From 93ca96e6bbc5a7d99cfc88fcb2f4bf9834643e09 Mon Sep 17 00:00:00 2001
From: Bryan
Date: Fri, 16 Dec 2022 14:32:43 +0800
Subject: [PATCH 1/8] allow root authorized keys for given users
---
linux/ubuntu/20.04/foxpass_setup.py | 21 +++++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/linux/ubuntu/20.04/foxpass_setup.py b/linux/ubuntu/20.04/foxpass_setup.py
index 7c9c399..d1f01ff 100644
--- a/linux/ubuntu/20.04/foxpass_setup.py
+++ b/linux/ubuntu/20.04/foxpass_setup.py
@@ -48,6 +48,7 @@ def main():
parser.add_argument('--sudoers-group', default='foxpass-sudo', type=str, help='sudoers group with root access')
parser.add_argument('--update-sudoers', default=False, action='store_true', help='update 95-foxpass-sudo with new group')
parser.add_argument('--require-sudoers-pw', default=False, action='store_true', help='set sudoers default password requirement')
+ parser.add_argument('--allow-authorized-keys-for', default='*', type=str, help='allowed root authorized ssh keys for a given user')
parser.add_argument('--debug', default=False, action='store_true', help='Turn on debug mode')
# Foxpass SUDOers add-on
parser.add_argument('--enable-ldap-sudoers', default=False, action='store_true', help='Enable Foxpass SUDOers')
@@ -86,7 +87,7 @@ def main():
install_dependencies()
write_foxpass_ssh_keys_script(apis, args.api_key)
write_nslcd_conf(uris, args.base_dn, binddn, args.bind_pw, args.ldap_connections, args.idle_timelimit)
- augment_sshd_config()
+ augment_sshd_config(args.allow_authorized_keys_for)
augment_pam()
fix_nsswitch()
fix_sudo(args.sudoers_group, args.require_sudoers_pw, args.update_sudoers)
@@ -248,7 +249,23 @@ def write_nslcd_conf(uris, basedn, binddn, bindpw, threads, idle_timelimit):
bindpw=bindpw, sslstatus=sslstatus, threads=threads, idle_timelimit=idle_timelimit))
-def augment_sshd_config():
+def augment_sshd_config(allow_authorized_keys_for):
+ if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysFile'):
+ with open('/etc/ssh/sshd_config', "a") as w:
+ w.write("\n")
+ w.write("AuthorizedKeysFile\tnoner\n")
+ else:
+ os.system("sed -i 's/^AuthorizedKeysFile.*/AuthorizedKeysFile noner/' /etc/ssh/sshd_config")
+
+ if not file_contains('/etc/ssh/sshd_config', r'^Match User'):
+ with open('/etc/ssh/sshd_config', "a") as w:
+ w.write("\n")
+ w.write("Match User {}\n".format(allow_authorized_keys_for))
+ w.write("\tAuthorizedKeysFile ./ssh/authorized_keys\n")
+
+ # dynamically update the Match User value
+ os.system("sed -i 's/^Match User.*/Match User {}/' /etc/ssh/sshd_config".format(allow_authorized_keys_for))
+
if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysCommand\w'):
with open('/etc/ssh/sshd_config', "a") as w:
w.write("\n")
From bff80903b8ddbf73d750150f61128da3ba6f6bae Mon Sep 17 00:00:00 2001
From: Bryan
Date: Fri, 16 Dec 2022 14:37:53 +0800
Subject: [PATCH 2/8] update description
---
linux/ubuntu/20.04/foxpass_setup.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux/ubuntu/20.04/foxpass_setup.py b/linux/ubuntu/20.04/foxpass_setup.py
index d1f01ff..1852caf 100644
--- a/linux/ubuntu/20.04/foxpass_setup.py
+++ b/linux/ubuntu/20.04/foxpass_setup.py
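Review bot: The `Match User` block is appended to the end of sshd_config, but sshd treats every keyword after a `Match` line as part of that block until the next `Match` or end of file, so the `AuthorizedKeysCommand`/`AuthorizedKeysCommandUser` lines the following check appends (and the global `AuthorizedKeysFile` line, if the file already ends in a `Match Group`/`Match Address` block that the `^Match User` check does not see) end up scoped to the matched users instead of global — with a restricted list the Foxpass key command would stop applying to everyone else. The `^Match User` check plus `sed 's/^Match User.*/…'` also adopts any administrator-written `Match User` block and rewrites its criterion, and the list is interpolated unquoted into a sed script run via `os.system` whose exit status is discarded, so a value containing `/`, `&` or `'` corrupts the expression silently. The same body is copied into the patch 5 hunk, all six files of patch 7 and the patch 8 rewrite of amzn/2.0; augment_sshd_config continues past the hunk. Suggest rewriting the file in Python instead of shelling out to sed: keep global keywords before the first `Match`, and mark the Foxpass block with a comment so re-runs replace only it, as sketched below.
```python
def augment_sshd_config(allow_authorized_keys_for):
    sshd_config_file = '/etc/ssh/sshd_config'
    marker = '# Match block managed by foxpass_setup.py; edit via --allow-authorized-keys-for'
    with open(sshd_config_file) as r:
        lines = r.read().splitlines()

    # Drop the block written by a previous run (marker up to the next Match or
    # EOF) so re-runs replace it rather than stacking or sed-editing it.
    if marker in lines:
        start = lines.index(marker)
        end = next((i for i in range(start + 1, len(lines))
                    if lines[i].startswith('Match ')), len(lines))
        del lines[start:end]

    # sshd applies everything after a Match line conditionally until the next
    # Match, so global keywords must sit before the first Match block.
    first_match = next((i for i, line in enumerate(lines)
                        if line.startswith('Match ')), len(lines))
    global_part = [line for line in lines[:first_match]
                   if not line.startswith('AuthorizedKeysFile')]
    global_part.append('AuthorizedKeysFile\tnone')
    # … unchanged: AuthorizedKeysCommand / AuthorizedKeysCommandUser appended to global_part when absent …

    # Placed after any administrator Match blocks so theirs keep precedence.
    foxpass_block = [
        '',
        marker,
        'Match User {}'.format(allow_authorized_keys_for),
        '\tAuthorizedKeysFile .ssh/authorized_keys',
    ]
    with open(sshd_config_file, 'w') as w:
        w.write('\n'.join(global_part + lines[first_match:] + foxpass_block) + '\n')
```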
@@ -48,7 +48,7 @@ def main():
parser.add_argument('--sudoers-group', default='foxpass-sudo', type=str, help='sudoers group with root access')
parser.add_argument('--update-sudoers', default=False, action='store_true', help='update 95-foxpass-sudo with new group')
parser.add_argument('--require-sudoers-pw', default=False, action='store_true', help='set sudoers default password requirement')
- parser.add_argument('--allow-authorized-keys-for', default='*', type=str, help='allowed root authorized ssh keys for a given user')
+ parser.add_argument('--allow-authorized-keys-for', default='*', type=str, help='allow root authorized keys for a given user')
parser.add_argument('--debug', default=False, action='store_true', help='Turn on debug mode')
# Foxpass SUDOers add-on
parser.add_argument('--enable-ldap-sudoers', default=False, action='store_true', help='Enable Foxpass SUDOers')
From 39e555bfbe20acbe48f201b51a8242b3d72f5272 Mon Sep 17 00:00:00 2001
From: Bryan
Date: Fri, 16 Dec 2022 14:48:21 +0800
Subject: [PATCH 3/8] update description
---
linux/ubuntu/20.04/foxpass_setup.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux/ubuntu/20.04/foxpass_setup.py b/linux/ubuntu/20.04/foxpass_setup.py
index 1852caf..dfdaabd 100644
--- a/linux/ubuntu/20.04/foxpass_setup.py
+++ b/linux/ubuntu/20.04/foxpass_setup.py
@@ -48,7 +48,7 @@ def main():
parser.add_argument('--sudoers-group', default='foxpass-sudo', type=str, help='sudoers group with root access')
parser.add_argument('--update-sudoers', default=False, action='store_true', help='update 95-foxpass-sudo with new group')
parser.add_argument('--require-sudoers-pw', default=False, action='store_true', help='set sudoers default password requirement')
- parser.add_argument('--allow-authorized-keys-for', default='*', type=str, help='allow root authorized keys for a given user')
+ parser.add_argument('--allow-authorized-keys-for', default='*', type=str, help='allow authorized keys for any given user, by default all users are allowed.')
parser.add_argument('--debug', default=False, action='store_true', help='Turn on debug mode')
# Foxpass SUDOers add-on
parser.add_argument('--enable-ldap-sudoers', default=False, action='store_true', help='Enable Foxpass SUDOers')
From fa6967bbbcdc496a04a6249cd68e46b72bce9bcd Mon Sep 17 00:00:00 2001
From: Bryan
Date: Fri, 16 Dec 2022 15:07:19 +0800
Subject: [PATCH 4/8] use tab escape character
---
linux/ubuntu/20.04/foxpass_setup.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux/ubuntu/20.04/foxpass_setup.py b/linux/ubuntu/20.04/foxpass_setup.py
index dfdaabd..e6a2d49 100644
--- a/linux/ubuntu/20.04/foxpass_setup.py
+++ b/linux/ubuntu/20.04/foxpass_setup.py
@@ -255,7 +255,7 @@ def augment_sshd_config(allow_authorized_keys_for):
w.write("\n")
w.write("AuthorizedKeysFile\tnoner\n")
else:
- os.system("sed -i 's/^AuthorizedKeysFile.*/AuthorizedKeysFile noner/' /etc/ssh/sshd_config")
+ os.system("sed -i 's/^AuthorizedKeysFile.*/AuthorizedKeysFile\tnoner/' /etc/ssh/sshd_config")
if not file_contains('/etc/ssh/sshd_config', r'^Match User'):
with open('/etc/ssh/sshd_config', "a") as w:
From 29da4617e372ae15b422e4c4fe8708c24057e9c8 Mon Sep 17 00:00:00 2001
From: Bryan
Date: Fri, 30 Dec 2022 20:30:20 +0800
Subject: [PATCH 5/8] address the feedback
---
linux/ubuntu/20.04/foxpass_setup.py | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/linux/ubuntu/20.04/foxpass_setup.py b/linux/ubuntu/20.04/foxpass_setup.py
index e6a2d49..aeb4d15 100644
--- a/linux/ubuntu/20.04/foxpass_setup.py
+++ b/linux/ubuntu/20.04/foxpass_setup.py
@@ -48,7 +48,7 @@ def main():
parser.add_argument('--sudoers-group', default='foxpass-sudo', type=str, help='sudoers group with root access')
parser.add_argument('--update-sudoers', default=False, action='store_true', help='update 95-foxpass-sudo with new group')
parser.add_argument('--require-sudoers-pw', default=False, action='store_true', help='set sudoers default password requirement')
- parser.add_argument('--allow-authorized-keys-for', default='*', type=str, help='allow authorized keys for any given user, by default all users are allowed.')
+ parser.add_argument('--allow-authorized-keys-file-for', default='*', type=str, help='allow authorized keys file for given user; by default all users are allowed. specify multiple users with comma.')
parser.add_argument('--debug', default=False, action='store_true', help='Turn on debug mode')
# Foxpass SUDOers add-on
parser.add_argument('--enable-ldap-sudoers', default=False, action='store_true', help='Enable Foxpass SUDOers')
@@ -87,7 +87,7 @@ def main():
install_dependencies()
write_foxpass_ssh_keys_script(apis, args.api_key)
write_nslcd_conf(uris, args.base_dn, binddn, args.bind_pw, args.ldap_connections, args.idle_timelimit)
- augment_sshd_config(args.allow_authorized_keys_for)
+ augment_sshd_config(args.allow_authorized_keys_file_for)
augment_pam()
fix_nsswitch()
fix_sudo(args.sudoers_group, args.require_sudoers_pw, args.update_sudoers)
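Review bot: The renamed flag's help text says to "specify multiple users with comma" but not that the value is written verbatim as the sshd `Match User` argument (see this patch's augment_sshd_config hunk), which is a pattern list: `*` and `?` are wildcards and a leading `!` negates an entry, so a mistyped pattern widens rather than narrows which accounts keep a local authorized_keys file. Suggest `help='comma-separated sshd Match User pattern list (supports * and ? wildcards, ! negates) of users whose ~/.ssh/authorized_keys stays enabled; default * keeps it enabled for all users'`. The identical help string is copied into every file of patch 7.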
@@ -249,22 +249,22 @@ def write_nslcd_conf(uris, basedn, binddn, bindpw, threads, idle_timelimit):
bindpw=bindpw, sslstatus=sslstatus, threads=threads, idle_timelimit=idle_timelimit))
-def augment_sshd_config(allow_authorized_keys_for):
+def augment_sshd_config(allow_authorized_keys_file_for):
if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysFile'):
with open('/etc/ssh/sshd_config', "a") as w:
w.write("\n")
- w.write("AuthorizedKeysFile\tnoner\n")
+ w.write("AuthorizedKeysFile\tNone\n")
else:
- os.system("sed -i 's/^AuthorizedKeysFile.*/AuthorizedKeysFile\tnoner/' /etc/ssh/sshd_config")
+ os.system("sed -i 's/^AuthorizedKeysFile.*/AuthorizedKeysFile\tNone/' /etc/ssh/sshd_config")
if not file_contains('/etc/ssh/sshd_config', r'^Match User'):
with open('/etc/ssh/sshd_config', "a") as w:
w.write("\n")
- w.write("Match User {}\n".format(allow_authorized_keys_for))
+ w.write("Match User {}\n".format(allow_authorized_keys_file_for))
w.write("\tAuthorizedKeysFile ./ssh/authorized_keys\n")
# dynamically update the Match User value
- os.system("sed -i 's/^Match User.*/Match User {}/' /etc/ssh/sshd_config".format(allow_authorized_keys_for))
+ os.system("sed -i 's/^Match User.*/Match User {}/' /etc/ssh/sshd_config".format(allow_authorized_keys_file_for))
if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysCommand\w'):
with open('/etc/ssh/sshd_config', "a") as w:
From 4dd4eb8dcc268cbbdb99f7d41e2e5d274b663f3d Mon Sep 17 00:00:00 2001
From: Bryan
Date: Wed, 4 Jan 2023 11:41:48 +0800
Subject: [PATCH 6/8] relative path of the user
---
linux/ubuntu/20.04/foxpass_setup.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux/ubuntu/20.04/foxpass_setup.py b/linux/ubuntu/20.04/foxpass_setup.py
index aeb4d15..9760216 100644
--- a/linux/ubuntu/20.04/foxpass_setup.py
+++ b/linux/ubuntu/20.04/foxpass_setup.py
@@ -261,7 +261,7 @@ def augment_sshd_config(allow_authorized_keys_file_for):
with open('/etc/ssh/sshd_config', "a") as w:
w.write("\n")
w.write("Match User {}\n".format(allow_authorized_keys_file_for))
- w.write("\tAuthorizedKeysFile ./ssh/authorized_keys\n")
+ w.write("\tAuthorizedKeysFile .ssh/authorized_keys\n")
# dynamically update the Match User value
os.system("sed -i 's/^Match User.*/Match User {}/' /etc/ssh/sshd_config".format(allow_authorized_keys_file_for))
From a958240cfbe07a41e8e66733bf1ad9fc4991cda6 Mon Sep 17 00:00:00 2001
From: Bryan
Date: Fri, 6 Jan 2023 14:23:34 +0800
Subject: [PATCH 7/8] implement authorized keys file for in other distros
---
linux/amzn/2.0/foxpass_setup.py | 39 ++++++++++++++++++++------------
linux/centos/7/foxpass_setup.py | 21 +++++++++++++++--
linux/centos/8/foxpass_setup.py | 21 +++++++++++++++--
linux/debian/10/foxpass_setup.py | 21 +++++++++++++++--
linux/debian/9/foxpass_setup.py | 20 ++++++++++++++--
linux/redhat/foxpass_setup.py | 21 +++++++++++++++--
6 files changed, 118 insertions(+), 25 deletions(-)
diff --git a/linux/amzn/2.0/foxpass_setup.py b/linux/amzn/2.0/foxpass_setup.py
index b5a509f..9c5276e 100644
--- a/linux/amzn/2.0/foxpass_setup.py
+++ b/linux/amzn/2.0/foxpass_setup.py
@@ -46,8 +46,8 @@ def main():
parser.add_argument('--secondary-api', dest='apis', default=[], action='append', help='Secondary API Server(s)')
parser.add_argument('--sudoers-group', default='foxpass-sudo', type=str, help='sudoers group with root access')
parser.add_argument('--update-sudoers', default=False, action='store_true', help='update 95-foxpass-sudo with new group')
- parser.add_argument('--keep-command', default=False, action='store_true', help='Do not replace sshd key command')
parser.add_argument('--require-sudoers-pw', default=False, action='store_true', help='set sudoers default password requirement')
+ parser.add_argument('--allow-authorized-keys-file-for', default='*', type=str, help='allow authorized keys file for given user; by default all users are allowed. specify multiple users with comma.')
parser.add_argument('--opt-timeout', default=6, help='option to set the sssd opt timeout')
parser.add_argument('--debug', default=False, action='store_true', help='Turn on debug mode')
# Foxpass SUDOers add-on
@@ -82,7 +82,7 @@ def main():
write_foxpass_ssh_keys_script(apis, args.api_key)
run_authconfig(args.ldap_uri, args.base_dn)
configure_sssd(bind_dn, args.bind_pw, args.ldaps, args.opt_timeout)
- augment_sshd_config(args.keep_command)
+ augment_sshd_config(args.allow_authorized_keys_file_for)
fix_sudo(args.sudoers_group, args.require_sudoers_pw, args.update_sudoers)
if args.enable_ldap_sudoers:
@@ -170,7 +170,7 @@ def write_foxpass_ssh_keys_script(apis, api_key):
def run_authconfig(uri, base_dn):
cmd = 'authconfig --enablesssd --enablesssdauth --enablelocauthorize --enableldap --enableldapauth --ldapserver={uri} --disableldaptls --ldapbasedn={base_dn} --enablemkhomedir --enablecachecreds --update'.format(uri=uri, base_dn=base_dn)
- print 'Running %s' % cmd
+ print('Running {}'.format(cmd))
os.system(cmd)
@@ -224,19 +224,28 @@ def configure_ldap_sudoers(base_dn, sudo_timed, full_refresh_interval, smart_ref
augment_nsswitch()
-def augment_sshd_config(keep_command):
- sshd_config_file = '/etc/ssh/sshd_config'
- key_command = 'AuthorizedKeysCommand\t\t/usr/local/sbin/foxpass_ssh_keys.sh\n'
- key_command_user = 'AuthorizedKeysCommandUser\troot\n'
- if not file_contains(sshd_config_file, r'^AuthorizedKeysCommand\w'):
- write_authorizedkeyscommand(sshd_config_file, key_command, key_command_user)
- elif not keep_command:
- if not file_contains(sshd_config_file, r'^AuthorizedKeysCommand\t\t/usr/local/sbin/foxpass_ssh_keys\.sh$'):
- clean_authorizedkeyscommand(sshd_config_file)
- write_authorizedkeyscommand(sshd_config_file, key_command, key_command_user)
+def augment_sshd_config(allow_authorized_keys_file_for):
+ if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysFile'):
+ with open('/etc/ssh/sshd_config', "a") as w:
+ w.write("\n")
+ w.write("AuthorizedKeysFile\tNone\n")
else:
- print 'AuthorizedKeysCommand already set, will not use Foxpass for ssh key verification'
- return
+ os.system("sed -i 's/^AuthorizedKeysFile.*/AuthorizedKeysFile\tNone/' /etc/ssh/sshd_config")
+
+ if not file_contains('/etc/ssh/sshd_config', r'^Match User'):
+ with open('/etc/ssh/sshd_config', "a") as w:
+ w.write("\n")
+ w.write("Match User {}\n".format(allow_authorized_keys_file_for))
+ w.write("\tAuthorizedKeysFile .ssh/authorized_keys\n")
+
+ # dynamically update the Match User value
+ os.system("sed -i 's/^Match User.*/Match User {}/' /etc/ssh/sshd_config".format(allow_authorized_keys_file_for))
+
+ if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysCommand\w'):
+ with open('/etc/ssh/sshd_config', "a") as w:
+ w.write("\n")
+ w.write("AuthorizedKeysCommand\t\t/usr/local/sbin/foxpass_ssh_keys.sh\n")
+ w.write("AuthorizedKeysCommandUser\troot\n")
def augment_openldap(bind_dn):
diff --git a/linux/centos/7/foxpass_setup.py b/linux/centos/7/foxpass_setup.py
index cb78105..2edefd0 100644
--- a/linux/centos/7/foxpass_setup.py
+++ b/linux/centos/7/foxpass_setup.py
@@ -47,6 +47,7 @@ def main():
parser.add_argument('--sudoers-group', default='foxpass-sudo', type=str, help='sudoers group with root access')
parser.add_argument('--update-sudoers', default=False, action='store_true', help='update 95-foxpass-sudo with new group')
parser.add_argument('--require-sudoers-pw', default=False, action='store_true', help='set sudoers default password requirement')
+ parser.add_argument('--allow-authorized-keys-file-for', default='*', type=str, help='allow authorized keys file for given user; by default all users are allowed. specify multiple users with comma.')
parser.add_argument('--opt-timeout', default=6, help='option to set the sssd opt timeout')
parser.add_argument('--debug', default=False, action='store_true', help='Turn on debug mode')
# Foxpass SUDOers add-on
@@ -81,7 +82,7 @@ def main():
write_foxpass_ssh_keys_script(apis, args.api_key)
run_authconfig(args.ldap_uri, args.base_dn)
configure_sssd(bind_dn, args.bind_pw, args.ldaps, args.opt_timeout)
- augment_sshd_config()
+ augment_sshd_config(args.allow_authorized_keys_file_for)
fix_sudo(args.sudoers_group, args.require_sudoers_pw, args.update_sudoers)
if args.enable_ldap_sudoers:
@@ -223,7 +224,23 @@ def configure_ldap_sudoers(base_dn, sudo_timed, full_refresh_interval, smart_ref
augment_nsswitch()
-def augment_sshd_config():
+def augment_sshd_config(allow_authorized_keys_file_for):
+ if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysFile'):
+ with open('/etc/ssh/sshd_config', "a") as w:
+ w.write("\n")
+ w.write("AuthorizedKeysFile\tNone\n")
+ else:
+ os.system("sed -i 's/^AuthorizedKeysFile.*/AuthorizedKeysFile\tNone/' /etc/ssh/sshd_config")
+
+ if not file_contains('/etc/ssh/sshd_config', r'^Match User'):
+ with open('/etc/ssh/sshd_config', "a") as w:
+ w.write("\n")
+ w.write("Match User {}\n".format(allow_authorized_keys_file_for))
+ w.write("\tAuthorizedKeysFile .ssh/authorized_keys\n")
+
+ # dynamically update the Match User value
+ os.system("sed -i 's/^Match User.*/Match User {}/' /etc/ssh/sshd_config".format(allow_authorized_keys_file_for))
+
if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysCommand\w'):
with open('/etc/ssh/sshd_config', "a") as w:
w.write("\n")
diff --git a/linux/centos/8/foxpass_setup.py b/linux/centos/8/foxpass_setup.py
index 2fbabe4..f5e7d1e 100644
--- a/linux/centos/8/foxpass_setup.py
+++ b/linux/centos/8/foxpass_setup.py
@@ -47,6 +47,7 @@ def main():
parser.add_argument('--sudoers-group', default='foxpass-sudo', type=str, help='sudoers group with root access')
parser.add_argument('--update-sudoers', default=False, action='store_true', help='update 95-foxpass-sudo with new group')
parser.add_argument('--require-sudoers-pw', default=False, action='store_true', help='set sudoers default password requirement')
+ parser.add_argument('--allow-authorized-keys-file-for', default='*', type=str, help='allow authorized keys file for given user; by default all users are allowed. specify multiple users with comma.')
parser.add_argument('--opt-timeout', default=6, help='option to set the sssd opt timeout')
parser.add_argument('--debug', default=False, action='store_true', help='Turn on debug mode')
# Foxpass SUDOers add-on
@@ -81,7 +82,7 @@ def main():
write_foxpass_ssh_keys_script(apis, args.api_key)
run_authconfig(args.ldap_uri, args.base_dn)
configure_sssd(bind_dn, args.bind_pw, args.ldaps, args.opt_timeout)
- augment_sshd_config()
+ augment_sshd_config(args.allow_authorized_keys_file_for)
fix_sudo(args.sudoers_group, args.require_sudoers_pw, args.update_sudoers)
if args.enable_ldap_sudoers:
@@ -228,7 +229,23 @@ def configure_ldap_sudoers(base_dn, sudo_timed, full_refresh_interval, smart_ref
augment_nsswitch()
-def augment_sshd_config():
+def augment_sshd_config(allow_authorized_keys_file_for):
+ if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysFile'):
+ with open('/etc/ssh/sshd_config', "a") as w:
+ w.write("\n")
+ w.write("AuthorizedKeysFile\tNone\n")
+ else:
+ os.system("sed -i 's/^AuthorizedKeysFile.*/AuthorizedKeysFile\tNone/' /etc/ssh/sshd_config")
+
+ if not file_contains('/etc/ssh/sshd_config', r'^Match User'):
+ with open('/etc/ssh/sshd_config', "a") as w:
+ w.write("\n")
+ w.write("Match User {}\n".format(allow_authorized_keys_file_for))
+ w.write("\tAuthorizedKeysFile .ssh/authorized_keys\n")
+
+ # dynamically update the Match User value
+ os.system("sed -i 's/^Match User.*/Match User {}/' /etc/ssh/sshd_config".format(allow_authorized_keys_file_for))
+
if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysCommand\w'):
with open('/etc/ssh/sshd_config', "a") as w:
w.write("\n")
diff --git a/linux/debian/10/foxpass_setup.py b/linux/debian/10/foxpass_setup.py
index 1fc1b92..87b2fda 100644
--- a/linux/debian/10/foxpass_setup.py
+++ b/linux/debian/10/foxpass_setup.py
@@ -49,6 +49,7 @@ def main():
parser.add_argument('--sudoers-group', default='foxpass-sudo', type=str, help='sudoers group with root access')
parser.add_argument('--update-sudoers', default=False, action='store_true', help='update 95-foxpass-sudo with new group')
parser.add_argument('--require-sudoers-pw', default=False, action='store_true', help='set sudoers default password requirement')
+ parser.add_argument('--allow-authorized-keys-file-for', default='*', type=str, help='allow authorized keys file for given user; by default all users are allowed. specify multiple users with comma.')
parser.add_argument('--debug', default=False, action='store_true', help='Turn on debug mode')
args = parser.parse_args()
@@ -82,7 +83,7 @@ def main():
install_dependencies()
write_foxpass_ssh_keys_script(apis, args.api_key)
write_nslcd_conf(uris, args.base_dn, binddn, args.bind_pw, args.ldap_connections, args.idle_timelimit)
- augment_sshd_config()
+ augment_sshd_config(args.allow_authorized_keys_file_for)
augment_pam()
fix_nsswitch()
fix_sudo(args.sudoers_group, args.require_sudoers_pw, args.update_sudoers)
@@ -228,7 +229,23 @@ def write_nslcd_conf(uris, basedn, binddn, bindpw, threads, idle_timelimit):
bindpw=bindpw, sslstatus=sslstatus, threads=threads, idle_timelimit=idle_timelimit))
-def augment_sshd_config():
+def augment_sshd_config(allow_authorized_keys_file_for):
+ if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysFile'):
+ with open('/etc/ssh/sshd_config', "a") as w:
+ w.write("\n")
+ w.write("AuthorizedKeysFile\tNone\n")
+ else:
+ os.system("sed -i 's/^AuthorizedKeysFile.*/AuthorizedKeysFile\tNone/' /etc/ssh/sshd_config")
+
+ if not file_contains('/etc/ssh/sshd_config', r'^Match User'):
+ with open('/etc/ssh/sshd_config', "a") as w:
+ w.write("\n")
+ w.write("Match User {}\n".format(allow_authorized_keys_file_for))
+ w.write("\tAuthorizedKeysFile .ssh/authorized_keys\n")
+
+ # dynamically update the Match User value
+ os.system("sed -i 's/^Match User.*/Match User {}/' /etc/ssh/sshd_config".format(allow_authorized_keys_file_for))
+
if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysCommand\w'):
with open('/etc/ssh/sshd_config', "a") as w:
w.write("\n")
diff --git a/linux/debian/9/foxpass_setup.py b/linux/debian/9/foxpass_setup.py
index 012b709..8f999bc 100644
--- a/linux/debian/9/foxpass_setup.py
+++ b/linux/debian/9/foxpass_setup.py
@@ -50,6 +50,7 @@ def main():
parser.add_argument('--sudoers-group', default='foxpass-sudo', type=str, help='sudoers group with root access')
parser.add_argument('--update-sudoers', default=False, action='store_true', help='update 95-foxpass-sudo with new group')
parser.add_argument('--require-sudoers-pw', default=False, action='store_true', help='set sudoers default password requirement')
+ parser.add_argument('--allow-authorized-keys-file-for', default='*', type=str, help='allow authorized keys file for given user; by default all users are allowed. specify multiple users with comma.')
parser.add_argument('--debug', default=False, action='store_true', help='Turn on debug mode')
args = parser.parse_args()
@@ -83,7 +84,7 @@ def main():
install_dependencies()
write_foxpass_ssh_keys_script(apis, args.api_key)
write_nslcd_conf(uris, args.base_dn, binddn, args.bind_pw, args.ldap_connections, args.idle_timelimit)
- augment_sshd_config()
+ augment_sshd_config(args.allow_authorized_keys_file_for)
augment_pam()
fix_nsswitch()
fix_sudo(args.sudoers_group, args.require_sudoers_pw, args.update_sudoers)
@@ -228,8 +229,23 @@ def write_nslcd_conf(uris, basedn, binddn, bindpw, threads, idle_timelimit):
w.write(content.format(uris='\nuri '.join(uris), basedn=basedn, binddn=binddn,
bindpw=bindpw, sslstatus=sslstatus, threads=threads, idle_timelimit=idle_timelimit))
+def augment_sshd_config(allow_authorized_keys_file_for):
+ if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysFile'):
+ with open('/etc/ssh/sshd_config', "a") as w:
+ w.write("\n")
+ w.write("AuthorizedKeysFile\tNone\n")
+ else:
+ os.system("sed -i 's/^AuthorizedKeysFile.*/AuthorizedKeysFile\tNone/' /etc/ssh/sshd_config")
+
+ if not file_contains('/etc/ssh/sshd_config', r'^Match User'):
+ with open('/etc/ssh/sshd_config', "a") as w:
+ w.write("\n")
+ w.write("Match User {}\n".format(allow_authorized_keys_file_for))
+ w.write("\tAuthorizedKeysFile .ssh/authorized_keys\n")
+
+ # dynamically update the Match User value
+ os.system("sed -i 's/^Match User.*/Match User {}/' /etc/ssh/sshd_config".format(allow_authorized_keys_file_for))
-def augment_sshd_config():
if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysCommand\w'):
with open('/etc/ssh/sshd_config', "a") as w:
w.write("\n")
diff --git a/linux/redhat/foxpass_setup.py b/linux/redhat/foxpass_setup.py
index 49e3260..f7f035b 100644
--- a/linux/redhat/foxpass_setup.py
+++ b/linux/redhat/foxpass_setup.py
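Review bot: With the old `def augment_sshd_config():` line removed, the new `os.system(...)` sed call now runs straight into the pre-existing `if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysCommand\w'):` check with no separating blank line, whereas the five other files in this commit add one; adding the blank `+` line keeps the six copies identical and diffable against each other. The function body continues past the hunk.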
@@ -47,6 +47,7 @@ def main():
parser.add_argument('--sudoers-group', default='foxpass-sudo', type=str, help='sudoers group with root access')
parser.add_argument('--update-sudoers', default=False, action='store_true', help='update 95-foxpass-sudo with new group')
parser.add_argument('--require-sudoers-pw', default=False, action='store_true', help='set sudoers default password requirement')
+ parser.add_argument('--allow-authorized-keys-file-for', default='*', type=str, help='allow authorized keys file for given user; by default all users are allowed. specify multiple users with comma.')
parser.add_argument('--opt-timeout', default=6, help='option to set the sssd opt timeout')
parser.add_argument('--debug', default=False, action='store_true', help='Turn on debug mode')
# Foxpass SUDOers add-on
@@ -81,7 +82,7 @@ def main():
write_foxpass_ssh_keys_script(apis, args.api_key)
run_authconfig(args.ldap_uri, args.base_dn)
configure_sssd(bind_dn, args.bind_pw, args.ldaps, args.opt_timeout)
- augment_sshd_config()
+ augment_sshd_config(args.allow_authorized_keys_file_for)
fix_sudo(args.sudoers_group, args.require_sudoers_pw, args.update_sudoers)
if args.enable_ldap_sudoers:
@@ -228,7 +229,23 @@ def configure_ldap_sudoers(base_dn, sudo_timed, full_refresh_interval, smart_ref
augment_nsswitch()
-def augment_sshd_config():
+def augment_sshd_config(allow_authorized_keys_file_for):
+ if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysFile'):
+ with open('/etc/ssh/sshd_config', "a") as w:
+ w.write("\n")
+ w.write("AuthorizedKeysFile\tNone\n")
+ else:
+ os.system("sed -i 's/^AuthorizedKeysFile.*/AuthorizedKeysFile\tNone/' /etc/ssh/sshd_config")
+
+ if not file_contains('/etc/ssh/sshd_config', r'^Match User'):
+ with open('/etc/ssh/sshd_config', "a") as w:
+ w.write("\n")
+ w.write("Match User {}\n".format(allow_authorized_keys_file_for))
+ w.write("\tAuthorizedKeysFile .ssh/authorized_keys\n")
+
+ # dynamically update the Match User value
+ os.system("sed -i 's/^Match User.*/Match User {}/' /etc/ssh/sshd_config".format(allow_authorized_keys_file_for))
+
if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysCommand\w'):
with open('/etc/ssh/sshd_config', "a") as w:
w.write("\n")
From d48ed1ff83ab6aacd7ee3197a3b0fdfbb0208b9f Mon Sep 17 00:00:00 2001
From: Bryan
Date: Mon, 9 Jan 2023 15:50:57 +0800
Subject: [PATCH 8/8] amazon linux 2 fixes
---
linux/amzn/2.0/foxpass_setup.py | 34 +++++++++++++++++++++++-------------
1 file changed, 21 insertions(+), 13 deletions(-)
diff --git a/linux/amzn/2.0/foxpass_setup.py b/linux/amzn/2.0/foxpass_setup.py
index 9c5276e..1e308c5 100644
--- a/linux/amzn/2.0/foxpass_setup.py
+++ b/linux/amzn/2.0/foxpass_setup.py
@@ -46,6 +46,7 @@ def main():
parser.add_argument('--secondary-api', dest='apis', default=[], action='append', help='Secondary API Server(s)')
parser.add_argument('--sudoers-group', default='foxpass-sudo', type=str, help='sudoers group with root access')
parser.add_argument('--update-sudoers', default=False, action='store_true', help='update 95-foxpass-sudo with new group')
+ parser.add_argument('--keep-command', default=False, action='store_true', help='Do not replace sshd key command')
parser.add_argument('--require-sudoers-pw', default=False, action='store_true', help='set sudoers default password requirement')
parser.add_argument('--allow-authorized-keys-file-for', default='*', type=str, help='allow authorized keys file for given user; by default all users are allowed. specify multiple users with comma.')
parser.add_argument('--opt-timeout', default=6, help='option to set the sssd opt timeout')
@@ -82,7 +83,7 @@ def main():
write_foxpass_ssh_keys_script(apis, args.api_key)
run_authconfig(args.ldap_uri, args.base_dn)
configure_sssd(bind_dn, args.bind_pw, args.ldaps, args.opt_timeout)
- augment_sshd_config(args.allow_authorized_keys_file_for)
+ augment_sshd_config(args.keep_command, args.allow_authorized_keys_file_for)
fix_sudo(args.sudoers_group, args.require_sudoers_pw, args.update_sudoers)
if args.enable_ldap_sudoers:
@@ -224,28 +225,35 @@ def configure_ldap_sudoers(base_dn, sudo_timed, full_refresh_interval, smart_ref
augment_nsswitch()
-def augment_sshd_config(allow_authorized_keys_file_for):
- if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysFile'):
+def augment_sshd_config(keep_command, allow_authorized_keys_file_for):
+ sshd_config_file = '/etc/ssh/sshd_config'
+
+ if not file_contains(sshd_config_file, r'^AuthorizedKeysFile'):
with open('/etc/ssh/sshd_config', "a") as w:
w.write("\n")
w.write("AuthorizedKeysFile\tNone\n")
else:
- os.system("sed -i 's/^AuthorizedKeysFile.*/AuthorizedKeysFile\tNone/' /etc/ssh/sshd_config")
+ os.system("sed -i 's/^AuthorizedKeysFile.*/AuthorizedKeysFile\tNone/' {}".format(sshd_config_file))
- if not file_contains('/etc/ssh/sshd_config', r'^Match User'):
- with open('/etc/ssh/sshd_config', "a") as w:
+ if not file_contains(sshd_config_file, r'^Match User'):
+ with open(sshd_config_file, "a") as w:
w.write("\n")
w.write("Match User {}\n".format(allow_authorized_keys_file_for))
w.write("\tAuthorizedKeysFile .ssh/authorized_keys\n")
# dynamically update the Match User value
- os.system("sed -i 's/^Match User.*/Match User {}/' /etc/ssh/sshd_config".format(allow_authorized_keys_file_for))
-
- if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysCommand\w'):
- with open('/etc/ssh/sshd_config', "a") as w:
- w.write("\n")
- w.write("AuthorizedKeysCommand\t\t/usr/local/sbin/foxpass_ssh_keys.sh\n")
- w.write("AuthorizedKeysCommandUser\troot\n")
+ os.system("sed -i 's/^Match User.*/Match User {}/' {}".format(allow_authorized_keys_file_for, sshd_config_file))
+
+ key_command = 'AuthorizedKeysCommand\t\t/usr/local/sbin/foxpass_ssh_keys.sh\n'
+ key_command_user = 'AuthorizedKeysCommandUser\troot\n'
+ if not file_contains(sshd_config_file, r'^AuthorizedKeysCommand\w'):
+ write_authorizedkeyscommand(sshd_config_file, key_command, key_command_user)
+ elif not keep_command:
+ if not file_contains(sshd_config_file,
r'^AuthorizedKeysCommand\t\t/usr/local/sbin/foxpass_ssh_keys\.sh$'):
+ clean_authorizedkeyscommand(sshd_config_file)
+ write_authorizedkeyscommand(sshd_config_file, key_command, key_command_user)
+ else:
+ print('AuthorizedKeysCommand already set, will not use Foxpass for ssh key verification')
def augment_openldap(bind_dn):
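Review bot: `sshd_config_file` is introduced at the top of the function but the first branch still opens the literal `'/etc/ssh/sshd_config'`, so the new name does not yet cover every access; change it to `with open(sshd_config_file, "a") as w:`. The two `os.system(...)` sed calls still discard their exit status, so a failed in-place edit (read-only filesystem, sed missing) is silently followed by the `write_authorizedkeyscommand` path; checking the return value, or replacing them with a Python read/rewrite of the file, would surface that. `write_authorizedkeyscommand` and `clean_authorizedkeyscommand` are called but defined outside the hunk, so their handling of the Match block ordering cannot be judged here.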