kudos/ssh_controls
2
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

fix for DO_SLAVE, improved check_root_user() calls (VRF 1.5.2) [Patrick Van der Veken]

Browse Source
This commit is contained in:
patvdv 2015-12-13 15:07:40 +01:00
parent b1db0c5a9b
commit 49229f9d55
3 changed files with 30 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
manage_ssh.conf
View File

@ -32,7 +32,8 @@ LOCAL_DIR="/etc/ssh_master"
REMOTE_DIR="/etc/ssh_controls/holding"
# name of the user account performing the SSH controls update
# (leave blank for current user but user should have remote sudo root privs)
# (leave blank for current user running script)
# user should have remote sudo root privs (except when using user 'root')
SSH_UPDATE_USER=""
# options to pass to update_ssh.pl when executing a key update

23
manage_ssh.sh
View File

@ -61,6 +61,8 @@
# @(#) (VRF 1.5.0) [Patrick Van der Veken]
# @(#) 2015-10-09: simplified handling of SSH agent handling, obsoleted
# @(#) DO_SLAVE_SSH_AGENT option (VRF 1.5.1) [Patrick Van der Veken]
# @(#) 2015-12-13: fix for DO_SLAVE, improved check_root_user() calls
# @(#) (VRF 1.5.2) [Patrick Van der Veken]
# -----------------------------------------------------------------------------
# DO NOT CHANGE THIS FILE UNLESS YOU KNOW WHAT YOU ARE DOING!
#******************************************************************************
@ -74,7 +76,7 @@
# or LOCAL_CONFIG_FILE instead
# define the V.R.F (version/release/fix)
MY_VRF="1.5.1"
MY_VRF="1.5.2"
# name of the global configuration file (script)
GLOBAL_CONFIG_FILE="manage_ssh.conf"
# name of the local configuration file (script)
@ -91,6 +93,7 @@ HOST_NAME="$(hostname)"
KEYS_FILE=""
KEYS_DIR=""
TARGETS_FILE=""
DO_SLAVE=0
FIX_CREATE=0
CAN_DISCOVER_KEYS=0
CAN_START_AGENT=1
@ -1451,7 +1454,11 @@ log "runtime info: LOCAL_DIR is set to: ${LOCAL_DIR}"
case ${ARG_ACTION} in
1) # apply SUDO controls remotely
log "ACTION: apply SSH controls remotely"
# check for root or non-root model
if [[ "${SSH_UPDATE_USER}" != "root" ]]
then
check_root_user && die "must NOT be run as user 'root'"
fi
# start SSH agent (if needed)
if (( DO_SSH_AGENT && CAN_START_AGENT ))
then
@ -1507,7 +1514,11 @@ case ${ARG_ACTION} in
;;
2) # copy/distribute SSH controls
log "ACTION: copy/distribute SSH controls"
# check for root or non-root model
if [[ "${SSH_TRANSFER_USER}" != "root" ]]
then
check_root_user && die "must NOT be run as user 'root'"
fi
# start SSH agent (if needed)
if (( DO_SSH_AGENT && CAN_START_AGENT ))
then
@ -1562,7 +1573,11 @@ case ${ARG_ACTION} in
log "finished copying/distributing SSH controls"
;;
3) # create key fingerprints
# check for root or non-root model
if [[ "${SSH_UPDATE_USER}" != "root" ]]
then
check_root_user && die "must NOT be run as user 'root'"
fi
log "ACTION: create key fingerprints into ${LOCAL_DIR}/fingerprints"
> "${LOCAL_DIR}/fingerprints"
@ -1612,7 +1627,7 @@ case ${ARG_ACTION} in
fi
# check if the SSH control repo is already there
if [[ ${FIX_CREATE} = 1 && ! -d "${FIX_DIR}" ]]
if [[ ${FIX_CREATE} -eq 1 && ! -d "${FIX_DIR}" ]]
then
# create stub directories
mkdir -p "${FIX_DIR}/holding" 2>/dev/null || \
@ -1698,7 +1713,11 @@ case ${ARG_ACTION} in
;;
6) # fix remote directory structure/perms/ownerships
log "ACTION: fix remote SSH controls repository"
# check for root or non-root model
if [[ "${SSH_UPDATE_USER}" != "root" ]]
then
check_root_user && die "must NOT be run as user 'root'"
fi
# start SSH agent (if needed)
if (( DO_SSH_AGENT && CAN_START_AGENT ))
then

4
update_ssh.conf
View File

@ -13,10 +13,10 @@
use_fqdn=1
# target directory for allowed SSH key files
access_dir=/etc/kudos/ssh_controls/keys.d
access_dir=/etc/ssh_controls/keys.d
# location of the keys blacklist file
blacklist_file=/etc/kudos/ssh_controls/keys.blacklisted
blacklist_file=/etc/ssh_controls/keys.blacklisted
#******************************************************************************
# End of FILE