Subversion Repositories ALCASAR

Compare Revisions

Ignore whitespace Rev 2418 → Rev 2419

/alcasar.sh
384,14 → 384,24
done
fi
# On crée aléatoirement les mots de passe et les secrets partagés
# We create random passwords and shared secrets
rm -f $PASSWD_FILE
echo "##### ALCASAR ($ORGANISME) security passwords #####" > $PASSWD_FILE
grub2pwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \
LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \
grep -v '[eE]nter password:' | \
sed -e "s/PBKDF2 hash of your password is //"`
echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg
chmod 0600 /boot/grub2/user.cfg
echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
echo "GRUB2_user=root GRUB2_password=$grub2pwd" >> $PASSWD_FILE
mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
echo "# Password of MariaDB administrator:" >> $PASSWD_FILE
echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE
echo "db_root=$mysqlpwd" >> $PASSWD_FILE
radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
echo "# Name and password of MariaDB user:" >> $PASSWD_FILE
echo "db_user=$DB_USER" >> $PASSWD_FILE
echo "db_password=$radiuspwd" >> $PASSWD_FILE
echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE
echo "db_user=$DB_USER db_password=$radiuspwd" >> $PASSWD_FILE
secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE
echo "secret_uam=$secretuam" >> $PASSWD_FILE
1067,10 → 1077,12
# remove the proxy function
$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf
$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
 
# remove EAP module
$SED "s?^[\t ]*\$INCLUDE eap.conf.*?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
# $SED "s?^[\t ]*\$INCLUDE eap.conf.*?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
# listen on loopback (should be modified later if EAP enabled)
$SED "s?^[\t ]*ipaddr =.*?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
# $SED "s?^[\t ]*ipaddr =.*?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
 
# enable the SQL module (and SQL counter)
$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
1089,9 → 1101,11
chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
 
# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
# touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
 
# client.conf configuration (coova on 127.0.0.1)
[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
cat << EOF > /etc/raddb/clients.conf
client 127.0.0.1 {