diff --git a/linux/amzn/2.0/foxpass_setup.py b/linux/amzn/2.0/foxpass_setup.py
index b5a509f..1e308c5 100644
--- a/linux/amzn/2.0/foxpass_setup.py
+++ b/linux/amzn/2.0/foxpass_setup.py
@@ -48,6 +48,7 @@ def main():
 parser.add_argument('--update-sudoers', default=False, action='store_true', help='update 95-foxpass-sudo with new group')
 parser.add_argument('--keep-command', default=False, action='store_true', help='Do not replace sshd key command')
 parser.add_argument('--require-sudoers-pw', default=False, action='store_true', help='set sudoers default password requirement')
+ parser.add_argument('--allow-authorized-keys-file-for', default='*', type=str, help='allow authorized keys file for given user; by default all users are allowed. specify multiple users with comma.')
 parser.add_argument('--opt-timeout', default=6, help='option to set the sssd opt timeout')
 parser.add_argument('--debug', default=False, action='store_true', help='Turn on debug mode')
 # Foxpass SUDOers add-on
@@ -82,7 +83,7 @@ def main():
 write_foxpass_ssh_keys_script(apis, args.api_key)
 run_authconfig(args.ldap_uri, args.base_dn)
 configure_sssd(bind_dn, args.bind_pw, args.ldaps, args.opt_timeout)
- augment_sshd_config(args.keep_command)
+ augment_sshd_config(args.keep_command, args.allow_authorized_keys_file_for)
 fix_sudo(args.sudoers_group, args.require_sudoers_pw, args.update_sudoers)
 if args.enable_ldap_sudoers:
@@ -170,7 +171,7 @@ def write_foxpass_ssh_keys_script(apis, api_key):
 def run_authconfig(uri, base_dn):
 cmd = 'authconfig --enablesssd --enablesssdauth --enablelocauthorize --enableldap --enableldapauth --ldapserver={uri} --disableldaptls --ldapbasedn={base_dn} --enablemkhomedir --enablecachecreds --update'.format(uri=uri, base_dn=base_dn)
- print 'Running %s' % cmd
+ print('Running {}'.format(cmd))
 os.system(cmd)
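Review bot: The help text for `--allow-authorized-keys-file-for` does not tell the operator what the value becomes or what it costs: it is written verbatim as an sshd `Match User` pattern list, and every user it does not match loses `~/.ssh/authorized_keys` entirely because the same commit sets the global `AuthorizedKeysFile` to `None` (see the augment_sshd_config hunk), so `--allow-authorized-keys-file-for alice` leaves all other local accounts reliant on the Foxpass AuthorizedKeysCommand alone. Suggest `help='sshd Match User pattern(s) (comma separated, * and ? allowed) that may still use ~/.ssh/authorized_keys; all other users get AuthorizedKeysFile none and depend on the Foxpass key command. Default: * (all users)'`. Because the value is later interpolated into a sed/shell command, a `type=` callable that raises `argparse.ArgumentTypeError` for characters outside `[A-Za-z0-9_.!*?,-]` would reject bad input at parse time rather than after sshd_config has been partly rewritten. The same option line appears in the centos/7, centos/8, debian/10, debian/9, redhat and ubuntu/20.04 hunks.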
@@ -224,8 +225,25 @@ def configure_ldap_sudoers(base_dn, sudo_timed, full_refresh_interval, smart_ref
 augment_nsswitch()
-def augment_sshd_config(keep_command):
+def augment_sshd_config(keep_command, allow_authorized_keys_file_for):
 sshd_config_file = '/etc/ssh/sshd_config'
+
+ if not file_contains(sshd_config_file, r'^AuthorizedKeysFile'):
+ with open('/etc/ssh/sshd_config', "a") as w:
+ w.write("\n")
+ w.write("AuthorizedKeysFile\tNone\n")
+ else:
+ os.system("sed -i 's/^AuthorizedKeysFile.*/AuthorizedKeysFile\tNone/' {}".format(sshd_config_file))
+
+ if not file_contains(sshd_config_file, r'^Match User'):
+ with open(sshd_config_file, "a") as w:
+ w.write("\n")
+ w.write("Match User {}\n".format(allow_authorized_keys_file_for))
+ w.write("\tAuthorizedKeysFile .ssh/authorized_keys\n")
+
+ # dynamically update the Match User value
+ os.system("sed -i 's/^Match User.*/Match User {}/' {}".format(allow_authorized_keys_file_for, sshd_config_file))
+
 key_command = 'AuthorizedKeysCommand\t\t/usr/local/sbin/foxpass_ssh_keys.sh\n'
 key_command_user = 'AuthorizedKeysCommandUser\troot\n'
 if not file_contains(sshd_config_file, r'^AuthorizedKeysCommand\w'):
@@ -235,8 +253,7 @@ def augment_sshd_config(keep_command):
 clean_authorizedkeyscommand(sshd_config_file)
 write_authorizedkeyscommand(sshd_config_file, key_command, key_command_user)
 else:
- print 'AuthorizedKeysCommand already set, will not use Foxpass for ssh key verification'
- return
+ print('AuthorizedKeysCommand already set, will not use Foxpass for ssh key verification')
 def augment_openldap(bind_dn):
diff --git a/linux/centos/7/foxpass_setup.py b/linux/centos/7/foxpass_setup.py
index cb78105..2edefd0 100644
--- a/linux/centos/7/foxpass_setup.py
+++ b/linux/centos/7/foxpass_setup.py
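Review bot: Appending the `Match User` block before the AuthorizedKeysCommand handling that follows puts every directive written later inside that block, because sshd scopes everything after a `Match` line to it until the next `Match` or end of file; with a non-default value such as `--allow-authorized-keys-file-for alice`, the `AuthorizedKeysCommand` appended afterwards (by the `with open(..., "a")` tail in the other six files, and presumably by `write_authorizedkeyscommand` here, which is outside the hunk) applies only to alice, and every other user is left with neither an authorized_keys file nor the Foxpass command. The two `os.system("sed -i ...")` calls also splice the option value unquoted into a shell command and a sed expression, `s/^Match User.*/` rewrites every pre-existing `Match User` line in the file rather than only the one this script wrote, and the `file_contains(..., r'^Match User')` guard skips writing the `.ssh/authorized_keys` line whenever an unrelated Match User block already exists. The same block is duplicated verbatim in the centos/7, centos/8, debian/10, debian/9, redhat and ubuntu/20.04 hunks (those six also drop the `sshd_config_file` variable and repeat the literal path), and the rest of augment_sshd_config continues outside this hunk. The rewrite below validates the value as a Match pattern list, edits the file in Python with a marker-delimited block it owns (assuming `re` is already imported at the top of the file, which is outside the hunk), and is called at the end of the function so the Match block stays last; the commit's removal of the `return` in the else branch makes that placement possible, but any other early return in the tail would need the same treatment.

```python
def augment_sshd_config(keep_command, allow_authorized_keys_file_for):
    sshd_config_file = '/etc/ssh/sshd_config'

    # … unchanged: key_command / AuthorizedKeysCommand handling …

    # Written last: sshd applies everything after a Match line only to that
    # block, so it must not precede the global directives written above.
    restrict_authorized_keys_file(sshd_config_file, allow_authorized_keys_file_for)


def restrict_authorized_keys_file(sshd_config_file, allow_authorized_keys_file_for):
    """Set the global AuthorizedKeysFile to None and re-enable .ssh/authorized_keys
    only for the users matching the given sshd Match User pattern list."""
    # The value is written verbatim as a Match pattern list; allow only user-name,
    # glob, negation and separator characters so it cannot break the config.
    if not re.match(r'^[A-Za-z0-9_.!*?,-]+$', allow_authorized_keys_file_for):
        raise ValueError('invalid --allow-authorized-keys-file-for value: {!r}'.format(allow_authorized_keys_file_for))

    with open(sshd_config_file) as r:
        config = r.read()

    # Global default: no authorized_keys file; the Match block below re-enables it.
    if re.search(r'^AuthorizedKeysFile', config, re.M):
        config = re.sub(r'^AuthorizedKeysFile.*$', 'AuthorizedKeysFile\tNone', config, flags=re.M)
    else:
        config = config.rstrip('\n') + '\nAuthorizedKeysFile\tNone\n'

    # Replace only the block this script owns, never an admin's own Match blocks.
    block = ('# BEGIN foxpass authorized_keys\n'
             'Match User {}\n'
             '\tAuthorizedKeysFile .ssh/authorized_keys\n'
             '# END foxpass authorized_keys\n').format(allow_authorized_keys_file_for)
    config, replaced = re.subn(r'# BEGIN foxpass authorized_keys\n.*?# END foxpass authorized_keys\n',
                               lambda m: block, config, flags=re.S)
    if not replaced:
        config = config.rstrip('\n') + '\n\n' + block

    with open(sshd_config_file, 'w') as w:
        w.write(config)
```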
@@ -47,6 +47,7 @@ def main():
 parser.add_argument('--sudoers-group', default='foxpass-sudo', type=str, help='sudoers group with root access')
 parser.add_argument('--update-sudoers', default=False, action='store_true', help='update 95-foxpass-sudo with new group')
 parser.add_argument('--require-sudoers-pw', default=False, action='store_true', help='set sudoers default password requirement')
+ parser.add_argument('--allow-authorized-keys-file-for', default='*', type=str, help='allow authorized keys file for given user; by default all users are allowed. specify multiple users with comma.')
 parser.add_argument('--opt-timeout', default=6, help='option to set the sssd opt timeout')
 parser.add_argument('--debug', default=False, action='store_true', help='Turn on debug mode')
 # Foxpass SUDOers add-on
@@ -81,7 +82,7 @@ def main():
 write_foxpass_ssh_keys_script(apis, args.api_key)
 run_authconfig(args.ldap_uri, args.base_dn)
 configure_sssd(bind_dn, args.bind_pw, args.ldaps, args.opt_timeout)
- augment_sshd_config()
+ augment_sshd_config(args.allow_authorized_keys_file_for)
 fix_sudo(args.sudoers_group, args.require_sudoers_pw, args.update_sudoers)
 if args.enable_ldap_sudoers:
@@ -223,7 +224,23 @@ def configure_ldap_sudoers(base_dn, sudo_timed, full_refresh_interval, smart_ref
 augment_nsswitch()
-def augment_sshd_config():
+def augment_sshd_config(allow_authorized_keys_file_for):
+ if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysFile'):
+ with open('/etc/ssh/sshd_config', "a") as w:
+ w.write("\n")
+ w.write("AuthorizedKeysFile\tNone\n")
+ else:
+ os.system("sed -i 's/^AuthorizedKeysFile.*/AuthorizedKeysFile\tNone/' /etc/ssh/sshd_config")
+
+ if not file_contains('/etc/ssh/sshd_config', r'^Match User'):
+ with open('/etc/ssh/sshd_config', "a") as w:
+ w.write("\n")
+ w.write("Match User {}\n".format(allow_authorized_keys_file_for))
+ w.write("\tAuthorizedKeysFile .ssh/authorized_keys\n")
+
+ # dynamically update the Match User value
+ os.system("sed -i 's/^Match User.*/Match User {}/' /etc/ssh/sshd_config".format(allow_authorized_keys_file_for))
+
 if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysCommand\w'):
 with open('/etc/ssh/sshd_config', "a") as w:
 w.write("\n")
diff --git a/linux/centos/8/foxpass_setup.py b/linux/centos/8/foxpass_setup.py
index 2fbabe4..f5e7d1e 100644
--- a/linux/centos/8/foxpass_setup.py
+++ b/linux/centos/8/foxpass_setup.py
@@ -47,6 +47,7 @@ def main():
 parser.add_argument('--sudoers-group', default='foxpass-sudo', type=str, help='sudoers group with root access')
 parser.add_argument('--update-sudoers', default=False, action='store_true', help='update 95-foxpass-sudo with new group')
 parser.add_argument('--require-sudoers-pw', default=False, action='store_true', help='set sudoers default password requirement')
+ parser.add_argument('--allow-authorized-keys-file-for', default='*', type=str, help='allow authorized keys file for given user; by default all users are allowed. specify multiple users with comma.')
 parser.add_argument('--opt-timeout', default=6, help='option to set the sssd opt timeout')
 parser.add_argument('--debug', default=False, action='store_true', help='Turn on debug mode')
 # Foxpass SUDOers add-on
@@ -81,7 +82,7 @@ def main():
 write_foxpass_ssh_keys_script(apis, args.api_key)
 run_authconfig(args.ldap_uri, args.base_dn)
 configure_sssd(bind_dn, args.bind_pw, args.ldaps, args.opt_timeout)
- augment_sshd_config()
+ augment_sshd_config(args.allow_authorized_keys_file_for)
 fix_sudo(args.sudoers_group, args.require_sudoers_pw, args.update_sudoers)
 if args.enable_ldap_sudoers:
@@ -228,7 +229,23 @@ def configure_ldap_sudoers(base_dn, sudo_timed, full_refresh_interval, smart_ref
 augment_nsswitch()
-def augment_sshd_config():
+def augment_sshd_config(allow_authorized_keys_file_for):
+ if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysFile'):
+ with open('/etc/ssh/sshd_config', "a") as w:
+ w.write("\n")
+ w.write("AuthorizedKeysFile\tNone\n")
+ else:
+ os.system("sed -i 's/^AuthorizedKeysFile.*/AuthorizedKeysFile\tNone/' /etc/ssh/sshd_config")
+
+ if not file_contains('/etc/ssh/sshd_config', r'^Match User'):
+ with open('/etc/ssh/sshd_config', "a") as w:
+ w.write("\n")
+ w.write("Match User {}\n".format(allow_authorized_keys_file_for))
+ w.write("\tAuthorizedKeysFile .ssh/authorized_keys\n")
+
+ # dynamically update the Match User value
+ os.system("sed -i 's/^Match User.*/Match User {}/' /etc/ssh/sshd_config".format(allow_authorized_keys_file_for))
+
 if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysCommand\w'):
 with open('/etc/ssh/sshd_config', "a") as w:
 w.write("\n")
diff --git a/linux/debian/10/foxpass_setup.py b/linux/debian/10/foxpass_setup.py
index 1fc1b92..87b2fda 100644
--- a/linux/debian/10/foxpass_setup.py
+++ b/linux/debian/10/foxpass_setup.py
@@ -49,6 +49,7 @@ def main():
 parser.add_argument('--sudoers-group', default='foxpass-sudo', type=str, help='sudoers group with root access')
 parser.add_argument('--update-sudoers', default=False, action='store_true', help='update 95-foxpass-sudo with new group')
 parser.add_argument('--require-sudoers-pw', default=False, action='store_true', help='set sudoers default password requirement')
+ parser.add_argument('--allow-authorized-keys-file-for', default='*', type=str, help='allow authorized keys file for given user; by default all users are allowed. specify multiple users with comma.')
 parser.add_argument('--debug', default=False, action='store_true', help='Turn on debug mode')
 args = parser.parse_args()
@@ -82,7 +83,7 @@ def main():
 install_dependencies()
 write_foxpass_ssh_keys_script(apis, args.api_key)
 write_nslcd_conf(uris, args.base_dn, binddn, args.bind_pw, args.ldap_connections, args.idle_timelimit)
- augment_sshd_config()
+ augment_sshd_config(args.allow_authorized_keys_file_for)
 augment_pam()
 fix_nsswitch()
 fix_sudo(args.sudoers_group, args.require_sudoers_pw, args.update_sudoers)
@@ -228,7 +229,23 @@ def write_nslcd_conf(uris, basedn, binddn, bindpw, threads, idle_timelimit):
 bindpw=bindpw, sslstatus=sslstatus, threads=threads, idle_timelimit=idle_timelimit))
-def augment_sshd_config():
+def augment_sshd_config(allow_authorized_keys_file_for):
+ if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysFile'):
+ with open('/etc/ssh/sshd_config', "a") as w:
+ w.write("\n")
+ w.write("AuthorizedKeysFile\tNone\n")
+ else:
+ os.system("sed -i 's/^AuthorizedKeysFile.*/AuthorizedKeysFile\tNone/' /etc/ssh/sshd_config")
+
+ if not file_contains('/etc/ssh/sshd_config', r'^Match User'):
+ with open('/etc/ssh/sshd_config', "a") as w:
+ w.write("\n")
+ w.write("Match User {}\n".format(allow_authorized_keys_file_for))
+ w.write("\tAuthorizedKeysFile .ssh/authorized_keys\n")
+
+ # dynamically update the Match User value
+ os.system("sed -i 's/^Match User.*/Match User {}/' /etc/ssh/sshd_config".format(allow_authorized_keys_file_for))
+
 if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysCommand\w'):
 with open('/etc/ssh/sshd_config', "a") as w:
 w.write("\n")
diff --git a/linux/debian/9/foxpass_setup.py b/linux/debian/9/foxpass_setup.py
index 012b709..8f999bc 100644
--- a/linux/debian/9/foxpass_setup.py
+++ b/linux/debian/9/foxpass_setup.py
@@ -50,6 +50,7 @@ def main():
 parser.add_argument('--sudoers-group', default='foxpass-sudo', type=str, help='sudoers group with root access')
 parser.add_argument('--update-sudoers', default=False, action='store_true', help='update 95-foxpass-sudo with new group')
 parser.add_argument('--require-sudoers-pw', default=False, action='store_true', help='set sudoers default password requirement')
+ parser.add_argument('--allow-authorized-keys-file-for', default='*', type=str, help='allow authorized keys file for given user; by default all users are allowed. specify multiple users with comma.')
 parser.add_argument('--debug', default=False, action='store_true', help='Turn on debug mode')
 args = parser.parse_args()
@@ -83,7 +84,7 @@ def main():
 install_dependencies()
 write_foxpass_ssh_keys_script(apis, args.api_key)
 write_nslcd_conf(uris, args.base_dn, binddn, args.bind_pw, args.ldap_connections, args.idle_timelimit)
- augment_sshd_config()
+ augment_sshd_config(args.allow_authorized_keys_file_for)
 augment_pam()
 fix_nsswitch()
 fix_sudo(args.sudoers_group, args.require_sudoers_pw, args.update_sudoers)
@@ -228,8 +229,23 @@ def write_nslcd_conf(uris, basedn, binddn, bindpw, threads, idle_timelimit):
 w.write(content.format(uris='\nuri '.join(uris), basedn=basedn, binddn=binddn,
 bindpw=bindpw, sslstatus=sslstatus, threads=threads, idle_timelimit=idle_timelimit))
+def augment_sshd_config(allow_authorized_keys_file_for):
+ if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysFile'):
+ with open('/etc/ssh/sshd_config', "a") as w:
+ w.write("\n")
+ w.write("AuthorizedKeysFile\tNone\n")
+ else:
+ os.system("sed -i 's/^AuthorizedKeysFile.*/AuthorizedKeysFile\tNone/' /etc/ssh/sshd_config")
+
+ if not file_contains('/etc/ssh/sshd_config', r'^Match User'):
+ with open('/etc/ssh/sshd_config', "a") as w:
+ w.write("\n")
+ w.write("Match User {}\n".format(allow_authorized_keys_file_for))
+ w.write("\tAuthorizedKeysFile .ssh/authorized_keys\n")
+
+ # dynamically update the Match User value
+ os.system("sed -i 's/^Match User.*/Match User {}/' /etc/ssh/sshd_config".format(allow_authorized_keys_file_for))
-def augment_sshd_config():
 if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysCommand\w'):
 with open('/etc/ssh/sshd_config', "a") as w:
 w.write("\n")
diff --git a/linux/redhat/foxpass_setup.py b/linux/redhat/foxpass_setup.py
index 49e3260..f7f035b 100644
--- a/linux/redhat/foxpass_setup.py
+++ b/linux/redhat/foxpass_setup.py
@@ -47,6 +47,7 @@ def main():
 parser.add_argument('--sudoers-group', default='foxpass-sudo', type=str, help='sudoers group with root access')
 parser.add_argument('--update-sudoers', default=False, action='store_true', help='update 95-foxpass-sudo with new group')
 parser.add_argument('--require-sudoers-pw', default=False, action='store_true', help='set sudoers default password requirement')
+ parser.add_argument('--allow-authorized-keys-file-for', default='*', type=str, help='allow authorized keys file for given user; by default all users are allowed. specify multiple users with comma.')
 parser.add_argument('--opt-timeout', default=6, help='option to set the sssd opt timeout')
 parser.add_argument('--debug', default=False, action='store_true', help='Turn on debug mode')
 # Foxpass SUDOers add-on
@@ -81,7 +82,7 @@ def main():
 write_foxpass_ssh_keys_script(apis, args.api_key)
 run_authconfig(args.ldap_uri, args.base_dn)
 configure_sssd(bind_dn, args.bind_pw, args.ldaps, args.opt_timeout)
- augment_sshd_config()
+ augment_sshd_config(args.allow_authorized_keys_file_for)
 fix_sudo(args.sudoers_group, args.require_sudoers_pw, args.update_sudoers)
 if args.enable_ldap_sudoers:
@@ -228,7 +229,23 @@ def configure_ldap_sudoers(base_dn, sudo_timed, full_refresh_interval, smart_ref
 augment_nsswitch()
-def augment_sshd_config():
+def augment_sshd_config(allow_authorized_keys_file_for):
+ if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysFile'):
+ with open('/etc/ssh/sshd_config', "a") as w:
+ w.write("\n")
+ w.write("AuthorizedKeysFile\tNone\n")
+ else:
+ os.system("sed -i 's/^AuthorizedKeysFile.*/AuthorizedKeysFile\tNone/' /etc/ssh/sshd_config")
+
+ if not file_contains('/etc/ssh/sshd_config', r'^Match User'):
+ with open('/etc/ssh/sshd_config', "a") as w:
+ w.write("\n")
+ w.write("Match User {}\n".format(allow_authorized_keys_file_for))
+ w.write("\tAuthorizedKeysFile .ssh/authorized_keys\n")
+
+ # dynamically update the Match User value
+ os.system("sed -i 's/^Match User.*/Match User {}/' /etc/ssh/sshd_config".format(allow_authorized_keys_file_for))
+
 if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysCommand\w'):
 with open('/etc/ssh/sshd_config', "a") as w:
 w.write("\n")
diff --git a/linux/ubuntu/20.04/foxpass_setup.py b/linux/ubuntu/20.04/foxpass_setup.py
index 7c9c399..9760216 100644
--- a/linux/ubuntu/20.04/foxpass_setup.py
+++ b/linux/ubuntu/20.04/foxpass_setup.py
@@ -48,6 +48,7 @@ def main():
 parser.add_argument('--sudoers-group', default='foxpass-sudo', type=str, help='sudoers group with root access')
 parser.add_argument('--update-sudoers', default=False, action='store_true', help='update 95-foxpass-sudo with new group')
 parser.add_argument('--require-sudoers-pw', default=False, action='store_true', help='set sudoers default password requirement')
+ parser.add_argument('--allow-authorized-keys-file-for', default='*', type=str, help='allow authorized keys file for given user; by default all users are allowed. specify multiple users with comma.')
 parser.add_argument('--debug', default=False, action='store_true', help='Turn on debug mode')
 # Foxpass SUDOers add-on
 parser.add_argument('--enable-ldap-sudoers', default=False, action='store_true', help='Enable Foxpass SUDOers')
@@ -86,7 +87,7 @@ def main():
 install_dependencies()
 write_foxpass_ssh_keys_script(apis, args.api_key)
 write_nslcd_conf(uris, args.base_dn, binddn, args.bind_pw, args.ldap_connections, args.idle_timelimit)
- augment_sshd_config()
+ augment_sshd_config(args.allow_authorized_keys_file_for)
 augment_pam()
 fix_nsswitch()
 fix_sudo(args.sudoers_group, args.require_sudoers_pw, args.update_sudoers)
@@ -248,7 +249,23 @@ def write_nslcd_conf(uris, basedn, binddn, bindpw, threads, idle_timelimit):
 bindpw=bindpw, sslstatus=sslstatus, threads=threads, idle_timelimit=idle_timelimit))
-def augment_sshd_config():
+def augment_sshd_config(allow_authorized_keys_file_for):
+ if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysFile'):
+ with open('/etc/ssh/sshd_config', "a") as w:
+ w.write("\n")
+ w.write("AuthorizedKeysFile\tNone\n")
+ else:
+ os.system("sed -i 's/^AuthorizedKeysFile.*/AuthorizedKeysFile\tNone/' /etc/ssh/sshd_config")
+
+ if not file_contains('/etc/ssh/sshd_config', r'^Match User'):
+ with open('/etc/ssh/sshd_config', "a") as w:
+ w.write("\n")
+ w.write("Match User {}\n".format(allow_authorized_keys_file_for))
+ w.write("\tAuthorizedKeysFile .ssh/authorized_keys\n")
+
+ # dynamically update the Match User value
+ os.system("sed -i 's/^Match User.*/Match User {}/' /etc/ssh/sshd_config".format(allow_authorized_keys_file_for))
+
 if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysCommand\w'):
 with open('/etc/ssh/sshd_config', "a") as w:
 w.write("\n")