| Line 1... |
Line 1... |
| 1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
| 2 |
# $Id: alcasar.sh 2416 2017-09-17 21:01:15Z richard $
|
2 |
# $Id: alcasar.sh 2419 2017-09-30 17:40:32Z richard $
|
| 3 |
|
3 |
|
| 4 |
# alcasar.sh
|
4 |
# alcasar.sh
|
| 5 |
|
5 |
|
| 6 |
# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
|
6 |
# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
|
| 7 |
# Ce programme est un logiciel libre ; This software is free and open source
|
7 |
# Ce programme est un logiciel libre ; This software is free and open source
|
| Line 382... |
Line 382... |
| 382 |
ORGANISME=!
|
382 |
ORGANISME=!
|
| 383 |
fi
|
383 |
fi
|
| 384 |
done
|
384 |
done
|
| 385 |
fi
|
385 |
fi
|
| 386 |
# On crée aléatoirement les mots de passe et les secrets partagés
|
386 |
# On crée aléatoirement les mots de passe et les secrets partagés
|
| - |
|
387 |
# We create random passwords and shared secrets
|
| 387 |
rm -f $PASSWD_FILE
|
388 |
rm -f $PASSWD_FILE
|
| - |
|
389 |
echo "##### ALCASAR ($ORGANISME) security passwords #####" > $PASSWD_FILE
|
| - |
|
390 |
grub2pwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
|
| - |
|
391 |
pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \
|
| - |
|
392 |
LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \
|
| - |
|
393 |
grep -v '[eE]nter password:' | \
|
| - |
|
394 |
sed -e "s/PBKDF2 hash of your password is //"`
|
| - |
|
395 |
echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg
|
| - |
|
396 |
chmod 0600 /boot/grub2/user.cfg
|
| - |
|
397 |
echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
|
| - |
|
398 |
echo "GRUB2_user=root GRUB2_password=$grub2pwd" >> $PASSWD_FILE
|
| 388 |
mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
|
399 |
mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
|
| 389 |
echo "# Password of MariaDB administrator:" >> $PASSWD_FILE
|
400 |
echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE
|
| 390 |
echo "db_root=$mysqlpwd" >> $PASSWD_FILE
|
401 |
echo "db_root=$mysqlpwd" >> $PASSWD_FILE
|
| 391 |
radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
|
402 |
radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
|
| 392 |
echo "# Name and password of MariaDB user:" >> $PASSWD_FILE
|
403 |
echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE
|
| 393 |
echo "db_user=$DB_USER" >> $PASSWD_FILE
|
- |
|
| 394 |
echo "db_password=$radiuspwd" >> $PASSWD_FILE
|
404 |
echo "db_user=$DB_USER db_password=$radiuspwd" >> $PASSWD_FILE
|
| 395 |
secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
|
405 |
secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
|
| 396 |
echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE
|
406 |
echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE
|
| 397 |
echo "secret_uam=$secretuam" >> $PASSWD_FILE
|
407 |
echo "secret_uam=$secretuam" >> $PASSWD_FILE
|
| 398 |
secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
|
408 |
secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
|
| 399 |
echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE
|
409 |
echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE
|
| Line 1065... |
Line 1075... |
| 1065 |
$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
|
1075 |
$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
|
| 1066 |
$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
|
1076 |
$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
|
| 1067 |
# remove the proxy function
|
1077 |
# remove the proxy function
|
| 1068 |
$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf
|
1078 |
$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf
|
| 1069 |
$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
|
1079 |
$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
|
| - |
|
1080 |
|
| 1070 |
# remove EAP module
|
1081 |
# remove EAP module
|
| 1071 |
$SED "s?^[\t ]*\$INCLUDE eap.conf.*?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
|
1082 |
# $SED "s?^[\t ]*\$INCLUDE eap.conf.*?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
|
| 1072 |
# listen on loopback (should be modified later if EAP enabled)
|
1083 |
# listen on loopback (should be modified later if EAP enabled)
|
| 1073 |
$SED "s?^[\t ]*ipaddr =.*?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
|
1084 |
# $SED "s?^[\t ]*ipaddr =.*?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
|
| - |
|
1085 |
|
| 1074 |
# enable the SQL module (and SQL counter)
|
1086 |
# enable the SQL module (and SQL counter)
|
| 1075 |
$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
|
1087 |
$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
|
| 1076 |
$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
|
1088 |
$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
|
| 1077 |
$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
|
1089 |
$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
|
| 1078 |
# only include modules for ALCASAR needs
|
1090 |
# only include modules for ALCASAR needs
|
| Line 1087... |
Line 1099... |
| 1087 |
cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
|
1099 |
cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
|
| 1088 |
chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
|
1100 |
chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
|
| 1089 |
chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
|
1101 |
chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
|
| 1090 |
chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
|
1102 |
chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
|
| 1091 |
ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
|
1103 |
ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
|
| - |
|
1104 |
|
| 1092 |
# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
|
1105 |
# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
|
| 1093 |
touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
|
1106 |
# touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
|
| - |
|
1107 |
|
| 1094 |
# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
|
1108 |
# client.conf configuration (coova on 127.0.0.1)
|
| 1095 |
[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
|
1109 |
[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
|
| 1096 |
cat << EOF > /etc/raddb/clients.conf
|
1110 |
cat << EOF > /etc/raddb/clients.conf
|
| 1097 |
client 127.0.0.1 {
|
1111 |
client 127.0.0.1 {
|
| 1098 |
secret = $secretradius
|
1112 |
secret = $secretradius
|
| 1099 |
shortname = localhost
|
1113 |
shortname = localhost
|