Diffstat (limited to 'scripts')
-rwxr-xr-x | scripts/install-system | 40 | ||||
-rwxr-xr-x | scripts/quick-install | 4 | ||||
-rwxr-xr-x | scripts/rl-system.init | 34 | ||||
-rwxr-xr-x | scripts/standalone_root_pw_reset | 27 | ||||
-rwxr-xr-x | scripts/system/vyatta_update_login.pl | 178 | ||||
-rwxr-xr-x | scripts/vyatta-grub-setup | 18 | ||||
-rwxr-xr-x | scripts/vyatta_net_name | 2 |
7 files changed, 192 insertions, 111 deletions
diff --git a/scripts/install-system b/scripts/install-system index b941d9b6..65a31571 100755 --- a/scripts/install-system +++ b/scripts/install-system @@ -52,7 +52,7 @@ rootfsdir=/mnt/rootfs # install log file name INSTALL_LOG="install.log" # root partition minimum size in MB -ROOT_MIN="450" +ROOT_MIN=500 # the base install drive e.g. sda if [ -n "$INSTALL_DRIVE" ]; then INSTALL_DRIVE="" @@ -75,9 +75,6 @@ PARTITION='' # Process ID of this script for the lame marketing spinner SPID=$$ -# Path to standalone root password reset script -PWRESET=/opt/vyatta/sbin/standalone_root_pw_reset - # Grub options GRUB_OPTIONS="quiet" @@ -85,20 +82,6 @@ GRUB_OPTIONS="quiet" VTY_CONSOLE="console=ttyS0,9600 console=tty0" SERIAL_CONSOLE="console=tty0 console=ttyS0,9600" -# If VGA_LOGO is set, enable use of the VGA monitor for displaying the -# logo during boot. The "vga=" boot command specifies a VGA mode that -# is encoded as shown below. We pick a value that is likely to work -# on most systems: -# -# Color depth | 640x480 | 800x600 | 1024x768 | 1280x1024 -# -----------------+---------+---------+----------+---------- -# 256 (8bit) | 769 771 773 775 -# 32000 (15bit) | 784 787 790 793 -# 65000 (16bit) | 785 788 791 794 -# 16.7 Mill.(24bit)| 786 789 792 795 -# -VGA_LOGO="vga=788" - # trap signals so we can kill runaway progress indicators trap 'progress_indicator stop; exit 1' 1 trap 'progress_indicator stop; exit 1' 2 @@ -771,7 +754,7 @@ install_root_filesystem () { echo "Unable to read filesystem UUID. Exiting." exit 1 else - echo -e "UUID=$uuid\t/\text3\tdefaults\t0 1" >> $rootfsdir/etc/fstab + echo -e "UUID=$uuid\t/\text3\tnoatime\t0 1" >> $rootfsdir/etc/fstab fi #setup the hostname file 
@@ -888,17 +871,6 @@ change_password() { set_encrypted_password $user $epwd $rootfsdir$ofrconfdir/config.boot } -system_setup () { - echo -n "Would you like to set the passwords for system users (Yes/No) [Yes]: " - local response=$(get_response "Yes" "Yes No Y N") - - if [ "$response" == "yes" ] || [ "$response" == "y" ]; then - change_password root - change_password vyatta - fi -} - - # setup grub on the boot sector of a user queried drive install_grub () { # we now use INSTALL_DRIVE to reference the grub boot drive. @@ -1033,7 +1005,7 @@ setup_method_auto() { lsize=$(get_drive_size "$INSTALL_DRIVE") total=$ROOT_MIN if [ "$total" -gt "$lsize" ]; then - echo "Unfortunately, the OFR requires a total of at least $total"MB" to properly install." + echo "Unfortunately, Vyatta requires a total of at least $total"MB" to properly install." echo "$INSTALL_DRIVE is below the minimum required capacity and therefore, cannot be used to" echo -e "complete the installation.\n" echo "If other drives are present" @@ -1314,7 +1286,11 @@ copy_config "$CONFIG_PARTITION" # Modify config to match system # Assume user wants to keep password from old config if [ ! -d /mnt/config ]; then - system_setup + # Disable root login + set_encrypted_password root "*" $rootfsdir$ofrconfdir/config.boot + + echo "Enter password for administrator account" + change_password vyatta fi # check for xen part images in /var/xen diff --git a/scripts/quick-install b/scripts/quick-install index 347cafd2..82475cb1 100755 --- a/scripts/quick-install +++ b/scripts/quick-install 
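Review bot: The root lock `set_encrypted_password root "*" $rootfsdir$ofrconfdir/config.boot` sits inside `if [ ! -d /mnt/config ]`, so an install that keeps an existing configuration leaves whatever root password that configuration carried, and direct root login stays possible on that path. If the intent is that root can never log in after an install, the lock has to run outside the conditional, or the kept-config path should at least tell the operator that the old root credential is still active. The result of `change_password vyatta` is not checked either; its body is outside this hunk, so confirm it cannot return with the account's previous password still in place.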
@@ -571,7 +571,7 @@ install_grub () { # set serial console options echo -e "serial --unit=0 --speed=9600\nterminal --timeout=5 console serial\n\n" >> $grub_file # set primary boot option - echo -e "title Vyatta OFR\n\troot $root" >> $grub_file + echo -e "title Vyatta\n\troot $root" >> $grub_file echo -en "\tkernel /boot/vmlinuz root=/dev/$ROOT_PARTITION $ISCF console=ttyS0,9600 console=tty0\n" >> $grub_file echo -e "\tinitrd /boot/initrd.img" >> $grub_file @@ -675,7 +675,7 @@ setup_method_auto() { lsize=$(get_drive_size "$INSTALL_DRIVE") total=$(($ROOT_MIN + $CONFIG_MIN)) if [ "$total" -gt "$lsize" ]; then - echo "Unfortunately, the OFR requires a total of at least $total"MB" to properly install." + echo "Unfortunately, Vyatta requires a total of at least $total"MB" to properly install." echo "$INSTALL_DRIVE is below the minimum required capacity and therefore, cannot be used to" echo -e "complete the installation.\n" echo "If other drives are present" diff --git a/scripts/rl-system.init b/scripts/rl-system.init index 5391d409..0570924f 100755 --- a/scripts/rl-system.init +++ b/scripts/rl-system.init @@ -53,10 +53,16 @@ syslog () logger -p user.warning -t "$progname" "$*" } +# easy way to make empty file without any command +empty() +{ + >$1 +} + shopt -s extglob nullglob search_config_if_wan () { - grep "\<serial\>.*\<$1\>" $BOOTFILE >/dev/null + grep -q "\<serial\>.*\<$1\>" $BOOTFILE } add_new_serial_if () { @@ -85,23 +91,11 @@ update_version_info () { fi } -## Clear out apt config file--it will be filled in by rtrmgr -clear_apt_config() -{ - cat /dev/null >/etc/apt/sources.list || true -} - ## snmp should be a separate package, ## but for now load the kernel module here add_snmp_stats_module() { - modprobe ipt_rlsnmpstats || true -} - -set_reboot_on_panic() -{ - echo 1 > /proc/sys/kernel/panic_on_oops - echo 60 > /proc/sys/kernel/panic + modprobe ipt_rlsnmpstats & } clear_or_override_config_files () 
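Review bot: In the new `empty()` helper in scripts/rl-system.init the redirect target is unquoted, so an argument containing whitespace or a glob character either fails with an ambiguous redirect or truncates a file other than the one named. `>"$1"` (or `: >"$1"`) avoids that. In the same hunk `search_config_if_wan` still interpolates `$1` into the grep pattern and leaves `$BOOTFILE` unquoted; `grep -q -- "\<serial\>.*\<$1\>" "$BOOTFILE"` is the safer spelling. The callers are outside this hunk, so whether anything other than an interface name can reach `$1` is not visible here.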
@@ -111,11 +105,9 @@ clear_or_override_config_files () ipvsadm.rules default/ipvsadm resolv.conf do if [ -f /etc/$conf ] ; then - cat /dev/null > /etc/$conf || true + empty /etc/$conf fi done - # ssh v1. remove the empty key file - rm -f /etc/ssh/ssh_host_key } udev_rescan () @@ -151,19 +143,19 @@ create_ssh_host_keys () { start () { udev_rescan + add_snmp_stats_module create_ssh_host_keys || \ log_failure_msg "can't initialize ssh host keys" clear_or_override_config_files || \ log_failure_msg "can\'t reset config files" - set_reboot_on_panic || \ - log_failure_msg "can\'t set reboot on panic" add_new_serial_if || \ log_failure_msg "can\'t add serial interfaces" sysctl -q -p /opt/vyatta/etc/vyatta-sysctl.conf || log_failure_msg "can\'t configure kernel settings" update_version_info - clear_apt_config - add_snmp_stats_module + + ## Clear out apt config file--it will be filled in by rtrmgr + empty /etc/apt/sources.list } case "$ACTION" in diff --git a/scripts/standalone_root_pw_reset b/scripts/standalone_root_pw_reset index d089b50d..b75d19df 100755 --- a/scripts/standalone_root_pw_reset +++ b/scripts/standalone_root_pw_reset @@ -14,7 +14,7 @@ # All Rights Reserved. # # Author: Bob Gilligan <gilligan@vyatta.com> -# Description: Standalone script to set the root passwd to new value +# Description: Standalone script to set the admin passwd to new value # value. Note: This script can ONLY be run as a standalone # init program by grub. # @@ -23,9 +23,11 @@ # The Vyatta config file: CF=/opt/vyatta/etc/config/config.boot +# Admin user name +ADMIN=vyatta set_encrypted_password() { sed -i \ - -e "/ user $1 {/,/}/s/encrypted-password.*\$/encrypted-password \"$2\"/" $3 + -e "/ user $1 {/,/}/s/encrypted-password .*\$/encrypted-password \"$2\"/" $3 } change_password() { 
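Review bot: With `set_reboot_on_panic` dropped from `start`, nothing visible in this diff writes `/proc/sys/kernel/panic_on_oops` or `/proc/sys/kernel/panic` any more. Unless `/opt/vyatta/etc/vyatta-sysctl.conf` (not part of this change) carries the equivalent `kernel.panic_on_oops = 1` and `kernel.panic = 60`, a kernel oops now leaves the router hung instead of rebooting after 60 seconds. Please confirm the sysctl file covers both values, or keep the function. `empty /etc/apt/sources.list` also lost the `|| true` that `clear_apt_config` had; if the script runs under `set -e` (not visible here), a failed truncation would now abort `start`.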
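Review bot: `set_encrypted_password` in scripts/standalone_root_pw_reset pastes `$2` into a sed `s/…/…/` command whose delimiter is `/`, and crypt(3) hashes use an alphabet that includes `/`. A hash containing a slash therefore ends the replacement early and sed fails, leaving the old password in the file, unless `change_password` (its body is outside this hunk) escapes the value first. A delimiter that cannot occur in a hash avoids this: `-e "/ user $1 {/,/}/s|encrypted-password .*\$|encrypted-password \"$2\"|" "$3"`. scripts/install-system calls a function of the same name, so its definition deserves the same check.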
@@ -65,18 +67,18 @@ fi # OK, now we know we are running in standalone mode. Talk to the # user. # -read -p "Do you wish to change the root password? " response +echo "Do you wish to reset the admin password?" +read response response=${response:0:1} - if [ "$response" != "y" -a "$response" != "Y" ]; then - echo "OK, the root password will not be changed." + echo "OK, the admin password will not be reset." echo -n "Rebooting in 5 seconds..." sleep 5 echo /sbin/reboot -f fi -echo "Starting process to change the root password..." +echo "Starting process to reset the admin password..." echo "Re-mounting root filesystem read/write..." mount -o remount,rw / @@ -88,14 +90,19 @@ then mount /opt/vyatta/etc/config/ fi +if ! grep -q " user $ADMIN " $CF +then + echo "Administrator account $ADMIN missing..." + exit 1 +fi + echo "Saving backup copy of config.boot..." cp $CF ${CF}.before_pwrecovery -echo -change_password root +echo "Setting the administrator ($ADMIN) password..." +change_password $ADMIN -echo "Root password changed" -echo $(date "+%b%e %T") $(hostname) "Root password changed" \ +echo $(date "+%b%e %T") $(hostname) "Admin password changed" \ | tee -a /var/log/auth.log >>/var/log/messages sync diff --git a/scripts/system/vyatta_update_login.pl b/scripts/system/vyatta_update_login.pl index 1f71434b..ad33412a 100755 --- a/scripts/system/vyatta_update_login.pl +++ b/scripts/system/vyatta_update_login.pl 
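Review bot: The new `exit 1` taken when the `$ADMIN` user is missing from `$CF` ends a script that, per its own header, only runs as the init program started by grub, and the kernel panics when init exits. By that point the root filesystem has already been remounted read/write. The decline path earlier in the script leaves through `/sbin/reboot -f`, and this branch should do the same: `echo -n "Rebooting in 5 seconds..."; sleep 5; sync; /sbin/reboot -f`. Separately, `cp $CF ${CF}.before_pwrecovery` creates a second copy of the password hashes; if config.boot is not world-readable (its mode is not visible here), use `cp -p` so the backup keeps the same permissions.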
@@ -57,18 +57,48 @@ my %level_map = ( 'operator' => [ 'quaggavty', 'operator', 'adm', 'dip', ], ); +# Construct a map from existing users to group membership +# Use space seperated format +my %group_map; +while (my ($name, undef, undef, $members) = getgrent()) { + foreach my $user (split / /,$members) { + my $g = $group_map{$user}; + if ($g) { + my @l = split / /, $g; + push @l, $name; + $group_map{$user} = join(' ', sort @l); + } else { + $group_map{$user} = $name; + } + + } +} + # we have some users for my $user (@user_keys) { if ( $users{$user} eq 'deleted' ) { - system("sudo userdel -r '$user'"); - die "userdel failed\n" if ( $? >> 8 ); + system("sudo userdel -r '$user'") == 0 + or die "userdel failed: $?\n" } elsif ( $users{$user} eq 'added' || $users{$user} eq 'changed' ) { $uconfig->setLevel("system login user $user"); + my $pwd = $uconfig->returnValue('authentication encrypted-password'); + $pwd or die "Encrypted password not in configuration for $user"; + + my $level = $uconfig->returnValue('level'); + $level or die "Level not defined for $user"; - # See if this is a modification of existing account - my (undef, undef, $uid, undef, undef, - undef, undef, undef, $shell, undef) = getpwnam($user); + # map level to group membership + my @groups = @{$level_map{$level}}; + # add any additional groups from configuration + push( @groups, $uconfig->returnValues('group') ); + + my $fname = $uconfig->returnValue('full-name'); + my $home = $uconfig->returnValue('home-directory'); + + # Read existing settings + my (undef, $opwd, $uid, $gid, undef, $comment, + undef, $dir, $shell, undef) = getpwnam($user); my $cmd; # not found in existing passwd, must be new 
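Review bot: `system("sudo userdel -r '$user'")` hands a single string to the shell, so a user name containing a single quote or another metacharacter changes the command that runs under sudo. The list form `system('sudo', 'userdel', '-r', $user) == 0 or die "userdel failed: $?\n";` bypasses the shell. The next hunk repeats the pattern in `system("sudo $cmd $user")`, where `$pwd`, `$fname` and `$home` are quoted by hand, and in the `sh -c` strings built by `add_tacacs`. Whether the configuration templates already restrict these values is not visible here. Separately, `@{$level_map{$level}}` is dereferenced without an `exists $level_map{$level}` check, so an unknown level surfaces as a Perl runtime error instead of a clear message.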
@@ -77,48 +107,124 @@ for my $user (@user_keys) { # and make home directory (-m) # and with default group of 100 (users) $cmd = 'useradd -s /bin/vbash -m -N'; - } - # TODO Add checks for attempts to put system users - # in configuration file + } else { + # If no part of password or group file changed + # then there is nothing to do here. + next if ( $opwd eq $pwd && + (!$fname || $fname eq $comment) && + (!$home || $home eq $dir) && + join(' ', sort @groups) eq $group_map{$user} ); - # TODO Check if nothing changed and just skip - else { $cmd = "usermod"; } - my $pwd = $uconfig->returnValue('authentication encrypted-password'); - $pwd or die 'encrypted password not set'; $cmd .= " -p '$pwd'"; - - my $fname = $uconfig->returnValue('full-name'); $cmd .= " -c \"$fname\"" if ( defined $fname ); - - my $home = $uconfig->returnValue('home-directory'); $cmd .= " -d \"$home\"" if ( defined $home ); + $cmd .= ' -G ' . join( ',', @groups ); + system("sudo $cmd $user") == 0 + or die "sudo $cmd $user failed: $?"; + } +} - # map level to group membership - my $level = $uconfig->returnValue('level'); - my $gref = $level_map{$level}; - my @groups = @{$gref}; +## setup tacacs+ server info +# add tacacs to PAM file +sub add_tacacs { + my $param_string = shift; + my $pam = shift; - # add any additional groups from configuration - push( @groups, $uconfig->returnValues('group') ); + my $cmd = + 'sudo sh -c "' + . 'sed -i \'s/^\(' + . "$pam" + . '\trequired\tpam_unix\.so.*\)$/' + . "$pam" + . '\tsufficient\tpam_tacplus.so\t' + . "$param_string # Vyatta" + . '\n\1/\' ' + . "/etc/pam.d/common-$pam\""; - $cmd .= ' -G ' . join( ',', @groups ); + system($cmd); + return 0 if ( $? >> 8 ); + return 1; +} - system("sudo $cmd $user"); - if ( $? == -1 ) { - die "failed to exec $cmd"; - } - elsif ( $? & 127 ) { - die "$cmd died with signal" . ( $? & 127 ); - } - elsif ( $? != 0 ) { - my $reason = $reasons{ $? 
>> 8 }; - die "$cmd failed: $reason\n"; - } +# remove tacacs from PAM files +sub remove_tacacs { + my $cmd = + 'sudo sh -c "' + . 'sed -i \'/\(.*pam_tacplus.*# Vyatta\)/ D\' ' + . '/etc/pam.d/common-auth ' + . '/etc/pam.d/common-account ' + . '/etc/pam.d/common-session "'; + + system($cmd); + return 0 if ($? >> 8); + return 1; +} + +# main tacacs +# There is a race confition in here betwen radius and tacacs currently. +# Also should probably add a chack to see if we ned to actually reconfig +# PAM rather than jusy doing it each commit. +# Finally, service and protocol will need to be removed. They are just +# in there for troubleshootig purposes right now. +# +my $tconfig = new VyattaConfig; +if ($tconfig->isDeleted("system login tacacs-plus")) { remove_tacacs; } +$tconfig->setLevel("system login tacacs-plus"); +my @tacacs_params = $tconfig->listNodes(); + +if ( scalar(@tacacs_params) > 0 ) { + remove_tacacs; + my ($acctall, $debug, $firsthit, $noencrypt); + if ( $tconfig->exists("acct-all") ) { $acctall = 1; } + if ( $tconfig->exists("debug") ) { $debug = 1; } + if ( $tconfig->exists("first-hit") ) { $firsthit = 1; } + if ( $tconfig->exists("no-encrypt") ) { $noencrypt = 1; } + my $protocol = $tconfig->returnValue("protocol"); + my $secret = $tconfig->returnValue("secret"); + my $server = $tconfig->returnValue("server"); + my $service = $tconfig->returnValue("service"); + + if ( $server ne '' && $secret ne '') { + my ($authstr, $accountstr, $sessionstr, $ip); + my @servers = split /\s/, $server; + + ## 3 common options + # encrypt this session + if (! 
$noencrypt ) { $authstr = "encrypt "; } + # single secret + $authstr .= "secret=$secret "; + # and debug + if ($debug) { $authstr .= "debug "; } + + ## now they get specific + $accountstr = $sessionstr = $authstr; + + # can be multiple servers for auth and session + foreach $ip (@servers) { + $authstr .= "server=$ip "; + $sessionstr .= "server=$ip "; + } + + # first hit for auth + if ($firsthit) { $authstr .= "firsthit "; } + + # acctall for session + if ($acctall) { $sessionstr .= "acctall "; } + + # service and protocol for account and session + if ($service) { $accountstr .= "service=$service "; $sessionstr .= "service=$service "; } + if ($protocol) { $accountstr .= "protocol=$protocol "; $sessionstr .= "protocol=$protocol "; } + + add_tacacs("$authstr", "auth"); + add_tacacs("$accountstr", "account"); + add_tacacs("$sessionstr", "session"); } + else { exit 1; } } +## end tacacs my $PAM_RAD_CFG = '/etc/pam_radius_auth.conf'; my $PAM_RAD_BEGIN = '# BEGIN Vyatta Radius servers'; @@ -214,11 +320,9 @@ if ($all_deleted) { # all radius servers deleted exit 1 if ( !remove_pam_radius() ); -} -else { +} else { exit 1 if ( !add_radius_servers($server_str) ); exit 1 if ( !add_pam_radius() ); } exit 0; - diff --git a/scripts/vyatta-grub-setup b/scripts/vyatta-grub-setup index c37bf7a8..26a322f2 100755 --- a/scripts/vyatta-grub-setup +++ b/scripts/vyatta-grub-setup @@ -69,7 +69,7 @@ serial_console="console=tty0 console=ttyS0,9600" # 65000 (16bit) | 785 788 791 794 # 16.7 Mill.(24bit)| 786 789 792 795 # -vga_logo="vga=785" +#vga_logo="vga=785" # get list of kernels, except Xen kernel_versions=$(ls $ROOTFSDIR/boot/vmlinuz-* 2> /dev/null | grep -v xen | awk -F/ '{ print $5 }' | sed 's/vmlinuz//g' | sort -r) 
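Review bot: The TACACS+ shared secret is written as `secret=$secret` into the `pam_tacplus.so` lines of `/etc/pam.d/common-auth`, `common-account` and `common-session`, and it also travels on the `sudo sh -c "sed …"` command line. If those PAM files keep a world-readable mode (not visible here), every local user can read the secret, and it shows in the process list while sed runs. Consider a mechanism that keeps the secret out of world-readable files and out of argv. The return values of `remove_tacacs` and the three `add_tacacs` calls are also ignored, so a failed sed after `remove_tacacs` leaves PAM without any TACACS+ lines while the commit still succeeds; `exit 1 if ( !add_tacacs("$authstr", "auth") );` would match how the RADIUS code below treats `add_pam_radius`.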
@@ -178,7 +178,7 @@ fi if [ -f "$ROOTFSDIR/boot/vmlinuz" ] && ! eval $UNION ; then # Set first system boot option. Make KVM the default console in this one. - echo -e "menuentry \"Vyatta OFR (KVM console)\" {" + echo -e "menuentry \"Vyatta (KVM console)\" {" echo -e "\tlinux /boot/vmlinuz $GRUB_OPTIONS $vga_logo $vty_console" echo -e "\tinitrd /boot/initrd.img" echo -e "}" @@ -186,7 +186,7 @@ fi # Set the second system boot option. Make the serial port be the default # console in this one. echo - echo -e "menuentry \"Vyatta OFR (Serial console)\" {" + echo -e "menuentry \"Vyatta (Serial console)\" {" echo -e "\tlinux /boot/vmlinuz $GRUB_OPTIONS $serial_console" echo -e "\tinitrd /boot/initrd.img" echo -e "}" @@ -196,12 +196,12 @@ fi if [ -n "$union_kernel_versions" ]; then for kversion in $union_kernel_versions; do echo - echo -e "menuentry \"Vyatta OFR linux$kversion (KVM console)\" {" + echo -e "menuentry \"Vyatta linux$kversion (KVM console)\" {" echo -e "\tlinux /boot/$livedir/vmlinuz$kversion $GRUB_OPTIONS $vga_logo $vty_console" echo -e "\tinitrd /boot/$livedir/initrd.img$kversion" echo -e "}" echo - echo -e "menuentry \"Vyatta OFR linux$kversion (Serial console)\" {" + echo -e "menuentry \"Vyatta linux$kversion (Serial console)\" {" echo -e "\tlinux /boot/$livedir/vmlinuz$kversion $GRUB_OPTIONS $serial_console" echo -e "\tinitrd /boot/$livedir/initrd.img$kversion" echo -e "}" 
@@ -212,12 +212,12 @@ fi if [ -n "$kernel_versions" ]; then for kversion in $kernel_versions; do echo - echo -e "menuentry \"Vyatta OFR linux$kversion (KVM console)\" {" + echo -e "menuentry \"Vyatta linux$kversion (KVM console)\" {" echo -e "\tlinux /boot/vmlinuz$kversion $GRUB_OPTIONS $vga_logo $vty_console" echo -e "\tinitrd /boot/initrd.img$kversion" echo -e "}" echo - echo -e "menuentry \"Vyatta OFR linux$kversion (Serial console)\" {" + echo -e "menuentry \"Vyatta linux$kversion (Serial console)\" {" echo -e "\tlinux /boot/vmlinuz$kversion $GRUB_OPTIONS $serial_console" echo -e "\tinitrd /boot/initrd.img$kversion" echo -e "}" @@ -228,13 +228,13 @@ fi # options for both serial and KVM console. echo - echo -e "menuentry \"Root password reset to factory (KVM console)\" {" + echo -e "menuentry \"Lost password change (KVM console)\" {" echo -e "\tlinux /boot/vmlinuz $GRUB_OPTIONS $vga_logo $vty_console init=$pass_reset" echo -e "\tinitrd /boot/initrd.img" echo -e "}" echo - echo -e "menuentry \"Root password reset to factory (Serial console)\" {" + echo -e "menuentry \"Lost password change (Serial console)\" {" echo -e "\tlinux /boot/vmlinuz $GRUB_OPTIONS $serial_console init=$pass_reset" echo -e "\tinitrd /boot/initrd.img" echo -e "}" diff --git a/scripts/vyatta_net_name b/scripts/vyatta_net_name index ff8b9bf5..54f91f04 100755 --- a/scripts/vyatta_net_name +++ b/scripts/vyatta_net_name @@ -78,12 +78,14 @@ declare -a cfg_net_hwid=( $( sed -ne ' /^interfaces {/,/^}/ { /^ *ethernet eth[0-9]* {/,/^ $/ { /^ *ethernet/ { + s/\r// s/.* eth\([0-9]\+\) {$/ eth\1=/ # hold interface name h } /^.*hw-id:\?/ { # translate field name + s/\r// s/.*hw-id:\? *// # tolower hex mac address y/ABCDEF/abcdef/ |