Доработки

* добавелен пример conf.d * добавлена проверка контрольной суммы start на стороне клиента * добавлена возможность указывать несколько узлов доступа, с портами именами пользователей * добавлена возможность указывать количество попыток на подключение
6 years ago · 44135707a1
parent 15d5fb77d1
commit 44135707a1
4 changed files with 147 additions and 12 deletions
--- a/1
+++ b/1
@ -12,6 +12,7 @@ install: install_client install_server

 install_client:
 	@${INSTALL} -D -m 0755 init.d/access ${DESTDIR}/etc/init.d/access
+	@${INSTALL} -D -m 0644 conf.d/access ${DESTDIR}/etc/conf.d/access

 install_server:
 	@${INSTALL} -D -m 0755 scripts/cl-access-setup ${DESTDIR}/usr/sbin/cl-access-setup
--- a/access/bin/access-shell
+++ b/access/bin/access-shell
@ -9,5 +9,9 @@ case "$SSH_ORIGINAL_COMMAND" in
 	access)
 		access $1
 		;;
+	*)
+		echo "Commands:"
+		echo "    access"
+		;;
 esac

--- a/conf.d/access
+++ b/conf.d/access
@ -0,0 +1,16 @@
+# List of access hosts, separated by a space
+# You can define your host in several ways:
+# 	'example.org'		- access@example.org port 22
+#	'example.org:200'	- access@example.org port 200
+#	'user@1.2.3.4:333'	- user@1.2.3.4 port 333
+ACCESSHOST="access"
+
+# Path to the private SSL-key file for connection to the access host
+# The key must be accessible without a password
+KEYFILE=/var/lib/calculate/access_key
+
+# Connection timeout (in seconds)
+CONNECT_TIMEOUT=20
+
+# Maximum number of retries before disallowing access, -1 - infinity
+RETRY=5
--- a/init.d/access
+++ b/init.d/access
@ -1,32 +1,129 @@
 #!/sbin/openrc-run

-extra_commands="check add_hostkey"
+extra_commands="check add_hostkey check_verbose update_checksum"
+
+CHECKSUM_FILE=${CHECKSUM_FILE:-/var/lib/calculate/access_checksum}

 depend()
 {
        need net
+	keyword -timeout
 }

 ask_keystore() {
-	what=$1
-	strict=${2:-yes}
+	if [[ $1 =~ : ]]
+	then
+		host=${1/:*/}
+		port=${1/*:/}
+	else
+		host=$1
+		port=22
+	fi
+	if [[ $host =~ @ ]]
+	then
+		user=${host/@*/}
+		host=${host/*@/}
+	else
+		user=access
+	fi
+	what=$2
+	strict=${3:-yes}
 	/usr/bin/ssh -o KbdInteractiveAuthentication=no \
 		-o ControlPath=none \
 		-o ControlMaster=no \
+		-o ConnectTimeout=${CONNECT_TIMEOUT:-20} \
 		-o StrictHostKeyChecking=${strict} \
 		-o PasswordAuthentication=no \
 		-o BatchMode=yes \
 		-o PreferredAuthentications=publickey \
-		-i ${KEYFILE:-/root/id_rsa} \
-		access@${ACCESSHOST:-access} $what
+		-p $port -T \
+		-i ${KEYFILE:-/var/lib/calculate/access_key} \
+		$user@$host $what
 }

 add_hostkey() {
-	ask_keystore "" no
+	for host in ${ACCESSHOST:-access}
+	do
+		ask_keystore $host "" no 2>&1 | grep -oP "Permanently added.*"
+	done
 }

 check() {
-	ask_keystore access | tar tjf -
+	for host in ${ACCESSHOST:-access}
+	do
+		ebegin "Host: $host"
+		(ask_keystore $host access | tar tjf -) 2>&1 | grep -q ^start
+		eend $?
+	done
+}
+
+update_host_checksum() {
+	SHA512=$(ask_keystore $host access 2>/dev/null |
+		tar xjOf - start 2>/dev/null |
+		sha512sum | awk '{print $1}';exit ${PIPESTATUS[1]})
+	if [[ $? -ne 0 ]]
+	then
+		return 1
+	fi
+	sed -i "s/$host .*/$host $SHA512/" $CHECKSUM_FILE &>/dev/null || echo $host $SHA512 >>$CHECKSUM_FILE
+	return 0
+}
+
+wordremove() {
+	local word=$1;
+	sed -r "s/(^$word ?|$word | ?$word\$)//g";
+}
+
+check_host_data() {
+	host=$1
+	file=$2
+	sum=$(sha512sum $file | awk '{print $1}')
+	if ! grep -q "$host $sum" $CHECKSUM_FILE &>/dev/null
+	then
+		if grep -q "$host " $CHECKSUM_FILE &>/dev/null
+		then
+			ACCESSHOST=$(echo ${ACCESSHOST} | wordremove $host)
+			eerror "Wrong checksum"
+			return 1
+		fi
+		echo $host $sum >>$CHECKSUM_FILE
+	fi
+	return 0
+}
+
+update_checksum() {
+	#rm -f /var/lib/calculate/access_checksum
+	for host in ${ACCESSHOST:-access}
+	do
+		ebegin "Host: $host"
+		update_host_checksum $host
+		eend $?
+	done
+}
+
+check_verbose() {
+	for host in ${ACCESSHOST:-access}
+	do
+		ebegin "Host: $host"
+		(ask_keystore $host access | tar tjf -) 2>&1
+		eend $?
+	done
+}
+
+try_access() {
+	for host in ${ACCESSHOST:-access}
+	do
+		echo "Host: $host"
+		ask_keystore $host access | tar xjf - -C /dev/shm/access 2>/dev/null
+		if [[ ${PIPESTATUS[0]} -eq 0 ]]
+		then
+			if check_host_data $host /dev/shm/access/start
+			then
+				return 0
+			fi
+		fi
+	done
+	return 1
 }

 start() {
@ -36,11 +133,28 @@ start() {
 		rm -rf /dev/shm/access
 	fi
 	mkdir /dev/shm/access
-	ask_keystore access | tar xjf - -C /dev/shm/access 2>/dev/null
-	chmod 0700 /dev/shm/access
-	/bin/bash /dev/shm/access/start
-	res=$?
-	rm -rf /dev/shm/access/start /dev/shm/access/[0-9]*
+	local try=${RETRY:-6}
+	local stopfile=/run/stop_access
+	local res=1
+	while ! [[ -f $stopfile ]] &&  [[ $try -ne 0 ]]
+	do
+		
+		if try_access
+		then
+			chmod 0700 /dev/shm/access
+			/bin/bash /dev/shm/access/start
+			res=$?
+			rm -rf /dev/shm/access/start /dev/shm/access/[0-9]*
+			break
+		else
+			res=1
+		fi
+		if [[ $try -gt 0 ]]
+		then
+			try=$(( $try - 1 ))
+		fi
+	done
+	rm -f $stopfile
 	eend $res "Failed to start access" 
 }