384,14 → 384,24 |
done |
fi |
# On crée aléatoirement les mots de passe et les secrets partagés |
# We create random passwords and shared secrets |
rm -f $PASSWD_FILE |
echo "##### ALCASAR ($ORGANISME) security passwords #####" > $PASSWD_FILE |
grub2pwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8` |
pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \ |
LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \ |
grep -v '[eE]nter password:' | \ |
sed -e "s/PBKDF2 hash of your password is //"` |
echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg |
chmod 0600 /boot/grub2/user.cfg |
echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE |
echo "GRUB2_user=root GRUB2_password=$grub2pwd" >> $PASSWD_FILE |
mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16` |
echo "# Password of MariaDB administrator:" >> $PASSWD_FILE |
echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE |
echo "db_root=$mysqlpwd" >> $PASSWD_FILE |
radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16` |
echo "# Name and password of MariaDB user:" >> $PASSWD_FILE |
echo "db_user=$DB_USER" >> $PASSWD_FILE |
echo "db_password=$radiuspwd" >> $PASSWD_FILE |
echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE |
echo "db_user=$DB_USER db_password=$radiuspwd" >> $PASSWD_FILE |
secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c16` |
echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE |
echo "secret_uam=$secretuam" >> $PASSWD_FILE |
1067,10 → 1077,12 |
# remove the proxy function |
$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf |
$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf |
|
# remove EAP module |
$SED "s?^[\t ]*\$INCLUDE eap.conf.*?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf |
# $SED "s?^[\t ]*\$INCLUDE eap.conf.*?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf |
# listen on loopback (should be modified later if EAP enabled) |
$SED "s?^[\t ]*ipaddr =.*?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf |
# $SED "s?^[\t ]*ipaddr =.*?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf |
|
# enable the SQL module (and SQL counter) |
$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf |
$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf |
1089,9 → 1101,11 |
chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap |
chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules |
ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar |
|
# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide' |
touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default} |
# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP) |
# touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default} |
|
# client.conf configuration (coova on 127.0.0.1) |
[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default |
cat << EOF > /etc/raddb/clients.conf |
client 127.0.0.1 { |
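Review bot: The kept comment at L50 explains that the sites-enabled links for inner-tunnel, control-socket and default are forced to empty files because a radius package update recreates them, yet the `touch` that does this appears both active (L51) and commented out (L53); if the commented form is the new side, a later update would re-enable the `default` virtual server next to `alcasar`, contradicting L50. Either keep `touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}` or rewrite the L50 comment to say why the empty-file override is no longer needed. The `cat << EOF > /etc/raddb/clients.conf` heredoc opened at L57 continues past the end of this hunk, so the rest of the client definition is not reviewed here.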