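--- a/creds_msdos
+++ b/creds_msdos
@@ -1,16 +1,16 @@
 #!/bin/sh
 #
-# $NetBSD: creds_msdos,v 1.2 2019/06/12 00:28:56 mrg Exp $
+# $NetBSD: creds_msdos,v 1.3 2019/06/12 03:06:48 mrg Exp $
 #
 # Copyright (c) 2019 Matthew R. Green
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
 # are met:
 # 1. Redistributions of source code must retain the above copyright
 # notice, this list of conditions and the following disclaimer.
 # 2. Redistributions in binary form must reproduce the above copyright
 # notice, this list of conditions and the following disclaimer in the
 # documentation and/or other materials provided with the distribution.
 # 3. The name of the author may not be used to endorse or promote products
@@ -36,155 +36,155 @@
 # "useraddhash <user> <passwd hash>"
 # "useradd <user> <passwd>"
 # If the "useradd" method is used, this the creds.txt file will be
 # shredded and deleted with rm -P.
 
 # PROVIDE: creds_msdos
 # REQUIRE: mountall
 
 $_rc_subr_loaded . /etc/rc.subr
 
 name="creds_msdos"
 start_cmd="creds_msdos_start"
 stop_cmd=":"
-fstab_file=/etc/fstab
 
 fail() {
 echo "$@" 1>&2
 exit 1
 }
 
+# This uses $ssh_userkeys global
 sshkey_setup() {
 local user="$1"
 local group="wheel"
 
 # don't create existing users
-id=$(id -u $user 2>/dev/null)
-if [ $? -ne 0 ]; then
-useradd -m -G "${group}" "$user" || fail "Useradd failed."
+if ! id -u "${user}" > /dev/null 2>&1; then
+useradd -m -G "${group}" "${user}" || fail "Useradd failed."
 fi
 
-eval sshdir=~"${user}/.ssh"
-eval mkdir -p -m 755 "${sshdir}" || fail "mkdir ~/.ssh failed."
-chown "${user}" "${sshdir}"
-eval userkeys="${sshdir}/authorized_keys"
+eval ssh_userdir=~"${user}/.ssh"
+mkdir -p -m 755 "${ssh_userdir}" || fail "mkdir ~/.ssh failed."
+chmod 755 "${ssh_userdir}"
+chown "${user}" "${ssh_userdir}"
+
+ssh_userkeys="${ssh_userdir}/authorized_keys"
 }
 
 sshkey_finish() {
 local user="$1"
-local userkeys="$2"
 
-chmod 644 "${userkeys}"
-chown "${user}" "${userkeys}"
+chmod 644 "${ssh_userkeys}"
+chown "${user}" "${ssh_userkeys}"
 }
 
 do_sshkeyfile() {
 local user="$1"
 local newkeys="${creds_msdos_partition}/$2"
 
 if [ ! -f "${newkeys}" ]; then
 return
 fi
 
-sshkey_setup "$user"
+sshkey_setup "${user}"
 
 # check entry is not present
 while read type keydata name; do
-if fgrep -q "${keydata}" "${userkeys}" 2>/dev/null; then
+if fgrep -q "${keydata}" "${ssh_userkeys}" 2>/dev/null; then
 continue
 fi
-echo "${type} ${keydata} ${name}" >> "${userkeys}"
+echo "${type} ${keydata} ${name}" >> "${ssh_userkeys}"
 done < "${newkeys}"
 
-sshkey_finish "$user" "${userkeys}"
+sshkey_finish "${user}"
 }
 
 do_sshkey() {
 local user="$1"
 local newkey="$2"
 
-sshkey_setup "$user"
+sshkey_setup "${user}"
 
-echo "${newkey}" >> "${userkeys}"
+echo "${newkey}" >> "${ssh_userkeys}"
 
-sshkey_finish "$user" "${userkeys}"
+sshkey_finish "${user}"
 }
 
 do_useraddpwhash() {
 local user="$1"
 local pwhash="$2"
 local group="wheel"
 
 # don't add to existing users
-id=$(id -u "${user}" 2>/dev/null)
-if [ $? -eq 0 ]; then
+if id -u "${user}" > /dev/null 2>&1; then
 return
 fi
 
 useradd -m -p "${pwhash}" -G "${group}" "${user}" || fail "Useradd failed."
 }
 
 do_useradd() {
 local user="$1"
 local password="$2"
 
 local pwhash=$(pwhash "$password")
 do_useraddpwhash "${user}" "${pwhash}"
 }
 
 creds_msdos_start()
 {
+local fstab_file=/etc/fstab
+
 if [ -z "${creds_msdos_partition}" ]; then
 echo "Not looking for credientials on msdos"
-return;
+return
 fi
-check_fs=
 while read junk1 mp fstype junk2; do
 if [ "${mp}" != "${creds_msdos_partition}" ]; then
 continue
 fi
 if [ "${fstype}" != "msdos" ]; then
 echo "Not checking for creds on ${creds_msdos_partition}: not an msdos file system"
-return;
+return
 fi
 break
 done < "${fstab_file}"
 
-delete_creds=no
-creds_file="${creds_msdos_partition}/creds.txt"
+local delete_creds=no
+local creds_file="${creds_msdos_partition}/creds.txt"
 
 if [ -f "${creds_file}" ]; then
-while read type user arg1; do
+while read type user args; do
 # strip cr
-arg1=$(echo "$arg1" | tr -d '\015')
+local clean_args=$(echo "$args" | tr -d '\015')
 case "$type" in
 \#*|'')
 continue
 ;;
 sshkeyfile)
 echo "Added user ${user} via ssh key file method."
-do_sshkeyfile "${user}" "${arg1}"
+do_sshkeyfile "${user}" "${clean_args}"
 ;;
 sshkey)
 echo "Added user ${user} via ssh key string method."
-do_sshkey "${user}" "${arg1}"
+do_sshkey "${user}" "${clean_args}"
 ;;
 useraddpwhash)
 echo "Added user ${user} via password hash method."
-do_useraddpwhash "${user}" "${arg1}"
+do_useraddpwhash "${user}" "${clean_args}"
 ;;
 useradd)
 echo "Added user ${user} via password method, shredding credentials file."
-do_useradd "${user}" "${arg1}"
+do_useradd "${user}" "${clean_args}"
 delete_creds=yes
 ;;
 *)
 echo "Do not understand '$type' creds" 1>&2
 exit 1
 ;;
 esac
 done < "${creds_file}"
 fi
 
 if [ $delete_creds = yes ]; then
 rm -P -f "${creds_file}"
 fi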
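Review bot: `do_useradd` (new lines 125-131) assigns `local pwhash=$(pwhash "$password")`, so if `pwhash` fails the variable is empty, the script (no `set -e`, and `local` masks the exit status) continues into `useradd -m -p "" -G wheel`, which would likely create a wheel-group account with an empty password field. Split the declaration and check the result: `local pwhash` / `pwhash=$(pwhash "$password") || fail "pwhash failed."` / `[ -n "${pwhash}" ] || fail "pwhash failed."`. The same empty-argument case reaches `do_useraddpwhash` directly when a `useraddpwhash` line in creds.txt has no hash field, so a `[ -n "${pwhash}" ] || fail "Empty password hash."` guard before the `useradd` call on new line 122 covers both paths. Both `read` loops (new lines 91 and 156) also lack `-r`, so backslashes in key comments or passwords are interpreted rather than preserved; `read -r` keeps them intact.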