[debian-lan-devel] [SCM] Debian-LAN development and packaging branch, master, updated. 0.7-26-g963f92d
Andreas B. Mundt
andi at debian.org
Wed Feb 13 09:40:17 UTC 2013
The following commit has been merged in the master branch:
commit d8cf7e8b08546d5c39edb723c03b3d5bb03ae161
Author: Andreas B. Mundt <andi at debian.org>
Date: Mon Feb 11 23:11:28 2013 +0100
Improve authentication. Disable root login on clients.
Prompt for the admin password during installation. Use that password
for GOsa and Icinga.
Disable root login on clients. This removes all password hashes from
the default config space.
diff --git a/fai/config/class/CLIENT_A.var b/fai/config/class/CLIENT_A.var
index 3cc9b34..6743e5b 100644
--- a/fai/config/class/CLIENT_A.var
+++ b/fai/config/class/CLIENT_A.var
@@ -12,7 +12,8 @@ TIMEZONE=Europe/Berlin
# Use: 'mkpasswd -Hsha-256 <PASSWORD>' to create the password hash
# pw is "fai":
-ROOTPW='$1$kBnWcO.E$djxB128U7dMkrltJHPf6d1'
+#ROOTPW='$1$kBnWcO.E$djxB128U7dMkrltJHPf6d1'
+ROOTPW='*'
## URL of the local site's APT repository.
## Set empty to skip this feature.
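Review bot: The root hash is still shipped after this change, only commented out as `#ROOTPW='$1$kBnWcO.E$djxB128U7dMkrltJHPf6d1'`, directly under the comment that states its cleartext, which contradicts the commit message's claim that the hashes are removed from the default config space. A known hash with its known password in a published config file remains a usable credential for anyone who later uncomments the line; delete both the commented hash and the `# pw is "fai":` line and keep only `ROOTPW='*'`. It would also help to record the intent next to the kept line, e.g. `# '*' is not a valid hash: password login for root is disabled on clients`, since `install.DEFAULT.source` treats any non-empty ROOTPW as "password set" and skips its prompt.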
diff --git a/fai/config/files/etc/ldap/gosa.ldif/GOSA b/fai/config/files/etc/ldap/gosa.ldif/GOSA
index 6cce84c..1a72d46 100644
--- a/fai/config/files/etc/ldap/gosa.ldif/GOSA
+++ b/fai/config/files/etc/ldap/gosa.ldif/GOSA
@@ -49,7 +49,7 @@ homeDirectory: /lan/mainserver/home0/admin
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
-userPassword: @LDAP_ADMIN_PW_HASH@
+userPassword: @ADMIN_PW_HASH@
dn: cn=admin,ou=groups,ou=gosa,dc=intern
cn: admin
diff --git a/fai/config/hooks/install.DEFAULT.source b/fai/config/hooks/install.DEFAULT.source
index fd1baa5..fb40741 100755
--- a/fai/config/hooks/install.DEFAULT.source
+++ b/fai/config/hooks/install.DEFAULT.source
@@ -8,16 +8,16 @@ if [ -n "$ROOTPW" ] ; then
else
while [ -z "$ROOTPW" ] ; do
if ! { inp1=$(dialog --insecure --stdout --backtitle " Root Password " --passwordbox \
- "There is no password hash for root available. \nPlease enter a root password:" 10 49) &&
- inp2=$(dialog --insecure --stdout --backtitle " Root Password " --passwordbox \
- "Please enter the root password again:" 9 41); } ; then
+ "There is no password hash for root available. \nPlease enter a root password:" 10 49) &&
+ inp2=$(dialog --insecure --stdout --backtitle " Root Password " --passwordbox \
+ "Please enter the root password again:" 9 41); } ; then
dialog --stdout --msgbox "Entering passwords canceled, please try again." 5 50
elif [ "$inp1" == "$inp2" ] ; then
- ROOTPW=`mkpasswd -Hsha-256 "$inp1"`
+ ROOTPW=`mkpasswd -Hsha-256 "$inp1"`
echo "Password hash for root set."
else
dialog --stdout --msgbox "Passwords do not match, please try again." 5 45
fi
- unset inp1 inp2
+ unset inp1 inp2
done
fi
diff --git a/fai/config/hooks/install.GOSA.source b/fai/config/hooks/install.GOSA.source
new file mode 100755
index 0000000..6ed8b6e
--- /dev/null
+++ b/fai/config/hooks/install.GOSA.source
@@ -0,0 +1,23 @@
+#! /bin/bash
+#
+# Prompt for the admin password if $ADMINPW is empty.
+#
+
+if [ -n "$ADMINPW" ] ; then
+ echo "Admin password is set."
+else
+ while [ -z "$ADMINPW" ] ; do
+ if ! { inp1=$(dialog --insecure --stdout --backtitle " Admin Password " --passwordbox \
+ "There is no password for 'admin' available. \nPlease enter a password for 'admin':" 10 47) &&
+ inp2=$(dialog --insecure --stdout --backtitle " Admin Password " --passwordbox \
+ "Please enter the password for 'admin' again:" 9 48); } ; then
+ dialog --stdout --msgbox "Entering passwords canceled, please try again." 5 50
+ elif [ "$inp1" == "$inp2" ] ; then
+ ADMINPW=$inp1
+ echo "Password for admin set."
+ else
+ dialog --stdout --msgbox "Passwords do not match, please try again." 5 45
+ fi
+ unset inp1 inp2
+ done
+fi
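Review bot: The match branch `elif [ "$inp1" == "$inp2" ] ; then` accepts two empty entries: `ADMINPW=$inp1` leaves the variable empty, "Password for admin set." is printed, and `while [ -z "$ADMINPW" ]` silently restarts the prompt; guard it with `elif [ -n "$inp1" ] && [ "$inp1" == "$inp2" ] ; then`. A second point: this hook keeps the admin password in cleartext in the environment for the rest of the installation, and the same commit then passes it as a command-line argument to `slappasswd -s "$ADMINPW"` in 10-slapd-KDC, to `kadmin.local -q "add_principal -pw …"` there, and to `htpasswd -b` in 10-rsyslog_icinga.conf, where it is visible in process listings and presumably in any `set -x` trace or command log FAI keeps. Hashing once here (as the root hook already does with `mkpasswd`) and handing only the hash to later scripts, or feeding the cleartext through stdin or a 0600 file where the tool supports it (`slappasswd -T file`, a piped `add_principal` without `-pw`), would keep it off argv.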
diff --git a/fai/config/scripts/KDC_LDAP/10-slapd-KDC b/fai/config/scripts/KDC_LDAP/10-slapd-KDC
index 443c872..79de82b 100755
--- a/fai/config/scripts/KDC_LDAP/10-slapd-KDC
+++ b/fai/config/scripts/KDC_LDAP/10-slapd-KDC
@@ -74,6 +74,7 @@ init_LDAP () {
echo -n $LDAP_ADMIN_PW > $target$PWFILE
$ROOTCMD chmod -v 0600 $PWFILE
LDAP_ADMIN_PW_HASH=`$ROOTCMD slappasswd -v -s $LDAP_ADMIN_PW -h {SSHA}`
+ ADMIN_PW_HASH=`$ROOTCMD slappasswd -v -s "$ADMINPW" -h {SSHA}`
#### Kerberos KDC service principals:
KDCCONFDIR="/etc/krb5kdc/"
@@ -95,6 +96,7 @@ EOF
if $ROOTCMD cat $ldif | $ROOTCMD sed \
-e "s:@LDAP_ADMIN_PW_HASH@:$LDAP_ADMIN_PW_HASH:" \
-e "s:@KDC_SERVICE_PW_HASH@:$KDC_SERVICE_PW_HASH:" \
+ -e "s:@ADMIN_PW_HASH@:$ADMIN_PW_HASH:" \
| $ROOTCMD /usr/sbin/slapadd ; then
echo "Info: added '$ldif' to ldap database."
else
@@ -188,7 +190,7 @@ init_KDC() {
HOMEDIR=$(grep "^homeDirectory.*admin$" $GOSALDIF | cut -d ' ' -f 2)
USID=$(sed -n '/^dn: uid=admin,/,/^dn:/p' $GOSALDIF | grep "^uidNumber:" | cut -d " " -f 2)
GRID=$(sed -n '/^dn: uid=admin,/,/^dn:/p' $GOSALDIF | grep "^gidNumber:" | cut -d " " -f 2)
- $ROOTCMD kadmin.local -q "add_principal -pw $LDAP_ADMIN_PW -x $USERDN admin"
+ $ROOTCMD kadmin.local -q "add_principal -pw "$ADMINPW" -x $USERDN admin"
cp -r $target/etc/skel $target/$HOMEDIR
$ROOTCMD chmod -R o-rwx $HOMEDIR
$ROOTCMD chown -R $USID:$GRID $HOMEDIR
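Review bot: The quoting on the new `kadmin.local` line does not do what it looks like: in `"add_principal -pw "$ADMINPW" -x $USERDN admin"` the inner double quotes close and reopen the string, so `$ADMINPW` is expanded unquoted and word-split, and a password containing spaces or glob characters yields a broken `-q` query. The minimal repair is `$ROOTCMD kadmin.local -q "add_principal -pw $ADMINPW -x $USERDN admin"`, which matches the removed line; note that kadmin parses the query itself, so embedded spaces would still need kadmin's own quoting, and the password stays visible on the command line either way. Letting `add_principal` prompt instead, with the value supplied on stdin (`printf '%s\n%s\n' "$ADMINPW" "$ADMINPW" | $ROOTCMD kadmin.local -q "add_principal -x $USERDN admin"`), avoids both problems, if confirmed to work with the kadmin version in use. The enclosing `init_KDC` starts outside the hunk.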
diff --git a/fai/config/scripts/LOG_SERVER/10-rsyslog_icinga.conf b/fai/config/scripts/LOG_SERVER/10-rsyslog_icinga.conf
index 6c754ab..7c21348 100755
--- a/fai/config/scripts/LOG_SERVER/10-rsyslog_icinga.conf
+++ b/fai/config/scripts/LOG_SERVER/10-rsyslog_icinga.conf
@@ -14,6 +14,5 @@ if [ "$FAI_ACTION" == "install" ] || [ "$CONVERT" == "true" ] ; then
## Machines are added here, so do not overwrite them on softupdate:
fcopy /etc/icinga/objects/hosts.cfg
mv $target/etc/icinga/objects/localhost_icinga.cfg $target/etc/icinga/objects/localhost_icinga.cfg_orig
- # FIXME: empty password for now:
- $ROOTCMD htpasswd -bc /etc/icinga/htpasswd.users icingaadmin ""
+ $ROOTCMD htpasswd -bc /etc/icinga/htpasswd.users admin "$ADMINPW"
fi
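Review bot: `htpasswd -bc` still passes the now real admin password on the command line, which the htpasswd documentation itself discourages because it is visible to other users via the process list; with a recent htpasswd, `printf '%s' "$ADMINPW" | $ROOTCMD htpasswd -ic /etc/icinga/htpasswd.users admin` reads it from stdin instead (check that the installed version supports `-i`). Also no hash algorithm is selected, and depending on the Apache version htpasswd's default on Linux can be the legacy crypt() format, which truncates the password to 8 characters; pass `-m` (or a stronger option where available) explicitly. Finally, the web user is renamed from `icingaadmin` to `admin`; Icinga's CGI authorization (the `authorized_for_*` entries in cgi.cfg) is not touched in this commit, so if it still names `icingaadmin` the new account presumably logs in without admin rights — worth confirming.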