diff options
Diffstat (limited to 'scripts')
-rwxr-xr-x | scripts/system/vyatta_update_login.pl | 327 | ||||
-rwxr-xr-x | scripts/system/vyatta_update_radius.pl | 122 | ||||
-rwxr-xr-x | scripts/system/vyatta_update_tacacs.pl | 129 | ||||
-rwxr-xr-x | scripts/system/vyatta_update_users.pl | 136 |
4 files changed, 327 insertions, 387 deletions
diff --git a/scripts/system/vyatta_update_login.pl b/scripts/system/vyatta_update_login.pl new file mode 100755 index 00000000..a28224f8 --- /dev/null +++ b/scripts/system/vyatta_update_login.pl @@ -0,0 +1,327 @@ +#!/usr/bin/perl + +# **** License **** +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# This code was originally developed by Vyatta, Inc. +# Portions created by Vyatta are Copyright (C) 2007 Vyatta, Inc. +# All Rights Reserved. +# +# **** End License **** + +use strict; +use lib "/opt/vyatta/share/perl5"; +use Vyatta::Config; + +# handle "user" +my $uconfig = new Vyatta::Config; +$uconfig->setLevel("system login user"); + +my %users = $uconfig->listNodeStatus(); +my @user_keys = sort keys %users; + +if ( ( scalar(@user_keys) <= 0 ) + || !( grep /^root$/, @user_keys ) + || ( $users{'root'} eq 'deleted' ) ) +{ + + # root is deleted + print STDERR "User \"root\" cannot be deleted\n"; + exit 1; +} + +# Exit codes form useradd.8 man page +my %reasons = ( + 0 => 'success', + 1 => 'can´t update password file', + 2 => 'invalid command syntax', + 3 => 'invalid argument to option', + 4 => 'UID already in use (and no -o)', + 6 => 'specified group doesn´t exist', + 9 => 'username already in use', + 10 => 'can´t update group file', + 12 => 'can´t create home directory', + 13 => 'can´t create mail spool', +); + +# Map of level to additional groups +my %level_map = ( + 'admin' => [ 'quaggavty', 'vyattacfg', 'sudo', 'adm', 'dip', 'disk'], + 'operator' => [ 'quaggavty', 'operator', 'adm', 'dip', ], +); + +# Construct a map from existing users to group membership +# Use space seperated format +my %group_map; +while (my ($name, undef, undef, $members) = getgrent()) { + foreach my $user (split / /,$members) { + my $g = $group_map{$user}; + if ($g) { + my @l = split / /, $g; + push @l, $name; + $group_map{$user} = join(' ', sort @l); + } else { + $group_map{$user} = $name; + } + + } +} + +# we have some users +for my $user (@user_keys) { + if ( $users{$user} eq 'deleted' ) { + system("sudo userdel -r '$user'") == 0 + or die "userdel failed: $?\n" + } + elsif ( $users{$user} eq 'added' || $users{$user} eq 'changed' ) { + $uconfig->setLevel("system login user $user"); + my $pwd = $uconfig->returnValue('authentication encrypted-password'); + $pwd or die "Encrypted password not in configuration for $user"; + + my $level = $uconfig->returnValue('level'); + $level or die "Level not defined for $user"; + + # map level to group membership + my @groups = @{$level_map{$level}}; + # add any additional groups from configuration + push( @groups, $uconfig->returnValues('group') ); + + my $fname = $uconfig->returnValue('full-name'); + my $home = $uconfig->returnValue('home-directory'); + + # Read existing settings + my (undef, $opwd, $uid, $gid, undef, $comment, + undef, $dir, $shell, undef) = getpwnam($user); + + my $cmd; + # not found in existing passwd, must be new + if ( !defined $uid ) { + # make new user using vyatta shell + # and make home directory (-m) + # and with default group of 100 (users) + $cmd = 'useradd -s /bin/vbash -m -N'; + } else { + # If no part of password or group file changed + # then there is nothing to do here. + next if ( $opwd eq $pwd && + (!$fname || $fname eq $comment) && + (!$home || $home eq $dir) && + join(' ', sort @groups) eq $group_map{$user} ); + + $cmd = "usermod"; + } + + $cmd .= " -p '$pwd'"; + $cmd .= " -c \"$fname\"" if ( defined $fname ); + $cmd .= " -d \"$home\"" if ( defined $home ); + $cmd .= ' -G ' . join( ',', @groups ); + system("sudo $cmd $user") == 0 + or die "sudo $cmd $user failed: $?"; + } +} + +## setup tacacs+ server info +# add tacacs to PAM file +sub add_tacacs { + my $param_string = shift; + my $pam = shift; + + my $cmd = + 'sudo sh -c "' + . 'sed -i \'s/^\(' + . "$pam" + . '\trequired\tpam_unix\.so.*\)$/' + . "$pam" + . '\tsufficient\tpam_tacplus.so\t' + . "$param_string # Vyatta" + . '\n\1/\' ' + . "/etc/pam.d/common-$pam\""; + + system($cmd); + return 0 if ( $? >> 8 ); + return 1; +} + +# remove tacacs from PAM files +sub remove_tacacs { + my $cmd = + 'sudo sh -c "' + . 'sed -i \'/\(.*pam_tacplus.*# Vyatta\)/ D\' ' + . '/etc/pam.d/common-auth ' + . '/etc/pam.d/common-account ' + . '/etc/pam.d/common-session "'; + + system($cmd); + return 0 if ($? >> 8); + return 1; +} + +# main tacacs +# There is a race confition in here betwen radius and tacacs currently. +# Also should probably add a chack to see if we ned to actually reconfig +# PAM rather than jusy doing it each commit. +# Finally, service and protocol will need to be removed. They are just +# in there for troubleshootig purposes right now. +# +my $tconfig = new Vyatta::Config; +if ($tconfig->isDeleted("system login tacacs-plus")) { remove_tacacs; } +$tconfig->setLevel("system login tacacs-plus"); +my @tacacs_params = $tconfig->listNodes(); + +if ( scalar(@tacacs_params) > 0 ) { + remove_tacacs; + my ($acctall, $debug, $firsthit, $noencrypt); + if ( $tconfig->exists("acct-all") ) { $acctall = 1; } + if ( $tconfig->exists("debug") ) { $debug = 1; } + if ( $tconfig->exists("first-hit") ) { $firsthit = 1; } + if ( $tconfig->exists("no-encrypt") ) { $noencrypt = 1; } + my $protocol = $tconfig->returnValue("protocol"); + my $secret = $tconfig->returnValue("secret"); + my $server = $tconfig->returnValue("server"); + my $service = $tconfig->returnValue("service"); + + if ( $server ne '' && $secret ne '') { + my ($authstr, $accountstr, $sessionstr, $ip); + my @servers = split /\s/, $server; + + ## 3 common options + # encrypt this session + if (! $noencrypt ) { $authstr = "encrypt "; } + # single secret + $authstr .= "secret=$secret "; + # and debug + if ($debug) { $authstr .= "debug "; } + + ## now they get specific + $accountstr = $sessionstr = $authstr; + + # can be multiple servers for auth and session + foreach my $ip (@servers) { + $authstr .= "server=$ip "; + $sessionstr .= "server=$ip "; + } + + # first hit for auth + if ($firsthit) { $authstr .= "firsthit "; } + + # acctall for session + if ($acctall) { $sessionstr .= "acctall "; } + + # service and protocol for account and session + if ($service) { $accountstr .= "service=$service "; $sessionstr .= "service=$service "; } + if ($protocol) { $accountstr .= "protocol=$protocol "; $sessionstr .= "protocol=$protocol "; } + + add_tacacs("$authstr", "auth"); + add_tacacs("$accountstr", "account"); + add_tacacs("$sessionstr", "session"); + } + else { exit 1; } +} +## end tacacs + +my $PAM_RAD_CFG = '/etc/pam_radius_auth.conf'; +my $PAM_RAD_BEGIN = '# BEGIN Vyatta Radius servers'; +my $PAM_RAD_END = '# END Vyatta Radius servers'; + +sub is_pam_radius_present { + open( my $auth , '<' , '/etc/pam.d/common-auth' ) + or die "Cannot open /etc/pam.d/common-auth\n"; + + my $present; + while (<$auth>) { + if (/\ssufficient\spam_radius_auth\.so$/) { + $present = 1; + last; + } + } + close $auth; + return $present; +} + +sub remove_pam_radius { + return 1 if ( !is_pam_radius_present() ); + my $cmd = + 'sudo sh -c "' + . 'sed -i \'/\tsufficient\tpam_radius_auth\.so$/d;' + . '/\tpam_unix\.so /{s/ use_first_pass$//}\' ' + . '/etc/pam.d/common-auth && ' + . 'sed -i \'/\tsufficient\tpam_radius_auth\.so$/d\' ' + . '/etc/pam.d/common-account"'; + system($cmd); + return 0 if ( $? >> 8 ); + return 1; +} + +sub add_pam_radius { + return 1 if ( is_pam_radius_present() ); + my $cmd = + 'sudo sh -c "' + . 'sed -i \'s/^\(auth\trequired\tpam_unix\.so.*\)$' + . '/auth\tsufficient\tpam_radius_auth.so\n\1 use_first_pass/\' ' + . '/etc/pam.d/common-auth && ' + . 'sed -i \'s/^\(account\trequired\tpam_unix\.so.*\)$' + . '/account\tsufficient\tpam_radius_auth.so\n\1/\' ' + . '/etc/pam.d/common-account"'; + system($cmd); + return 0 if ( $? >> 8 ); + return 1; +} + +sub remove_radius_servers { + system( "sudo sed -i '/^$PAM_RAD_BEGIN\$/,/^$PAM_RAD_END\$/{d}' " + . "$PAM_RAD_CFG" ); + return 0 if ( $? >> 8 ); + return 1; +} + +sub add_radius_servers { + my $str = shift; + system( "sudo sh -c \"" + . "echo '$PAM_RAD_BEGIN\n$str$PAM_RAD_END\n' >> $PAM_RAD_CFG\"" ); + return 0 if ( $? >> 8 ); + return 1; +} + +# handle "radius-server" +my $rconfig = new Vyatta::Config; +$rconfig->setLevel("system login radius-server"); +my %servers = $rconfig->listNodeStatus(); +my @server_keys = sort keys %servers; +if ( scalar(@server_keys) <= 0 ) { + + # all radius servers deleted + exit 1 if ( !remove_pam_radius() ); + exit 0; +} + +# we have some servers +my $all_deleted = 1; +my $server_str = ''; +remove_radius_servers(); +for my $server (@server_keys) { + if ( $servers{$server} ne 'deleted' ) { + $all_deleted = 0; + my $port = $rconfig->returnValue("$server port"); + my $secret = $rconfig->returnValue("$server secret"); + my $timeout = $rconfig->returnValue("$server timeout"); + $server_str .= "$server:$port\t$secret\t$timeout\n"; + } +} + +if ($all_deleted) { + + # all radius servers deleted + exit 1 if ( !remove_pam_radius() ); +} else { + exit 1 if ( !add_radius_servers($server_str) ); + exit 1 if ( !add_pam_radius() ); +} + +exit 0; diff --git a/scripts/system/vyatta_update_radius.pl b/scripts/system/vyatta_update_radius.pl deleted file mode 100755 index 018a3e5d..00000000 --- a/scripts/system/vyatta_update_radius.pl +++ /dev/null @@ -1,122 +0,0 @@ -#!/usr/bin/perl - -# **** License **** -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# This code was originally developed by Vyatta, Inc. -# Portions created by Vyatta are Copyright (C) 2007 Vyatta, Inc. -# All Rights Reserved. -# -# **** End License **** - -use strict; -use warnings; - -use lib "/opt/vyatta/share/perl5"; -use Vyatta::Config; - -my $PAM_RAD_CFG = '/etc/pam_radius_auth.conf'; -my $PAM_RAD_BEGIN = '# BEGIN Vyatta Radius servers'; -my $PAM_RAD_END = '# END Vyatta Radius servers'; - -sub is_pam_radius_present { - open( my $auth, '<', '/etc/pam.d/common-auth' ) - or die "Cannot open /etc/pam.d/common-auth\n"; - - my $present; - while (<$auth>) { - if (/\ssufficient\spam_radius_auth\.so$/) { - $present = 1; - last; - } - } - close $auth; - return $present; -} - -sub remove_pam_radius { - return 1 if ( !is_pam_radius_present() ); - my $cmd = - 'sudo sh -c "' - . 'sed -i \'/\tsufficient\tpam_radius_auth\.so$/d;' - . '/\tpam_unix\.so /{s/ use_first_pass$//}\' ' - . '/etc/pam.d/common-auth && ' - . 'sed -i \'/\tsufficient\tpam_radius_auth\.so$/d\' ' - . '/etc/pam.d/common-account"'; - system($cmd); - return 0 if ( $? >> 8 ); - return 1; -} - -sub add_pam_radius { - return 1 if ( is_pam_radius_present() ); - my $cmd = - 'sudo sh -c "' - . 'sed -i \'s/^\(auth\trequired\tpam_unix\.so.*\)$' - . '/auth\tsufficient\tpam_radius_auth.so\n\1 use_first_pass/\' ' - . '/etc/pam.d/common-auth && ' - . 'sed -i \'s/^\(account\trequired\tpam_unix\.so.*\)$' - . '/account\tsufficient\tpam_radius_auth.so\n\1/\' ' - . '/etc/pam.d/common-account"'; - system($cmd); - return 0 if ( $? >> 8 ); - return 1; -} - -sub remove_radius_servers { - system( "sudo sed -i '/^$PAM_RAD_BEGIN\$/,/^$PAM_RAD_END\$/{d}' " - . "$PAM_RAD_CFG" ); - return 0 if ( $? >> 8 ); - return 1; -} - -sub add_radius_servers { - my $str = shift; - system( "sudo sh -c \"" - . "echo '$PAM_RAD_BEGIN\n$str$PAM_RAD_END\n' >> $PAM_RAD_CFG\"" ); - return 0 if ( $? >> 8 ); - return 1; -} - -# handle "radius-server" -my $rconfig = new Vyatta::Config; -$rconfig->setLevel("system login radius-server"); -my %servers = $rconfig->listNodeStatus(); -my @server_keys = sort keys %servers; -if ( scalar(@server_keys) <= 0 ) { - - # all radius servers deleted - exit 1 if ( !remove_pam_radius() ); - exit 0; -} - -# we have some servers -my $all_deleted = 1; -my $server_str = ''; -remove_radius_servers(); -for my $server (@server_keys) { - if ( $servers{$server} ne 'deleted' ) { - $all_deleted = 0; - my $port = $rconfig->returnValue("$server port"); - my $secret = $rconfig->returnValue("$server secret"); - my $timeout = $rconfig->returnValue("$server timeout"); - $server_str .= "$server:$port\t$secret\t$timeout\n"; - } -} - -if ($all_deleted) { - - # all radius servers deleted - exit 1 if ( !remove_pam_radius() ); -} -else { - exit 1 if ( !add_radius_servers($server_str) ); - exit 1 if ( !add_pam_radius() ); -} diff --git a/scripts/system/vyatta_update_tacacs.pl b/scripts/system/vyatta_update_tacacs.pl deleted file mode 100755 index c4684efe..00000000 --- a/scripts/system/vyatta_update_tacacs.pl +++ /dev/null @@ -1,129 +0,0 @@ -#!/usr/bin/perl - -# **** License **** -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# This code was originally developed by Vyatta, Inc. -# Portions created by Vyatta are Copyright (C) 2007 Vyatta, Inc. -# All Rights Reserved. -# -# **** End License **** - -use strict; -use warnings; - -use lib "/opt/vyatta/share/perl5"; -use Vyatta::Config; - -## setup tacacs+ server info -# add tacacs to PAM file -sub add_tacacs { - my $param_string = shift; - my $pam = shift; - - my $cmd = - 'sudo sh -c "' - . 'sed -i \'s/^\(' . "$pam" - . '\trequired\tpam_unix\.so.*\)$/' . "$pam" - . '\tsufficient\tpam_tacplus.so\t' - . "$param_string # Vyatta" - . '\n\1/\' ' - . "/etc/pam.d/common-$pam\""; - - system($cmd); - return 0 if ( $? >> 8 ); - return 1; -} - -# remove tacacs from PAM files -sub remove_tacacs { - my $cmd = - 'sudo sh -c "' - . 'sed -i \'/\(.*pam_tacplus.*# Vyatta\)/ D\' ' - . '/etc/pam.d/common-auth ' - . '/etc/pam.d/common-account ' - . '/etc/pam.d/common-session "'; - - system($cmd); - return 0 if ( $? >> 8 ); - return 1; -} - -# main tacacs -# There is a race condition in here betwen radius and tacacs currently. -# Also should probably add a chack to see if we ned to actually reconfig -# PAM rather than jusy doing it each commit. -# Finally, service and protocol will need to be removed. They are just -# in there for troubleshootig purposes right now. -# -my $tconfig = new Vyatta::Config; -if ( $tconfig->isDeleted("system login tacacs-plus") ) { remove_tacacs; } -$tconfig->setLevel("system login tacacs-plus"); -my @tacacs_params = $tconfig->listNodes(); - -if ( scalar(@tacacs_params) > 0 ) { - remove_tacacs; - my ( $acctall, $debug, $firsthit, $noencrypt ); - if ( $tconfig->exists("acct-all") ) { $acctall = 1; } - if ( $tconfig->exists("debug") ) { $debug = 1; } - if ( $tconfig->exists("first-hit") ) { $firsthit = 1; } - if ( $tconfig->exists("no-encrypt") ) { $noencrypt = 1; } - my $protocol = $tconfig->returnValue("protocol"); - my $secret = $tconfig->returnValue("secret"); - my $server = $tconfig->returnValue("server"); - my $service = $tconfig->returnValue("service"); - - if ( $server ne '' && $secret ne '' ) { - my ( $authstr, $accountstr, $sessionstr, $ip ); - my @servers = split /\s/, $server; - - ## 3 common options - # encrypt this session - if ( !$noencrypt ) { $authstr = "encrypt "; } - - # single secret - $authstr .= "secret=$secret "; - - # and debug - if ($debug) { $authstr .= "debug "; } - - ## now they get specific - $accountstr = $sessionstr = $authstr; - - # can be multiple servers for auth and session - foreach my $ip (@servers) { - $authstr .= "server=$ip "; - $sessionstr .= "server=$ip "; - } - - # first hit for auth - if ($firsthit) { $authstr .= "firsthit "; } - - # acctall for session - if ($acctall) { $sessionstr .= "acctall "; } - - # service and protocol for account and session - if ($service) { - $accountstr .= "service=$service "; - $sessionstr .= "service=$service "; - } - if ($protocol) { - $accountstr .= "protocol=$protocol "; - $sessionstr .= "protocol=$protocol "; - } - - add_tacacs( "$authstr", "auth" ); - add_tacacs( "$accountstr", "account" ); - add_tacacs( "$sessionstr", "session" ); - } - else { exit 1; } -} - -exit 0; diff --git a/scripts/system/vyatta_update_users.pl b/scripts/system/vyatta_update_users.pl deleted file mode 100755 index d610aacf..00000000 --- a/scripts/system/vyatta_update_users.pl +++ /dev/null @@ -1,136 +0,0 @@ -#!/usr/bin/perl - -# **** License **** -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# This code was originally developed by Vyatta, Inc. -# Portions created by Vyatta are Copyright (C) 2007 Vyatta, Inc. -# All Rights Reserved. -# -# **** End License **** - -use strict; -use warnings; - -use lib "/opt/vyatta/share/perl5"; -use Vyatta::Config; - -# Exit codes form useradd.8 man page -my %reasons = ( - 0 => 'success', - 1 => 'can´t update password file', - 2 => 'invalid command syntax', - 3 => 'invalid argument to option', - 4 => 'UID already in use (and no -o)', - 6 => 'specified group doesn´t exist', - 9 => 'username already in use', - 10 => 'can´t update group file', - 12 => 'can´t create home directory', - 13 => 'can´t create mail spool', -); - -# Map of level to additional groups -my %level_map = ( - 'admin' => [ 'quaggavty', 'vyattacfg', 'sudo', 'adm', 'dip', 'disk' ], - 'operator' => [ 'quaggavty', 'operator', 'adm', 'dip', ], -); - -# Construct a map from existing users to group membership -# Use space seperated format -my %group_map; - -while ( my ( $name, undef, undef, $members ) = getgrent() ) { - foreach my $user ( split / /, $members ) { - my $g = $group_map{$user}; - if ($g) { - my @l = split / /, $g; - push @l, $name; - $group_map{$user} = join( ' ', sort @l ); - } - else { - $group_map{$user} = $name; - } - - } -} - -my $uconfig = new Vyatta::Config; -$uconfig->setLevel("system login user"); -my %users = $uconfig->listNodeStatus(); - -# we have some users -for my $user ( keys %users ) { - my $status = $users{$user}; - - if ( $status eq 'deleted' ) { - if ( $user eq 'root' ) { - warn "User \"root\" can really be deleted\n"; - } - else { - system("sudo userdel -r '$user'") == 0 - or die "userdel failed: $?\n"; - } - } - elsif ( $status eq 'added' || $status eq 'changed' ) { - $uconfig->setLevel("system login user $user"); - my $pwd = $uconfig->returnValue('authentication encrypted-password'); - $pwd or die "Encrypted password not in configuration for $user"; - - my $level = $uconfig->returnValue('level'); - $level or die "Level not defined for $user"; - - # map level to group membership - my @groups = @{ $level_map{$level} }; - - # add any additional groups from configuration - push( @groups, $uconfig->returnValues('group') ); - - my $fname = $uconfig->returnValue('full-name'); - my $home = $uconfig->returnValue('home-directory'); - - # Read existing settings - my ( - undef, $opwd, $uid, $gid, undef, - $comment, undef, $dir, $shell, undef - ) = getpwnam($user); - - my $cmd; - - # not found in existing passwd, must be new - if ( !defined $uid ) { - - # make new user using vyatta shell - # and make home directory (-m) - # and with default group of 100 (users) - $cmd = 'useradd -s /bin/vbash -m -N'; - } - else { - - # If no part of password or group file changed - # then there is nothing to do here. - next - if ( $opwd eq $pwd - && ( !$fname || $fname eq $comment ) - && ( !$home || $home eq $dir ) - && join( ' ', sort @groups ) eq $group_map{$user} ); - - $cmd = "usermod"; - } - - $cmd .= " -p '$pwd'"; - $cmd .= " -c \"$fname\"" if ( defined $fname ); - $cmd .= " -d \"$home\"" if ( defined $home ); - $cmd .= ' -G ' . join( ',', @groups ); - system("sudo $cmd $user") == 0 - or die "sudo $cmd $user failed: $?"; - } -} - -exit 0; |