kudos/ssh_controls
2
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

fix for DO_SLAVE, improved check_root_user() calls (VRF 1.5.2) [Patrick Van der Veken]

Browse Source
This commit is contained in:
patvdv 2015-12-13 15:07:40 +01:00
parent b1db0c5a9b
commit 49229f9d55
3 changed files with 30 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
manage_ssh.conf
View File

@ -32,7 +32,8 @@ LOCAL_DIR="/etc/ssh_master"
REMOTE_DIR="/etc/ssh_controls/holding" REMOTE_DIR="/etc/ssh_controls/holding"
# name of the user account performing the SSH controls update # name of the user account performing the SSH controls update
# (leave blank for current user but user should have remote sudo root privs) # (leave blank for current user running script)
# user should have remote sudo root privs (except when using user 'root')
SSH_UPDATE_USER="" SSH_UPDATE_USER=""
# options to pass to update_ssh.pl when executing a key update # options to pass to update_ssh.pl when executing a key update

31
manage_ssh.sh
View File

@ -61,6 +61,8 @@
# @(#) (VRF 1.5.0) [Patrick Van der Veken] # @(#) (VRF 1.5.0) [Patrick Van der Veken]
# @(#) 2015-10-09: simplified handling of SSH agent handling, obsoleted # @(#) 2015-10-09: simplified handling of SSH agent handling, obsoleted
# @(#) DO_SLAVE_SSH_AGENT option (VRF 1.5.1) [Patrick Van der Veken] # @(#) DO_SLAVE_SSH_AGENT option (VRF 1.5.1) [Patrick Van der Veken]
# @(#) 2015-12-13: fix for DO_SLAVE, improved check_root_user() calls
# @(#) (VRF 1.5.2) [Patrick Van der Veken]
# ----------------------------------------------------------------------------- # -----------------------------------------------------------------------------
# DO NOT CHANGE THIS FILE UNLESS YOU KNOW WHAT YOU ARE DOING! # DO NOT CHANGE THIS FILE UNLESS YOU KNOW WHAT YOU ARE DOING!
#****************************************************************************** #******************************************************************************
@ -74,7 +76,7 @@
# or LOCAL_CONFIG_FILE instead # or LOCAL_CONFIG_FILE instead
# define the V.R.F (version/release/fix) # define the V.R.F (version/release/fix)
MY_VRF="1.5.1" MY_VRF="1.5.2"
# name of the global configuration file (script) # name of the global configuration file (script)
GLOBAL_CONFIG_FILE="manage_ssh.conf" GLOBAL_CONFIG_FILE="manage_ssh.conf"
# name of the local configuration file (script) # name of the local configuration file (script)
@ -91,6 +93,7 @@ HOST_NAME="$(hostname)"
KEYS_FILE="" KEYS_FILE=""
KEYS_DIR="" KEYS_DIR=""
TARGETS_FILE="" TARGETS_FILE=""
DO_SLAVE=0
FIX_CREATE=0 FIX_CREATE=0
CAN_DISCOVER_KEYS=0 CAN_DISCOVER_KEYS=0
CAN_START_AGENT=1 CAN_START_AGENT=1
@ -1451,7 +1454,11 @@ log "runtime info: LOCAL_DIR is set to: ${LOCAL_DIR}"
case ${ARG_ACTION} in case ${ARG_ACTION} in
1) # apply SUDO controls remotely 1) # apply SUDO controls remotely
log "ACTION: apply SSH controls remotely" log "ACTION: apply SSH controls remotely"
check_root_user && die "must NOT be run as user 'root'" # check for root or non-root model
if [[ "${SSH_UPDATE_USER}" != "root" ]]
then
check_root_user && die "must NOT be run as user 'root'"
fi
# start SSH agent (if needed) # start SSH agent (if needed)
if (( DO_SSH_AGENT && CAN_START_AGENT )) if (( DO_SSH_AGENT && CAN_START_AGENT ))
then then
@ -1507,7 +1514,11 @@ case ${ARG_ACTION} in
;; ;;
2) # copy/distribute SSH controls 2) # copy/distribute SSH controls
log "ACTION: copy/distribute SSH controls" log "ACTION: copy/distribute SSH controls"
check_root_user && die "must NOT be run as user 'root'" # check for root or non-root model
if [[ "${SSH_TRANSFER_USER}" != "root" ]]
then
check_root_user && die "must NOT be run as user 'root'"
fi
# start SSH agent (if needed) # start SSH agent (if needed)
if (( DO_SSH_AGENT && CAN_START_AGENT )) if (( DO_SSH_AGENT && CAN_START_AGENT ))
then then
@ -1562,7 +1573,11 @@ case ${ARG_ACTION} in
log "finished copying/distributing SSH controls" log "finished copying/distributing SSH controls"
;; ;;
3) # create key fingerprints 3) # create key fingerprints
check_root_user && die "must NOT be run as user 'root'" # check for root or non-root model
if [[ "${SSH_UPDATE_USER}" != "root" ]]
then
check_root_user && die "must NOT be run as user 'root'"
fi
log "ACTION: create key fingerprints into ${LOCAL_DIR}/fingerprints" log "ACTION: create key fingerprints into ${LOCAL_DIR}/fingerprints"
> "${LOCAL_DIR}/fingerprints" > "${LOCAL_DIR}/fingerprints"
@ -1612,7 +1627,7 @@ case ${ARG_ACTION} in
fi fi
# check if the SSH control repo is already there # check if the SSH control repo is already there
if [[ ${FIX_CREATE} = 1 && ! -d "${FIX_DIR}" ]] if [[ ${FIX_CREATE} -eq 1 && ! -d "${FIX_DIR}" ]]
then then
# create stub directories # create stub directories
mkdir -p "${FIX_DIR}/holding" 2>/dev/null || \ mkdir -p "${FIX_DIR}/holding" 2>/dev/null || \
@ -1698,7 +1713,11 @@ case ${ARG_ACTION} in
;; ;;
6) # fix remote directory structure/perms/ownerships 6) # fix remote directory structure/perms/ownerships
log "ACTION: fix remote SSH controls repository" log "ACTION: fix remote SSH controls repository"
check_root_user && die "must NOT be run as user 'root'" # check for root or non-root model
if [[ "${SSH_UPDATE_USER}" != "root" ]]
then
check_root_user && die "must NOT be run as user 'root'"
fi
# start SSH agent (if needed) # start SSH agent (if needed)
if (( DO_SSH_AGENT && CAN_START_AGENT )) if (( DO_SSH_AGENT && CAN_START_AGENT ))
then then

6
update_ssh.conf
View File

@ -13,11 +13,11 @@
use_fqdn=1 use_fqdn=1
# target directory for allowed SSH key files # target directory for allowed SSH key files
access_dir=/etc/kudos/ssh_controls/keys.d access_dir=/etc/ssh_controls/keys.d
# location of the keys blacklist file # location of the keys blacklist file
blacklist_file=/etc/kudos/ssh_controls/keys.blacklisted blacklist_file=/etc/ssh_controls/keys.blacklisted
#****************************************************************************** #******************************************************************************
# End of FILE # End of FILE
#****************************************************************************** #******************************************************************************