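#!/bin/sh
# Enrol an openSUSE host as a SYSCID LDAP client: installs sssd, points the
# resolver at the SYSCID DNS servers, and replaces sssd.conf, nsswitch.conf
# and sshd_config with the SYSCID versions. The previous files are kept as
# *.orig / *_local. Must run as root; refuses to continue unless the SYSCID
# CA anchor is already installed (see deploy_syscid_ca.sh).
#
# Any failing command aborts the run so that a half-applied enrolment is not
# reported as "OK!"; unset variables are treated as errors as well.
set -eu

# Static resolvers written to /etc/sysconfig/network/config (space separated).
DNS_SERVERS="192.168.0.115 10.0.0.1"
# CA anchor that deploy_syscid_ca.sh installs; LDAPS to ldap.syscid.com
# will not verify without it.
CA_ANCHOR=/etc/pki/trust/anchors/syscid-ca.crt

# backup_file SRC DEST
# Move SRC to DEST when SRC exists. A freshly installed host may not ship
# every file we replace, and a missing original must not abort the run.
backup_file() {
    if [ -f "$1" ]; then
        mv "$1" "$2"
    fi
}

echo "You have 10 seconds to abort with Ctrl+C."
sleep 10

if [ "$(id -u)" != "0" ]; then
    echo "This script must be run with root privileges."
    exit 1
fi

# NAME= in os-release is a quoted string, so the quotes are part of the value.
DISTRIB=$(awk -F= '/^NAME=/{print $2}' /etc/os-release 2>/dev/null || true)
case "${DISTRIB}" in
    '"openSUSE Leap"'|'"openSUSE Tumbleweed"') ;;
    *)
        echo "Unsupported operating system."
        exit 1
        ;;
esac

if [ ! -f "${CA_ANCHOR}" ]; then
    echo "CA certificate not installed. Aborted. Consider 'deploy_syscid_ca.sh'."
    exit 1
fi

echo "OK, enrolling client ..."
zypper in --no-recommends -y sssd sssd-ldap sssd-tools

# The LDAP server name must resolve through the SYSCID resolvers.
sed -i "s/NETCONFIG_DNS_STATIC_SERVERS=.*/NETCONFIG_DNS_STATIC_SERVERS=\"${DNS_SERVERS}\"/g" /etc/sysconfig/network/config
netconfig update -f

backup_file /etc/sssd/sssd.conf /etc/sssd/sssd.conf.orig
cat <<'EOF' >/etc/sssd/sssd.conf
# SYSCID Directory and Authentication Service
# System Security Services Daemon configuration
# 12/08/2021 - georg@lysergic.dev
#
# WARNING - DEBUG LOGGING IS ENABLED
#
[sssd]
debug_level = 5
config_file_version = 2
services = nss, pam, ssh, sudo
domains = SYSCID
[nss]
debug_level = 5
homedir_substring = /home
[pam]
debug_level = 5
pam_pwd_expiration_warning = 1
pam_account_expired_message = Permission denied - Your SYSCID or LibertaCasa Account EXPIRED.
pam_account_locked_message = Permission denied - Your SYSCID or LibertaCasa Account is LOCKED.
[ssh]
[sudo]
[domain/SYSCID]
ignore_group_members = False
debug_level = 10
cache_credentials = False
id_provider = ldap
auth_provider = ldap
access_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307bis
ldap_search_base = dc=syscid,dc=com
ldap_uri = ldaps://ldap.syscid.com
ldap_access_filter = (memberOf=cn=syscid_shell_users,ou=syscid-groups,dc=syscid,dc=com)
ldap_user_member_of = memberof
ldap_user_gecos = cn
ldap_user_uuid = nsUniqueId
ldap_group_uuid = nsUniqueId
ldap_account_expire_policy = rhds
ldap_access_order = filter, expire, pwd_expire_policy_renew
ldap_user_ssh_public_key = sshPublicKey
sudo_provider = ldap
ldap_sudo_search_base = ou=SUDOers,ou=syscid-system,dc=syscid,dc=com
EOF
# sssd refuses to start when its config is readable by anyone but root.
chmod 600 /etc/sssd/sssd.conf

backup_file /etc/nsswitch.conf /etc/nsswitch.conf.orig
cat <<'EOF' >/etc/nsswitch.conf
# SYSCID Directory and Authentication Service
# Name Service Switch configuration
# 12/08/2021 - georg@lysergic.dev
#
passwd: sss files
group: sss files
shadow: sss compat
hosts: files dns
networks: files dns
aliases: files usrfiles
ethers: files usrfiles
gshadow: files usrfiles
netgroup: files nis
protocols: files usrfiles
publickey: files
rpc: files usrfiles
services: files usrfiles
automount: files nis
bootparams: files
netmasks: files
sudoers: sss
EOF

backup_file /etc/ssh/sshd_config /etc/ssh/sshd_config_local
cat <<'EOF' >/etc/ssh/sshd_config
# SYSCID Directory and Authentication Service
# OpenSSH Daemon configuration
# 12/08/2021 - georg@lysergic.dev
#
# WARNING - DEBUG LOGGING IS ENABLED
#
Port 28
Protocol 2
SyslogFacility AUTH
LogLevel VERBOSE
LoginGraceTime 1m
PermitRootLogin no
StrictModes yes
MaxAuthTries 5
MaxSessions 10
PubkeyAuthentication yes
AuthorizedKeysFile /etc/ssh/keys/%u
# Run the helper directly; the username must not be interpolated into a
# shell command string.
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys %u
AuthorizedKeysCommandUser nobody
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd yes
PrintLastLog yes
Banner /etc/ssh/sshd-banner
Subsystem sftp /usr/lib/ssh/sftp-server
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
EOF
# Validate the new sshd_config now rather than discovering a typo at the
# next sshd restart, when it would lock remote users out.
if command -v sshd >/dev/null 2>&1; then
    sshd -t
fi

pam-config -a --sss --mkhomedir
systemctl enable --now sssd.service
echo "OK!"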