From a56af3ba087fa6adeb134e97db859810829ad579 Mon Sep 17 00:00:00 2001
From: Miguel Scapolla
Date: Wed, 23 Aug 2017 12:16:38 -0300
Subject: [PATCH] Linux radius client.
---
.../cisco-xrv-basic-config.txt | 0
.../cisco-xrv-with-qemu.sh | 0
qemu-asa-patch.sh => cisco/qemu-asa-patch.sh | 0
qemu-asa-shell.sh => cisco/qemu-asa-shell.sh | 0
bridge-stp.sh => linux/bridge-stp.sh | 0
.../delay-jitter-packetloss.sh | 0
grub.txt => linux/grub.txt | 7 +-
interfaces.sh => linux/interfaces.sh | 0
linux/radius-client.sh | 85 +++++++++++++++++++
ssh-server.txt => linux/ssh-server.txt | 0
virtualbox.sh => linux/virtualbox.sh | 0
linux-vrf.sh => linux/vrf.sh | 0
.../xubuntu-read-only-filesystem.txt | 0
readme.text | 22 +---
14 files changed, 90 insertions(+), 24 deletions(-)
rename cisco-xrv-basic-config.txt => cisco/cisco-xrv-basic-config.txt (100%)
rename cisco-xrv-with-qemu.sh => cisco/cisco-xrv-with-qemu.sh (100%)
rename qemu-asa-patch.sh => cisco/qemu-asa-patch.sh (100%)
rename qemu-asa-shell.sh => cisco/qemu-asa-shell.sh (100%)
rename bridge-stp.sh => linux/bridge-stp.sh (100%)
rename delay-jitter-packetloss.sh => linux/delay-jitter-packetloss.sh (100%)
rename grub.txt => linux/grub.txt (70%)
rename interfaces.sh => linux/interfaces.sh (100%)
create mode 100644 linux/radius-client.sh
rename ssh-server.txt => linux/ssh-server.txt (100%)
rename virtualbox.sh => linux/virtualbox.sh (100%)
rename linux-vrf.sh => linux/vrf.sh (100%)
rename xubuntu-read-only-filesystem.txt => linux/xubuntu-read-only-filesystem.txt (100%)
diff --git a/cisco-xrv-basic-config.txt b/cisco/cisco-xrv-basic-config.txt
similarity index 100%
rename from cisco-xrv-basic-config.txt
rename to cisco/cisco-xrv-basic-config.txt
diff --git a/cisco-xrv-with-qemu.sh b/cisco/cisco-xrv-with-qemu.sh
similarity index 100%
rename from cisco-xrv-with-qemu.sh
rename to cisco/cisco-xrv-with-qemu.sh
diff --git a/qemu-asa-patch.sh b/cisco/qemu-asa-patch.sh
similarity index 100%
rename from qemu-asa-patch.sh
rename to cisco/qemu-asa-patch.sh
diff --git a/qemu-asa-shell.sh b/cisco/qemu-asa-shell.sh
similarity index 100%
rename from qemu-asa-shell.sh
rename to cisco/qemu-asa-shell.sh
diff --git a/bridge-stp.sh b/linux/bridge-stp.sh
similarity index 100%
rename from bridge-stp.sh
rename to linux/bridge-stp.sh
diff --git a/delay-jitter-packetloss.sh b/linux/delay-jitter-packetloss.sh
similarity index 100%
rename from delay-jitter-packetloss.sh
rename to linux/delay-jitter-packetloss.sh
diff --git a/grub.txt b/linux/grub.txt
similarity index 70%
rename from grub.txt
rename to linux/grub.txt
index 9dd7a54..19e2e67 100644
--- a/grub.txt
+++ b/linux/grub.txt
@@ -3,9 +3,10 @@ Change the text and background color in grub
 * /etc/grub.d/99_colors
 #!/bin/sh
- echo "set menu_color_highlight=dark-gray/black"
- echo "set menu_color_normal=black/black"
- echo "set color_normal=dark-gray/black"
+ exec tail -n +3 $0
+ set menu_color_highlight=dark-gray/black
+ set menu_color_normal=black/black
+ set color_normal=dark-gray/black
 * chmod 755 /etc/grub.d/99_colors
diff --git a/interfaces.sh b/linux/interfaces.sh
similarity index 100%
rename from interfaces.sh
rename to linux/interfaces.sh
diff --git a/linux/radius-client.sh b/linux/radius-client.sh
new file mode 100644
index 0000000..ae0e5f0
--- /dev/null
+++ b/linux/radius-client.sh
@@ -0,0 +1,85 @@
+### Linux radius client
+
+# Notes:
+ For user authentication to a radius server,
+ linux need the local user exist. The pam-radius
+ module not create the local user automatically.
+ To create the local user automatically:
+ Enable the pam-radius module.
+ Enable rsyslog and cron.
+ The user try to login the first time.
+ The the ssh daemon log the incident.
+ Cron execute a script every minute:
+ Read the log file and find the username.
+ Verify the existence of the user with the radius server.
+ Create the local user.
+ The user can login now.
+
+# Install libpam-radius-auth and radius-utils
+ apt-get install libpam-radius-auth freeradius-utils
+
+# Edit /etc/pam_radius_auth.conf
+ Add the radius server:
+ SERVER_IP_ADDRESS PRESHARED-KEY TIMEOUT
+
+# Edit /etc/pam.d/sshd
+# Edit /etc/pam.d/sudo
+ First line add:
+ auth sufficient pam_radius_auth.so
+
+# Edit /etc/ssh/sshd_config
+ Change:
+ SyslogFacility LOCAL6
+ LogLevel INFO
+
+# Edit /etc/rsyslog.conf
+ Add:
+ local6.* -/var/log/sshd.log
+
+# Enable rsyslog and cron
+ systemctl enable rsyslog.service
+ systemctl enable cron.service
+
+# Add the radius group
+ addgroup --system radius
+
+# Create the base dir for homes
+ mkdir /radius
+ chmod 755 /radius
+
+# Create the script /usr/local/bin/userradius.sh
+ Change RADIUSIP and RADIUSPSK
+
+ #!/bin/bash
+ RADIUSIP='RADIUS_IP_ADDR'
+ RADIUSPSK='RADIUS_PASSWORD'
+ SSHLOG='/var/log/sshd.log'
+ PATH='/usr/sbin:/usr/bin:/sbin:/bin'
+ DIRHME='/radius'
+ LOGFILE='/var/log/radius.log'
+ if [ -s "$SSHLOG" ]; then
+ DNOW=`date '+%d/%m/%Y %H:%M:%S'`
+ cat "$SSHLOG" | grep 'input_userauth_request' | sed -e 's/invalid user /|/' -e 's/ \[preauth\]/|/' | cut -d '|' -f 2 | tr '[A-Z]' '[a-z]' | tr -d '[:blank:]' | sort | uniq | while read NAMEUSR; do
+ VALIDATE=`radtest "$NAMEUSR" 'DUMMYPASS' "$RADIUSIP" '1812' "$RADIUSPSK" 2> /dev/null | grep 'Bad Encrypted password'`
+ if [ ! -z "$VALIDATE" ]; then
+ if [ ! -d "${DIRHME}/${NAMEUSR}" ]; then
+ VALIDATE=`cat /etc/passwd | grep ^${NAMEUSR}`
+ if [ -z "$VALIDATE" ]; then
+ useradd -d "${DIRHME}/${NAMEUSR}" -g 'radius' -m -N -s '/bin/bash' "$NAMEUSR"
+ chmod 700 "${DIRHME}/${NAMEUSR}"
+ echo "${DNOW} - NAMEUSR creado: $NAMEUSR" >> "$LOGFILE"
+ chmod 600 "$LOGFILE"
+ fi
+ fi
+ fi
+ done
+ truncate -s 0 "$SSHLOG"
+ fi
+
+# Make script executable
+ chmod 750 /usr/local/bin/userradius.sh
+
+# Add the script to /etc/crontab
+ * * * * * root /usr/local/bin/userradius.sh > /dev/null 2> /dev/null
+
+# Reboot
diff --git a/ssh-server.txt b/linux/ssh-server.txt
similarity index 100%
rename from ssh-server.txt
rename to linux/ssh-server.txt
diff --git a/virtualbox.sh b/linux/virtualbox.sh
similarity index 100%
rename from virtualbox.sh
rename to linux/virtualbox.sh
diff --git a/linux-vrf.sh b/linux/vrf.sh
similarity index 100%
rename from linux-vrf.sh
rename to linux/vrf.sh
diff --git a/xubuntu-read-only-filesystem.txt b/linux/xubuntu-read-only-filesystem.txt
similarity index 100%
rename from xubuntu-read-only-filesystem.txt
rename to linux/xubuntu-read-only-filesystem.txt
diff --git a/readme.text b/readme.text
index c067d9f..1b901a8 100644
--- a/readme.text
+++ b/readme.text
@@ -1,24 +1,4 @@
 ## Various snippets of code
 #############################
-* bridge-stp.sh: Create a bridge.
-
-* cisco-xrv-basic-config.txt : Cisco XRv basic configurations.
-
-* cisco-xrv-with-qemu.sh: Run Cisco XRv with QEmu.
-
-* delay-jitter-packetloss.sh: Add delay, jitter and packet loss.
-
-* grub.txt: Grub configuration.
-
-* interfaces.sh: Interface with 802.1q configuration.
-
-* linux-vrf.sh: VRF creation.
-
-* qemu-asa-patch.sh and qemu-asa-shell.sh: Emulate Cisco ASA with qemu.
-
-* ssh-server.txt: SSH server configuration.
-
-* virtualbox.sh: VirtualBox commands.
-
-* xubuntu-read-only-filesystem.txt: Xubuntu read only root filesystem.
+Assorted snippets of code.
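Review bot: In `userradius.sh` the `while read NAMEUSR` loop hands attacker-chosen text to `radtest` and `useradd` with no validation — `NAMEUSR` is the name taken from sshd's `input_userauth_request: invalid user` lines, which any unauthenticated scanner controls, and the only local check, `cat /etc/passwd | grep ^${NAMEUSR}`, is unquoted and a prefix match, so an existing `bobby` suppresses creation of `bob` while regex metacharacters in a probed name change what the test means. Admit only names matching a strict login-name pattern before they reach any command, look the name up exactly with `getent passwd "$NAMEUSR"`, and read with `read -r`; the rewritten loop head is below. Separately, `truncate -s 0 "$SSHLOG"` every minute erases what is probably the host's main sshd audit record once `SyslogFacility LOCAL6` moves it off auth.log (whether a catch-all rsyslog rule still keeps a copy depends on the rest of rsyslog.conf) and drops any entry written between the `cat` and the `truncate`, so consume the file by offset or have rsyslog write a second copy and leave the primary log alone. The shared secret is hard-coded in the script and passed to `radtest` on its command line, where `ps` exposes it to every local user for the duration of the call, and the same secret in `/etc/pam_radius_auth.conf` should be mode 0600. Whether an unknown user reliably yields `Bad Encrypted password` rather than a bare Access-Reject is a property of this particular server's configuration, and probing every scanned name with `DUMMYPASS` will register as failed logins on the RADIUS backend — both are worth confirming before relying on this flow.
```shell
# … unchanged: variable definitions, the `if [ -s "$SSHLOG" ]` guard and DNOW …
  grep 'input_userauth_request: invalid user ' "$SSHLOG" \
    | sed -e 's/.*invalid user //' -e 's/ \[preauth\].*//' \
    | tr '[:upper:]' '[:lower:]' | sort -u \
    | while IFS= read -r NAMEUSR; do
      # NAMEUSR is text chosen by whoever knocked on sshd: accept only a
      # strict login-name shape before it is handed to radtest or useradd.
      if ! [[ "$NAMEUSR" =~ ^[a-z_][a-z0-9_-]{0,31}$ ]]; then
        continue
      fi
      # Exact lookup; `grep ^name` also matched "name2" and any regex in the name.
      if getent passwd "$NAMEUSR" > /dev/null 2>&1; then
        continue
      fi
      VALIDATE=$(radtest "$NAMEUSR" 'DUMMYPASS' "$RADIUSIP" '1812' "$RADIUSPSK" 2> /dev/null | grep 'Bad Encrypted password')
      if [ -n "$VALIDATE" ] && [ ! -d "${DIRHME}/${NAMEUSR}" ]; then
        # … unchanged: useradd, chmod 700, log entry, chmod 600 …
      fi
    done
# … unchanged: truncate and closing fi …
```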