From 44135707a1c63e86fc8aa7dd69973d31f7be29e6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=A5=D0=B8=D1=80=D0=B5=D1=86=D0=BA=D0=B8=D0=B9=20=D0=9C?= =?UTF-8?q?=D0=B8=D1=85=D0=B0=D0=B8=D0=BB?=
Date: Wed, 25 Apr 2018 14:08:23 +0300
Subject: [PATCH] =?UTF-8?q?=D0=94=D0=BE=D1=80=D0=B0=D0=B1=D0=BE=D1=82?= =?UTF-8?q?=D0=BA=D0=B8?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* добавелен пример conf.d
* добавлена проверка контрольной суммы start на стороне клиента
* добавлена возможность указывать несколько узлов доступа, с портами именами пользователей
* добавлена возможность указывать количество попыток на подключение
---
 Makefile | 1 +
 access/bin/access-shell | 4 ++
 conf.d/access | 16 +++++
 init.d/access | 138 ++++++++++++++++++++++++++++++++++++----
 4 files changed, 147 insertions(+), 12 deletions(-)
 create mode 100644 conf.d/access
diff --git a/Makefile b/Makefile
index c4f5360..0eb94b7 100644
--- a/Makefile
+++ b/Makefile
@@ -12,6 +12,7 @@ install: install_client install_server
 install_client:
 @${INSTALL} -D -m 0755 init.d/access ${DESTDIR}/etc/init.d/access
+ @${INSTALL} -D -m 0644 conf.d/access ${DESTDIR}/etc/conf.d/access
 install_server:
 @${INSTALL} -D -m 0755 scripts/cl-access-setup ${DESTDIR}/usr/sbin/cl-access-setup
diff --git a/access/bin/access-shell b/access/bin/access-shell
index 96a0533..2c1bbac 100644
--- a/access/bin/access-shell
+++ b/access/bin/access-shell
@@ -9,5 +9,9 @@ case "$SSH_ORIGINAL_COMMAND" in
 access)
 access $1
 ;;
+ *)
+ echo "Commands:"
+ echo " access"
+ ;;
 esac
diff --git a/conf.d/access b/conf.d/access
new file mode 100644
index 0000000..0d5f972
--- /dev/null
+++ b/conf.d/access
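Review bot: The added install_client line overwrites an existing `${DESTDIR}/etc/conf.d/access` on every `make install`, so an administrator's ACCESSHOST, KEYFILE and RETRY settings are silently reset to the shipped defaults on upgrade; the init.d line above it installs code and may be replaced, but this file is meant to be edited. Install it only when absent, e.g. `@test -e ${DESTDIR}/etc/conf.d/access || ${INSTALL} -D -m 0644 conf.d/access ${DESTDIR}/etc/conf.d/access`, or ship it under a `.example` name. Whether the package manager adds its own config protection on top is not visible here.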
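Review bot: The new `*)` arm prints the command list to stdout and lets the script finish with status 0, so any unrecognized `SSH_ORIGINAL_COMMAND` arriving through this forced-command shell looks like a successful invocation to the caller, and nothing here records what was requested. For a restricted shell the fallback should report on stderr and fail, e.g. `echo "Unknown command, available: access" >&2` followed by `exit 1`, so automation notices and the session ends with a non-zero status. The `case` statement starts before the hunk.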
@@ -0,0 +1,16 @@
+# List of access hosts, separated by a space
+# You can define your host in several ways:
+# 'example.org' - access@example.org port 22
+# 'example.org:200' - access@example.org port 200
+# 'user@1.2.3.4:333' - user@1.2.3.4 port 333
+ACCESSHOST="access"
+
+# Path to the private SSL-key file for connection to the access host
+# The key must be accessible without a password
+KEYFILE=/var/lib/calculate/access_key
+
+# Connection timeout (in seconds)
+CONNECT_TIMEOUT=20
+
+# Maximum number of retries before disallowing access, -1 - infinity
+RETRY=5
diff --git a/init.d/access b/init.d/access
index 4b2ba89..642280d 100755
--- a/init.d/access
+++ b/init.d/access
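Review bot: The comment above KEYFILE calls it a "private SSL-key", but init.d/access hands it to `ssh -i`, so it is an SSH private key; `# Path to the SSH private key used to authenticate to the access host` would stop a reader looking for a certificate. The RETRY comment says "retries" while the loop in init.d/access counts total attempts (try starts at RETRY and the loop runs while it is non-zero), so RETRY=5 means five attempts rather than one plus five; saying "attempts" here, and noting that the script's built-in fallback is 6 while this file ships 5, keeps the two in step.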
@@ -1,32 +1,129 @@
 #!/sbin/openrc-run
-extra_commands="check add_hostkey"
+extra_commands="check add_hostkey check_verbose update_checksum"
+
+CHECKSUM_FILE=${CHECKSUM_FILE:-/var/lib/calculate/access_checksum}
 depend() {
 need net
+ keyword -timeout
 }
 ask_keystore() {
- what=$1
- strict=${2:-yes}
+ if [[ $1 =~ : ]]
+ then
+ host=${1/:*/}
+ port=${1/*:/}
+ else
+ host=$1
+ port=22
+ fi
+ if [[ $host =~ @ ]]
+ then
+ user=${host/@*/}
+ host=${host/*@/}
+ else
+ user=access
+ fi
+ what=$2
+ strict=${3:-yes}
 /usr/bin/ssh -o KbdInteractiveAuthentication=no \
 -o ControlPath=none \
 -o ControlMaster=no \
+ -o ConnectTimeout=${CONNECT_TIMEOUT:-20} \
 -o StrictHostKeyChecking=${strict} \
 -o PasswordAuthentication=no \
 -o BatchMode=yes \
 -o PreferredAuthentications=publickey \
- -i ${KEYFILE:-/root/id_rsa} \
- access@${ACCESSHOST:-access} $what
+ -p $port -T \
+ -i ${KEYFILE:-/var/lib/calculate/access_key} \
+ $user@$host $what
 }
 add_hostkey() {
- ask_keystore "" no
+ for host in ${ACCESSHOST:-access}
+ do
+ ask_keystore $host "" no 2>&1 | grep -oP "Permanently added.*"
+ done
 }
 check() {
- ask_keystore access | tar tjf -
+ for host in ${ACCESSHOST:-access}
+ do
+ ebegin "Host: $host"
+ (ask_keystore $host access | tar tjf -) 2>&1 | grep -q ^start
+ eend $?
+ done
+}
+
+update_host_checksum() {
+ SHA512=$(ask_keystore $host access 2>/dev/null |
+ tar xjOf - start 2>/dev/null |
+ sha512sum | awk '{print $1}';exit ${PIPESTATUS[1]})
+ if [[ $? -ne 0 ]]
+ then
+ return 1
+ fi
+ sed -i "s/$host .*/$host $SHA512/" $CHECKSUM_FILE &>/dev/null || echo $host $SHA512 >>$CHECKSUM_FILE
+ return 0
+}
+
+wordremove() {
+ local word=$1;
+ sed -r "s/(^$word ?|$word | ?$word\$)//g";
+}
+
+check_host_data() {
+ host=$1
+ file=$2
+ sum=$(sha512sum $file | awk '{print $1}')
+ if ! grep -q "$host $sum" $CHECKSUM_FILE &>/dev/null
+ then
+ if grep -q "$host " $CHECKSUM_FILE &>/dev/null
+ then
+ ACCESSHOST=$(echo ${ACCESSHOST} | wordremove $host)
+ eerror "Wrong checksum"
+ return 1
+ fi
+ echo $host $sum >>$CHECKSUM_FILE
+ fi
+ return 0
+}
+
+update_checksum() {
+ #rm -f /var/lib/calculate/access_checksum
+ for host in ${ACCESSHOST:-access}
+ do
+ ebegin "Host: $host"
+ update_host_checksum $host
+ eend $?
+ done
+}
+
+check_verbose() {
+ for host in ${ACCESSHOST:-access}
+ do
+ ebegin "Host: $host"
+ (ask_keystore $host access | tar tjf -) 2>&1
+ eend $?
+ done
+}
+
+try_access() {
+ for host in ${ACCESSHOST:-access}
+ do
+ echo "Host: $host"
+ ask_keystore $host access | tar xjf - -C /dev/shm/access 2>/dev/null
+ if [[ ${PIPESTATUS[0]} -eq 0 ]]
+ then
+ if check_host_data $host /dev/shm/access/start
+ then
+ return 0
+ fi
+ fi
+ done
+ return 1
 }
 start() {
@@ -36,11 +133,28 @@ start() {
 rm -rf /dev/shm/access
 fi
 mkdir /dev/shm/access
- ask_keystore access | tar xjf - -C /dev/shm/access 2>/dev/null
- chmod 0700 /dev/shm/access
- /bin/bash /dev/shm/access/start
- res=$?
- rm -rf /dev/shm/access/start /dev/shm/access/[0-9]*
+ local try=${RETRY:-6}
+ local stopfile=/run/stop_access
+ local res=1
+ while ! [[ -f $stopfile ]] && [[ $try -ne 0 ]]
+ do
+
+ if try_access
+ then
+ chmod 0700 /dev/shm/access
+ /bin/bash /dev/shm/access/start
+ res=$?
+ rm -rf /dev/shm/access/start /dev/shm/access/[0-9]*
+ break
+ else
+ res=1
+ fi
+ if [[ $try -gt 0 ]]
+ then
+ try=$(( $try - 1 ))
+ fi
+ done
+ rm -f $stopfile
 eend $res "Failed to start access"
 }
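Review bot: check_host_data accepts an empty checksum: when `/dev/shm/access/start` is missing or unreadable (try_access tests only `${PIPESTATUS[0]}`, the ssh status, never tar's), `sha512sum` fails, `sum` is empty, and both branches then return 0 — a known host matches `grep -q "$host "`, an unknown one gets a `host ` line with no sum appended — so start() goes on to run whatever was extracted. Add `[[ -n $sum ]] || return 1` after the sha512sum line, and in try_access test both stages with `if [[ ${PIPESTATUS[0]} -eq 0 && ${PIPESTATUS[1]} -eq 0 ]]`. Both grep patterns are also unanchored and treat the host as a regex, so `grep -qxF -- "$host $sum"` is the safer form for the exact-match test. Separately, update_host_checksum relies on `sed -i` failing to fall through to the append, but sed exits 0 when the file exists and the host is simply not listed yet, so update_checksum never records a newly configured host; guard with `grep -q "^$host " $CHECKSUM_FILE` instead. Note too that check_host_data empties ACCESSHOST when it rejects the only configured host, after which every `for host in ${ACCESSHOST:-access}` loop silently falls back to the literal host `access`; resolving the default once near the top (`ACCESSHOST=${ACCESSHOST:-access}`) and looping over `$ACCESSHOST` avoids that.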
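Review bot: The retry loop in start() has no pause between attempts, so with `RETRY=-1` (documented as infinite in conf.d/access) and a host that fails immediately — connection refused, or a checksum rejection — it can spin until `/run/stop_access` appears, re-running ssh and tar back to back; a `sleep 5` (or a configurable delay) in the `else` branch would bound that. The `else` branch also leaves whatever try_access extracted in /dev/shm/access in place, so the next attempt unpacks another host's archive on top of a rejected one and `/dev/shm/access/start` may then run beside leftovers from the rejected host; run `rm -rf /dev/shm/access/start /dev/shm/access/[0-9]*` before each attempt rather than only after a successful one. The fallback `${RETRY:-6}` disagrees with the 5 shipped in conf.d/access. As before this change, `chmod 0700` still happens after extraction; `mkdir -m 0700 /dev/shm/access` on the context line above would close that window. Whatever creates `/run/stop_access` is outside this hunk.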