From a832478d41adfbaefe184af76a92dafacdba9f29 Mon Sep 17 00:00:00 2001 From: Bartosz Wieczorek Date: Tue, 28 May 2024 12:12:50 +0200 Subject: [PATCH 01/17] Remove unused options from rublon default config --- rsc/rublon.config.defaults | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/rsc/rublon.config.defaults b/rsc/rublon.config.defaults index 583f45e..684afdf 100755 --- a/rsc/rublon.config.defaults +++ b/rsc/rublon.config.defaults @@ -1,9 +1,6 @@ systemToken= secretKey= -userDomain= rublonApiServer=https://core.rublon.net -failMode=safe +failMode=deny prompt=1 logging=true -enablePasswdEmail=true -autopushPrompt=false From c1dbb7ba78aaf931de9afa1bf1f8a062820d9918 Mon Sep 17 00:00:00 2001 From: Bartosz Wieczorek Date: Tue, 28 May 2024 12:13:28 +0200 Subject: [PATCH 02/17] Remove safe|secure options --- PAM/ssh/include/rublon/configuration.hpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/PAM/ssh/include/rublon/configuration.hpp b/PAM/ssh/include/rublon/configuration.hpp index 26d6d7c..4835def 100755 --- a/PAM/ssh/include/rublon/configuration.hpp +++ b/PAM/ssh/include/rublon/configuration.hpp @@ -64,9 +64,9 @@ namespace { template <> auto to(std::string_view arg) -> tl::expected< FailMode, ConfigurationError > { - if(arg == "safe" || "bypass") + if(arg == "bypass") return FailMode::bypass; - if(arg == "secure" || arg == "deny") + if(arg == "deny") return FailMode::deny; return tl::unexpected{ConfigurationError{ConfigurationError::ErrorClass::BadFailMode}}; } From 4c6c1dd485513b8846a4688d7f8abd4d1300f9b7 Mon Sep 17 00:00:00 2001 From: Bartosz Wieczorek Date: Tue, 28 May 2024 12:14:15 +0200 Subject: [PATCH 03/17] Allow 9 digits long passcode for passcode bypass --- PAM/ssh/include/rublon/method/passcode_based_auth.hpp | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) 
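Review bot: With the `safe` and `secure` spellings gone, any existing `/etc/rublon.config` that still says `failMode=safe` parses as `BadFailMode` after the upgrade, and `postinst` only copies the defaults when that file is absent, so upgraded hosts are exactly the ones affected; what the module does on a configuration error (deny every login, or bypass) is decided outside this hunk. The exact comparisons are correct now — the old `arg == "safe" || "bypass"` was always true — but keep the old names for one release with a deprecation log, e.g. `if(arg == "safe") { log(LogLevel::Warning, "failMode=safe is deprecated, use bypass"); return FailMode::bypass; }` and the same for `secure`/`deny`, or call the rename out in the package's upgrade notes. A one-line comment above the specialization, `// accepted values: bypass | deny (keep in sync with rsc/rublon.config.defaults)`, would also stop the two files drifting again.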
diff --git a/PAM/ssh/include/rublon/method/passcode_based_auth.hpp b/PAM/ssh/include/rublon/method/passcode_based_auth.hpp index 53dd05d..5db917a 100755 --- a/PAM/ssh/include/rublon/method/passcode_based_auth.hpp +++ b/PAM/ssh/include/rublon/method/passcode_based_auth.hpp @@ -20,7 +20,9 @@ class PasscodeBasedAuth : public AuthenticationStep { static constexpr const char * fieldVericode = "vericode"; static constexpr const char * fieldOtp = "otp"; - + + static constexpr auto _bypassCodeLength = 9; + const char * userMessage{nullptr}; const uint_fast8_t length; @@ -36,11 +38,11 @@ class PasscodeBasedAuth : public AuthenticationStep { } bool hasValidLength(std::string_view userInput) const { - if(userInput.size() == length) { + if(userInput.size() == length || userInput.size() == _bypassCodeLength) { log(LogLevel::Debug, "User input size %d is correct", userInput.size()); return true; } else { - log(LogLevel::Warning, "User input size %d is different then %d", userInput.size(), length); + log(LogLevel::Warning, "User input size %d is different than %d", userInput.size(), length); return false; } } @@ -50,7 +52,7 @@ class PasscodeBasedAuth : public AuthenticationStep { log(LogLevel::Debug, "User input contains valid characters"); return true; } else { - log(LogLevel::Warning, "User input contains characters different then digits"); + log(LogLevel::Warning, "User input contains characters different than digits"); return false; } } From 815d7535024863f6d9dc429c3b0ee045954c04a0 Mon Sep 17 00:00:00 2001 From: Bartosz Wieczorek Date: Tue, 28 May 2024 12:14:53 +0200 Subject: [PATCH 04/17] Change name of 'Mobile Passcode' to 'Passcode' --- PAM/ssh/include/rublon/method/method_select.hpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/PAM/ssh/include/rublon/method/method_select.hpp b/PAM/ssh/include/rublon/method/method_select.hpp index 0bc585c..53e0177 100755 --- a/PAM/ssh/include/rublon/method/method_select.hpp 
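Review bot: `hasValidLength` now accepts `_bypassCodeLength` for every class built on `PasscodeBasedAuth` (OTP is one; the SMS and YubiKey methods may be too), not just where a 9-digit bypass code is meaningful, and whether the core endpoint re-checks the length per method is not visible here. The `else` branch still logs only `length`, so a rejected 7-digit entry is reported as 'different than 6' although 9 would also have passed, and `userInput.size()` is a `size_t` while the format uses `%d`. Suggested: `log(LogLevel::Warning, "User input size %zu is neither %d nor %d", userInput.size(), ( int ) length, _bypassCodeLength);` plus a comment on the constant, `// Rublon bypass codes are 9 digits and are accepted alongside the method's own length`. If bypass codes are meant for some methods only, a constructor flag consulted here is safer than a class-wide constant.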
+++ b/PAM/ssh/include/rublon/method/method_select.hpp @@ -139,9 +139,9 @@ class MethodSelect { for(const auto & method : _methods) { if(method == "totp") { logMethodAvailable(method); - pam.print("%d: Mobile Passcode", i + 1); + pam.print("%d: Passcode", i + 1); methods_id[++i] = method; - methods_names[i] = "Mobile Passcode"; + methods_names[i] = "Passcode"; continue; } From 54d9bde5864515bf527932c8a7da6c6f8149efbb Mon Sep 17 00:00:00 2001 From: Bartosz Wieczorek Date: Tue, 28 May 2024 12:15:53 +0200 Subject: [PATCH 05/17] Do not display any prompt when user is waiting --- PAM/ssh/include/rublon/init.hpp | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/PAM/ssh/include/rublon/init.hpp b/PAM/ssh/include/rublon/init.hpp index 1021209..a17018a 100755 --- a/PAM/ssh/include/rublon/init.hpp +++ b/PAM/ssh/include/rublon/init.hpp 
@@ -68,16 +68,22 @@ class Init : public AuthenticationStep { tl::expected< std::reference_wrapper< const Document >, Error > checkEnrolement(const Document & coreResponse, const Pam_T pam) const { using namespace std::string_view_literals; const auto & resp = coreResponse; - + + ///TODO refactor this if(resp.HasMember("result") and resp["result"].IsObject() and resp["result"].HasMember("status")) { const auto & status = resp["result"]["status"].GetString(); log(LogLevel::Warning, "Got enrolement message with stats %s", status); - if((status == "pending"sv || status == "waiting"sv) and resp["result"].HasMember("webURI")) { - const auto & weburi = resp["result"]["webURI"].GetString(); - pam.print("Visit %s", weburi); + if(status == "pending"sv ) { + if(resp["result"].HasMember("webURI")){ + const auto & weburi = resp["result"]["webURI"].GetString(); + pam.print("Visit %s", weburi); + } return tl::unexpected{Error{RublonAuthenticationInterrupt{RublonAuthenticationInterrupt::UserPending}}}; } - if(status == "denied"sv) { + else if(status == "waiting"sv){ + return tl::unexpected{Error{RublonAuthenticationInterrupt{RublonAuthenticationInterrupt::UserWaiting}}}; + } + else if(status == "denied"sv) { return tl::unexpected{Error{RublonAuthenticationInterrupt{RublonAuthenticationInterrupt::UserDenied}}}; } } From d9f8f8da063ad5d858a6ee8f0667da103a964ab8 Mon Sep 17 00:00:00 2001 From: Bartosz Wieczorek Date: Tue, 28 May 2024 12:18:58 +0200 Subject: [PATCH 06/17] remove unused alloca.h header --- PAM/ssh/include/rublon/utils.hpp | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/PAM/ssh/include/rublon/utils.hpp b/PAM/ssh/include/rublon/utils.hpp index 51cb751..81aff98 100755 --- a/PAM/ssh/include/rublon/utils.hpp +++ b/PAM/ssh/include/rublon/utils.hpp @@ -1,6 +1,7 @@ #pragma once #include "tl/expected.hpp" + #include #include #include @@ -13,8 +14,6 @@ #include #include -#include - #include #include #include 
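Review bot: `resp["result"]["status"].GetString()` and `resp["result"]["webURI"].GetString()` are guarded only by `HasMember`, and RapidJSON's `GetString()` asserts on a non-string value, which aborts the process running the PAM stack for this sshd session whenever the core reply is malformed or changes shape. Add `IsString()` to both guards, e.g. `if(resp["result"].HasMember("webURI") and resp["result"]["webURI"].IsString())`, and the same for `status` before it is read. `weburi` is then printed to the user's terminal verbatim through `pam.print("Visit %s", weburi)`; if the core server is not fully trusted, filtering control characters before printing avoids terminal escape injection. `checkEnrolement` closes outside this hunk.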
From 5538dc2536fd5f92f26e1243d38a5c7952148366 Mon Sep 17 00:00:00 2001 From: Bartosz Wieczorek Date: Wed, 29 May 2024 08:33:47 +0200 Subject: [PATCH 07/17] Add autopushPrompt option --- CMakeLists.txt | 2 +- PAM/ssh/include/rublon/init.hpp | 2 +- PAM/ssh/include/rublon/method/PUSH.hpp | 4 ++-- PAM/ssh/include/rublon/method/method_select.hpp | 16 +++++++++------- .../rublon/method/websocket_based_auth.hpp | 13 +++++++++---- PAM/ssh/lib/pam.cpp | 2 +- rsc/rublon.config.defaults | 1 + 7 files changed, 24 insertions(+), 16 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index fbfcd79..3d7ce94 100755 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -7,7 +7,7 @@ include(GNUInstallDirs) set(PROJECT_VERSION_MAJOR 2) set(PROJECT_VERSION_MINOR 0) -set(PROJECT_VERSION_PATCH 1) +set(PROJECT_VERSION_PATCH 2) set(CMAKE_CXX_STANDARD 17) set(CMAKE_CXX_STANDARD_REQUIRED YES) diff --git a/PAM/ssh/include/rublon/init.hpp b/PAM/ssh/include/rublon/init.hpp index a17018a..3a364f5 100755 --- a/PAM/ssh/include/rublon/init.hpp +++ b/PAM/ssh/include/rublon/init.hpp @@ -32,7 +32,7 @@ class Init : public AuthenticationStep { const auto & rublonResponse = coreResponse["result"]; std::string tid = rublonResponse["tid"].GetString(); g_tid = tid; - return MethodSelect_t{this->_systemToken, tid, rublonResponse["methods"], _session.config().prompt}; + return MethodSelect_t{this->_systemToken, tid, rublonResponse["methods"], _session.config().prompt, _session.config().autopushPrompt}; } template < typename PamInfo_t > diff --git a/PAM/ssh/include/rublon/method/PUSH.hpp b/PAM/ssh/include/rublon/method/PUSH.hpp index 5eefece..aca5e8c 100755 --- a/PAM/ssh/include/rublon/method/PUSH.hpp +++ b/PAM/ssh/include/rublon/method/PUSH.hpp 
@@ -12,8 +12,8 @@ namespace rublon::method { class PUSH : public WebsocketBasedAuth { public: - PUSH(std::string systemToken, std::string tid) - : WebsocketBasedAuth(std::move(systemToken), std::move(tid), "Mobile PUSH") {} + PUSH(std::string systemToken, std::string tid, bool autopush) + : WebsocketBasedAuth(std::move(systemToken), std::move(tid), "Mobile PUSH", autopush) {} }; } // namespace rublon::method diff --git a/PAM/ssh/include/rublon/method/method_select.hpp b/PAM/ssh/include/rublon/method/method_select.hpp index 53e0177..8cd7f5b 100755 --- a/PAM/ssh/include/rublon/method/method_select.hpp +++ b/PAM/ssh/include/rublon/method/method_select.hpp @@ -47,6 +47,7 @@ class PostMethod : public AuthenticationStep { const char * uri = "/api/transaction/methodSSH"; std::string _method; int _prompts; + bool _autopushPrompt; tl::expected< MethodProxy, Error > createMethod(const Document & coreResponse) const { const auto & rublonResponse = coreResponse["result"]; @@ -58,9 +59,9 @@ class PostMethod : public AuthenticationStep { } else if(_method == "sms") { return MethodProxy{method::SMS{this->_systemToken, std::move(tid), _prompts}}; } else if(_method == "push") { - return MethodProxy{method::PUSH{this->_systemToken, std::move(tid)}}; + return MethodProxy{method::PUSH{this->_systemToken, std::move(tid), _autopushPrompt}}; } else if(_method == "email") { - return MethodProxy{method::PUSH{this->_systemToken, std::move(tid)}}; + return MethodProxy{method::EMAIL{this->_systemToken, std::move(tid)}}; } else if(_method == "smsLink") { return MethodProxy{method::SmsLink{this->_systemToken, std::move(tid)}}; } else if(_method == "yotp") { 
@@ -77,8 +78,8 @@ class PostMethod : public AuthenticationStep { public: const char * name = "Confirm Method"; - PostMethod(std::string systemToken, std::string tid, std::string method, int prompts) - : base_t(std::move(systemToken), std::move(tid)), _method{method}, _prompts{prompts} {} + PostMethod(std::string systemToken, std::string tid, std::string method, int prompts, bool autopushPrompt) + : base_t(std::move(systemToken), std::move(tid)), _method{method}, _prompts{prompts}, _autopushPrompt{autopushPrompt} {} template < typename Hander_t, typename PamInfo_t = LinuxPam > tl::expected< MethodProxy, Error > handle(const CoreHandlerInterface< Hander_t > & coreHandler) const { @@ -102,13 +103,14 @@ class MethodSelect { std::string _accessToken; std::string _tid; int _prompts; + bool _autopushPrompt; std::vector< std::string > _methods; public: template < typename Array_t > - MethodSelect(std::string systemToken, std::string tid, const Array_t & methodsAvailableForUser, int prompts) - : _systemToken{std::move(systemToken)}, _tid{std::move(tid)}, _prompts{prompts} { + MethodSelect(std::string systemToken, std::string tid, const Array_t & methodsAvailableForUser, int prompts, bool autopushPrompt) + : _systemToken{std::move(systemToken)}, _tid{std::move(tid)}, _prompts{prompts}, _autopushPrompt{autopushPrompt} { _methods.reserve(std::size(methodsAvailableForUser)); std::transform( std::begin(methodsAvailableForUser), std::end(methodsAvailableForUser), std::back_inserter(_methods), [](const auto & method) { @@ -207,7 +209,7 @@ class MethodSelect { return tl::unexpected{MethodError(MethodError::BadMethod)}; } else { log(LogLevel::Info, "User selected option %d{%s}", methodid, methods_names.at(methodid).c_str()); - return PostMethod{_systemToken, _tid, methods_id.at(methodid), _prompts}; + return PostMethod{_systemToken, _tid, methods_id.at(methodid), _prompts, _autopushPrompt}; } }; 
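Review bot: In the new `PostMethod` constructor `_method{method}` copies the by-value `std::string` while `systemToken` and `tid` are moved on the same line; `_method{std::move(method)}` is the consistent form. Passing `prompts` and `autopushPrompt` as an adjacent `int, bool` pair through `MethodSelect` and `PostMethod` is easy to mis-order at call sites, so document the two members, e.g. `// _prompts: value of the 'prompt' config key; _autopushPrompt: ask the user to press Enter after a push is sent`, or group them in a small options struct later. `MethodSelect`'s constructor body continues past this hunk.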
diff --git a/PAM/ssh/include/rublon/method/websocket_based_auth.hpp b/PAM/ssh/include/rublon/method/websocket_based_auth.hpp index edf0c0e..e714106 100755 --- a/PAM/ssh/include/rublon/method/websocket_based_auth.hpp +++ b/PAM/ssh/include/rublon/method/websocket_based_auth.hpp @@ -13,16 +13,21 @@ namespace rublon::method { class WebsocketBasedAuth : public AuthenticationStep { public: - const char * name = ""; + const char * _name = ""; + const bool _autopushPrompt = true; - WebsocketBasedAuth(std::string systemToken, std::string tid, const char * name) - : AuthenticationStep(std::move(systemToken), std::move(tid)), name{name} {} + WebsocketBasedAuth(std::string systemToken, std::string tid, const char * name, bool autopushPrompt = true) + : AuthenticationStep(std::move(systemToken), std::move(tid)), _name{name}, _autopushPrompt{autopushPrompt} {} template < typename Hander_t, typename PamInfo_t = LinuxPam > tl::expected< AuthenticationStatus, Error > verify(const CoreHandlerInterface< Hander_t > & coreHandler, const PamInfo_t & pam) const { log(LogLevel::Info, "starting WS"); auto listener = coreHandler.listen(); - pam.scan([](const auto/*ignored userinput*/){return "";}, "Rublon authentication initiated. Complete the authentication and press Enter to proceed"); + if(not _autopushPrompt) + pam.print("Autopush"); + else + pam.scan([](const auto /*ignored userinput*/) { return ""; }, + "Rublon authentication initiated. Complete the authentication and press Enter to proceed"); return listener->waitForEvent(); } }; diff --git a/PAM/ssh/lib/pam.cpp b/PAM/ssh/lib/pam.cpp index b41f3a7..345d76c 100755 --- a/PAM/ssh/lib/pam.cpp +++ b/PAM/ssh/lib/pam.cpp 
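Review bot: With `_autopushPrompt` false the user sees only the bare word `Autopush` and the method then blocks in `listener->waitForEvent()`, so the new branch gives no hint of what is happening and leaves the session's fate on a never-answered push entirely to that call's timeout, which is not visible here. Replace the message with something actionable, e.g. `pam.print("Push notification sent. Approve it in the Rublon Authenticator app to continue");`, and confirm `waitForEvent()` returns a denial on timeout rather than hanging the sshd child. A comment on the new member, `// true: wait for the user to press Enter before checking the push result; false: just wait for the push`, documents the flag; `_name` as a public member with a leading underscore reads like a private field, so keep whichever convention is chosen consistent across the `AuthenticationStep` subclasses.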
@@ -89,7 +89,7 @@ pam_sm_authenticate(pam_handle_t * pamh, [[maybe_unused]] int flags, [[maybe_unu case RublonAuthenticationInterrupt::ErrorClass::UserWaiting: case RublonAuthenticationInterrupt::ErrorClass::UserPending: pam.print( - "Your account is awaiting administrator's approval. \n" + "Your account is awaiting administrator's approval.\n" "Contact your administrator and ask them to approve your account"); return printAuthMessageAndExit(AuthenticationStatus::Action::Denied); case RublonAuthenticationInterrupt::ErrorClass::UserNotFound: diff --git a/rsc/rublon.config.defaults b/rsc/rublon.config.defaults index 684afdf..b651134 100755 --- a/rsc/rublon.config.defaults +++ b/rsc/rublon.config.defaults @@ -4,3 +4,4 @@ rublonApiServer=https://core.rublon.net failMode=deny prompt=1 logging=true +autopushPrompt=false From bc381f4b944d2b36f28ccd8616848276835bce7e Mon Sep 17 00:00:00 2001 From: Bartosz Wieczorek Date: Wed, 29 May 2024 08:34:16 +0200 Subject: [PATCH 08/17] Change name OTP method --- PAM/ssh/include/rublon/method/OTP.hpp | 2 +- PAM/ssh/include/rublon/sign.hpp | 23 +++++++++++++++++++++++ 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/PAM/ssh/include/rublon/method/OTP.hpp b/PAM/ssh/include/rublon/method/OTP.hpp index 4f08300..8c5e60b 100755 --- a/PAM/ssh/include/rublon/method/OTP.hpp +++ b/PAM/ssh/include/rublon/method/OTP.hpp @@ -17,7 +17,7 @@ class OTP : public PasscodeBasedAuth { std::move(tid), "", "Mobile Passcode", - "Enter the passcode from the Rublon Authenticator mobile app: ", + "Enter the passcode from the Authenticator app: ", 6, true, PasscodeBasedAuth::Endpoint::ConfirmCode, diff --git a/PAM/ssh/include/rublon/sign.hpp b/PAM/ssh/include/rublon/sign.hpp index afae01c..7d61362 100755 --- a/PAM/ssh/include/rublon/sign.hpp +++ b/PAM/ssh/include/rublon/sign.hpp 
@@ -1,13 +1,36 @@ #pragma once #include +#include #include #include #include +#include + +#include namespace rublon { +inline std::array< char, SHA256_DIGEST_LENGTH * 2 + 1 > SHA256(const char * const path) { + std::string fileContent; + readFile(path, fileContent); + + std::array< char, SHA256_DIGEST_LENGTH * 2 + 1 > xRublon{}; + std::array< unsigned char, SHA256_DIGEST_LENGTH + 1 > hash{}; + + SHA256_CTX ctx; + SHA256_Init(&ctx); + + SHA256_Update(&ctx, fileContent.data(), fileContent.size()); + SHA256_Final(hash.data(), &ctx); + + for(unsigned int i = 0; i < SHA256_DIGEST_LENGTH; i++) + sprintf(&xRublon[i * 2], "%02x", ( unsigned int ) hash[i]); + + return xRublon; +} + // +1 for \0 inline std::array< char, 64 + 1 > signData(std::string_view data, std::string_view secretKey) { std::array< char, 64 + 1 > xRublon; From 12e20333a0585fdc37862db3da57a798658c7fa2 Mon Sep 17 00:00:00 2001 From: Bartosz Wieczorek Date: Wed, 29 May 2024 10:25:18 +0200 Subject: [PATCH 09/17] Change enrolement message handling --- PAM/ssh/include/rublon/error.hpp | 1 + PAM/ssh/include/rublon/init.hpp | 5 +-- .../include/rublon/method/method_select.hpp | 45 +++++++++++++------ .../rublon/method/passcode_based_auth.hpp | 6 +-- PAM/ssh/include/rublon/static_string.hpp | 7 ++- PAM/ssh/include/rublon/utils.hpp | 17 +++++++ PAM/ssh/lib/pam.cpp | 2 +- 7 files changed, 58 insertions(+), 25 deletions(-) diff --git a/PAM/ssh/include/rublon/error.hpp b/PAM/ssh/include/rublon/error.hpp index cbf5aa4..827ac7c 100755 --- a/PAM/ssh/include/rublon/error.hpp +++ b/PAM/ssh/include/rublon/error.hpp @@ -117,6 +117,7 @@ class WerificationError { class RublonAuthenticationInterrupt { public: + // UserPending -> user has no methods configured enum ErrorClass { UserBaypass, UserDenied, UserPending, UserWaiting, UserNotFound }; constexpr static auto errorClassPrettyName = make_array("UserBypassedException", "UserDenied", "UserPending", "UserWaiting", "UserNotFoundException"); 
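Review bot: The new `SHA256()` never checks the result of `readFile(path, fileContent)`, so a missing or unreadable file is hashed as empty input and the function returns the well-known digest of zero bytes; if a caller compares or signs that value, a read failure becomes a silent fail-open. It also uses `SHA256_Init`/`SHA256_Update`/`SHA256_Final`, which OpenSSL 3.0 marks deprecated, and formats the hex with unbounded `sprintf`. Below is the same function on the one-shot `EVP_Digest()` API with failure reported as an empty (all-zero) array; what `readFile` returns is not visible in this hunk, so the first check assumes it can signal failure, and the EVP call needs `<openssl/evp.h>` (the include lines are not legible in this rendering). A doc comment, `/// Hex-encoded SHA-256 of the file at path; empty string on read or digest failure`, should accompany the change.
```cpp
inline std::array< char, SHA256_DIGEST_LENGTH * 2 + 1 > SHA256(const char * const path) {
    std::array< char, SHA256_DIGEST_LENGTH * 2 + 1 > xRublon{};

    std::string fileContent;
    // NOTE(review): assumes readFile reports failure; an unreadable file must not hash as ""
    if(not readFile(path, fileContent))
        return xRublon;

    std::array< unsigned char, SHA256_DIGEST_LENGTH > hash{};
    unsigned int hashLen = 0;
    // SHA256_Init/Update/Final are deprecated since OpenSSL 3.0; EVP_Digest is the one-shot replacement
    if(EVP_Digest(fileContent.data(), fileContent.size(), hash.data(), &hashLen, EVP_sha256(), nullptr) != 1)
        return xRublon;

    for(unsigned int i = 0; i < SHA256_DIGEST_LENGTH; i++)
        snprintf(&xRublon[i * 2], 3, "%02x", static_cast< unsigned int >(hash[i]));

    return xRublon;
}
```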
diff --git a/PAM/ssh/include/rublon/init.hpp b/PAM/ssh/include/rublon/init.hpp index 3a364f5..ff116d5 100755 --- a/PAM/ssh/include/rublon/init.hpp +++ b/PAM/ssh/include/rublon/init.hpp @@ -31,7 +31,7 @@ class Init : public AuthenticationStep { tl::expected< MethodSelect_t, Error > createMethod(const Document & coreResponse) const { const auto & rublonResponse = coreResponse["result"]; std::string tid = rublonResponse["tid"].GetString(); - g_tid = tid; + g_tid = tid; ///TODO set tid in session return MethodSelect_t{this->_systemToken, tid, rublonResponse["methods"], _session.config().prompt, _session.config().autopushPrompt}; } @@ -78,7 +78,6 @@ class Init : public AuthenticationStep { const auto & weburi = resp["result"]["webURI"].GetString(); pam.print("Visit %s", weburi); } - return tl::unexpected{Error{RublonAuthenticationInterrupt{RublonAuthenticationInterrupt::UserPending}}}; } else if(status == "waiting"sv){ return tl::unexpected{Error{RublonAuthenticationInterrupt{RublonAuthenticationInterrupt::UserWaiting}}}; @@ -92,7 +91,7 @@ class Init : public AuthenticationStep { } public: - const char * name = "Initialization"; + const char * _name = "Initialization"; const Session & _session; diff --git a/PAM/ssh/include/rublon/method/method_select.hpp b/PAM/ssh/include/rublon/method/method_select.hpp index 8cd7f5b..5e6b72c 100755 --- a/PAM/ssh/include/rublon/method/method_select.hpp +++ b/PAM/ssh/include/rublon/method/method_select.hpp @@ -1,11 +1,15 @@ #pragma once #include +#include +#include +#include + #include -#include - #include +#include +#include #include #include @@ -21,7 +25,6 @@ extern std::string g_tid; namespace rublon { - class MethodProxy { public: template < typename Method_t 
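Review bot: Removing the `UserPending` return means a `pending` status now only prints the enrolment URI and continues past the status checks (whatever follows them is outside this hunk), so the login is refused only later, when `MethodSelect` finds no supported method and `NoMethodAvailable` maps to `Denied` in `pam.cpp`. That stays fail-closed only as long as core never reports `pending` alongside a non-empty `methods` array and that later mapping keeps returning `Denied`; the comment added to `RublonAuthenticationInterrupt` records the first assumption but nothing here enforces it. State the dependency at the fall-through, `// pending: enrolment link shown; login is denied downstream because such a user has no methods`, or return `UserDenied` right after printing the URI so this function does not rely on a different file. The `///TODO set tid in session` on `g_tid = tid` rightly flags a process-global mutable string inside a PAM module; it is presumably per-connection under sshd's fork model, but the global should go before any threaded use.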
> @@ -32,7 +35,7 @@ class MethodProxy { coreHandler.createWSConnection(g_tid); return std::visit( [&](const auto & method) { - rublon::log(LogLevel::Info, "Using '%s' method", method.name); + log(LogLevel::Info, "Using '%s' method", method._name); return method.verify(coreHandler, pam); }, _impl); @@ -76,7 +79,7 @@ class PostMethod : public AuthenticationStep { } public: - const char * name = "Confirm Method"; + const char * _name = "Confirm Method"; PostMethod(std::string systemToken, std::string tid, std::string method, int prompts, bool autopushPrompt) : base_t(std::move(systemToken), std::move(tid)), _method{method}, _prompts{prompts}, _autopushPrompt{autopushPrompt} {} 
@@ -105,18 +108,27 @@ class MethodSelect { int _prompts; bool _autopushPrompt; - std::vector< std::string > _methods; + std::vector< std::string > _methodsAvailable; public: template < typename Array_t > MethodSelect(std::string systemToken, std::string tid, const Array_t & methodsAvailableForUser, int prompts, bool autopushPrompt) : _systemToken{std::move(systemToken)}, _tid{std::move(tid)}, _prompts{prompts}, _autopushPrompt{autopushPrompt} { - _methods.reserve(std::size(methodsAvailableForUser)); - std::transform( - std::begin(methodsAvailableForUser), std::end(methodsAvailableForUser), std::back_inserter(_methods), [](const auto & method) { - return method.GetString(); - }); - rublon::log(LogLevel::Debug, "User has %d methods available", _methods.size()); + using namespace std::string_view_literals; + memory::MonotonicStackResource< 2024 > stackResource; + std::pmr::vector< std::string_view > _methods; + _methodsAvailable.reserve(std::size(methodsAvailableForUser)); + + std::pmr::set< std::string_view > methodsSupported{{"totp"sv, "email"sv, "yotp"sv, "sms"sv, "push"sv, "smsLink"sv}, &stackResource}; + + transform_if( + std::begin(methodsAvailableForUser), + std::end(methodsAvailableForUser), + std::back_inserter(_methodsAvailable), + [&](const auto & method) { return method.GetString(); }, + [&](const auto & method) { return methodsSupported.find(method.GetString()) != methodsSupported.end(); }); + + rublon::log(LogLevel::Debug, "User has %d methods available", _methodsAvailable.size()); } template < typename Pam_t 
> @@ -124,9 +136,14 @@ class MethodSelect { rublon::log(LogLevel::Debug, "prompting user to select method"); memory::StrictMonotonic_4k_HeapResource memoryResource; std::pmr::map< int, std::string > methods_id{&memoryResource}; - std::pmr::map< int, std::string > methods_names{&memoryResource}; + std::pmr::map< int, std::pmr::string > methods_names{&memoryResource}; int prompts = _prompts; + if(_methodsAvailable.size() == 0) { + log(LogLevel::Warning, "None of provided methods are supported by the connector"); + return tl::unexpected(MethodError(MethodError::ErrorClass::NoMethodAvailable)); + } + pam.print("Select the authentication method to verify your identity: "); auto logMethodAvailable = [](auto & method) { // @@ -138,7 +155,7 @@ class MethodSelect { auto printAvailableMethods = [&]() -> tl::expected< int, MethodError > { int i{}; - for(const auto & method : _methods) { + for(const auto & method : _methodsAvailable) { if(method == "totp") { logMethodAvailable(method); pam.print("%d: Passcode", i + 1); diff --git a/PAM/ssh/include/rublon/method/passcode_based_auth.hpp b/PAM/ssh/include/rublon/method/passcode_based_auth.hpp index 5db917a..49d56e1 100755 --- a/PAM/ssh/include/rublon/method/passcode_based_auth.hpp +++ b/PAM/ssh/include/rublon/method/passcode_based_auth.hpp @@ -103,7 +103,7 @@ class PasscodeBasedAuth : public AuthenticationStep { } public: - const char * name; + const char * _name; std::string token; enum class Endpoint { ConfirmCode, SecurityKeySSH }; @@ -111,7 +111,7 @@ class PasscodeBasedAuth : public AuthenticationStep { PasscodeBasedAuth(std::string systemToken, std::string tid, std::string token, - const char * name, + const char * _name, const char * userMessage, uint_fast8_t length, @@ -125,7 +125,7 @@ class PasscodeBasedAuth : public AuthenticationStep { length{length}, onlyDigits{numbersOnly}, _prompts{prompts}, - name{name}, + _name{_name}, token{std::move(token)} {} template < typename Hander_t, typename PamInfo_t = LinuxPam 
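Review bot: The constructor declares `std::pmr::vector< std::string_view > _methods` and never uses it, and the leading underscore makes a local look like a member; delete the line. Both the predicate and the mapping lambda call `method.GetString()` on elements of the `methods` array without an `IsString()` check, which asserts inside the sshd auth process on a non-string element; add `method.IsString() &&` to the predicate so the mapping only ever sees strings. Restricting the offered methods to `methodsSupported` is the right fail-closed move, since previously unsupported names reached `createMethod`; a comment on the set, `// only methods this connector can drive; anything else reported by core is ignored`, would explain the allow-list. `MonotonicStackResource< 2024 >` looks like a typo for 2048 but is harmless.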
> diff --git a/PAM/ssh/include/rublon/static_string.hpp b/PAM/ssh/include/rublon/static_string.hpp index 43542f0..cd4dec3 100644 --- a/PAM/ssh/include/rublon/static_string.hpp +++ b/PAM/ssh/include/rublon/static_string.hpp @@ -18,13 +18,12 @@ class StaticString { } const char * c_str() const noexcept { - return &m_str[0]; + return m_str.data(); } - + const char * data() const noexcept { - return &m_str[0]; + return m_str.data(); } - std::size_t size() const { return strlen(m_str.data()); diff --git a/PAM/ssh/include/rublon/utils.hpp b/PAM/ssh/include/rublon/utils.hpp index 81aff98..3828571 100755 --- a/PAM/ssh/include/rublon/utils.hpp +++ b/PAM/ssh/include/rublon/utils.hpp @@ -284,4 +284,21 @@ namespace details { } // namespace details +template < + class InputIterator, class OutputIterator, + class UnaryOperator, class Pred + > +OutputIterator transform_if(InputIterator first1, InputIterator last1, + OutputIterator result, UnaryOperator op, Pred pred) +{ + while (first1 != last1) + { + if (pred(*first1)) { + *result = op(*first1); + ++result; + } + ++first1; + } + return result; +} } // namespace rublon diff --git a/PAM/ssh/lib/pam.cpp b/PAM/ssh/lib/pam.cpp index 345d76c..e798714 100755 --- a/PAM/ssh/lib/pam.cpp +++ b/PAM/ssh/lib/pam.cpp @@ -104,7 +104,7 @@ pam_sm_authenticate(pam_handle_t * pamh, [[maybe_unused]] int flags, [[maybe_unu case MethodError::ErrorClass::BadUserInput: return printAuthMessageAndExit(AuthenticationStatus::Action::Denied); case MethodError::ErrorClass::NoMethodAvailable: - return printAuthMessageAndExit(AuthenticationStatus::Action::Bypass); + return printAuthMessageAndExit(AuthenticationStatus::Action::Denied); } } From f112ca157ddd1ca510f334a1c0b6a052fe6d935f Mon Sep 17 00:00:00 2001 From: Bartosz Wieczorek Date: Wed, 29 May 2024 11:22:21 +0200 Subject: [PATCH 10/17] ad static string ctor --- PAM/ssh/include/rublon/static_string.hpp | 40 +++++++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-) 
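Review bot: `transform_if` lands in the public `rublon` namespace with no comment, and its argument order (the mapping `op` before the predicate `pred`) is the reverse of what a reader of `std::copy_if`/`std::transform` might guess, so it deserves a short doc comment, e.g. `/// Writes op(*it) to result for each it in [first1, last1) where pred(*it) is true; the filtered counterpart of std::transform.` Marking it `constexpr` costs nothing and lets constexpr callers use it. Its only caller in this series is `MethodSelect`'s constructor, where `op` and `pred` both call `GetString()` on the same element, so any type check belongs in `pred`.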
diff --git a/PAM/ssh/include/rublon/static_string.hpp b/PAM/ssh/include/rublon/static_string.hpp index cd4dec3..1d79624 100644 --- a/PAM/ssh/include/rublon/static_string.hpp +++ b/PAM/ssh/include/rublon/static_string.hpp @@ -3,12 +3,41 @@ #include #include #include +#include + +template +constexpr std::array toStdArray(T (&arr)[N], std::index_sequence) +{ + return {arr[Idx]...}; +} + +template +constexpr std::array resize(const std::array& arr, std::index_sequence) +{ + return {arr[Indexes]...}; +} + +template +constexpr std::array resize(const std::array& arr) +{ + constexpr std::size_t minSize = std::min(OldSize, NewSize); + return resize(arr, std::make_index_sequence()); +} // statically allocates a string buffer of (N+1) chars template < size_t N > class StaticString { public: constexpr StaticString() = default; + constexpr StaticString(const char (&chars)[N]) + : m_str(toStdArray(chars)) + { + } + + constexpr StaticString(std::array chars) + : m_str(std::move(chars)) + { + } constexpr StaticString(const char * str) { std::strncpy(m_str.data(), str, N); } @@ -28,7 +57,16 @@ class StaticString { std::size_t size() const { return strlen(m_str.data()); } - + + template + constexpr StaticString operator+(const StaticString &rhs) const + { + return join(resize(m_str), rhs.m_str); + } + + template + friend class StaticString; private: std::array< char, N + 1 > m_str{}; }; + From 09bbff7abaf7c48dd2bd55c362a78aca5bb8abbf Mon Sep 17 00:00:00 2001 From: unknown Date: Wed, 29 May 2024 11:10:31 +0200 Subject: [PATCH 11/17] Addded postrm script --- CMakeLists.txt | 15 +++++++++++++-- pack.cmake | 6 +++++- service/01_rublon_ssh.conf.default | 4 ++++ service/postinst | 27 ++++++++++++++------------- service/postrm | 22 ++++++++++++++++++++++ 5 files changed, 58 insertions(+), 16 deletions(-) create mode 100644 service/01_rublon_ssh.conf.default create mode 100644 service/postrm diff --git a/CMakeLists.txt b/CMakeLists.txt index 3d7ce94..d23af8a 100755 --- a/CMakeLists.txt 
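Review bot: The new `operator+` returns `join(resize(m_str), rhs.m_str)`, but no `join` is declared in this hunk or anywhere visible earlier in the file; if it does not exist elsewhere the operator fails as soon as it is instantiated. `resize` calls `std::min`, which needs `<algorithm>`; the include lines are not legible in this rendering, so please confirm it is there. The template parameter lists were also lost by the rendering, so the size arithmetic between `StaticString(const char (&chars)[N])` and the `N + 1` element `m_str` cannot be checked here; a comment such as `// N includes the literal's terminating NUL; m_str keeps one spare byte` would make the intent verifiable. The free helper templates should at least live in `namespace rublon::detail` rather than at global scope in a header.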
+++ b/CMakeLists.txt
@@ -16,7 +16,6 @@ set(CMAKE_CXX_EXTENSIONS NO)
 add_compile_options(-Wall -Wextra -Wpedantic -Wno-format-security)
 option(ENABLE_TESTS "Enable tests" OFF)
-
 add_custom_target(CONFIG_IDE SOURCES ${CMAKE_CURRENT_LIST_DIR}/rsc/rublon.config.defaults)
 add_custom_target(INSTSCRIPTS_IDE SUORCES ${CMAKE_CURRENT_LIST_DIR}/service/postinst)
@@ -36,10 +35,22 @@ install(
 GROUP_READ
 )
+install(
+ FILES
+ ${CMAKE_CURRENT_LIST_DIR}/service/01_rublon_ssh.conf.default
+ DESTINATION
+ share/rublon
+ COMPONENT
+ PAM
+ PERMISSIONS
+ OWNER_READ
+ OWNER_WRITE
+ GROUP_READ
+)
+
 if (${ENABLE_TESTS})
 enable_testing()
 endif()
 add_subdirectory(PAM/ssh)
-
 include(pack.cmake)
diff --git a/pack.cmake b/pack.cmake
index 6b8b484..9fa3f53 100755
--- a/pack.cmake
+++ b/pack.cmake
@@ -28,8 +28,12 @@ set(CPACK_DEB_COMPONENT_INSTALL YES)
 set(CPACK_DEBIAN_PACKAGE_SHLIBDEPS YES)
 set(CPACK_GENERATOR "DEB")
+#set(CPACK_GENERATOR "RPM")
+#set(CPACK_RPM_SPEC_MORE_DEFINE "%define _build_id_links none")
+#set(CPACK_RPM_FILE_NAME RPM-DEFAULT)
 # set(CPACK_DEBIAN_DEV_PACKAGE_DEPENDS "libcurl4(>= 7.0.0), libc(>= 2.0)")
 # set(CPACK_DEBIAN_PACKAGE_DEPENDS "libcurl4(>= 7.0.0), libc(>= 2.0), libssl(>= 1.0)")
-set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA "${CMAKE_CURRENT_SOURCE_DIR}/service/postinst")
+set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
+ "${CMAKE_CURRENT_SOURCE_DIR}/service/postinst;${CMAKE_CURRENT_SOURCE_DIR}/service/postrm")
 include(CPack)
diff --git a/service/01_rublon_ssh.conf.default b/service/01_rublon_ssh.conf.default
new file mode 100644
index 0000000..57bf611
--- /dev/null
+++ b/service/01_rublon_ssh.conf.default
@@ -0,0 +1,4 @@
+UsePAM yes
+PasswordAuthentication yes
+ChallengeResponseAuthentication yes
+#KbdInteractiveAuthentication no
\ No newline at end of file
diff --git a/service/postinst b/service/postinst
index 1bd2921..cfc7710 100755
--- a/service/postinst
+++ b/service/postinst
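Review bot: `01_rublon_ssh.conf.default` sets `PasswordAuthentication yes`, and because sshd keeps the first value it reads and Debian/Ubuntu place `Include /etc/ssh/sshd_config.d/*.conf` at the top of `sshd_config`, a drop-in sorted as `01-…` silently re-enables password logins on every host where the administrator had set `PasswordAuthentication no`. As far as the PAM conversation in this module is concerned only `UsePAM yes` and `KbdInteractiveAuthentication yes` are needed (`ChallengeResponseAuthentication` is the deprecated alias of that option), so drop the `PasswordAuthentication` line and replace the contradictory `#KbdInteractiveAuthentication no` with `KbdInteractiveAuthentication yes`, keeping the alias only if OpenSSH releases before 8.7 must be supported. A header comment, `# Installed by the Rublon package: enables the PAM keyboard-interactive prompt; does not change PasswordAuthentication`, tells the next administrator what the file is for, and the file should end with a newline. The `postinst` that installs it continues in the next hunk.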
@@ -3,6 +3,7 @@
 SSHD_CONF=/etc/ssh/sshd_config
 SSHD_PAM_CONF=/etc/pam.d/sshd
 RUBLON_CONFIG=/etc/rublon.config
+RUBLON_SSH_CONFIG=/etc/ssh/sshd_config.d/01_rublon_ssh.conf
 if [ ! -f /etc/rublon.config ]
 then
@@ -11,24 +12,24 @@ then
 chmod 640 $RUBLON_CONFIG
 fi
+if [ ! -f /etc/ssh/sshd_config.d/01_rublon_ssh.conf ]
+then
+ cp -a /usr/share/rublon/01_rublon_ssh.conf.default $RUBLON_SSH_CONFIG
+ chown root:root $RUBLON_SSH_CONFIG
+ chmod 640 $RUBLON_SSH_CONFIG
+fi
 if [ -f /etc/os-release ]
 then
 . /etc/os-release
 fi
-grep -qe "^PasswordAuthentication" $SSHD_CONF && \
- sed -i 's/^#*PasswordAuthentication[[:space:]]\+.*/PasswordAuthentication yes/' $SSHD_CONF || \
- echo "PasswordAuthentication yes" >> $SSHD_CONF
-grep -qe "^ChallengeResponseAuthentication" $SSHD_CONF && \
- sed -i 's/^#*ChallengeResponseAuthentication[[:space:]]\+.*/ChallengeResponseAuthentication yes/' $SSHD_CONF || \
- echo "ChallengeResponseAuthentication yes" >> $SSHD_CONF
-grep -qe "^UsePAM" $SSHD_CONF && \
- sed -i 's/^#*UsePAM[[:space:]]\+.*/UsePAM yes/' $SSHD_CONF || \
- echo "UsePAM yes" >> $SSHD_CONF
-sed -i 's/KbdInteractiveAuthentication/#KbdInteractiveAuthentication/' $SSHD_CONF
+if [ $ID == "rhel" ]
+then
+ cd /home/vagrant/Rublon-Linux/service
+ checkmodule -M -m -o login_rublon.mod login_rublon.te
+ semodule_package -o login_rublon.pp -m login_rublon.mod
+ semodule -i login_rublon.pp
+fi
 grep -qe 'auth required pam_rublon.so' $SSHD_PAM_CONF || sed -i '$aauth required pam_rublon.so' $SSHD_PAM_CONF
 grep -qe 'account required pam_rublon.so' $SSHD_PAM_CONF || sed -i '$aaccount required pam_rublon.so' $SSHD_PAM_CONF
diff --git a/service/postrm b/service/postrm
new file mode 100644
index 0000000..5d5f817
--- /dev/null
+++ b/service/postrm
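Review bot: The new RHEL branch does `cd /home/vagrant/Rublon-Linux/service` and then runs `checkmodule`/`semodule_package`/`semodule -i` as root from that directory, so the SELinux policy loaded at package install time is whatever sits in a developer's home directory — anyone who can write that path on the target gets arbitrary policy installed as root — and on any other host the `cd` fails (no `set -e` is visible) and the three commands run in dpkg's working directory. Ship `login_rublon.te` with the package (this patch's `install()` only adds the sshd drop-in) and build it in a temporary directory, quoting `"$ID"` and using POSIX `=`; `$ID` is also unset when `/etc/os-release` is missing, which makes `[ $ID == "rhel" ]` fail with a test error instead of evaluating false. Separately, the removed `sed`/`echo` edits applied to every `sshd_config`, whereas the new drop-in is only read where `sshd_config` carries `Include /etc/ssh/sshd_config.d/*.conf` and that directory exists, so the `cp -a` needs a preceding `mkdir -p /etc/ssh/sshd_config.d` and ideally a check for the `Include`. sshd is not reloaded here either, so neither the PAM nor the drop-in change takes effect until the next restart; the title of patch 13 suggests that is handled later.
```shell
if [ ! -f "$RUBLON_SSH_CONFIG" ]
then
    mkdir -p /etc/ssh/sshd_config.d
    cp -a /usr/share/rublon/01_rublon_ssh.conf.default "$RUBLON_SSH_CONFIG"
    # … unchanged: chown/chmod of the drop-in …
fi
# … unchanged: sourcing /etc/os-release …
if [ "${ID:-}" = "rhel" ]
then
    # policy source comes from the package, never from a developer checkout
    POLICY_TE=/usr/share/rublon/login_rublon.te
    WORKDIR=$(mktemp -d) || exit 1
    checkmodule -M -m -o "$WORKDIR/login_rublon.mod" "$POLICY_TE" || exit 1
    semodule_package -o "$WORKDIR/login_rublon.pp" -m "$WORKDIR/login_rublon.mod" || exit 1
    semodule -i "$WORKDIR/login_rublon.pp" || exit 1
    rm -rf "$WORKDIR"
fi
# … unchanged: pam.d/sshd entries …
```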
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+RUBLON_CONFIG=/etc/rublon.config
+RUBLON_SSH_CONFIG=/etc/ssh/sshd_config.d/01_rublon_ssh.conf
+SSHD_PAM_CONF=/etc/pam.d/sshd
+
+if [ $1 == 'purge' ]
+then
+ if [ -f $RUBLON_CONFIG ]
+ then
+ rm $RUBLON_CONFIG
+ fi
+
+ if [ -f $RUBLON_SSH_CONFIG ]
+ then
+ rm $RUBLON_SSH_CONFIG
+ fi
+fi
+
+sed -i '/auth required pam_rublon.so/d' $SSHD_PAM_CONF
+sed -i '/account required pam_rublon.so/d' $SSHD_PAM_CONF
+
From 175300113dc11ac568247ced6b15f76dfd632e35 Mon Sep 17 00:00:00 2001
From: unknown
Date: Wed, 29 May 2024 14:30:21 +0200
Subject: [PATCH 12/17] Rename 01_rublon_ssh.conf to 01-rublon-ssh.conf
---
 ...1_rublon_ssh.conf.default => 01-rublon-ssh.conf.default} | 6 +++---
 service/postinst | 6 +++---
 service/postrm | 2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)
 rename service/{01_rublon_ssh.conf.default => 01-rublon-ssh.conf.default} (97%)
diff --git a/service/01_rublon_ssh.conf.default b/service/01-rublon-ssh.conf.default
similarity index 97%
rename from service/01_rublon_ssh.conf.default
rename to service/01-rublon-ssh.conf.default
index 57bf611..b2f131a 100644
--- a/service/01_rublon_ssh.conf.default
+++ b/service/01-rublon-ssh.conf.default
@@ -1,4 +1,4 @@
-UsePAM yes
-PasswordAuthentication yes
-ChallengeResponseAuthentication yes
+UsePAM yes
+PasswordAuthentication yes
+ChallengeResponseAuthentication yes
 #KbdInteractiveAuthentication no
\ No newline at end of file
diff --git a/service/postinst b/service/postinst
index cfc7710..48653a2 100755
--- a/service/postinst
+++ b/service/postinst
@@ -3,7 +3,7 @@
 SSHD_CONF=/etc/ssh/sshd_config
 SSHD_PAM_CONF=/etc/pam.d/sshd
 RUBLON_CONFIG=/etc/rublon.config
-RUBLON_SSH_CONFIG=/etc/ssh/sshd_config.d/01_rublon_ssh.conf
+RUBLON_SSH_CONFIG=/etc/ssh/sshd_config.d/01-rublon-ssh.conf
 if [ ! -f /etc/rublon.config ]
 then
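Review bot: The two `sed -i '/... pam_rublon.so/d'` lines at the end run for every `$1` dpkg passes, including `upgrade` and `failed-upgrade`, so during a package upgrade the old version's `postrm` strips `pam_rublon.so` from `/etc/pam.d/sshd` and only the new `postinst` puts it back; any failure in between leaves sshd authenticating without the second factor. Guard them with `case "$1" in remove|purge) sed -i '/^auth required pam_rublon.so/d' "$SSHD_PAM_CONF"; sed -i '/^account required pam_rublon.so/d' "$SSHD_PAM_CONF" ;; esac`, which also anchors the patterns so a commented-out line an administrator left behind is not deleted. Quote `"$1"` in the purge test and use POSIX `=` rather than the bash-only `==`. A short header comment, `# purge: remove config (contains secretKey) and sshd drop-in; remove/purge: detach from /etc/pam.d/sshd`, documents the two stages.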
@@ -12,9 +12,9 @@ then chmod 640 $RUBLON_CONFIG fi -if [ ! -f /etc/ssh/sshd_config.d/01_rublon_ssh.conf ] +if [ ! -f $RUBLON_SSH_CONFIG ] then - cp -a /usr/share/rublon/01_rublon_ssh.conf.default $RUBLON_SSH_CONFIG + cp -a /usr/share/rublon/01-rublon-ssh.conf.default $RUBLON_SSH_CONFIG chown root:root $RUBLON_SSH_CONFIG chmod 640 $RUBLON_SSH_CONFIG fi diff --git a/service/postrm b/service/postrm index 5d5f817..ee1ca06 100644 --- a/service/postrm +++ b/service/postrm @@ -1,7 +1,7 @@ #!/bin/bash RUBLON_CONFIG=/etc/rublon.config -RUBLON_SSH_CONFIG=/etc/ssh/sshd_config.d/01_rublon_ssh.conf +RUBLON_SSH_CONFIG=/etc/ssh/sshd_config.d/01-rublon-ssh.conf SSHD_PAM_CONF=/etc/pam.d/sshd if [ $1 == 'purge' ] From 769b1a2f7d64855232d46ac5bf503ff08432c94c Mon Sep 17 00:00:00 2001 From: Bartosz Wieczorek Date: Wed, 29 May 2024 16:07:25 +0200 Subject: [PATCH 13/17] restart sshd service after rublon package instalation --- CMakeLists.txt | 14 +---------- .../include/rublon/method/method_select.hpp | 2 +- ...onf.default => 01-rublon-ssh.conf.default} | 8 +++--- service/postinst | 25 +++++++++++-------- service/postrm | 19 +++++++------- 5 files changed, 30 insertions(+), 38 deletions(-) rename service/{01_rublon_ssh.conf.default => 01-rublon-ssh.conf.default} (67%) diff --git a/CMakeLists.txt b/CMakeLists.txt index d23af8a..207d5a1 100755 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -25,19 +25,7 @@ add_custom_target(INSTSCRIPTS_IDE SUORCES ${CMAKE_CURRENT_LIST_DIR}/service/post install( FILES ${CMAKE_CURRENT_LIST_DIR}/rsc/rublon.config.defaults - DESTINATION - share/rublon - COMPONENT - PAM - PERMISSIONS - OWNER_READ - OWNER_WRITE - GROUP_READ -) - -install( - FILES - ${CMAKE_CURRENT_LIST_DIR}/service/01_rublon_ssh.conf.default + ${CMAKE_CURRENT_LIST_DIR}/service/01-rublon-ssh.conf.default DESTINATION share/rublon COMPONENT diff --git a/PAM/ssh/include/rublon/method/method_select.hpp b/PAM/ssh/include/rublon/method/method_select.hpp index 5e6b72c..95f36ca 100755 
--- a/PAM/ssh/include/rublon/method/method_select.hpp +++ b/PAM/ssh/include/rublon/method/method_select.hpp @@ -222,7 +222,7 @@ class MethodSelect { auto hasMethod = methods_id.find(methodid) != methods_id.end(); // pam.print("\t selected: %s", hasMethod ? methods_id.at(methodid).c_str() : "unknown option"); if(!hasMethod) { - log(LogLevel::Error, "User selected option %d, which is not corrent", methodid); + log(LogLevel::Error, "User selected option %d, which is not correct", methodid); return tl::unexpected{MethodError(MethodError::BadMethod)}; } else { log(LogLevel::Info, "User selected option %d{%s}", methodid, methods_names.at(methodid).c_str()); diff --git a/service/01_rublon_ssh.conf.default b/service/01-rublon-ssh.conf.default similarity index 67% rename from service/01_rublon_ssh.conf.default rename to service/01-rublon-ssh.conf.default index 57bf611..d6c8265 100644 --- a/service/01_rublon_ssh.conf.default +++ b/service/01-rublon-ssh.conf.default @@ -1,4 +1,4 @@ -UsePAM yes -PasswordAuthentication yes -ChallengeResponseAuthentication yes -#KbdInteractiveAuthentication no \ No newline at end of file +UsePAM yes +PasswordAuthentication yes +ChallengeResponseAuthentication yes +#KbdInteractiveAuthentication no diff --git a/service/postinst b/service/postinst index cfc7710..e5fc385 100755 --- a/service/postinst +++ b/service/postinst 
@@ -3,33 +3,36 @@ SSHD_CONF=/etc/ssh/sshd_config SSHD_PAM_CONF=/etc/pam.d/sshd RUBLON_CONFIG=/etc/rublon.config -RUBLON_SSH_CONFIG=/etc/ssh/sshd_config.d/01_rublon_ssh.conf +RUBLON_SSH_CONFIG=/etc/ssh/sshd_config.d/01-rublon-ssh.conf -if [ ! -f /etc/rublon.config ] +if [ ! -f $RUBLON_CONFIG ] then cp -a /usr/share/rublon/rublon.config.defaults $RUBLON_CONFIG chown root:root $RUBLON_CONFIG chmod 640 $RUBLON_CONFIG fi -if [ ! -f /etc/ssh/sshd_config.d/01_rublon_ssh.conf ] +if [ ! -f $RUBLON_SSH_CONFIG ] then - cp -a /usr/share/rublon/01_rublon_ssh.conf.default $RUBLON_SSH_CONFIG + cp -a /usr/share/rublon/01-rublon-ssh.conf.default $RUBLON_SSH_CONFIG chown root:root $RUBLON_SSH_CONFIG chmod 640 $RUBLON_SSH_CONFIG fi + if [ -f /etc/os-release ] then . /etc/os-release fi -if [ $ID == "rhel" ] -then - cd /home/vagrant/Rublon-Linux/service - checkmodule -M -m -o login_rublon.mod login_rublon.te - semodule_package -o login_rublon.pp -m login_rublon.mod - semodule -i login_rublon.pp -fi +#if [ $ID == "rhel" ] +#then +# cd /home/vagrant/Rublon-Linux/service +# checkmodule -M -m -o login_rublon.mod login_rublon.te +# semodule_package -o login_rublon.pp -m login_rublon.mod +# semodule -i login_rublon.pp +#fi grep -qe 'auth required pam_rublon.so' $SSHD_PAM_CONF || sed -i '$aauth required pam_rublon.so' $SSHD_PAM_CONF grep -qe 'account required pam_rublon.so' $SSHD_PAM_CONF || sed -i '$aaccount required pam_rublon.so' $SSHD_PAM_CONF + +deb-systemd-invoke restart sshd.service diff --git a/service/postrm b/service/postrm index 5d5f817..8720caa 100644 --- a/service/postrm +++ b/service/postrm 
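Review bot: `deb-systemd-invoke restart sshd.service` at the end of the hunk restarts the daemon without validating the configuration this script has just changed, so a bad drop-in or PAM edit makes the restart fail mid-install and can cut off remote sessions; run `sshd -t || exit 1` first. On Debian-based systems the shipped unit is `ssh.service` (as far as I know `sshd.service` is only an alias that exists while the unit is enabled), and a config change only needs a reload, so `deb-systemd-invoke reload ssh.service` is the safer call; the last patch in this series does switch the name. The SELinux block is commented out instead of removed, which leaves the `/home/vagrant/...` development path in the shipped maintainer script; delete it and let version control keep the history.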
@@ -1,22 +1,23 @@ #!/bin/bash RUBLON_CONFIG=/etc/rublon.config -RUBLON_SSH_CONFIG=/etc/ssh/sshd_config.d/01_rublon_ssh.conf +RUBLON_SSH_CONFIG=/etc/ssh/sshd_config.d/01-rublon-ssh.conf SSHD_PAM_CONF=/etc/pam.d/sshd if [ $1 == 'purge' ] then - if [ -f $RUBLON_CONFIG ] - then - rm $RUBLON_CONFIG - fi + if [ -f $RUBLON_CONFIG ] + then + rm $RUBLON_CONFIG + fi - if [ -f $RUBLON_SSH_CONFIG ] - then - rm $RUBLON_SSH_CONFIG - fi + if [ -f $RUBLON_SSH_CONFIG ] + then + rm $RUBLON_SSH_CONFIG + fi fi sed -i '/auth required pam_rublon.so/d' $SSHD_PAM_CONF sed -i '/account required pam_rublon.so/d' $SSHD_PAM_CONF +deb-systemd-invoke restart sshd.service From b018c84f10985bcc36d39b6470f0429adec6e5e9 Mon Sep 17 00:00:00 2001 From: unknown Date: Wed, 29 May 2024 14:30:21 +0200 Subject: [PATCH 14/17] Rename 01_rublon_ssh.conf to 01-rublon-ssh.conf --- CMakeLists.txt | 2 +- ...1_rublon_ssh.conf.default => 01-rublon-ssh.conf.default} | 6 +++--- service/postinst | 6 +++--- service/postrm | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) rename service/{01_rublon_ssh.conf.default => 01-rublon-ssh.conf.default} (97%) diff --git a/CMakeLists.txt b/CMakeLists.txt index d23af8a..2543cf6 100755 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -37,7 +37,7 @@ install( install( FILES - ${CMAKE_CURRENT_LIST_DIR}/service/01_rublon_ssh.conf.default + ${CMAKE_CURRENT_LIST_DIR}/service/01-rublon-ssh.conf.default DESTINATION share/rublon COMPONENT diff --git a/service/01_rublon_ssh.conf.default b/service/01-rublon-ssh.conf.default similarity index 97% rename from service/01_rublon_ssh.conf.default rename to service/01-rublon-ssh.conf.default index 57bf611..b2f131a 100644 --- a/service/01_rublon_ssh.conf.default +++ b/service/01-rublon-ssh.conf.default @@ -1,4 +1,4 @@ -UsePAM yes -PasswordAuthentication yes -ChallengeResponseAuthentication yes +UsePAM yes +PasswordAuthentication yes +ChallengeResponseAuthentication yes #KbdInteractiveAuthentication no \ No newline at end of file 
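Review bot: The added `deb-systemd-invoke restart sshd.service` runs on every postrm invocation, so on a Debian upgrade sshd is restarted here and then again by the new postinst, and on the RPM targets added later in the series `deb-systemd-invoke` does not exist; restricting the restart to the `remove`/`purge` cases and reloading `ssh.service` on Debian (as the later postinst does) avoids both. An `sshd -t` check before the restart would also catch a main config that became invalid once the drop-in was removed. The re-indentation of the `purge` block is whitespace-only and fine.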
diff --git a/service/postinst b/service/postinst index cfc7710..48653a2 100755 --- a/service/postinst +++ b/service/postinst @@ -3,7 +3,7 @@ SSHD_CONF=/etc/ssh/sshd_config SSHD_PAM_CONF=/etc/pam.d/sshd RUBLON_CONFIG=/etc/rublon.config -RUBLON_SSH_CONFIG=/etc/ssh/sshd_config.d/01_rublon_ssh.conf +RUBLON_SSH_CONFIG=/etc/ssh/sshd_config.d/01-rublon-ssh.conf if [ ! -f /etc/rublon.config ] then @@ -12,9 +12,9 @@ then chmod 640 $RUBLON_CONFIG fi -if [ ! -f /etc/ssh/sshd_config.d/01_rublon_ssh.conf ] +if [ ! -f $RUBLON_SSH_CONFIG ] then - cp -a /usr/share/rublon/01_rublon_ssh.conf.default $RUBLON_SSH_CONFIG + cp -a /usr/share/rublon/01-rublon-ssh.conf.default $RUBLON_SSH_CONFIG chown root:root $RUBLON_SSH_CONFIG chmod 640 $RUBLON_SSH_CONFIG fi diff --git a/service/postrm b/service/postrm index 5d5f817..ee1ca06 100644 --- a/service/postrm +++ b/service/postrm @@ -1,7 +1,7 @@ #!/bin/bash RUBLON_CONFIG=/etc/rublon.config -RUBLON_SSH_CONFIG=/etc/ssh/sshd_config.d/01_rublon_ssh.conf +RUBLON_SSH_CONFIG=/etc/ssh/sshd_config.d/01-rublon-ssh.conf SSHD_PAM_CONF=/etc/pam.d/sshd if [ $1 == 'purge' ] From 4919bd57a86a8af2e60b4fb11fe1d8fa8202da05 Mon Sep 17 00:00:00 2001 From: unknown Date: Tue, 4 Jun 2024 14:52:47 +0200 Subject: [PATCH 15/17] prepared scripts for generating rpm for alma nad rocky --- CMakeLists.txt | 13 ++++--------- PAM/ssh/lib/CMakeLists.txt | 2 +- pack.cmake | 8 +++++--- service/postinst | 13 ++++++++++--- 4 files changed, 20 insertions(+), 16 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 2543cf6..c759abd 100755 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -36,16 +36,11 @@ install( ) install( - FILES - ${CMAKE_CURRENT_LIST_DIR}/service/01-rublon-ssh.conf.default + DIRECTORY + ${CMAKE_CURRENT_LIST_DIR}/service/ DESTINATION - share/rublon - COMPONENT - PAM - PERMISSIONS - OWNER_READ - OWNER_WRITE - GROUP_READ + share/rublon/service + USE_SOURCE_PERMISSIONS ) if (${ENABLE_TESTS}) 
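Review bot: Replacing `install(FILES ...)` with `install(DIRECTORY ${CMAKE_CURRENT_LIST_DIR}/service/ ... USE_SOURCE_PERMISSIONS)` ships every file in `service/` (the maintainer scripts, the `.te` policy source, the conf defaults) into `share/rublon/service` and drops the explicit `OWNER_READ OWNER_WRITE GROUP_READ` set the old rule applied to the conf default, so installed permissions now depend on the mode bits of whoever last checked the tree out. It also drops `COMPONENT PAM`, which the last patch in the series has to restore. Listing the files explicitly, or using `FILE_PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ` instead of `USE_SOURCE_PERMISSIONS` and a `PATTERN "postinst*" EXCLUDE` for scripts CPack already consumes via `CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA`, would keep the payload deliberate.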
diff --git a/PAM/ssh/lib/CMakeLists.txt b/PAM/ssh/lib/CMakeLists.txt index 6f31017..30c2837 100755 --- a/PAM/ssh/lib/CMakeLists.txt +++ b/PAM/ssh/lib/CMakeLists.txt @@ -32,7 +32,7 @@ execute_process ( OUTPUT_VARIABLE outOS ) -if(${outOS} MATCHES "centos|rhel" ) +if(${outOS} MATCHES "centos|rhel|alma|rocky" ) message(INFO "detected rhen base system") set(_destination /usr/lib64/security/) elseif(${outOS} MATCHES "debian|ubuntu") diff --git a/pack.cmake b/pack.cmake index 9fa3f53..aeb5350 100755 --- a/pack.cmake +++ b/pack.cmake @@ -28,12 +28,14 @@ set(CPACK_DEB_COMPONENT_INSTALL YES) set(CPACK_DEBIAN_PACKAGE_SHLIBDEPS YES) set(CPACK_GENERATOR "DEB") -#set(CPACK_GENERATOR "RPM") -#set(CPACK_RPM_SPEC_MORE_DEFINE "%define _build_id_links none") -#set(CPACK_RPM_FILE_NAME RPM-DEFAULT) +set(CPACK_GENERATOR "RPM") +set(CPACK_RPM_SPEC_MORE_DEFINE "%define _build_id_links none") +set(CPACK_RPM_FILE_NAME RPM-DEFAULT) # set(CPACK_DEBIAN_DEV_PACKAGE_DEPENDS "libcurl4(>= 7.0.0), libc(>= 2.0)") # set(CPACK_DEBIAN_PACKAGE_DEPENDS "libcurl4(>= 7.0.0), libc(>= 2.0), libssl(>= 1.0)") set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA "${CMAKE_CURRENT_SOURCE_DIR}/service/postinst;${CMAKE_CURRENT_SOURCE_DIR}/service/postrm") +set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CMAKE_CURRENT_SOURCE_DIR}/service/postinst") +set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${CMAKE_CURRENT_SOURCE_DIR}/service/postrm_rhel") include(CPack) diff --git a/service/postinst b/service/postinst index 48653a2..9d341d6 100755 --- a/service/postinst +++ b/service/postinst @@ -14,7 +14,7 @@ fi if [ ! -f $RUBLON_SSH_CONFIG ] then - cp -a /usr/share/rublon/01-rublon-ssh.conf.default $RUBLON_SSH_CONFIG + cp -a /usr/share/rublon/service/01-rublon-ssh.conf.default $RUBLON_SSH_CONFIG chown root:root $RUBLON_SSH_CONFIG chmod 640 $RUBLON_SSH_CONFIG fi 
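Review bot: `set(CPACK_GENERATOR "RPM")` is uncommented directly below the existing `set(CPACK_GENERATOR "DEB")`, so the last assignment wins and the DEB package is silently no longer produced; use a cache variable (`set(CPACK_GENERATOR "DEB" CACHE STRING "CPack generator")`, overridable with `-DCPACK_GENERATOR=RPM`) or `set(CPACK_GENERATOR "DEB;RPM")` if both are wanted. `CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE` points at `service/postrm_rhel`, which this patch does not add (its diffstat lists four files, none of them that one), so the RPM build either fails or ships without a post-uninstall script. `CPACK_RPM_POST_INSTALL_SCRIPT_FILE` reuses the Debian `postinst`, which at this point in the series still exits through a `deb-systemd-invoke` branch.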
@@ -23,9 +23,9 @@ then
 . /etc/os-release
 fi
-if [ $ID == "rhel" ]
+if [[ $ID == "rhel" || $ID=="alma" || $ID=="rocky" ]]
 then
- cd /home/vagrant/Rublon-Linux/service
+ cd /usr/share/rublon/service
 checkmodule -M -m -o login_rublon.mod login_rublon.te
 semodule_package -o login_rublon.pp -m login_rublon.mod
 semodule -i login_rublon.pp
@@ -33,3 +33,10 @@ fi
 grep -qe 'auth required pam_rublon.so' $SSHD_PAM_CONF || sed -i '$aauth required pam_rublon.so' $SSHD_PAM_CONF
 grep -qe 'account required pam_rublon.so' $SSHD_PAM_CONF || sed -i '$aaccount required pam_rublon.so' $SSHD_PAM_CONF
+
+if [[ $ID == "rhel" || $ID=="alma" || $ID=="rocky" ]]
+then
+ systemctl restart sshd
+elif then
+ deb-systemd-invoke restart sshd.service
+fi
\ No newline at end of file
From 00ed1f9e1718639f94824d1bec64fc0bf6414e62 Mon Sep 17 00:00:00 2001
From: madzik
Date: Tue, 11 Jun 2024 09:44:31 +0000
Subject: [PATCH 16/17] adding public key authentication option
---
 service/01-rublon-ssh.conf.default | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/service/01-rublon-ssh.conf.default b/service/01-rublon-ssh.conf.default
index 44faa24..ee5ebf5 100644
--- a/service/01-rublon-ssh.conf.default
+++ b/service/01-rublon-ssh.conf.default
@@ -1,4 +1,14 @@
-UsePAM yes
-PasswordAuthentication yes
-ChallengeResponseAuthentication yes
-#KbdInteractiveAuthentication no
+UsePAM yes
+PasswordAuthentication yes
+ChallengeResponseAuthentication yes
+#KbdInteractiveAuthentication no
+
+#Public key authentication (optional)
+#comment "PasswordAuthentication yes" in 2nd line
+#uncomment below section
+# important! You need to change /etc/pam.d/ssh file to enabled public key authentication
+
+#AuthenticationMethods publickey,keyboard-interactive
+#MaxAuthTries 3
+#PubkeyAuthentication yes
+#PasswordAuthentication no
\ No newline at end of file
From 9dc4904f98d34c9c5df17467a492c1c343be52bb Mon Sep 17 00:00:00 2001 
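Review bot: In `[[ $ID == "rhel" || $ID=="alma" || $ID=="rocky" ]]` the last two comparisons have no spaces around `==`, so bash reads `$ID=="alma"` as a single word and `[[ word ]]` tests it for non-emptiness, which is always true; the branch therefore runs on every distribution, including Debian/Ubuntu where `checkmodule` and `semodule` are absent. Write `[[ $ID == "rhel" || $ID == "alma" || $ID == "rocky" ]]` (or `case "$ID" in rhel|alma|rocky)`), and note that `$ID` is unset altogether when `/etc/os-release` is missing. The same malformed test is repeated in the restart block added by the next hunk and is still present, unchanged, in the PATCH 17 hunks of `postinst` and in the new `postinst_pubkey`.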
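Review bot: `elif then` is not valid shell (`elif` requires a condition before `then`), so bash rejects the whole script at parse time and the package's configure step fails on every target; the intended keyword is `else`, which the last patch in the series substitutes. The Debian branch also names `sshd.service`, whereas the Debian unit is `ssh.service`. Running `sshd -t || exit 1` ahead of either restart would stop a broken drop-in from taking the daemon down.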
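Review bot: The new guidance comments send the reader to `/etc/pam.d/ssh`, but every script in this series edits `/etc/pam.d/sshd` (`SSHD_PAM_CONF`), and "to enabled" should read "to enable"; suggest `# important! You also need to adjust /etc/pam.d/sshd (comment out "@include common-auth") for public key authentication`. `#comment "PasswordAuthentication yes" in 2nd line` pins a line number that moves as soon as the file is edited; naming the directive is enough. The same text, slightly reworded, is re-added by the PATCH 17 hunk of this file.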
From: unknown Date: Thu, 13 Jun 2024 13:44:13 +0200 Subject: [PATCH 17/17] Add postinst script and ssh configuration for using pubkey --- CMakeLists.txt | 2 ++ pack.cmake | 6 ++-- service/01-rublon-ssh.conf.default | 19 ++++++++--- service/01-rublon-ssh_pubkey.conf.default | 8 +++++ service/postinst | 26 ++++++++------ service/postinst_pubkey | 41 +++++++++++++++++++++++ 6 files changed, 85 insertions(+), 17 deletions(-) create mode 100644 service/01-rublon-ssh_pubkey.conf.default create mode 100644 service/postinst_pubkey diff --git a/CMakeLists.txt b/CMakeLists.txt index c759abd..15b67d7 100755 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -38,6 +38,8 @@ install( install( DIRECTORY ${CMAKE_CURRENT_LIST_DIR}/service/ + COMPONENT + PAM DESTINATION share/rublon/service USE_SOURCE_PERMISSIONS diff --git a/pack.cmake b/pack.cmake index aeb5350..777a69a 100755 --- a/pack.cmake +++ b/pack.cmake @@ -28,9 +28,9 @@ set(CPACK_DEB_COMPONENT_INSTALL YES) set(CPACK_DEBIAN_PACKAGE_SHLIBDEPS YES) set(CPACK_GENERATOR "DEB") -set(CPACK_GENERATOR "RPM") -set(CPACK_RPM_SPEC_MORE_DEFINE "%define _build_id_links none") -set(CPACK_RPM_FILE_NAME RPM-DEFAULT) +#set(CPACK_GENERATOR "RPM") +#set(CPACK_RPM_SPEC_MORE_DEFINE "%define _build_id_links none") +#set(CPACK_RPM_FILE_NAME RPM-DEFAULT) # set(CPACK_DEBIAN_DEV_PACKAGE_DEPENDS "libcurl4(>= 7.0.0), libc(>= 2.0)") # set(CPACK_DEBIAN_PACKAGE_DEPENDS "libcurl4(>= 7.0.0), libc(>= 2.0), libssl(>= 1.0)") set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA diff --git a/service/01-rublon-ssh.conf.default b/service/01-rublon-ssh.conf.default index 44faa24..071685b 100644 --- a/service/01-rublon-ssh.conf.default +++ b/service/01-rublon-ssh.conf.default 
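Review bot: The RPM generator is switched off again by re-commenting `set(CPACK_GENERATOR "RPM")` and the two `CPACK_RPM_*` lines, the second flip of this block in the series; selecting the generator through a cache variable (`set(CPACK_GENERATOR "DEB" CACHE STRING "CPack generator")`, overridable with `-DCPACK_GENERATOR=RPM`) would let both packages be built from one tree without editing `pack.cmake`. The `CPACK_RPM_POST_INSTALL_SCRIPT_FILE`/`CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE` settings introduced two patches earlier presumably remain just below this hunk, still naming a `postrm_rhel` that the series never adds.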
@@ -1,4 +1,15 @@ -UsePAM yes -PasswordAuthentication yes -ChallengeResponseAuthentication yes -#KbdInteractiveAuthentication no +UsePAM yes +PasswordAuthentication yes +ChallengeResponseAuthentication yes +#KbdInteractiveAuthentication no + + +#Public key authentication (optional) +#uncomment this section to enable Public key authentication option +#comment above "PasswordAuthentication yes" +# important! You need to change /etc/pam.d/ssh file to enabled public key authentication + +#AuthenticationMethods publickey,keyboard-interactive +#MaxAuthTries 3 +#PubkeyAuthentication yes +#PasswordAuthentication no diff --git a/service/01-rublon-ssh_pubkey.conf.default b/service/01-rublon-ssh_pubkey.conf.default new file mode 100644 index 0000000..c21ea58 --- /dev/null +++ b/service/01-rublon-ssh_pubkey.conf.default @@ -0,0 +1,8 @@ +UsePAM yes +ChallengeResponseAuthentication yes +#KbdInteractiveAuthentication no + +AuthenticationMethods publickey,keyboard-interactive +MaxAuthTries 3 +PubkeyAuthentication yes +PasswordAuthentication no diff --git a/service/postinst b/service/postinst index b4abddc..a0c7805 100755 --- a/service/postinst +++ b/service/postinst @@ -12,7 +12,13 @@ then chmod 640 $RUBLON_CONFIG fi -if [ ! -f $RUBLON_SSH_CONFIG ] +if sshd -T | grep -q 'passwordauthentication no' && sshd -T | grep -q 'pubkeyauthentication yes' +then + cp -a /usr/share/rublon/service/01-rublon-ssh_pubkey.conf.default $RUBLON_SSH_CONFIG + chown root:root $RUBLON_SSH_CONFIG + chmod 640 $RUBLON_SSH_CONFIG + sed -i 's/@include common-auth/#@include common-auth/' $SSHD_PAM_CONF +elif [ ! -f $RUBLON_SSH_CONFIG ] then cp -a /usr/share/rublon/service/01-rublon-ssh.conf.default $RUBLON_SSH_CONFIG chown root:root $RUBLON_SSH_CONFIG 
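Review bot: `MaxAuthTries 3` is an unrelated hardening knob bundled into the MFA drop-in; because `01-` sorts first in `sshd_config.d` and sshd keeps the first value it reads for a keyword, it silently overrides whatever the host already configured. Drop it or leave it commented, as the password variant of this file does. A header comment stating that this file is read before `sshd_config` and is meant to take precedence would help an administrator understand why their own `PasswordAuthentication`/`AuthenticationMethods` settings stop applying.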
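Review bot: The new pubkey branch copies `01-rublon-ssh_pubkey.conf.default` over `$RUBLON_SSH_CONFIG` unconditionally, while the password branch below it keeps an existing file (`elif [ ! -f $RUBLON_SSH_CONFIG ]`), so every reconfigure or upgrade on a host where `sshd -T` reports `passwordauthentication no` (which the drop-in itself causes after the first run) overwrites local edits to the drop-in and re-runs the `sed` on `/etc/pam.d/sshd`; mirror the guard, e.g. `if [ ! -f $RUBLON_SSH_CONFIG ] && sshd -T 2>/dev/null | grep -q '^passwordauthentication no' && sshd -T 2>/dev/null | grep -q '^pubkeyauthentication yes'`. Commenting out `@include common-auth` is Debian-specific (RHEL-family `pam.d/sshd` has no such include line), so on those targets the pubkey path leaves password prompting in the PAM stack. `sshd -T` is also run twice where one capture (`cfg=$(sshd -T 2>/dev/null)`) would do, and if it fails both greps are silently false and the install falls through to the password variant — the safe direction, but worth a log line. The `if` block continues past the end of the hunk.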
@@ -24,13 +30,13 @@ then . /etc/os-release fi -if [[ $ID == "rhel" || $ID=="alma" || $ID=="rocky" ]] -then - cd /usr/share/rublon/service - checkmodule -M -m -o login_rublon.mod login_rublon.te - semodule_package -o login_rublon.pp -m login_rublon.mod - semodule -i login_rublon.pp -fi +#if [[ $ID == "rhel" || $ID=="alma" || $ID=="rocky" ]] +#then +# cd /usr/share/rublon/service + # checkmodule -M -m -o login_rublon.mod login_rublon.te +# semodule_package -o login_rublon.pp -m login_rublon.mod +# semodule -i login_rublon.pp +#fi grep -qe 'auth required pam_rublon.so' $SSHD_PAM_CONF || sed -i '$aauth required pam_rublon.so' $SSHD_PAM_CONF grep -qe 'account required pam_rublon.so' $SSHD_PAM_CONF || sed -i '$aaccount required pam_rublon.so' $SSHD_PAM_CONF @@ -38,7 +44,7 @@ grep -qe 'account required pam_rublon.so' $SSHD_PAM_CONF || sed -i '$aaccount re if [[ $ID == "rhel" || $ID=="alma" || $ID=="rocky" ]] then systemctl restart sshd -elif then - deb-systemd-invoke restart sshd.service +else + deb-systemd-invoke restart ssh.service fi diff --git a/service/postinst_pubkey b/service/postinst_pubkey new file mode 100644 index 0000000..1acc74b --- /dev/null +++ b/service/postinst_pubkey 
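Review bot: The SELinux block is commented out rather than removed (with one line, `# checkmodule`, now indented differently from the rest), which leaves dead code in the maintainer script while `login_rublon.te` is still shipped under `share/rublon/service`. If the policy is no longer needed, delete the block and the `.te` file; if it is needed on RHEL-family hosts, the module is now never installed and whatever access the policy granted to `pam_rublon.so` is lost, which the commit message should state either way. Replacing `elif then` with `else` in the second hunk fixes the parse error, but the restart still happens without an `sshd -t` check of the drop-in written earlier in this script.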
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+SSHD_CONF=/etc/ssh/sshd_config
+SSHD_PAM_CONF=/etc/pam.d/sshd
+RUBLON_CONFIG=/etc/rublon.config
+RUBLON_SSH_CONFIG=/etc/ssh/sshd_config.d/01-rublon-ssh.conf
+
+if [ ! -f $RUBLON_CONFIG ]
+then
+ cp -a /usr/share/rublon/rublon.config.defaults $RUBLON_CONFIG
+ chown root:root $RUBLON_CONFIG
+ chmod 640 $RUBLON_CONFIG
+fi
+cp -a /usr/share/rublon/service/01-rublon-ssh_pubkey.conf.default $RUBLON_SSH_CONFIG
+chown root:root $RUBLON_SSH_CONFIG
+chmod 640 $RUBLON_SSH_CONFIG
+
+if [ -f /etc/os-release ]
+then
+ . /etc/os-release
+fi
+
+#if [[ $ID == "rhel" || $ID=="alma" || $ID=="rocky" ]]
+#then
+# cd /usr/share/rublon/service
+ # checkmodule -M -m -o login_rublon.mod login_rublon.te
+# semodule_package -o login_rublon.pp -m login_rublon.mod
+# semodule -i login_rublon.pp
+#fi
+
+grep -qe 'auth required pam_rublon.so' $SSHD_PAM_CONF || sed -i '$aauth required pam_rublon.so' $SSHD_PAM_CONF
+grep -qe 'account required pam_rublon.so' $SSHD_PAM_CONF || sed -i '$aaccount required pam_rublon.so' $SSHD_PAM_CONF
+grep -qe '@include common-auth' $SSHD_PAM_CONF || sed -i 's/@include common-auth/#@include common-auth/' $SSHD_PAM_CONF
+
+if [[ $ID == "rhel" || $ID=="alma" || $ID=="rocky" ]]
+then
+ systemctl restart sshd
+else
+ deb-systemd-invoke restart ssh.service
+fi
+
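Review bot: `grep -qe '@include common-auth' $SSHD_PAM_CONF || sed -i 's/@include common-auth/#@include common-auth/' $SSHD_PAM_CONF` has its logic inverted: the `sed` only runs when the pattern is absent (and then matches nothing), so the `common-auth` include is never commented out and password authentication stays in the PAM stack on Debian-based hosts; the intended form is `grep -qe '^@include common-auth' $SSHD_PAM_CONF && sed -i 's/^@include common-auth/#@include common-auth/' $SSHD_PAM_CONF`, anchored so an already-commented line is not matched again. How this script is invoked is not visible in the series (`pack.cmake` still lists only `postinst` and `postrm`), so presumably it is run by hand, yet it is a near-verbatim copy of `postinst` (same variables, same commented SELinux block, same always-true `$ID=="alma"` test) that will drift; a mode argument to `postinst` or a shared helper would keep one copy. It also overwrites `$RUBLON_SSH_CONFIG` with `cp -a` unconditionally and restarts sshd without an `sshd -t` check.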