSHD_PAM_CONF || sed -i '$aauth required pam_rublon.so' $SSHD_PAM_CONF grep -qe 'account required pam_rublon.so' $SSHD_PAM_CONF || sed -i '$aaccount required pam_rublon.so' $SSHD_PAM_CONF -deb-systemd-invoke restart ssh.service +if [[ $ID == "rhel" || $ID=="alma" || $ID=="rocky" ]] +then + systemctl restart sshd +else + deb-systemd-invoke restart ssh.service +fi + diff --git a/service/postinst_pubkey b/service/postinst_pubkey new file mode 100644 index 0000000..1acc74b --- /dev/null +++ b/service/postinst_pubkey 
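Review bot: This new drop-in changes the authentication policy of the host but carries no header comment saying who installs it or what it assumes; I would open it with `# Installed as /etc/ssh/sshd_config.d/01-rublon-ssh.conf by postinst_pubkey; sshd keeps the first value per keyword, so these lines override sshd_config.` and `# publickey AND the PAM (Rublon) prompt are both required; PasswordAuthentication is disabled on purpose.` The `#KbdInteractiveAuthentication no` line is a trap here: `AuthenticationMethods publickey,keyboard-interactive` depends on keyboard-interactive staying enabled, and `ChallengeResponseAuthentication` is its deprecated alias in current OpenSSH, so a comment should say that uncommenting it breaks every login.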
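Review bot: The new test `if [[ $ID == "rhel" || $ID=="alma" || $ID=="rocky" ]]` is always true, because `$ID=="alma"` without spaces is a single non-empty word and `[[ word ]]` only checks that the word is non-empty; the `else` branch with `deb-systemd-invoke` is unreachable, and the same expression is repeated in the commented SELinux block of the previous hunk and in postinst_pubkey. Even with the spacing fixed, AlmaLinux reports `ID=almalinux` in /etc/os-release as far as I know, so `alma` would never match; a `case` on `$ID` is the robust form and can include `centos`, which the CMake detection already accepts. For a script that has just rewritten /etc/ssh/sshd_config.d and /etc/pam.d/sshd, the restart should also be gated on `sshd -t`: a drop-in the installed sshd rejects (for example an unknown keyword on an older release) makes the restart fail and locks remote administrators out, and a reload would suffice for a configuration change.
```bash
# … unchanged: PAM stack edits …
if ! /usr/sbin/sshd -t; then
    echo "rublon postinst: sshd rejects the new configuration; not restarting sshd" >&2
    exit 1
fi
case "$ID" in
    rhel|centos|almalinux|rocky)
        systemctl restart sshd ;;
    *)
        deb-systemd-invoke restart ssh.service ;;
esac
```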
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+SSHD_CONF=/etc/ssh/sshd_config
+SSHD_PAM_CONF=/etc/pam.d/sshd
+RUBLON_CONFIG=/etc/rublon.config
+RUBLON_SSH_CONFIG=/etc/ssh/sshd_config.d/01-rublon-ssh.conf
+
+if [ ! -f $RUBLON_CONFIG ]
+then
+cp -a /usr/share/rublon/rublon.config.defaults $RUBLON_CONFIG
+chown root:root $RUBLON_CONFIG
+chmod 640 $RUBLON_CONFIG
+fi
+cp -a /usr/share/rublon/service/01-rublon-ssh_pubkey.conf.default $RUBLON_SSH_CONFIG
+chown root:root $RUBLON_SSH_CONFIG
+chmod 640 $RUBLON_SSH_CONFIG
+
+if [ -f /etc/os-release ]
+then
+. /etc/os-release
+fi
+
+#if [[ $ID == "rhel" || $ID=="alma" || $ID=="rocky" ]]
+#then
+# cd /usr/share/rublon/service
+ # checkmodule -M -m -o login_rublon.mod login_rublon.te
+# semodule_package -o login_rublon.pp -m login_rublon.mod
+# semodule -i login_rublon.pp
+#fi
+
+grep -qe 'auth required pam_rublon.so' $SSHD_PAM_CONF || sed -i '$aauth required pam_rublon.so' $SSHD_PAM_CONF
+grep -qe 'account required pam_rublon.so' $SSHD_PAM_CONF || sed -i '$aaccount required pam_rublon.so' $SSHD_PAM_CONF
+grep -qe '@include common-auth' $SSHD_PAM_CONF || sed -i 's/@include common-auth/#@include common-auth/' $SSHD_PAM_CONF
+
+if [[ $ID == "rhel" || $ID=="alma" || $ID=="rocky" ]]
+then
+systemctl restart sshd
+else
+deb-systemd-invoke restart ssh.service
+fi
+
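Review bot: The new line `grep -qe '@include common-auth' $SSHD_PAM_CONF || sed -i 's/@include common-auth/#@include common-auth/' $SSHD_PAM_CONF` has its condition inverted: `grep -q` succeeds when the include is present, so `||` runs the sed only when there is nothing to comment out, and the password stack is never disabled. `sed -i 's/^@include common-auth/#&/' $SSHD_PAM_CONF` does the job on its own and stays idempotent, since a line already starting with `#` no longer matches. The edit is also Debian-specific: RHEL-family /etc/pam.d/sshd pulls the password modules in through `auth substack password-auth` as far as I know, which this script leaves untouched, so with `AuthenticationMethods publickey,keyboard-interactive` the user is still asked for the Unix password before pam_rublon instead of getting key plus Rublon only; either handle that include form or document that the RHEL PAM stack needs manual editing. The always-true `[[ $ID == "rhel" || $ID=="alma" || $ID=="rocky" ]]` test from postinst is repeated at the bottom, so `deb-systemd-invoke` is never reached here either. With no `set -e`, a failed `cp` of the template (for example when /etc/ssh/sshd_config.d does not exist) still falls through to the sshd restart.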