author | Simon Rettberg | 2016-04-25 11:42:14 +0200 |
---|---|---|
committer | Simon Rettberg | 2016-04-25 11:42:14 +0200 |
commit | 9fe0323d0defaf4dbe1e118a282b331dc8a4d7c2 (patch) | |
tree | e470bbda16369322876d207d2c31e7a2c2a12239 | |
parent | [kernel-vanilla] 4.4.8 (diff) | |
[pam-bwidm] minor cleanup
3 files changed, 33 insertions, 46 deletions
diff --git a/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm b/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm
index 869e92a9..179d61d8 100755
--- a/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm
+++ b/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm
@@ -8,13 +8,16 @@
 # fix PATH as PAM clears it
 export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/sbin:/opt/openslx/bin"
-if ! busybox which curl; then
- echo "'curl' missing. This script won't work without it."
+if ! busybox which curl || ! busybox which mktemp; then
+ echo "'curl/mktemp' missing. This script won't work without it."
 exit 1
 fi
 # redirect stdout/stderr to temporary logfile
 readonly LOGFILE="$(mktemp)"
+# URL to query masterserver for IDPs
+readonly IDP_QUERY_URL="https://bwlp-masterserver.ruf.uni-freiburg.de/webif/pam.php"
+readonly IDP_QUERY_CACHE="/run/openslx/bwlp-idp"
 # everything in a subshell in an effort to hide sensitive information
 # from this script's environment
@@ -27,8 +30,9 @@ exec > "${LOGFILE}" 2>&1
 [ -z "${SLX_BWIDM_AUTH}" -o "x${SLX_BWIDM_AUTH}" != "xyes" ] && echo "bwIDM login disabled in openslx-config." && exit 1
 # grab the password from stdin asap, since there is no garantee some tool just reads it
+unset USER_PASSWORD
 if [ "x$PAM_TYPE" == "xauth" ]; then
- read USER_PASSWORD
+ read -r USER_PASSWORD > /dev/null 2>&1
 readonly USER_PASSWORD
 [ -z "$USER_PASSWORD" ] && echo "No password given." && exit 1
 fi
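Review bot: In the second hunk, `read -r USER_PASSWORD` still lets the shell strip leading and trailing IFS whitespace, so a password that begins or ends with a space or tab reaches the IdP altered and fails with a spurious 401; write `IFS= read -r USER_PASSWORD` instead. The `> /dev/null 2>&1` on that same line is dead weight: read produces no output, and the hunk's `@@` context shows stdout and stderr are already redirected to `${LOGFILE}`. The subshell these lines run in starts and ends outside this hunk.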
@@ -43,14 +47,12 @@ fi
 # valid username, we can already split it here
 readonly USER_USERNAME="${PAM_USER%@*}"
 readonly USER_ORGANISATION="${PAM_USER#*@}"
-[ -z "$USER_ORGANISATION" ] && echo "Could not parse organisation from given username: ${PAM_USER}. Aborting." && exit 1
+[ -z "$USER_ORGANISATION" ] && echo "Could not parse organisation from given login: ${PAM_USER}. Aborting." && exit 1
+[ -z "$USER_USERNAME" ] && echo "Could not parse user from given login: ${PAM_USER}. Aborting." && exit 1
 # The given username is valid. Now we get the list of IdPs from the bwlp masterserver
 # and try to find the user's organisation
-# URL to query masterserver for IDPs
-readonly IDP_QUERY_URL="https://bwlp-masterserver.ruf.uni-freiburg.de/webif/pam.php"
-readonly IDP_QUERY_CACHE="/run/openslx/bwlp-idp"
 mkdir -p /run/openslx
 # check if we have a (non-zero bytes) cached copy of the list
@@ -58,12 +60,11 @@ if [ ! -s "${IDP_QUERY_CACHE}" ]; then
 idpret="$(curl -w "%{http_code}" -k -o "${IDP_QUERY_CACHE}" --connect-timeout 5 --max-time 15 "$IDP_QUERY_URL")"
 if [ "x$idpret" != "x200" ]; then
 echo "Could not download the list of identity providers from '$IDP_QUERY_URL'. Aborting."
- rm -f "$IDP_QUERY_CACHE"
+ rm -f -- "$IDP_QUERY_CACHE"
 exit 7
 fi
 fi
 # here we have the cache for sure, search for the given organisation's ECP URL
-USER_ECP_URL=""
 USER_ECP_URL="$(awk -v idp="${USER_ORGANISATION}" -F '=' '{if($1==idp) print $2}' < "$IDP_QUERY_CACHE")"
 [ -z "$USER_ECP_URL" ] && echo "Could not determine ECP URL for '${USER_ORGANISATION}'" && exit 1
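Review bot: The IdP list fetched in the second hunk is what maps an organisation to the ECP URL that later receives the user's password, yet it is downloaded with `-k` (no certificate verification) and written straight to `${IDP_QUERY_CACHE}`; an on-path attacker can thus substitute a list that points every login at a host of their choosing, and the result is cached until `/run` is cleared. A second, smaller issue is that curl writes into the cache path directly, so a concurrent login can pass the `-s` check in the `@@` context on a partially written file. Dropping `-k` (shipping the CA with `--cacert` if the image's trust store lacks it) and downloading to a temp file that is renamed into place only on 200 addresses both; the outer `if` opened in the `@@` context is unchanged.

```shell
# Fetch into a private temp file and rename it into place only on HTTP 200, so a
# concurrent login never reads a partial list, and verify the server certificate:
# this list decides which host receives every user's password.
idptmp="$(mktemp /run/openslx/bwlp-idp.XXXXXX)" || exit 7
idpret="$(curl -w "%{http_code}" -o "${idptmp}" --connect-timeout 5 --max-time 15 "$IDP_QUERY_URL")"
if [ "x$idpret" != "x200" ] || [ ! -s "${idptmp}" ]; then
	echo "Could not download the list of identity providers from '$IDP_QUERY_URL'. Aborting."
	rm -f -- "${idptmp}"
	exit 7
fi
mv -f -- "${idptmp}" "${IDP_QUERY_CACHE}"
# … unchanged: closing fi and ECP URL lookup …
```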
@@ -76,11 +77,11 @@ USER_ECP_URL="$(awk -v idp="${USER_ORGANISATION}" -F '=' '{if($1==idp) print $2}
 BWIDM_GROUP="$(getent group bwidm)"
 if [ -z "$BWIDM_GROUP" ]; then
 BWIDM_GID=1000
- while [ $BWIDM_GID -gt 100 ]; do
- getent group $BWIDM_GID || break
+ while [ "$BWIDM_GID" -gt 100 ]; do
+ getent group "$BWIDM_GID" || break
 let BWIDM_GID--
 done
- if [ $BWIDM_GID -eq 100 ]; then
+ if [ "$BWIDM_GID" -eq 100 ]; then
 # use demo's gid as a fallback
 readonly BWIDM_GID="$(id -g "demo")"
 [ -z "$BWIDM_GID" ] && echo "Could not determine the GID of 'demo'. Cannot use it as fallback. Aborting." && exit 1
@@ -100,16 +101,16 @@ if [ -z "$BWIDM_GID" ]; then
 fi
 readonly USER_GID="$BWIDM_GID"
-# path to the SOAP enveloppe we are gonna need soon
-readonly SOAP_ENVELOPPE="/opt/openslx/bwidm_soap.xml"
-[ ! -f "${SOAP_ENVELOPPE}" ] && echo "Failed to find the SOAP enveloppe at '${SOAP_ENVELOPPE}'. Aborting." && exit 1
+# path to the SOAP envelope we are gonna need soon
+readonly SOAP_ENVELOPE="/opt/openslx/bwidm_soap.xml"
+[ ! -f "${SOAP_ENVELOPE}" ] && echo "Failed to find the SOAP envelope at '${SOAP_ENVELOPE}'. Aborting." && exit 1
 # now the pam-type specific part starts
 if [ "x$PAM_TYPE" == "xauth" ]; then
 # now we are ready to actually send the credentials to the IdP
 # to be sure everything is working as expected
 # we will first send a wrong password (by repeating the given password) and expect a 401
- ret=$(curl --connect-timeout 5 --max-time 15 -o /dev/null -w "%{http_code}" -k -d @"${SOAP_ENVELOPPE}" -H "Content-Type: application/vnd.paos+xml" --basic -u "${USER_USERNAME}:${USER_PASSWORD}${USER_PASSWORD}" "$USER_ECP_URL")
+ ret=$(curl --connect-timeout 5 --max-time 15 -o /dev/null -w "%{http_code}" -k -d @"${SOAP_ENVELOPE}" -H "Content-Type: application/vnd.paos+xml" --basic -u "${USER_USERNAME}:${USER_PASSWORD}${USER_PASSWORD}" "$USER_ECP_URL")
 if [ "x$ret" != "x401" ]; then
 # this means something else is bad, just exit
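Review bot: The renamed `curl` call at the end of the second hunk still passes the user's password on the command line via `-u "${USER_USERNAME}:${USER_PASSWORD}${USER_PASSWORD}"`, so for the duration of the request any local process can read it from `/proc/<pid>/cmdline` — which defeats the subshell the script uses "to hide sensitive information". The same call also uses `-k`, so the credentials go to whatever host answers for the ECP URL without certificate verification; if the IdP certificates are not in the image's trust store, ship the CA via `--cacert` rather than disabling verification. A small helper that feeds the credentials to curl through a config on stdin fixes the argv exposure and can serve both this probe call and the real login call that follows outside this hunk; the enclosing `if [ "x$PAM_TYPE" == "xauth" ]` block also continues past the hunk.

```shell
# Hand the credentials to curl through a config on stdin rather than
# "-u user:pass" on argv, which any local process can read from
# /proc/<pid>/cmdline for the lifetime of the request. curl's quoted config
# values understand \" and \\ escapes, so escape both in user and password.
ecp_auth() {
	local user="$1" pass="$2"
	user="${user//\\/\\\\}"; user="${user//\"/\\\"}"
	pass="${pass//\\/\\\\}"; pass="${pass//\"/\\\"}"
	printf 'user = "%s:%s"\n' "$user" "$pass" \
		| curl -K - --connect-timeout 5 --max-time 15 -o /dev/null -w "%{http_code}" \
			-d @"${SOAP_ENVELOPE}" -H "Content-Type: application/vnd.paos+xml" --basic "$USER_ECP_URL"
}
# probe with a deliberately wrong password first, as before; expect 401
ret=$(ecp_auth "${USER_USERNAME}" "${USER_PASSWORD}${USER_PASSWORD}")
# … unchanged: 401 check …
```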
@@ -117,28 +118,28 @@ if [ "x$PAM_TYPE" == "xauth" ]; then
 exit 7
 fi
 # the fake auth call behaved as expected, do the actualy login
- ret=$(curl --connect-timeout 5 --max-time 15 -o /dev/null -w "%{http_code}" -k -d @"${SOAP_ENVELOPPE}" -H "Content-Type: application/vnd.paos+xml" --basic -u "${USER_USERNAME}:${USER_PASSWORD}" "$USER_ECP_URL")
+ ret=$(curl --connect-timeout 5 --max-time 15 -o /dev/null -w "%{http_code}" -k -d @"${SOAP_ENVELOPE}" -H "Content-Type: application/vnd.paos+xml" --basic -u "${USER_USERNAME}:${USER_PASSWORD}" "$USER_ECP_URL")
 if [ "x$ret" == "x200" ]; then
 # auth succeeded, lets create a local user representing the bwIDM user
 echo "Login for '$USER_USERNAME' on '$USER_ORGANISATION' succeeded."
 # create a random 6digit UID
 LOOPS=0
- while [ $LOOPS -lt 5 ]; do
+ while [ "$LOOPS" -lt 5 ]; do
 USER_UID="$(( 100000 + $RANDOM ))"
- # check existance of this UID, if its free, use it
+ # check existence of this UID, if its free, use it
 getent passwd "$USER_UID" || break
 let LOOPS++
 done
- if [ $LOOPS -eq 5 ]; then
+ if [ "$LOOPS" -eq 5 ]; then
 # could not find an empty random 6-digit UID, so we will use demo's UID...
 USER_UID="$(id -u demo)"
 [ -z "$USER_UID" ] && echo "Could not use UID of 'demo' as a fallback, aborting..." && exit 1
 fi
 # we have a uid, gid, lets just create the local user now
- if ! grep -q "$USER_USERNAME@$USER_ORGANISATION" /etc/passwd; then
- echo "$USER_USERNAME@$USER_ORGANISATION:x:${USER_UID}:${USER_GID}:$USER_USERNAME@$USER_ORGANISATION:/home/${USER_USERNAME}@${USER_ORGANISATION}:/bin/bash" >> /etc/passwd
+ if ! grep -q "^${PAM_USER}:" /etc/passwd; then
+ echo "${PAM_USER}:x:${USER_UID}:${USER_GID}:${PAM_USER}:/home/${PAM_USER}:/bin/bash" >> /etc/passwd
 fi
 exit 0
 elif [ "x$ret" != "x401" ]; then
@@ -169,4 +170,4 @@ if [ "x$mainret" == "x7" ]; then
 ( sleep 1; rm -f -- "${LOGFILE}" ) &
 exit 1
 fi
-exit $mainret
+exit "${mainret}"
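Review bot: The new `grep -q "^${PAM_USER}:"` / `echo … >> /etc/passwd` pair in the first hunk builds a passwd record from `PAM_USER`, which is supplied by the client, without ever constraining its characters: a `:` or newline in the login name lands unescaped in the record, and the grep check treats the name as a regular expression rather than an exact field match. The IdP would have to accept such a name for this to be reachable, so the practical risk is limited, but the script should not rely on that; a charset check (best placed next to the `USER_USERNAME`/`USER_ORGANISATION` split earlier in the file) plus an exact field-1 match closes it. Note also that the check-then-append is not atomic, so two simultaneous first logins of the same user can produce two entries with different random UIDs — hedged, since whether logins can overlap here depends on the PAM caller; an `flock` around the block would settle it. The `if [ "x$ret" == "x200" ]` chain continues past the end of this hunk.

```shell
# Reject login names that could break the passwd record or the match below;
# PAM_USER is client-supplied. (Better placed next to the USER_USERNAME split.)
case "${PAM_USER}" in
	''|*[!A-Za-z0-9@._-]*) echo "Invalid characters in login: ${PAM_USER}. Aborting." && exit 1 ;;
esac
# … unchanged: random UID selection …
# exact match on the login field instead of treating PAM_USER as a regex
if ! awk -F: -v u="${PAM_USER}" '$1 == u { found = 1 } END { exit !found }' /etc/passwd; then
	echo "${PAM_USER}:x:${USER_UID}:${USER_GID}:${PAM_USER}:/home/${PAM_USER}:/bin/bash" >> /etc/passwd
fi
```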
diff --git a/server/modules/pam-bwidm-freiburg/etc/pam.d/common-account b/server/modules/pam-bwidm-freiburg/etc/pam.d/common-account
index da270620..d8c9be5e 100644
--- a/server/modules/pam-bwidm-freiburg/etc/pam.d/common-account
+++ b/server/modules/pam-bwidm-freiburg/etc/pam.d/common-account
@@ -6,22 +6,14 @@
 # the central access policy for use on the system. The default is to
 # only deny service to users whose accounts are expired in /etc/shadow.
 #
-# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
-# To take advantage of this, it is recommended that you configure any
-# local modules either before or after the default block, and use
-# pam-auth-update to manage selection of other modules. See
-# pam-auth-update(8) for details.
-#
 # here are the per-package modules (the "Primary" block)
-account [success=3 new_authtok_reqd=done default=ignore] pam_exec.so quiet debug /opt/openslx/scripts/pam_bwidm
-account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so use_first_pass
-account [success=1 new_authtok_reqd=done default=ignore] pam_sss.so use_first_pass
+account [success=3 new_authtok_reqd=done default=ignore] pam_unix.so
+account [success=2 new_authtok_reqd=done default=ignore] pam_exec.so quiet /opt/openslx/scripts/pam_bwidm
+account [success=1 new_authtok_reqd=done default=ignore] pam_sss.so
 # here's the fallback if no module succeeds
 account requisite pam_deny.so
 # prime the stack with a positive return value if there isn't one already;
 # this avoids us returning an error just because nothing sets a success code
 # since the modules above will each just jump around
 account required pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-# end of pam-auth-update config
diff --git a/server/modules/pam-bwidm-freiburg/etc/pam.d/common-auth b/server/modules/pam-bwidm-freiburg/etc/pam.d/common-auth
index dc10df3b..66185b71 100644
--- a/server/modules/pam-bwidm-freiburg/etc/pam.d/common-auth
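Review bot: Moving `pam_unix.so` ahead of `pam_exec.so` in the account stack changes who decides for returning bwIDM users: the auth-phase script appends a `…:x:…` line for them to `/etc/passwd`, so on their next login the account check is now pam_unix's first, and if it succeeds its `success=3` jumps straight to `pam_permit`, bypassing whatever the script does for `PAM_TYPE=account`. Whether pam_unix accepts such an entry without a shadow record I cannot confirm from here, so this may be harmless, but the commit message ("minor cleanup") does not say it is intended. A one-line comment above the block would stop the next reader from guessing: `# pam_unix first: a user already present in /etc/passwd (incl. bwIDM users created at auth time) is accepted without re-running the bwIDM script`.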
+++ b/server/modules/pam-bwidm-freiburg/etc/pam.d/common-auth
@@ -7,23 +7,17 @@
 # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
 # traditional Unix authentication mechanisms.
 #
-# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
-# To take advantage of this, it is recommended that you configure any
-# local modules either before or after the default block, and use
-# pam-auth-update to manage selection of other modules. See
-# pam-auth-update(8) for details.
 # here are the per-package modules (the "Primary" block)
-auth [success=4 default=ignore] pam_exec.so quiet debug expose_authtok /opt/openslx/scripts/pam_bwidm
-auth [success=ok default=ignore] pam_krb5.so minimum_uid=1000 try_first_pass
-auth [success=2 default=ignore] pam_unix.so try_first_pass
-auth [success=1 default=ignore] pam_sss.so use_first_pass
+auth [success=6 default=ignore] pam_unix.so try_first_pass nodelay
+auth [success=4 default=ignore] pam_exec.so quiet expose_authtok /opt/openslx/scripts/pam_bwidm
+auth optional pam_krb5.so minimum_uid=1000 use_first_pass
+auth [success=2 default=ignore] pam_sss.so use_first_pass
 # here's the fallback if no module succeeds
+auth optional pam_faildelay.so delay=2123123
 auth requisite pam_deny.so
-auth optional pam_script.so expose=1
+auth optional pam_script.so expose=1
 # prime the stack with a positive return value if there isn't one already;
 # this avoids us returning an error just because nothing sets a success code
 # since the modules above will each just jump around
 auth required pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-# end of pam-auth-update config
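Review bot: The new jump counts are not symmetric: `pam_unix.so` with `success=6` skips pam_exec, pam_krb5, pam_sss, pam_faildelay, pam_deny and `pam_script.so` and lands on `pam_permit`, while `pam_exec.so` (`success=4`) and `pam_sss.so` (`success=2`) both land on `pam_script.so expose=1` and run it. In the removed stack every success path reached pam_script, so local-password logins now silently lose whatever pam_script does; if that is deliberate, say so, otherwise `success=5` restores the old behaviour. Since the counts must be recomputed whenever a line is inserted (as `pam_faildelay` was here), a comment per jump such as `# success=6: skip to pam_permit (pam_script is NOT run for local logins)` and `# success=4: skip krb5/sss/faildelay/deny, then pam_script` would make the next edit safer. Also worth a note that `pam_exec.so expose_authtok` runs for every user who fails pam_unix, so non-local users' passwords are sent to the bwIDM script before `pam_sss` sees them.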