
Rev 2416 Rev 2419
Line 1... Line 1...
1
#!/bin/bash
1
#!/bin/bash
2
#  $Id: alcasar.sh 2416 2017-09-17 21:01:15Z richard $ 
2
#  $Id: alcasar.sh 2419 2017-09-30 17:40:32Z richard $ 
3
 
3
 
4
# alcasar.sh
4
# alcasar.sh
5
 
5
 
6
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...] 
6
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...] 
7
# Ce programme est un logiciel libre ; This software is free and open source
7
# Ce programme est un logiciel libre ; This software is free and open source
Line 382... Line 382...
382
				ORGANISME=!
382
				ORGANISME=!
383
			fi
383
			fi
384
		done
384
		done
385
	fi
385
	fi
386
# On crée aléatoirement les mots de passe et les secrets partagés
386
# On crée aléatoirement les mots de passe et les secrets partagés
-
 
387
# We create random passwords and shared secrets
387
	rm -f $PASSWD_FILE
388
	rm -f $PASSWD_FILE
-
 
389
	echo "#####  ALCASAR ($ORGANISME) security passwords  #####" > $PASSWD_FILE
-
 
390
	grub2pwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
-
 
391
    pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \
-
 
392
        LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \
-
 
393
        grep -v '[eE]nter password:' | \
-
 
394
        sed -e "s/PBKDF2 hash of your password is //"`
-
 
395
    echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg
-
 
396
    chmod 0600 /boot/grub2/user.cfg
-
 
397
	echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
-
 
398
    echo "GRUB2_user=root  GRUB2_password=$grub2pwd" >> $PASSWD_FILE
388
	mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
399
	mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
389
	echo "# Password of MariaDB administrator:" >> $PASSWD_FILE
400
	echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE
390
	echo "db_root=$mysqlpwd" >> $PASSWD_FILE
401
	echo "db_root=$mysqlpwd" >> $PASSWD_FILE
391
	radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
402
	radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
392
	echo "# Name and password of MariaDB user:" >> $PASSWD_FILE
403
	echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE
393
	echo "db_user=$DB_USER" >> $PASSWD_FILE
-
 
394
	echo "db_password=$radiuspwd" >> $PASSWD_FILE
404
	echo "db_user=$DB_USER db_password=$radiuspwd" >> $PASSWD_FILE
395
	secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
405
	secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
396
	echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE
406
	echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE
397
	echo "secret_uam=$secretuam" >> $PASSWD_FILE
407
	echo "secret_uam=$secretuam" >> $PASSWD_FILE
398
	secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
408
	secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
399
	echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE
409
	echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE
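Review bot: New line 397 writes the GRUB2 comment with `>` and so truncates $PASSWD_FILE, discarding the header written at line 389; every other write in this block appends, so it should read `echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " >> $PASSWD_FILE`. The clear-text GRUB password is then stored in $PASSWD_FILE next to the database and RADIUS secrets, but unlike /boot/grub2/user.cfg (chmod 0600 on line 396) nothing in this hunk restricts that file's mode after the `rm -f`/recreate on lines 388-389, so either the mode is set outside the hunk or a `chmod 0600 $PASSWD_FILE` belongs right after line 389. The grub2pwd on line 390 is also only 8 alphanumeric characters while the other secrets get 16; if the shorter length is deliberate (keyboard entry at boot) a comment saying so would avoid a later "fix". The enclosing block continues outside the hunk.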
Line 1065... Line 1075...
1065
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
1075
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
1066
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
1076
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
1067
# remove the proxy function
1077
# remove the proxy function
1068
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf
1078
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf
1069
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
1079
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
-
 
1080
 
1070
# remove EAP module
1081
# remove EAP module
1071
	$SED "s?^[\t ]*\$INCLUDE eap.conf.*?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
1082
#	$SED "s?^[\t ]*\$INCLUDE eap.conf.*?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
1072
# listen on loopback (should be modified later if EAP enabled)
1083
# listen on loopback (should be modified later if EAP enabled)
1073
	$SED "s?^[\t ]*ipaddr =.*?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
1084
#	$SED "s?^[\t ]*ipaddr =.*?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
-
 
1085
 
1074
# enable the  SQL module (and SQL counter)
1086
# enable the  SQL module (and SQL counter)
1075
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
1087
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
1076
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
1088
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
1077
	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
1089
	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
1078
# only include modules for ALCASAR needs
1090
# only include modules for ALCASAR needs
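Review bot: Lines 1082 and 1084 comment out the sed commands that disabled the EAP include and forced `ipaddr = 127.0.0.1`, but the comments on lines 1081 and 1083 ("remove EAP module", "listen on loopback") still describe the old behaviour and now mislead a reader. With the ipaddr rewrite gone, radiusd presumably keeps whatever `ipaddr` the shipped radiusd.conf sets, so the daemon may bind beyond loopback; clients.conf only declares 127.0.0.1 (line 1111 further down), so other sources should be rejected, but the exposed listener is a deliberate choice that deserves one line of intent. Suggest replacing line 1083 with `# listener address left as shipped in radiusd.conf (TODO: state why loopback is no longer forced)` and line 1081 with `# EAP include left as shipped (was disabled before rev 2419)`, or removing the dead sed lines entirely rather than keeping them commented out.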
Line 1087... Line 1099...
1087
       	cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
1099
       	cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
1088
	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
1100
	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
1089
	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
1101
	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
1090
	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
1102
	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
1091
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
1103
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
-
 
1104
 
1092
# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
1105
# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
1093
	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
1106
#	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
-
 
1107
 
1094
# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
1108
# client.conf configuration (coova on 127.0.0.1)
1095
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
1109
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
1096
	cat << EOF > /etc/raddb/clients.conf
1110
	cat << EOF > /etc/raddb/clients.conf
1097
client 127.0.0.1 {
1111
client 127.0.0.1 {
1098
	secret = $secretradius
1112
	secret = $secretradius
1099
	shortname = localhost
1113
	shortname = localhost