Authentication exploitation: Difference between revisions
No edit summary |
(5 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
== Guide rapide == | == Guide rapide == | ||
* Configurer | * Configurer [[#authentication.mail.cfg|authentication.mail.cfg]] | ||
* Configurer | * Configurer [[#authentication.cfg|authentication.cfg]] | ||
* Lancer | * Lancer [[#authentication-update|authentication-update]] avec le compte d exploitation | ||
== Description == | == Description == | ||
Line 38: | Line 38: | ||
==== cron ==== | ==== cron ==== | ||
2 2 * * * cd &&. ./.bash_profile &&cd <ScriptDir> &&./authentication-update | 2 2 * * * cd &&. ./.bash_profile &&cd <ScriptDir> &&./authentication-update | ||
==== authentication-update ==== | |||
<syntaxhighlight lang="bash"> | |||
#!/bin/bash | |||
#http://infocepo.com/wiki/index.php/Authentication_exploitation | |||
#20161103 APA UPDATE | |||
#20161202 APA ADD | |||
#V2 optimization :date expire | |||
#Debug | |||
# == settings == | |||
MyRemoteDir="/" | |||
MyInfra='<infra_name>' | |||
MyCompany='<company>' | |||
MyEmailSupport='<email_support>' | |||
MyFoot="Ceci est un email automatique. Veuillez ne pas repondre, SVP. | |||
Pour toutes questions relatives a cet email, merci de contacter le Centre De Service a ${MyEmailSupport}. | |||
Cordialement, | |||
L equipe systeme" | |||
# === Policies settings === | |||
MyExpireLenght="90" | |||
# == Init == | |||
cd $(dirname $0) | |||
if [ ! -f .htpasswd ] ;then | |||
touch .htpasswd | |||
chmod 600 .htpasswd | |||
fi | |||
# == Processing == | |||
# Send mail for each group | |||
grep -v ^"\ *#" authentication.mail.cfg |while read MyLine ;do | |||
### Paramaters load | |||
IFS=';' read MyGroup MyMail MyDate <<< $MyLine | |||
MyAppUrlList=$(grep $MyGroup authentication.cfg |grep -v ^"\ *#" |awk 'BEGIN{FS=";"}{print " "$1", "$2}' |sort -u) | |||
MyHtpasswdOld=$(grep "^${MyGroup}:" .htpasswd) | |||
### Paramaters OK? | |||
if { [ "$(date +"%s")" -gt "$(date -d "$MyDate" +"%s")" ] || [ -z "$MyDate" ] || [ -z "${MyHtpasswdOld}" ] ;} && [ ! -z "$MyMail" ] && [ ! -z "$MyAppUrlList" ] ;then | |||
##### Information mail | |||
if [ -z "$MyDate" ] ;then | |||
echo "Subject: [${MyInfra}] Information applications internes | |||
Bonjour, | |||
Voici les URLS des applications ${MyCompany} : | |||
${MyAppUrlList} | |||
${MyFoot}" |sendmail "$(echo $MyMail |tr ',' ' ')" | |||
sleep 1 | |||
fi | |||
##### Password mail | |||
MyLogin=$MyGroup | |||
MyPasswd=$(pwgen 14 1) | |||
MyAppList=$(grep $MyGroup authentication.cfg |grep -v ^"\ *#" |awk 'BEGIN{FS=";"}{print " "$1}') | |||
echo "Subject: [${MyInfra}] Codes d acces applications internes | |||
Bonjour, | |||
Voici vos nouveaux codes d acces : | |||
login=${MyLogin} | |||
passwd=${MyPasswd} | |||
Pour les applications ${MyCompany} suivantes : | |||
${MyAppList} | |||
${MyFoot}" |sendmail "$(echo $MyMail |tr ',' ' ')" | |||
sleep 1 | |||
# === Store password hash === | |||
echo "${MyHtpasswdOld}" >>.htpasswd.history | |||
htpasswd -b .htpasswd $MyGroup $MyPasswd | |||
# === Date update for expiration password === | |||
grep $MyGroup authentication.mail.cfg >>authentication.mail.cfg.history | |||
MyNewDate=$(date -d "+${MyExpireLenght} days" '+%Y%m%d') | |||
sed -i "s/^${MyGroup};${MyMail}.*/${MyGroup};${MyMail};${MyNewDate}/g" authentication.mail.cfg | |||
fi | |||
done | |||
sort -u .htpasswd -o .htpasswd | |||
# == Remote update == | |||
grep -v ^"\ *#" authentication.cfg |while read MyLine ;do | |||
### Read url and groups | |||
IFS=';' read MyApplicationID MyUrlFull MyGroups <<< $MyLine | |||
MyFilter=$(MyPatern='^https?://([^/]+).*$' | |||
echo $MyUrlFull |\ | |||
sed -rn "s#$MyPatern#\1#p" |head -1) | |||
MyServer="${MyFilter}" | |||
>/tmp/.$$ ;chmod 600 /tmp/.$$ | |||
MyGroupList="$(echo $MyGroups |tr ',' ' ')" | |||
for MyGroup in $MyGroupList ;do | |||
grep "^$MyGroup:" .htpasswd >>/tmp/.$$ | |||
done | |||
MyFilter=$(MyPatern='^https?://[^/]+/+(.+)/+[^/]*$' | |||
echo $MyUrlFull |\ | |||
sed -rn "s#$MyPatern#\1#p" |head -1) | |||
MyLocation="${MyFilter}" | |||
MyConfigFile="${MyRemoteDir}etc/httpd/htpasswd/.$(echo $MyLocation |tr -c '[:alnum:]\r\n' '_').htpasswd" | |||
sort -u /tmp/.$$ -o /tmp/.$$ | |||
scp -p /tmp/.$$ ${MyServer}:/tmp/.$$ &&\ | |||
rm -f /tmp/.$$ &&\ | |||
sleep 1 &&\ | |||
ssh $MyServer "diff /tmp/.$$ $MyConfigFile ||cat /tmp/.$$ >$MyConfigFile ;rm -f /tmp/.$$" </dev/null &&\ | |||
sleep 1 | |||
done | |||
# End init | |||
cd - | |||
</syntaxhighlight> |
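Review bot: The remote update (`>/tmp/.$$`, `scp -p /tmp/.$$ ${MyServer}:/tmp/.$$` and `ssh $MyServer "diff /tmp/.$$ $MyConfigFile ||cat /tmp/.$$ >$MyConfigFile ..."`) uses a predictable temp name on both hosts; a local user on the web server who can write to /tmp can pre-create `/tmp/.<pid>` (for instance as a symlink) before the scp lands and so decide what is written into the httpd htpasswd file of that application, which amounts to an authentication bypass there. Use `mktemp` locally and stream the file over ssh's stdin into a remote mktemp instead, e.g. `MyTmp=$(mktemp)` and `ssh "$MyServer" 't=$(mktemp) || exit 1; cat >"$t" && { diff "$t" "'"$MyConfigFile"'" || cat "$t" >"'"$MyConfigFile"'"; }; rm -f "$t"' <"$MyTmp"`, which also replaces the `</dev/null` guard. Two smaller points in the same listing: `htpasswd -b .htpasswd $MyGroup $MyPasswd` exposes the clear-text password in `ps` for the duration of the call (Apache 2.4 htpasswd accepts `-i` with the password on stdin), and `grep $MyGroup authentication.cfg` is an unanchored substring match, so group `dev` also collects the lines of `devops` or of any URL containing `dev`, mailing that group the wrong application list and putting its hash in the wrong htpasswd file. A `pwgen` failure leaves `$MyPasswd` empty and `htpasswd -b` then stores an empty password; check for that before storing.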
Latest revision as of 20:48, 4 March 2022
Guide rapide
- Configurer authentication.mail.cfg
- Configurer authentication.cfg
- Lancer authentication-update avec le compte d exploitation
Description
- "authentication.mail.cfg" contient les mails de chaque groupe et la date d'expiration de son mot de passe.
- "authentication.cfg" contient les groupes pour chaque url.
- "authentication-update" permet l'envoi des mails (liste des URLs, puis nouveaux codes d'accès) et la mise à jour des fichiers htpasswd sur l'ensemble des serveurs applicatifs (via scp/ssh : lancé par cron, il suppose un accès ssh non interactif, donc par clé, depuis le compte d'exploitation).
Format des fichiers de configuration de l exploitation
authentication.mail.cfg
group;mail[,...][;expiredate]
- group : nom du groupe (sert aussi de login HTTP)
- mail : mails du groupe séparés par des virgules
- expiredate : date d'expiration du mot de passe au format AAAAMMJJ ; absente au premier envoi, elle est ensuite renseignée et mise à jour automatiquement par authentication-update (durée fixée par MyExpireLenght dans le script, 90 jours par défaut)
authentication.cfg
ApplicationID;URL;group[,...]
- ApplicationID : nom de l application
- URL : url complète (ex. https://serveur/application/) avec au moins le dernier répertoire suivi d'un "/" ; le nom d'hôte de l'URL est le serveur joint en ssh/scp et le chemin donne le nom du fichier htpasswd distant
- group[,...] : noms des groupes séparés par des virgules
Pour information
- ".htpasswd" sert au stockage des mots de passe sous forme hachée (format htpasswd, jamais en clair). Ce fichier est alimenté en automatique ; les anciennes lignes sont conservées dans ".htpasswd.history".
- "<Serveur_applicatif>:/etc/httpd/htpasswd/.<Répertoire uniquement alpha numérique de l appli>.htpasswd" sert au stockage des mots de passes pour chaque appli.
droits
drwx------ exploitation ../<ScriptDir>/
-rw------- exploitation authentication.mail.cfg
-rw------- exploitation authentication.cfg
-rw------- exploitation .htpasswd
-r-x------ exploitation authentication-update
(les fichiers .htpasswd.history et authentication.mail.cfg.history créés par le script dans ce répertoire contiennent des hachés et des adresses : ils doivent être protégés de la même façon)
cron
2 2 * * * cd &&. ./.bash_profile &&cd <ScriptDir> &&./authentication-update
authentication-update
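#!/bin/bash
#http://infocepo.com/wiki/index.php/Authentication_exploitation
#20161103 APA UPDATE
#20161202 APA ADD
#V2 optimization :date expire
#V3 hardening: exact group matching, password never on a command line,
#   unpredictable temp files (local and remote), ssh host validation,
#   empty password refused, one sendmail argument per recipient
#
# authentication-update
#
# Run from the script directory (by cron, or by hand) with the
# "exploitation" account. For every group of authentication.mail.cfg whose
# password is due (expiry date passed, no expiry date recorded, or no hash
# yet in ./.htpasswd) it:
#   1. mails the list of application URLs (first time only),
#   2. generates a new password and mails it to the group,
#   3. stores the hash in ./.htpasswd (old line kept in .htpasswd.history),
#   4. writes the new expiry date back into authentication.mail.cfg.
# It then rebuilds, for every URL of authentication.cfg, the htpasswd file
# of that application on its web server (non-interactive ssh access from
# this account to each server is required).
#
# Config formats:
#   authentication.mail.cfg : group;mail[,mail...][;expiredate]   (YYYYMMDD)
#   authentication.cfg      : ApplicationID;URL;group[,group...]
#
# SECURITY NOTE: the new password is sent in clear text by e-mail to the
# whole group. That is the design of this page, not something this script
# can fix; keep the recipient lists tight and the mail path internal.

# == settings ==
MyRemoteDir="/"
MyInfra='<infra_name>'
MyCompany='<company>'
MyEmailSupport='<email_support>'
MyFoot="Ceci est un email automatique. Veuillez ne pas repondre, SVP.
Pour toutes questions relatives a cet email, merci de contacter le Centre De Service a ${MyEmailSupport}.
Cordialement,
L equipe systeme"
# === Policies settings ===
# Validity of a password in days (variable name kept as in V2).
MyExpireLenght="90"

# == helpers ==

# Print the non-comment lines of config file $1 whose ';'-separated field
# number $2 contains, as one of its comma-separated items, exactly the
# group $3. Replaces the original `grep $MyGroup file`, an unanchored
# substring match anywhere on the line: group "dev" also matched "devops"
# lines and any URL containing "dev", so a group could be mailed another
# group's applications and be added to their htpasswd file.
cfg_lines_for_group() {
  local file=$1 field=$2 group=$3
  awk -F';' -v f="$field" -v g="$group" '
    /^[[:space:]]*#/ { next }
    {
      n = split($f, items, ",")
      for (i = 1; i <= n; i++) if (items[i] == g) { print; break }
    }' "$file"
}

# Mail the message on stdin (headers first) to the comma-separated
# recipient list $1, one sendmail argument per address.
send_mail() {
  local -a rcpts
  read -r -a rcpts <<< "${1//,/ }"
  sendmail "${rcpts[@]}"
}

# Store the hash of password $2 for user $1 in ./.htpasswd.
# `htpasswd -b` puts the clear-text password in argv, where every local
# user can read it with `ps`; `-i` (Apache 2.4 htpasswd) reads it from
# stdin instead. If -i is not available we fall back to -b with a warning
# so that old hosts keep working. The hash algorithm is left at htpasswd's
# default; `-B` (bcrypt) is stronger but only httpd >= 2.4 verifies it --
# TODO confirm the httpd versions in use before switching.
store_hash() {
  local user=$1 pass=$2
  if ! printf '%s' "$pass" | htpasswd -i .htpasswd "$user" 2>/dev/null; then
    echo "warning: htpasswd -i failed, falling back to -b (password visible in ps)" >&2
    htpasswd -b .htpasswd "$user" "$pass"
  fi
}

# Host part of URL $1, i.e. the server ssh connects to. Only a plain host
# name / IPv4 address, optionally followed by a numeric port, is accepted;
# the port is dropped (ssh uses its own; the old code passed "host:port"
# to scp, which could not work). user@host, IPv6 brackets or anything that
# could be read as an ssh option make the function fail, so such a string
# never reaches the ssh command line.
url_host() {
  local host
  host=$(sed -rn 's#^https?://([^/]+).*$#\1#p' <<< "$1" | head -1)
  [[ $host =~ ^([A-Za-z0-9][A-Za-z0-9.-]*)(:[0-9]+)?$ ]] || return 1
  printf '%s\n' "${BASH_REMATCH[1]}"
}

# Directory part of URL $1 (between the host and the last "/"); it names
# the per-application htpasswd file on the server. Empty when the URL has
# no directory.
url_location() {
  sed -rn 's#^https?://[^/]+/+(.+)/+[^/]*$#\1#p' <<< "$1" | head -1
}

# == Processing ==

# For each group of authentication.mail.cfg: decide whether a new password
# is due, mail it, store its hash and record the new expiry date.
rotate_and_mail() {
  local line group mail expire urllist oldhash login newpass applist
  local newdate due exp_ts
  # The loop body runs in a pipeline subshell; nothing is needed from it
  # afterwards, and the config file it rewrites is replaced by a new inode,
  # so grep keeps reading the old one (as with sed -i before).
  grep -v '^ *#' authentication.mail.cfg | while read -r line; do
    IFS=';' read -r group mail expire <<< "$line"
    urllist=$(cfg_lines_for_group authentication.cfg 3 "$group" \
              | awk -F';' '{print " "$1", "$2}' | sort -u)
    oldhash=$(grep "^${group}:" .htpasswd)
    # Due when: no expiry date recorded (first run), no hash yet, or the
    # recorded date is in the past. An unparsable date means "not due",
    # as before, but is now reported instead of silently ignored.
    due=0
    if [ -z "$expire" ] || [ -z "$oldhash" ]; then
      due=1
    elif exp_ts=$(date -d "$expire" +%s 2>/dev/null); then
      [ "$(date +%s)" -gt "$exp_ts" ] && due=1
    else
      echo "warning: group $group: unparsable expiry date '$expire', not rotated" >&2
    fi
    # ... and only if there is someone to mail and at least one application.
    if [ "$due" -eq 1 ] && [ -n "$mail" ] && [ -n "$urllist" ]; then
      ##### Information mail (first contact only), sent separately from
      ##### the credentials. The empty line after Subject: is the RFC 5322
      ##### header/body separator the original message lacked.
      if [ -z "$expire" ]; then
        send_mail "$mail" <<EOF
Subject: [${MyInfra}] Information applications internes

Bonjour,
Voici les URLS des applications ${MyCompany} :
${urllist}
${MyFoot}
EOF
        sleep 1
      fi
      ##### Password mail
      login=$group
      # -s: fully random characters; pwgen's default mode builds
      # pronounceable, lower-entropy passwords. A failed pwgen used to
      # leave the password empty and `htpasswd -b` then stored an EMPTY
      # password -- refuse that.
      newpass=$(pwgen -s 14 1)
      if [ -z "$newpass" ]; then
        echo "error: pwgen produced no password for group $group, skipped" >&2
        continue
      fi
      applist=$(cfg_lines_for_group authentication.cfg 3 "$group" \
                | awk -F';' '{print " "$1}')
      send_mail "$mail" <<EOF
Subject: [${MyInfra}] Codes d acces applications internes

Bonjour,
Voici vos nouveaux codes d acces :
login=${login}
passwd=${newpass}
Pour les applications ${MyCompany} suivantes :
${applist}
${MyFoot}
EOF
      sleep 1
      # === Store password hash ===
      printf '%s\n' "$oldhash" >> .htpasswd.history
      store_hash "$login" "$newpass"
      # === Date update for expiration password ===
      cfg_lines_for_group authentication.mail.cfg 1 "$group" \
        >> authentication.mail.cfg.history
      newdate=$(date -d "+${MyExpireLenght} days" '+%Y%m%d')
      # Rewrite the group's line with the new date. Values are passed to
      # awk with -v instead of being spliced into a sed pattern, where a
      # "/" or a regex character in an address would break or mis-target
      # the substitution. The new file gets the original's mode before mv.
      awk -F';' -v OFS=';' -v g="$group" -v m="$mail" -v d="$newdate" '
        $1 == g && $2 == m { print g, m, d; next }
        { print }' authentication.mail.cfg > authentication.mail.cfg.new \
        && chmod --reference=authentication.mail.cfg authentication.mail.cfg.new \
        && mv -f authentication.mail.cfg.new authentication.mail.cfg
    fi
  done
}

# Build, for each URL of authentication.cfg, the htpasswd file holding the
# hashes of its groups and install it on the web server when it differs.
# $1 is a local temp file (created with mktemp, mode 600) reused per URL.
# The remote command assumes a Bourne-type login shell on the server.
push_to_servers() {
  local tmp=$1 line app url groups server location cfgfile group remote_cmd
  grep -v '^ *#' authentication.cfg | while read -r line; do
    IFS=';' read -r app url groups <<< "$line"
    if ! server=$(url_host "$url"); then
      echo "warning: $app: no usable ssh host in '$url', skipped" >&2
      continue
    fi
    location=$(url_location "$url")
    if [ -z "$location" ]; then
      echo "warning: $app: no directory in '$url' (expected https://host/dir/), skipped" >&2
      continue
    fi
    # Remote file name: only [:alnum:] is kept from the directory path, so
    # the path cannot carry quotes or separators into the remote command.
    cfgfile="${MyRemoteDir}etc/httpd/htpasswd/.$(tr -c '[:alnum:]\r\n' '_' <<< "$location").htpasswd"
    for group in ${groups//,/ }; do
      grep "^${group}:" .htpasswd
    done | sort -u > "$tmp"
    # The file is streamed over ssh's stdin into a mktemp on the server
    # (this also keeps ssh from swallowing the loop's input). The old
    # /tmp/.$$ on both sides was predictable: a local user on the server
    # could pre-create it (e.g. as a symlink) and decide what ends up in
    # the httpd htpasswd file. `cat >` keeps the target's owner and mode,
    # which httpd needs to read it; the diff output shows what changed.
    remote_cmd='t=$(mktemp) || exit 1; cat >"$t" && { diff "$t" "'"$cfgfile"'" || cat "$t" >"'"$cfgfile"'"; }; rm -f "$t"'
    ssh "$server" "$remote_cmd" < "$tmp" && sleep 1
  done
}

# == Init ==
main() {
  # Everything this script creates (history files, temp file, rewritten
  # config) stays private to the operating account, as the page requires.
  umask 077
  cd "$(dirname -- "$0")" || exit 1
  if [ ! -f .htpasswd ]; then
    touch .htpasswd
    chmod 600 .htpasswd
  fi
  local tmp
  tmp=$(mktemp) || exit 1
  # shellcheck disable=SC2064  # expand now: the path is fixed and 'tmp' is local
  trap "rm -f -- '$tmp'" EXIT
  rotate_and_mail
  sort -u .htpasswd -o .htpasswd
  # == Remote update ==
  push_to_servers "$tmp"
  # End init
  cd -
}

main "$@"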