added SSH host keys discovery, re-assigned '-d' command-line option to this function, 2 new parameters in manage_sudo.conf (VRF 1.4.0) [Patrick Van der Veken]

This commit is contained in:
patvdv 2015-09-27 17:53:53 +02:00
parent 194c2cf5b4
commit 33f2c00db0
2 changed files with 91 additions and 8 deletions


@ -41,6 +41,13 @@ SUDO_UPDATE_OPTS="--verbose"
# path to the visudo tool # path to the visudo tool
VISUDO_BIN="/usr/sbin/visudo" VISUDO_BIN="/usr/sbin/visudo"
# path to the ssh-keyscan too
SSH_KEYSCAN_BIN="/usr/bin/ssh-keyscan"
# extra arguments/options for the ssh-keyscan command
# by default -f <file> is used by manage_sudo.sh to supply hostnames, do not add here
SSH_KEYSCAN_ARGS="-t rsa"
# maximum number of background process to spawn (~maxuprc, ~nstrpty etc) # maximum number of background process to spawn (~maxuprc, ~nstrpty etc)
MAX_BACKGROUND_PROCS=30 MAX_BACKGROUND_PROCS=30
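Review bot: `SSH_KEYSCAN_ARGS="-t rsa"` silently restricts discovery to RSA host keys, so a target that only publishes ed25519 or ecdsa keys yields no output and no error; the comment above it should say so, and an operator may prefer `SSH_KEYSCAN_ARGS="-t rsa,ecdsa,ed25519"`. Keys collected by ssh-keyscan come over an unauthenticated connection, so the same comment should warn that the output must be checked against the target's own fingerprint (e.g. `ssh-keygen -lf` on the host) before it is installed into a known_hosts file. The comment on the new SSH_KEYSCAN_BIN line reads `# path to the ssh-keyscan too` where "tool" is meant. The hunk header announces 13 new lines but fewer are visible here, so part of this section may be missing from the view.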


@ -52,6 +52,8 @@
# @(#) 2015-09-15: small fix in wait_for_children() (VRF 1.3.2) [Patrick Van der Veken] # @(#) 2015-09-15: small fix in wait_for_children() (VRF 1.3.2) [Patrick Van der Veken]
# @(#) 2015-09-23: added $GLOBAL_CONFIG_FILE to fix ownership/permissions routine # @(#) 2015-09-23: added $GLOBAL_CONFIG_FILE to fix ownership/permissions routine
# @(#) (VRF 1.3.3) [Patrick Van der Veken] # @(#) (VRF 1.3.3) [Patrick Van der Veken]
# @(#) 2015-09-27: added SSH host keys discovery, re-assigned '-d' command-line
# @(#) option to this function (VRF 1.4.0) [Patrick Van der Veken]
# ----------------------------------------------------------------------------- # -----------------------------------------------------------------------------
# DO NOT CHANGE THIS FILE UNLESS YOU KNOW WHAT YOU ARE DOING! # DO NOT CHANGE THIS FILE UNLESS YOU KNOW WHAT YOU ARE DOING!
#****************************************************************************** #******************************************************************************
@ -65,7 +67,7 @@
# or LOCAL_CONFIG_FILE instead # or LOCAL_CONFIG_FILE instead
# define the V.R.F (version/release/fix) # define the V.R.F (version/release/fix)
MY_VRF="1.3.3" MY_VRF="1.4.0"
# name of the global configuration file (script) # name of the global configuration file (script)
GLOBAL_CONFIG_FILE="manage_sudo.conf" GLOBAL_CONFIG_FILE="manage_sudo.conf"
# name of the local configuration file (script) # name of the local configuration file (script)
@ -83,6 +85,7 @@ FRAGS_DIR=""
TARGETS_FILE="" TARGETS_FILE=""
FIX_CREATE=0 FIX_CREATE=0
CAN_CHECK_SYNTAX=1 CAN_CHECK_SYNTAX=1
CAN_DISCOVER_KEYS=1
CAN_REMOVE_TEMP=1 CAN_REMOVE_TEMP=1
TMP_FILE="${TMP_DIR}/.${SCRIPT_NAME}.$$" TMP_FILE="${TMP_DIR}/.${SCRIPT_NAME}.$$"
TMP_RC_FILE="${TMP_DIR}/.${SCRIPT_NAME}.rc.$$" TMP_RC_FILE="${TMP_DIR}/.${SCRIPT_NAME}.rc.$$"
@ -149,6 +152,12 @@ then
print -u2 "ERROR: no value for the VISUDO_BIN setting in the configuration file" print -u2 "ERROR: no value for the VISUDO_BIN setting in the configuration file"
exit 1 exit 1
fi fi
# SSH_KEYSCAN_BIN
if [[ -z "${SSH_KEYSCAN_BIN}" ]]
then
print -u2 "ERROR: no value for the SSH_KEYSCAN_BIN setting in the configuration file"
exit 1
fi
# MAX_BACKGROUND_PROCS # MAX_BACKGROUND_PROCS
if [[ -z "${MAX_BACKGROUND_PROCS}" ]] if [[ -z "${MAX_BACKGROUND_PROCS}" ]]
then then
@ -197,7 +206,7 @@ return 0
function check_params function check_params
{ {
# -- ALL # -- ALL
if (( ARG_ACTION < 1 || ARG_ACTION > 9 )) if (( ARG_ACTION < 1 || ARG_ACTION > 10 ))
then then
display_usage display_usage
exit 0 exit 0
@ -286,7 +295,7 @@ do
fi fi
done done
# check for basic SUDO control file(s): targets, /var/tmp/targets.$USER (or $TMP_FILE) # check for basic SUDO control file(s): targets, /var/tmp/targets.$USER (or $TMP_FILE)
if (( ARG_ACTION == 1 || ARG_ACTION == 2 || ARG_ACTION == 6 )) if (( ARG_ACTION == 1 || ARG_ACTION == 2 || ARG_ACTION == 6 || ARG_ACTION == 10 ))
then then
if [[ -z "${ARG_TARGETS}" ]] if [[ -z "${ARG_TARGETS}" ]]
then then
@ -348,6 +357,12 @@ then
print -u2 "WARN: 'visudo' tool not found, syntax checking is not available" print -u2 "WARN: 'visudo' tool not found, syntax checking is not available"
CAN_CHECK_SYNTAX=0 CAN_CHECK_SYNTAX=0
fi fi
# check if 'ssh-keyscan' exists
if [[ ! -x "${SSH_KEYSCAN_BIN}" ]]
then
print -u2 "WARN: 'ssh-keyscan' tool not found, host key discovery is not possible"
CAN_DISCOVER_KEYS=0
fi
return 0 return 0
} }
@ -451,9 +466,10 @@ remote, validate SUDO syntax or copy/distribute the SUDO controls files
Syntax: ${SCRIPT_DIR}/${SCRIPT_NAME} [--help] | (--backup | --check-syntax | --check-sudo | --preview-global | --update) | Syntax: ${SCRIPT_DIR}/${SCRIPT_NAME} [--help] | (--backup | --check-syntax | --check-sudo | --preview-global | --update) |
(--apply [--remote-dir=<remote_directory>] [--targets=<host1>,<host2>,...]) | (--apply [--remote-dir=<remote_directory>] [--targets=<host1>,<host2>,...]) |
((--copy|--distribute) [--remote-dir=<remote_directory> [--targets=<host1>,<host2>,...]]) | ((--copy|--distribute) [--remote-dir=<remote_directory> [--targets=<host1>,<host2>,...]]) |
([--fix-local --fix-dir=<repository_dir> [--create-dir]] | [--fix-remote [--create-dir] [--targets=<host1>,<host2>,...]]) (--discover [--targets=<host1>,<host2>,...]) |
[--preview-global] [--local-dir=<local_directory>] ([--fix-local --fix-dir=<repository_dir> [--create-dir]] | [--fix-remote [--create-dir] [--targets=<host1>,<host2>,...]])
[--no-log] [--log-dir=<log_directory>] [--debug] [--preview-global] [--local-dir=<local_directory>]
[--no-log] [--log-dir=<log_directory>] [--debug]
Parameters: Parameters:
@ -466,7 +482,8 @@ Parameters:
--create-dir : also create missing directories when fixing the SUDO controls --create-dir : also create missing directories when fixing the SUDO controls
repository (see also --fix-local/--fix-remote) repository (see also --fix-local/--fix-remote)
--debug : print extra status messages on STDERR --debug : print extra status messages on STDERR
--distribute|-d : same as --copy --discover|-d : discover SSH host keys (STDOUT)
--distribute : same as --copy
--fix-dir : location of the local SUDO controls client repository --fix-dir : location of the local SUDO controls client repository
--fix-local : fix permissions on the local SUDO controls repository --fix-local : fix permissions on the local SUDO controls repository
(local SUDO controls repository given by --fix-dir) (local SUDO controls repository given by --fix-dir)
@ -1012,39 +1029,89 @@ for PARAMETER in ${CMD_LINE}
do do
case ${PARAMETER} in case ${PARAMETER} in
-a|-apply|--apply) -a|-apply|--apply)
(( ARG_ACTION )) && {
print -u2 "ERROR: multiple actions specified"
exit 1
}
ARG_ACTION=1 ARG_ACTION=1
;; ;;
-b|-backup|--backup) -b|-backup|--backup)
(( ARG_ACTION )) && {
print -u2 "ERROR: multiple actions specified"
exit 1
}
ARG_ACTION=9 ARG_ACTION=9
;; ;;
-c|-copy|--copy) -c|-copy|--copy)
(( ARG_ACTION )) && {
print -u2 "ERROR: multiple actions specified"
exit 1
}
ARG_ACTION=2 ARG_ACTION=2
;; ;;
-debug|--debug) -debug|--debug)
ARG_DEBUG=1 ARG_DEBUG=1
;; ;;
-d|-distribute|--distribute) -distribute|--distribute)
(( ARG_ACTION )) && {
print -u2 "ERROR: multiple actions specified"
exit 1
}
ARG_ACTION=2 ARG_ACTION=2
;; ;;
-d|-discover|--discover)
(( ARG_ACTION )) && {
print -u2 "ERROR: multiple actions specified"
exit 1
}
ARG_ACTION=10
ARG_LOG=0
ARG_VERBOSE=0
CAN_DISCOVER_KEYS=1
;;
-p|--preview-global|-preview-global) -p|--preview-global|-preview-global)
(( ARG_ACTION )) && {
print -u2 "ERROR: multiple actions specified"
exit 1
}
ARG_ACTION=7 ARG_ACTION=7
;; ;;
-fix-local|--fix-local) -fix-local|--fix-local)
(( ARG_ACTION )) && {
print -u2 "ERROR: multiple actions specified"
exit 1
}
ARG_ACTION=5 ARG_ACTION=5
;; ;;
-fix-remote|--fix-remote) -fix-remote|--fix-remote)
(( ARG_ACTION )) && {
print -u2 "ERROR: multiple actions specified"
exit 1
}
ARG_ACTION=6 ARG_ACTION=6
;; ;;
-s|-check-syntax|--check-syntax) -s|-check-syntax|--check-syntax)
(( ARG_ACTION )) && {
print -u2 "ERROR: multiple actions specified"
exit 1
}
ARG_ACTION=8 ARG_ACTION=8
;; ;;
-check-sudo|--check-sudo) -check-sudo|--check-sudo)
(( ARG_ACTION )) && {
print -u2 "ERROR: multiple actions specified"
exit 1
}
ARG_ACTION=3 ARG_ACTION=3
ARG_LOG=0 ARG_LOG=0
CAN_CHECK_SYNTAX=1 CAN_CHECK_SYNTAX=1
CAN_REMOVE_TEMP=1 CAN_REMOVE_TEMP=1
;; ;;
-u|-update|--update) -u|-update|--update)
(( ARG_ACTION )) && {
print -u2 "ERROR: multiple actions specified"
exit 1
}
ARG_ACTION=4 ARG_ACTION=4
;; ;;
-create-dir|--create-dir) -create-dir|--create-dir)
@ -1413,6 +1480,15 @@ case ${ARG_ACTION} in
fi fi
log "finished backing up the current configuration & fragment files" log "finished backing up the current configuration & fragment files"
;; ;;
10) # gather SSH host keys
log "ACTION: gathering SSH host keys ..."
if (( CAN_DISCOVER_KEYS ))
then
cat "${TARGETS_FILE}" | grep -v -E -e '^#' -e '^$' |\
${SSH_KEYSCAN_BIN} ${SSH_KEYSCAN_ARGS} -f -
fi
log "finished gathering SSH host keys"
;;
esac esac
# finish up work # finish up work