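# SIGINT handler armed while the id_dsa key pair is generated (the main
# section does `trap "function_trap_ctlc" 2` around that ssh-keygen call).
# The interruption is refused: the user is told to let the generation finish
# and to log in again, the generation lock file is removed and the login
# shell exits with status 1.
#
# Globals: MACHINE (read, for the banner)
# Side effects: removes /tmp/.id_dsa_lock; terminates the current shell.
function_trap_ctlc()
{
  echo ""
  echo "[ $MACHINE ] CTRL-C detecte: la clef SSH V2 de PROD doit etre creee."
  echo "Merci de laisser finir le processus de generation de la clef id_dsa/id_dsa.pub"
  echo "Vous devez vous re-logguer !"
  # Wait for the user to acknowledge; -r keeps a stray backslash literal.
  read -r ignored
  # -f: the lock may already be gone, and an rm error must not distract
  # from the exit below.
  # NOTE(review): the lock has a fixed name in the shared /tmp; the code
  # that creates it is not in this file.
  /bin/rm -f -- /tmp/.id_dsa_lock
  exit 1
}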
# SIGINT handler armed while the forced passphrase change runs: the user is
# not allowed to skip the change, so the session is ended instead (status 1).
#
# Globals: MACHINE (read, for the banner)
function_change_passphrase_ctlc()
{
  printf '%s\n' "" \
    "[ $MACHINE ] CTRL-C detecte: Vous DEVEZ changer votre passphrase." \
    "[ $MACHINE ] CTRL-C detected: You MUST change your SSH keys passphrase."
  exit 1
}
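# EXIT-trap hook (armed at the end of the main section): on logout, push
# $HOME/mirror (when it exists) and the whole of $HOME/.ssh to bastion01s
# over SSH, so the other bastion carries the same keys and mirror content.
#
# Globals: USER, HOME, HOST (read).
# Authentication is key-based only (password authentication is switched off
# in the SSH options), so this relies on the key being usable at logout time.
# NOTE(review): $HOME/.ssh holds the private keys (identity, id_dsa, id_rsa);
# they are copied to another host protected by their passphrase only.
# NOTE(review): bash sets HOSTNAME, not HOST; if HOST is unset the second
# guard always passes. Verify which shell evaluates this profile.
function_logout_rsync()
{
  RSYNC=/usr/local/bin/rsync
  SSH="/usr/local/openssh/bin/ssh -o protocol=2 -o port=22000 -o passwordauthentication=no -o pubkeyauthentication=yes -l $USER"
  # Never mirror root's files, and never mirror the bastion onto itself.
  if [ "$USER" != "root" ] && [ "$HOST" != "bastion01s" ]; then
    if [ -d "$HOME/mirror" ]; then
      "$RSYNC" -avu --exclude-from=/usr/local/bastions/etc/rsync.excluded -e "$SSH" "$HOME/mirror/" "bastion01s:$HOME/mirror/"
    fi
    "$RSYNC" -avu --exclude-from=/usr/local/bastions/etc/rsync.excluded -e "$SSH" "$HOME/.ssh/" "bastion01s:$HOME/.ssh/"
  fi
}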
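# Find a running ssh-agent for the current user, or start one.
#
# If `ps` lists an ssh-agent process on a line containing $LOGNAME, the
# socket and pid recorded in $HOME/.ssh/.agent.ssh.tmp (written by a previous
# run of this function or of the main section) are reused. Otherwise a new
# agent is started, ssh-add loads the keys (prompting for the passphrases)
# and the socket/pid pair is recorded for later logins.
#
# Globals: LOGNAME, HOME (read); username, agent_record (written);
#          SSH_AUTH_SOCK, SSH_AGENT_PID (exported).
# NOTE(review): an agent counts as "found" as soon as a ps line contains both
# $LOGNAME and the word ssh-agent; when the record file is missing in that
# case SSH_AUTH_SOCK is exported with whatever value it already had, and the
# recorded agent may no longer be alive. No liveness check is done here.
remove_start_ssh_agent()
{
  username="$LOGNAME"
  agent_record="$HOME/.ssh/.agent.ssh.tmp"
  SSH_AGENT_PID=$(ps -e -o user,pid,comm 2>/dev/null | /bin/grep -w -- "$username" | grep ssh-agent | awk '{print $2}' | head -1)
  if [ -n "$SSH_AGENT_PID" ]; then
    echo "Ssh agent running (pid $SSH_AGENT_PID)"
    echo
    if [ -f "$agent_record" ]; then
      SSH_AUTH_SOCK=$(awk '{print $1}' "$agent_record")
      SSH_AGENT_PID=$(awk '{print $2}' "$agent_record")
    fi
  else
    # ssh-agent prints the export statements for its socket and pid.
    eval "$(ssh-agent)"
    ssh-add
    echo "${SSH_AUTH_SOCK} ${SSH_AGENT_PID}" > "$agent_record"
  fi
  export SSH_AUTH_SOCK SSH_AGENT_PID
}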
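# Create $HOME/.ssh/id_rsa and id_rsa.pub for the PSSI procedure, with the
# user's GECOS full name as key comment. ssh-keygen prompts for the
# passphrase. Returns ssh-keygen's exit status.
#
# Globals: HOME, LOGNAME (read); fullname (written).
# NOTE(review): generate_rsa_pubkey_for_signing and generate_signature reuse
# this same key for document signing, so one RSA key serves both SSH
# authentication and signing.
generate_rsa_keypair()
{
  printf "\nGenerating RSA key pair ... \n"
  # Pass the login name with -v instead of splicing it into the awk program,
  # so a quote or backslash in LOGNAME cannot alter the script.
  fullname=$(awk -F: -v user="$LOGNAME" '$1 == user {print $5}' /etc/passwd)
  ssh-keygen -t rsa -f "$HOME/.ssh/id_rsa" -C "$fullname SSH V2"
  return $?
}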
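# Derive a PEM public key ($HOME/.ssh/${LOGNAME}_PSSI.pub) from the SSH
# private key, for `openssl rsautl -verify` in check_signature. openssl
# prompts for the key's passphrase. Returns openssl's exit status.
#
# Globals: HOME, LOGNAME (read).
# NOTE(review): `openssl rsa` reads PEM-encoded private keys; an ssh-keygen
# that writes the OpenSSH-native key format by default would need `-m PEM`
# in generate_rsa_keypair — confirm against the deployed OpenSSH version.
generate_rsa_pubkey_for_signing()
{
  printf "\nGenerating RSA Pubkey for signing operations ...\n"
  openssl rsa -in "$HOME/.ssh/id_rsa" -pubout -out "$HOME/.ssh/${LOGNAME}_PSSI.pub"
  return $?
}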
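# PSSI procedure: assemble a text record (banner, /opt/local/isaac/warning.txt,
# the user's PEM public key, timestamps) in $HOME/.ssh/${LOGNAME}_PSSI.txt,
# write its SHA-1 into ${LOGNAME}_PSSI.hash and sign that hash file with
# the user's id_rsa into ${LOGNAME}_PSSI.signed. The record is rebuilt and
# re-signed until the signing step succeeds (in practice: until the right
# passphrase is typed); only CTRL-C ends it otherwise.
#
# Globals: HOME, LOGNAME (read); SUCCESS, timestamp, text, pssi_base (written).
# NOTE(review): `openssl dgst -out` writes a "SHA1(path)= hex" text line, not
# a raw digest, and `rsautl -sign` applies plain PKCS#1 v1.5 padding to that
# text. check_signature expects exactly this layout, so the digest algorithm
# and the signing primitive must change on both sides together. SHA-1 is no
# longer recommended for signatures and rsautl is deprecated in OpenSSL 3.
generate_signature()
{
  pssi_base="$HOME/.ssh/${LOGNAME}_PSSI"
  SUCCESS=1
  while [ "$SUCCESS" -ne 0 ]; do
    # Start from an empty record on every attempt.
    : > "${pssi_base}.txt"
    timestamp=$(date)
    echo ""
    echo "### BEGIN PSSI Procedure: $timestamp ###" | tee -a "${pssi_base}.txt"
    echo "" | tee -a "${pssi_base}.txt"
    tee -a "${pssi_base}.txt" < /opt/local/isaac/warning.txt
    echo ""
    printf " --- Press any key to continue. ---"
    read -r text
    # The group runs in the current shell, so the END timestamp set inside it
    # is still available after the loop.
    {
      echo ""
      echo ""
      cat "${pssi_base}.pub"
      echo ""
      timestamp=$(date)
      echo "### END PSSI Procedure: $timestamp ###"
    } >> "${pssi_base}.txt"
    openssl dgst -sha1 -out "${pssi_base}.hash" "${pssi_base}.txt"
    openssl rsautl -sign -in "${pssi_base}.hash" -inkey "$HOME/.ssh/id_rsa" -out "${pssi_base}.signed"
    SUCCESS=$?
    if [ "$SUCCESS" -ne 0 ]; then
      printf "\n !!! ERROR: PSSI procedure failed. Bad passphrass ?\n\n"
    else
      printf "\nPSSI procedure completed.\n\n"
    fi
  done
  echo "### END PSSI Procedure: $timestamp ###"
  echo
}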
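# Verify a user's PSSI signature: recover the signed blob from
# /home/$1/.ssh/${1}_PSSI.signed with the user's PEM public key and compare
# it with the stored ${1}_PSSI.hash. As an additional check the hex digest in
# the stored .hash is compared with a fresh SHA-1 of ${1}_PSSI.txt, so the
# signature is tied to the record itself and not only to the .hash file.
#
# Arguments: $1 - login name (home directory assumed under /home).
# Returns: 0 when both checks pass, 1 otherwise (the original returned 0 on
#          failure too).
# Globals: pssi_user, pssi_dir, pssi_result, lv_ret, stored_hex, fresh_hex
#          (written).
# NOTE(review): the result goes to a mktemp file rather than /tmp/result.$$,
# whose name was predictable in the shared /tmp, and the temp file is removed
# on every path. $USER is no longer overwritten: function_logout_rsync uses
# $USER as the SSH login at logout, so clobbering it here changed who the
# logout rsync tried to log in as.
check_signature()
{
  pssi_user=$1
  pssi_dir="/home/$pssi_user/.ssh"
  pssi_result=$(mktemp /tmp/pssi_result.XXXXXX) || return 1
  openssl rsautl -verify -in "$pssi_dir/${pssi_user}_PSSI.signed" -pubin -inkey "$pssi_dir/${pssi_user}_PSSI.pub" -out "$pssi_result"
  lv_ret=$?
  if [ "$lv_ret" -ne 0 ]; then
    printf "\nPSSI signature check for %s: Failed.\n" "$pssi_user"
    rm -f -- "$pssi_result"
    return 1
  fi
  echo
  echo "Check result: $(cat "$pssi_result")"
  if ! diff "$pssi_result" "$pssi_dir/${pssi_user}_PSSI.hash"; then
    rm -f -- "$pssi_result"
    return 1
  fi
  rm -f -- "$pssi_result"
  # The .hash file is "SHA1(path)= hex"; compare only the hex part with a
  # fresh digest of the record so a stale or edited .txt is detected.
  stored_hex=$(awk '{print $NF}' "$pssi_dir/${pssi_user}_PSSI.hash")
  fresh_hex=$(openssl dgst -sha1 "$pssi_dir/${pssi_user}_PSSI.txt" | awk '{print $NF}')
  if [ -z "$fresh_hex" ] || [ "$stored_hex" != "$fresh_hex" ]; then
    printf "\nPSSI record %s does not match the signed hash.\n" "${pssi_user}_PSSI.txt"
    return 1
  fi
  printf "\n----> PSSI signature check. OK <----\n\n"
  return 0
}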
####################### MAIN Processing #######################
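echo ""
# First login on one of the two bastions: create the SSH protocol-1 key pair
# ($HOME/.ssh/identity) and, if still missing, the protocol-2 DSA pair, both
# commented with the user's GECOS name. ssh-keygen prompts for the passphrases.
# NOTE(review): rsa1 keys exist for SSH protocol 1 only, which current OpenSSH
# releases no longer support; this branch only makes sense with the legacy
# build at /opt/local/openssh. The id_dsa creation below is repeated by the
# next section, which additionally blocks CTRL-C while the key is generated.
this_host=$(hostname)
if [ ! -f "${HOME}/.ssh/identity" ] && { [ "$this_host" = "bastion01s" ] || [ "$this_host" = "bastion10s" ]; }; then
  # Create the key directory owner-only from the start.
  if [ ! -d "${HOME}/.ssh" ]; then
    mkdir -m 700 "${HOME}/.ssh"
  fi
  echo ""
  echo "[ $MACHINE ] Premiere Connexion: creation clef SSH V1 identity/identity. Merci de patienter."
  echo "(Recommandation pour la passphrase: 10 caracteres minimum avec des caracteres speciaux.)"
  echo ""
  echo "[ $MACHINE ] First Connexion: SSH V1 keypair creation."
  echo "(please use a passphrase with at least 10 characters and special charaters.)"
  echo ""
  # -v keeps the login name out of the awk program text.
  fullname=$(awk -F: -v user="$LOGNAME" '$1 == user {print $5}' /etc/passwd)
  /opt/local/openssh/bin/ssh-keygen -t rsa1 -f "${HOME}/.ssh/identity" -C "$fullname SSH V1"
  echo ""
  if [ ! -f "${HOME}/.ssh/id_dsa" ]; then
    echo "[ $MACHINE ] Creation clef SSH V2: merci de patienter (cela peut durer plusieurs minutes)."
    echo "(Recommandation pour la passphrase: 10 caracteres minimum avec des caracteres speciaux.)"
    echo ""
    fullname=$(awk -F: -v user="$LOGNAME" '$1 == user {print $5}' /etc/passwd)
    /usr/local/openssh/bin/ssh-keygen -t dsa -f "${HOME}/.ssh/id_dsa" -C "$fullname SSH V2"
  fi
  echo
  echo "Configuration SSH complete. Pour vous logguer sur une machine, utiliser:"
  echo "ssh -l <login> <host> ou ssh <login>@<host>"
  echo "Vous pouvez aussi editer votre propre .ssh/config. [man ssh(1)]"
  echo "Pour tester la connexion � une machine : test_ssh <host>"
  echo " "
  echo "Merci de lire attentivement ces differents documents:"
  echo "http://wiki.priv.atos.fr/wiki/index.php/Connexion_sur_les_Bastions"
  echo
fi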
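# Make sure the protocol-2 DSA key pair exists on the bastions. CTRL-C is
# diverted to function_trap_ctlc while ssh-keygen runs (the user must let the
# generation finish), then ignored until a later section restores it.
# NOTE(review): DSA (ssh-dss) user keys are disabled by default in recent
# OpenSSH releases, and the authorized_keys builder further down already says
# "Do not use DSA anymore"; yet the presence of id_dsa is what gates this
# section, so changing the key type here also means changing that gate.
this_host=$(hostname)
if [ ! -f "${HOME}/.ssh/id_dsa" ] && { [ "$this_host" = "bastion01s" ] || [ "$this_host" = "bastion10s" ]; }; then
  trap "function_trap_ctlc" 2
  # Create the key directory owner-only from the start.
  if [ ! -d "${HOME}/.ssh" ]; then
    mkdir -m 700 "${HOME}/.ssh"
  fi
  echo ""
  echo "[ $MACHINE ] Creation clef SSH V2: merci de patienter (cela peut durer plusieurs minutes)."
  echo "(Recommandation pour la passphrase: 10 caracteres minimum avec des caracteres speciaux.)"
  echo ""
  # -v keeps the login name out of the awk program text.
  fullname=$(awk -F: -v user="$LOGNAME" '$1 == user {print $5}' /etc/passwd)
  /usr/local/openssh/bin/ssh-keygen -t dsa -f "${HOME}/.ssh/id_dsa" -C "$fullname SSH V2"
  echo
  echo "Configuration SSH V2 complete. Pour vous logguer sur une machine, utiliser:"
  echo "ssh -l <login> <host>"
  echo "Vous pouvez aussi editer votre propre .ssh/config. [man ssh(1)]"
  echo
  echo "Merci de lire attentivement ces differents documents:"
  echo "http://wiki.priv.atos.fr/wiki/index.php/Connexion_sur_les_Bastions"
  echo
  # Ignore CTRL-C from here on (restored later in the main section).
  trap "" 2
fi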
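# ssh-agent discovery, quota warning and authorized_keys construction.
# Skipped for root and when the user opted out with $HOME/.ssh/.no.ssh-agent.
if [ "$LOGNAME" != "root" ] && [ ! -f "$HOME/.ssh/.no.ssh-agent" ]; then
  # Look for a running ssh-agent of this user: by name first, then by uid
  # (presumably because ps may print the numeric uid instead of the name).
  username="$LOGNAME"
  [ -n "$HOME" ] && username=$(/usr/bin/basename "$HOME")
  SSH_AGENT_PID=$(ps -e -o user,pid,comm 2>/dev/null | /bin/grep -w -- "$username" | grep ssh-agent | awk '{print $2}' | head -1)
  if [ -z "$SSH_AGENT_PID" ]; then
    useruid=$(grep -w "^$username" /etc/passwd | cut -f3 -d":")
    # Only search by uid when one was found: an empty uid made the pattern
    # "^", which matched every user's ssh-agent.
    if [ -n "$useruid" ]; then
      SSH_AGENT_PID=$(ps -e -o user,pid,comm 2>/dev/null | /bin/grep -w -- "^$useruid" | grep ssh-agent | awk '{print $2}' | head -1)
    fi
  fi
  # CTRL-C is ignored during the quota warning and the authorized_keys
  # rebuild, then reset to its default action.
  trap "" 2
  if quota -q | grep lv_homes; then
    echo " "
    echo " "
    echo " "
    echo " "
    echo "######################################"
    echo "#### WARNING ####"
    echo " Your are over quota in your HOMEDIR"
    echo " Over quota may break some of your SSH accesses and other processes"
    echo " please cleanup some files and use 'quota' to see your quota usage "
    echo "#### WARNING ####"
    echo "######################################"
    echo " "
    # 60-second countdown so the warning is actually read.
    c=60
    while (( c > 0 )); do
      printf '%s \r' "$c"
      sleep 1
      c=$((c-1))
    done
  else
    if [ -f "${HOME}/.ssh/id_rsa.pub" ]; then
      # Rebuild authorized_keys from id_rsa.pub and identity.pub (DSA is no
      # longer included). The temp file is truncated first — the old `>>`
      # appended to any leftover .tmp on every login — and replaces
      # authorized_keys only when both public keys were read.
      tmp_keys="${HOME}/.ssh/authorized_keys.tmp"
      if cat "${HOME}/.ssh/id_rsa.pub" > "$tmp_keys" && cat "${HOME}/.ssh/identity.pub" >> "$tmp_keys"; then
        mv "$tmp_keys" "${HOME}/.ssh/authorized_keys"
        # Public keys only; 644 (rather than a+r) also clears any group/world
        # write bit the temp file may have carried.
        chmod 644 "${HOME}/.ssh/authorized_keys"
        echo " ${HOME}/.ssh/authorized_keys created"
      else
        rm -f -- "$tmp_keys"
      fi
    else
      /usr/local/security/bin/check_rsa.sh
    fi
  fi
  trap 2
  # Reuse the recorded agent socket/pid, or start a new agent.
  # NOTE(review): if an agent process was found but the record file is
  # missing, SSH_AUTH_SOCK is exported unchanged (possibly empty).
  agent_record="$HOME/.ssh/.agent.ssh.tmp"
  if [ -n "$SSH_AGENT_PID" ]; then
    echo "You have a ssh agent running (pid $SSH_AGENT_PID)"
    echo
    if [ -f "$agent_record" ]; then
      SSH_AUTH_SOCK=$(awk '{print $1}' "$agent_record")
      SSH_AGENT_PID=$(awk '{print $2}' "$agent_record")
    fi
  else
    echo "Starting a ssh agent: it will ask you a passphrase for your identity and one for your id_dsa key pairs"
    eval "$(/usr/local/openssh/bin/ssh-agent)"
    /usr/local/openssh/bin/ssh-add
    echo ""
    echo "${SSH_AUTH_SOCK} ${SSH_AGENT_PID}" > "$agent_record"
  fi
  export SSH_AUTH_SOCK
  export SSH_AGENT_PID
fi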
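# Passphrase-rotation policy: users listed in change_passphrase_users.list
# are forced through change_passphrase before they may continue.
if [ "$LOGNAME" != "root" ]; then
  USERNAME=$(basename "$HOME")
  USERS_LIST="/usr/local/security/etc/change_passphrase_users.list"
  rotation_due=0
  grep -qw -- "$USERNAME" "${USERS_LIST}" && rotation_due=1
  # NOTE(review): kill switch kept from the original (it had `tmp=""` right
  # after the grep): the next line unconditionally disables the 90-day check,
  # so the forced change never runs. Remove it to re-enable the policy.
  rotation_due=0
  if [ "$rotation_due" -eq 1 ]; then
    # CTRL-C ends the session instead of skipping the change.
    trap "function_change_passphrase_ctlc" 2
    echo "********************************************************************"
    echo "* Votre dernier changement de passphrases date de plus de 90 jours *"
    echo "* Merci de changer les passphrases de vos clefs SSH V1 et V2 avant *"
    echo "* de continuer. *"
    echo "********************************************************************"
    echo "* Your last passphrase change procedure for your SSH keys was done *"
    echo "* more than 90 days ago. *"
    echo "* Starting procedure to cipher your SSH keys with a new passphrase *"
    echo "********************************************************************"
    # Shows the user where change_passphrase comes from (kept as found;
    # looks like a diagnostic). change_passphrase itself is not in this file.
    type change_passphrase
    change_passphrase FORCED
    # Ignore CTRL-C again once the change is done.
    trap "" 2
  fi
fi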
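# PSSI procedure (bastion01s only): users listed in isaac_users.list who have
# no ${LOGNAME}_PSSI.signed yet get an RSA key pair (up to four attempts), a
# PEM public key, and then sign the PSSI record (see generate_signature).
if [ "$LOGNAME" != "root" ] && [ "$(hostname)" = "bastion01s" ]; then
  USERNAME=$(basename "$HOME")
  USERS_LIST="/usr/local/security/etc/isaac_users.list"
  if grep -qw -- "^$USERNAME" "${USERS_LIST}" && [ ! -f "$HOME/.ssh/${LOGNAME}_PSSI.signed" ]; then
    SUCCESS=1
    RETRY=1
    ABORT=0
    if [ ! -f "${HOME}/.ssh/id_rsa" ]; then
      while [ "$SUCCESS" -ne 0 ]; do
        generate_rsa_keypair
        SUCCESS=$?
        # Give up after the fourth failed attempt (SUCCESS=0 ends the loop).
        # The original aborted whenever RETRY reached 4, even when that
        # fourth attempt had just succeeded; it now aborts only on failure.
        if [ "$SUCCESS" -ne 0 ] && [ "$RETRY" -eq 4 ]; then
          printf "\nAborting PSSI Procedure. Contact Support!\n"
          SUCCESS=0
          ABORT=1
        elif [ "$SUCCESS" -ne 0 ]; then
          printf "\nERROR generating RSA Key pair. Re-trying $RETRY."
          RETRY=$((RETRY+1))
        fi
      done
    fi
    if [ "$ABORT" -eq 1 ]; then
      printf "\nPSSI procedure aborted.\n"
    else
      generate_rsa_pubkey_for_signing
      SUCCESS=$?
      [ "$SUCCESS" -eq 0 ] && generate_signature
    fi
  fi
fi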
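alias ll='ls -lrt'
alias la='ls -al'
# Normalise permissions every login: private keys owner-only (ssh refuses a
# private key readable by others), home and .ssh readable by everyone.
# Skipped for root.
# NOTE(review): 755 on $HOME and $HOME/.ssh makes the whole tree
# world-readable; the public-key material at most needs that, and the
# private keys rely solely on their own 600 mode.
if [ "$LOGNAME" != "root" ]; then
  for key_file in identity id_dsa id_rsa; do
    [ -f "$HOME/.ssh/$key_file" ] && chmod 600 "$HOME/.ssh/$key_file"
  done
  chmod 755 "$HOME"
  chmod 755 "$HOME/.ssh"
fi
# On logout, mirror $HOME/mirror and $HOME/.ssh to bastion01s
# (function_logout_rsync) — this includes the private keys.
trap "function_logout_rsync" EXIT
TERM=xterm; export TERM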
Some personal config files
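# Default DISPLAY for X clients when the session did not provide one.
# NOTE(review): the original exported 172.18.7.240:0.0 unconditionally. A
# host:0.0 display sends X traffic directly to that host (not through the SSH
# tunnel) and overrides the localhost:N display sshd sets up when X11
# forwarding is actually in use, so the value is now only a fallback.
DISPLAY=${DISPLAY:-172.18.7.240:0.0}; export DISPLAY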
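# Reuse an existing ssh-agent of this user when exactly one socket and exactly
# one agent process are found; otherwise start an agent and load the keys.
# NOTE(review): /tmp/ssh-$LOGNAME is a fixed, guessable directory name in the
# shared /tmp (stock ssh-agent creates a randomly named ssh-XXXXXXXX dir);
# any socket another user plants there is adopted as SSH_AUTH_SOCK.
# NOTE(review): matching `comm` against the full path /usr/local/bin/ssh-agent
# depends on how this platform's ps prints the command column — verify.
if [ -d "/tmp/ssh-$LOGNAME" ]; then
  SSH_AUTH_SOCK=$(find "/tmp/ssh-$LOGNAME" -type s)
  SSH_AGENT_PID=$(ps -o pid,comm -u "$LOGNAME" | awk '$2 == "/usr/local/bin/ssh-agent" {print $1}')
  # Unquoted on purpose: count the words (sockets / pids) found.
  nsock=$(echo $SSH_AUTH_SOCK | wc -w)
  npid=$(echo $SSH_AGENT_PID | wc -w)
  # Arithmetic expansion strips the padding some wc implementations print.
  nsock=$((nsock))
  npid=$((npid))
  if [ "$nsock" -eq 1 ] && [ "$npid" -eq 1 ]; then
    printf "\nYou have an ssh agent running (pid %s)\n\n" "$SSH_AGENT_PID"
    export SSH_AUTH_SOCK
    export SSH_AGENT_PID
  fi
else
  # Evaluate ssh-agent's output directly instead of writing it to
  # ./.env_ssh_agent, a relative path in whatever directory happens to be
  # current, and sourcing that file back.
  eval "$(/usr/local/bin/ssh-agent)"
  /usr/local/bin/ssh-add
fi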