
Deploy-Ldap-Auth-NFS-and-ssh-key-manager

  1. #!/bin/bash
  2. # +-----------------------------------------------------------------------------------------+
  3. # |                                                                                         |
  4. # |  DEPLOY LDAP ON ALL INTERNAL MACHINES                                                   |
  5. # |                                                                                         |
  6. # |                                                                                         |
  7. # | July 2012 flip hess [email protected]                                             |
  8. # +-----------------------------------------------------------------------------------------+
  9.  
  10. # Global variables:
  11.  
  12. PATH='/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin'
  13. SCRIPT_PATH="${0}"
  14. export ARGS="${#}"
  15. export ARG1="${1}"
  16. export ARG2="${2}"
  17.  
  18. BAK="/var/backup/pambak"
  19.  
  20. # Functions:
  21.  
  22.   # exit function
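  # Print an error message and abort the whole script.
  # Arguments: $1 - message text (printed verbatim, so it may contain '%')
  # Outputs:   "Error in <script path>:" followed by the message, on stderr
  #            (the original wrote it to stdout and had no space after "in")
  # Returns:   never; exits the shell with status 1
  function die()
  {
    printf 'Error in %s:\n%s\n' "${SCRIPT_PATH}" "${1}" >&2
    exit 1
  }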
  28.  
  29.   # Shows usage function.
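  # Print the command-line usage text to stdout and exit successfully.
  # Globals:   SCRIPT_PATH (read)
  # Returns:   never; exits the shell with status 0
  function fShowUsage()
  {
    # The sub-command list has to match the case arms in fChoice: the dispatcher
    # accepts "auth", the original text advertised "ldap", which is never matched.
    cat <<EOF
Usage: ${SCRIPT_PATH} [all|nfs|ssh|auth] YES

   all:         Run All Actions from script
   nfs:     Config NFS
   ssh:     Config ssh key auth for root
   auth:    Config ldap for host

   Config LDAP/SSH/NFS database - [email protected]

Versie 1.0
EOF
    exit 0
  }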
  42.  
  43.   # check for.......
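  # Validate the run environment and collect the two interactive inputs
  # (ldap server address and this machine's host alias).
  # Globals:   ARGS, ARG2 (read); HOSTIP, HOSTALIAS (written, read by fNfs/fSsh)
  # Outputs:   prompts and a progress line on stdout
  # Returns:   0 when every check passes; calls die (or exits 1) otherwise
  function fCheck()
  {
   ###################################################################
   # CHECKS
   ###################################################################

    local octet ip_re alias_re

    # user must be root: compare the numeric id, not a login name
    [ "$(id -u)" = 0 ] || die "User must be root!"

    # arguments must be yes
    { [ "${ARGS}" = 2 ] && [ "${ARG2}" = YES ]; } || { echo "To install run \"sudo ${0} [all|auth|nfs|ssh] YES\"" >&2 ; exit 1; }

    # get arguments (-r keeps backslashes in the input literal)
    read -r -p "What is the ip adres of the ldap server? --> " HOSTIP

    # check if host is a valid ip. The value ends up in /etc/hosts and in a
    # from="..." restriction in root's authorized_keys, so the whole string must
    # be a dotted quad with every octet in 0-255 (the original only looked for
    # four numbers somewhere in the line).
    octet='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
    ip_re="^${octet}\\.${octet}\\.${octet}\\.${octet}\$"
    if ! [[ "${HOSTIP}" =~ ${ip_re} ]] ; then
       die "Please enter a valid ip address for HOSTIP value!"
    fi

    # what is the ldap host alias of this machine?
    read -r -p "What is the machine host alias of this machine? *ex: webserver01.example.linux.virtual* --> " HOSTALIAS

    # validate input: the alias is spliced into a download URL and a file name
    # later on, so only hostname characters are allowed, and the literal
    # ".linux." component is required (the original grep '.linux.' treated the
    # dots as wildcards).
    alias_re='^[A-Za-z0-9.-]+$'
    if ! [[ "${HOSTALIAS}" =~ ${alias_re} && "${HOSTALIAS}" == *.linux.* ]] ; then
       die "Please enter a valid linux hostalias, you can find this in the CMDB or nagiosconfig!"
    fi

    echo "Checking is done, now proceeding"

    return 0
  }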
  76.  
  77.    # NFS
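  # NFS
  # Install the NFS client, register the ldap host in /etc/hosts and mount the
  # shared /home and /config exported by nfs.example.com.
  # Globals:   HOSTIP (read, set by fCheck)
  # Outputs:   progress lines on stdout
  # Returns:   0; calls die when a step fails
  function fNfs()
  {
   ###################################################################
   # config NFS
   ###################################################################

     # packages
     read -r -p "Press ENTER to continue installing packages: portmap nfs-common"
     DEBIAN_FRONTEND=noninteractive apt-get install portmap nfs-common -y || die "Failed to install packages"

     # config host entry. The entry has to end with a newline: the original used
     # `echo -n`, which glued it onto whatever was appended to /etc/hosts next.
     # Skip it when the name is already present so re-runs don't duplicate it.
     if ! grep -qF 'ldaphost.example.com' /etc/hosts ; then
       printf '%s   ldaphost.example.com\n' "${HOSTIP}" >> /etc/hosts || die "Failed to add ldap server to /etc/hosts"
     fi

     # config mounts: look for an existing /home or /config mount point
     # (the original pattern 'home/config' only matched that literal string)
     if ! grep -qE '[[:space:]]/(home|config)[[:space:]]' /etc/fstab ; then
       # fstab
       echo "Adding NFS mounts to /etc/fstab"
       printf '\n%s\n%s\n' \
         'nfs.example.com:/home/    /home      nfs      rw,sync,hard,intr  0     0' \
         'nfs.example.com:/data/config/    /config      nfs      rw,sync,hard,intr  0     0' \
         >> /etc/fstab || die "Failed to add NFS entries to /etc/fstab"
       # home dir backup: leave / first so the cwd is not inside the tree being
       # moved, and only move /home when it actually exists
       echo "backing up homedir"
       cd / || die "Failed to change directory to /"
       if [ -d /home ] ; then
         { mv /home /home.old && mkdir /home ; } || die "Failed to move /home to /home.old"
       else
         mkdir /home || die "Failed to create /home"
       fi
       # an existing /config is fine (the original died when it was already there)
       { [ -d /config ] || mkdir /config ; } || die "Failed create /config"
       # mounting share
       echo "mounting NFS shares"
       mount -a || die "Failed to mount NFS shares!"
     else
       echo "home or config mount found in /etc/fstab, please configure /etc/fstab mounts manually!"
     fi

    return 0
  }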
  111.  
  112.   # LDAP AUTH
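  # Copy an existing config file into ${BAK} before it gets overwritten.
  # Arguments: $1 - file to save; $2 - name to store it under inside ${BAK}
  # Returns:   0 (a missing source file is not an error); calls die if the copy fails
  function fBakCopy()
  {
    if [ -f "${1}" ] ; then
      cp -- "${1}" "${BAK}/${2}" || die "Failed to back up ${1} to ${BAK}/${2}"
    fi
    return 0
  }

  # Move an existing file into ${BAK} and put a symlink to $3 in its place.
  # Arguments: $1 - path to replace; $2 - backup name inside ${BAK}; $3 - link target
  # Returns:   0; calls die if the move or the link fails
  function fBakLink()
  {
    if [ -f "${1}" ] ; then
      mv -- "${1}" "${BAK}/${2}" || die "Failed to move ${1} to ${BAK}/${2}"
    fi
    # -sfn also replaces a dangling link, which the -f test above does not see
    # and which made the original plain `ln -s` fail
    ln -sfn -- "${3}" "${1}" || die "Failed to link ${1} to ${3}"
    return 0
  }

  # LDAP AUTH
  # Install the nss/pam LDAP packages and write the client configuration,
  # keeping a copy of every replaced file under ${BAK}.
  # Globals:   BAK (read); LDAP_ROOT_SECRET (read, optional override of the bind
  #            secret); SUDO_FORCE_REMOVE (exported)
  # Outputs:   progress lines on stdout, nscd failure on stderr
  # Returns:   0; calls die when a package install or a file write fails
  function fAuth()
  {
   ###################################################################
   # CONFIG AUTH
   ###################################################################

   local secret

   # Install Packages
   # set var (presumably lets apt replace sudo with sudo-ldap -- confirm)
   export SUDO_FORCE_REMOVE=yes

   read -r -p "installing packages, wget ldap-utils libnss-ldap libpam-ldap nscd sudo-ldap libpam-foreground press ENTER to continue...... > "
   DEBIAN_FRONTEND=noninteractive apt-get install wget ldap-utils libnss-ldap libpam-ldap nscd sudo-ldap libpam-foreground -y  || die "Failed to install packages for ldap auth!"

   # config files

   # create backup dir; it will hold copies of the old secret files, so root only
   { [ -d "${BAK}" ] || mkdir -m 700 "${BAK}"; } || die "Failed to create ${BAK}"

   # /etc/libnss-ldap.conf
   fBakCopy /etc/libnss-ldap.conf libnss-ldap.conf
   cat > /etc/libnss-ldap.conf <<'EOF' || die "Failed to write /etc/libnss-ldap.conf"
host ldaphost.example.com
base dc=example,dc=net
rootbinddn cn=Manager,dc=example,dc=net
EOF

   # /etc/libnss-ldap.secret holds the rootbinddn password; the two symlinks
   # created below publish it under the other names the ldap client files use.
   # It can be supplied through LDAP_ROOT_SECRET; the embedded default is the
   # value this deployment shipped with (TODO: rotate it and drop the fallback,
   # it is readable by anyone who has a copy of this script).
   secret="${LDAP_ROOT_SECRET:-EXfHDgI2AAu9dvKWYL2KDsNjmeU6YXZupIF3XTzr07HtkRXOUn}"
   fBakCopy /etc/libnss-ldap.secret libnss-ldap.secret
   # umask 077 keeps the file from being world-readable even before the chmod
   ( umask 077 ; printf '%s\n' "${secret}" > /etc/libnss-ldap.secret ) || die "Failed to write /etc/libnss-ldap.secret"
   chmod 600 /etc/libnss-ldap.secret

   # /etc/ldap.secret and /etc/pam_ldap.secret -> /etc/libnss-ldap.secret
   fBakLink /etc/ldap.secret ldap.secret /etc/libnss-ldap.secret
   fBakLink /etc/pam_ldap.secret pam_ldap.secret /etc/libnss-ldap.secret

   # /etc/pam_ldap.conf
   fBakCopy /etc/pam_ldap.conf pam_ldap.conf
   cat > /etc/pam_ldap.conf <<'EOF' || die "Failed to write /etc/pam_ldap.conf"
host ldaphost.example.com
base dc=example,dc=net
rootbinddn cn=Manager,dc=example,dc=net
EOF

   # /etc/pam.d/common-account
   # NOTE(review): the pam_mkhomedir line is a *session* entry inside the account
   # file, as in the original; confirm it is meant here rather than in common-session.
   fBakCopy /etc/pam.d/common-account common-account
   cat > /etc/pam.d/common-account <<'EOF' || die "Failed to write /etc/pam.d/common-account"
account sufficient pam_ldap.so
account required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel/ silent
EOF

   # /etc/pam.d/common-auth
   fBakCopy /etc/pam.d/common-auth common-auth
   cat > /etc/pam.d/common-auth <<'EOF' || die "Failed to write /etc/pam.d/common-auth"
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
EOF

   # /etc/pam.d/common-password
   fBakCopy /etc/pam.d/common-password common-password
   cat > /etc/pam.d/common-password <<'EOF' || die "Failed to write /etc/pam.d/common-password"
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=6 ssha
EOF

   # /etc/pam.d/common-session
   fBakCopy /etc/pam.d/common-session common-session
   cat > /etc/pam.d/common-session <<'EOF' || die "Failed to write /etc/pam.d/common-session"
session sufficient pam_ldap.so
session required pam_unix.so
session optional pam_foreground.so
EOF

   # /etc/nsswitch.conf
   fBakCopy /etc/nsswitch.conf nsswitch.conf
   cat > /etc/nsswitch.conf <<'EOF' || die "Failed to write /etc/nsswitch.conf"
passwd:         files ldap
group:          files ldap
shadow:         files ldap
sudoers:        ldap files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       ldap
EOF

    # sudo-ldap and /etc/ldap.conf both point at /etc/ldap/ldap.conf, written next
    fBakLink /etc/sudo-ldap.conf sudo-ldap.conf /etc/ldap/ldap.conf
    fBakLink /etc/ldap.conf ldap.conf /etc/ldap/ldap.conf

    # /etc/ldap/ldap.conf
    # NOTE(review): `tls_checkpeer no` and `TLS_REQCERT never` turn off server
    # certificate verification, so the start_tls session (and the rootbinddn
    # secret sent over it) is not protected against an on-path attacker; once
    # the CA is distributed switch to `tls_checkpeer yes` / `TLS_REQCERT demand`
    # with a TLS_CACERT line. nss_base_hosts appears twice (ou=Hosts / ou=hosts)
    # as in the original -- confirm which one is intended.
    fBakCopy /etc/ldap/ldap.conf ldap-ldap.conf
    cat > /etc/ldap/ldap.conf <<'EOF' || die "Failed to write /etc/ldap/ldap.conf"
#
# LDAP Defaults
#
base dc=example,dc=net
uri ldap://ldaphost.example.com
ldap_version 3
rootbinddn cn=Manager,dc=example,dc=net
binddn cn=proxyuser,dc=example,dc=net
pam_password ssha
ssl start_tls
tls_checkpeer no

nss_base_passwd         ou=People,dc=example,dc=net?one
nss_base_shadow         ou=People,dc=example,dc=net?one
nss_base_group          ou=Group,dc=example,dc=net?one
nss_base_hosts          ou=Hosts,dc=example,dc=net?one
nss_base_hosts          ou=hosts,dc=example,dc=net?one
sudoers_base            ou=sudoers,dc=example,dc=net
pam_member_attribute    memberUid

TLS_REQCERT never
EOF

   # a failed restart is reported but not fatal: the files are already in place
   /etc/init.d/nscd restart || echo "Failed to restart the nscd daemon!" >&2

    echo "Done editting pam.d files!"

    return 0
  }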
  239.  
  240.   # SSH CONFIG
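  # Remove a temporary download directory, then abort through die.
  # Arguments: $1 - directory to delete (must be non-empty); $2 - error message
  # Returns:   never
  function fSshFail()
  {
    rm -rf -- "${1:?}"
    die "${2}"
  }

  # SSH CONFIG
  # Install the nightly key-sync cron job and seed root's authorized_keys with
  # this host's public key from the key server.
  # Globals:   HOSTIP, HOSTALIAS (read, set by fCheck);
  #            KEYSERVER_PASSWORD (read, optional override of the download password)
  # Outputs:   progress line on stdout
  # Returns:   0; calls die on any failed step
  function fSsh()
  {
   ###################################################################
   #  SSH CONFIG
   ###################################################################

   local rand tmpdir password

   # random minute (1-9) so the hosts don't all hit the key server at once
   rand="$(( RANDOM % 9 + 1 ))"

   # set cron file
   cat > /etc/cron.d/keycron <<EOF || die "Failed to write /etc/cron.d/keycron"
# /etc/cron.d/keycron: crontab fragment for root ssh access
# this cron entry downloads the public key for room from the key server
# download public key every night
${rand}   3 *     * * *     root  /usr/local/bin/pubkey_manager
EOF
   chmod 644 /etc/cron.d/keycron || die "Failed to set permissions on /etc/cron.d/keycron"

   # set hostid (umask 077 so the file is never world-readable, not even briefly)
   ( umask 077 ; printf 'ip:%s\nalias:%s\n' "${HOSTIP}" "${HOSTALIAS}" > /etc/example-auth ) || die "Failed to write /etc/example-auth"
   chmod 600 /etc/example-auth

   # Downloads go to a private mktemp directory. The original used the fixed
   # names /tmp/pubkey_manager and /tmp/key.pub in a world-writable directory:
   # any local user could pre-create them (or a symlink) and have root move
   # their content into /usr/local/bin and authorized_keys.
   tmpdir="$(mktemp -d)" || die "Failed to create a temporary directory"

   # Credentials go through a wgetrc file rather than --user/--password, which
   # every local user can read from the process list while wget runs.
   # KEYSERVER_PASSWORD overrides the embedded default (TODO: rotate it and
   # drop the fallback; it is visible to anyone holding a copy of this script).
   password="${KEYSERVER_PASSWORD:-BoemKapletter666}"
   ( umask 077 ; printf 'user = keys\npassword = %s\n' "${password}" > "${tmpdir}/wgetrc" ) || fSshFail "${tmpdir}" "Failed to write wget credentials"

   # TODO: --no-check-certificate disables TLS verification of the key server,
   # so an on-path attacker could hand out the key that ends up in root's
   # authorized_keys; ship the server's CA and use --ca-certificate instead.
   # get script
   WGETRC="${tmpdir}/wgetrc" wget -qq --no-check-certificate https://keyserver.example.com/keys/pubkey_manager -O "${tmpdir}/pubkey_manager" || fSshFail "${tmpdir}" "failed to get keyscript"
   # install copies with mode 700 in one step (the original mv + chmod 700 + chmod +x)
   install -m 700 -- "${tmpdir}/pubkey_manager" /usr/local/bin/pubkey_manager || fSshFail "${tmpdir}" "Failed to install /usr/local/bin/pubkey_manager"

   # get key (HOSTALIAS is interactive input, so the URL is quoted as one word)
   WGETRC="${tmpdir}/wgetrc" wget -qq --no-check-certificate "https://keyserver.example.com/keys/pubkeys/${HOSTALIAS}_id_rsa.pub" -O "${tmpdir}/key.pub" || fSshFail "${tmpdir}" "Failed to get ssh key"
   # an empty download would otherwise leave root with a from="..." line and no key
   [ -s "${tmpdir}/key.pub" ] || fSshFail "${tmpdir}" "Downloaded ssh key is empty"

   # process
   mkdir -p -m 700 /root/.ssh || fSshFail "${tmpdir}" "Failed to create /root/.ssh"
   [ -f /root/.ssh/authorized_keys ] && cp /root/.ssh/authorized_keys /root/.ssh/authorized_keys.pre.ldap
   # the from= option limits this key to logins coming from the ldap server's address
   ( umask 077 ; printf 'from="%s" %s\n' "${HOSTIP}" "$(cat -- "${tmpdir}/key.pub")" > /root/.ssh/authorized_keys ) || fSshFail "${tmpdir}" "Failed to write /root/.ssh/authorized_keys"
   chmod 600 /root/.ssh/authorized_keys
   rm -rf -- "${tmpdir}"

   echo "SSH config is done"

   return 0
  }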
  275.  
  276.  
  277.   # function choice
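  # function choice
  # Dispatch on the first argument and run the matching configuration steps.
  # Globals:   ARGS, ARG1 (read)
  # Returns:   the status of the step chain that ran. The original always
  #            returned 0, so the script's final `exit "${?}"` never reflected
  #            a failing step; "help" and unknown words print the usage (exit 0).
  function fChoice()
  {
    local rc=0

    # check for arguments:
    [ "${ARGS}" = 2 ] || fShowUsage

    # Do the Magic:
    case "${ARG1}" in
      all)
        fCheck && fNfs && fSsh && fAuth
        rc=$?
        ;;
      nfs)
        fCheck && fNfs
        rc=$?
        ;;
      ssh)
        fCheck && fSsh
        rc=$?
        ;;
      auth)
        fCheck && fAuth
        rc=$?
        ;;
      help|*)
        fShowUsage
        ;;
    esac

    return "${rc}"
  }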
  309.  
  310.  
  311.  
  # Entry point: run the dispatcher with the original command line and
  # finish with whatever status it returned.
  fChoice "$@"
  rc=$?
  exit "$rc"