Authentication exploitation: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
| Line 38: | Line 38: | ||
==== cron ==== | ==== cron ==== | ||
2 2 * * * cd &&. ./.bash_profile &&cd <ScriptDir> &&./authentication-update | 2 2 * * * cd &&. ./.bash_profile &&cd <ScriptDir> &&./authentication-update | ||
==== authentication-update ==== | |||
<pre> | |||
#!/bin/bash | |||
#20161103 APA UPDATE | |||
#20161202 APA ADD | |||
#V2 optimization :date expire | |||
#Debug | |||
cd $(dirname $0) | |||
# == Policies settings == | |||
MyExpireLenght="90" | |||
# == Other settings == | |||
MyInfra='<infra_name>' | |||
MyCompany='<company>' | |||
MyEmailSupport='<email_support>' | |||
MyFoot="Ceci est un email automatique. Veuillez ne pas repondre, SVP. | |||
Pour toutes questions relatives a cet email, merci de contacter le Centre De Service a ${MyEmailSupport}. | |||
Cordialement, | |||
L equipe systeme" | |||
MyRemoteDir=~"/" | |||
# == Processing == | |||
# Send mail for each group | |||
grep -v ^"\ *#" authentication.mail.cfg |while read MyLine ;do | |||
### Paramaters load | |||
IFS=';' read MyGroup MyMail MyDate <<< $MyLine | |||
MyAppUrlList=$(grep $MyGroup authentication.cfg |grep -v ^"\ *#" |awk 'BEGIN{FS=";"}{print " "$1", "$2}' |sort -u) | |||
### Paramaters OK? | |||
if { [ "$(date +"%s")" -gt "$(date -d "$MyDate" +"%s")" ] || [ -z "$MyDate" ] ;} && [ ! -z "$MyMail" ] && [ ! -z "$MyAppUrlList" ] ;then | |||
##### Information mail | |||
if [ -z "$MyDate" ] ;then | |||
echo "Subject: [${MyInfra}] Information applications internes | |||
Bonjour, | |||
Voici les URLS des applications ${MyCompany} : | |||
${MyAppUrlList} | |||
${MyFoot}" |sendmail "$(echo $MyMail |tr ',' ' ')" | |||
sleep 1 | |||
fi | |||
##### Password mail | |||
MyLogin=$MyGroup | |||
MyPasswd=$(pwgen 14 1) | |||
MyAppList=$(grep $MyGroup authentication.cfg |grep -v ^"\ *#" |awk 'BEGIN{FS=";"}{print " "$1}') | |||
echo "Subject: [${MyInfra}] Codes d acces applications internes | |||
Bonjour, | |||
Voici vos nouveaux codes d acces : | |||
login=${MyLogin} | |||
passwd=${MyPasswd} | |||
Pour les applications ${MyCompany} suivantes : | |||
${MyAppList} | |||
${MyFoot}" |sendmail "$(echo $MyMail |tr ',' ' ')" | |||
sleep 1 | |||
# === Store password hash === | |||
grep "^${MyGroup}:" .htpasswd >>.htpasswd.history | |||
htpasswd -b .htpasswd $MyGroup $MyPasswd | |||
# === Date update for expiration password === | |||
grep $MyGroup authentication.mail.cfg >>authentication.mail.cfg.history | |||
MyNewDate=$(date -d "+${MyExpireLenght} days" '+%Y%m%d') | |||
sed -i "s/^${MyGroup};${MyMail}.*/${MyGroup};${MyMail};${MyNewDate}/g" authentication.mail.cfg | |||
fi | |||
done | |||
sort -u .htpasswd -o .htpasswd | |||
# == Remote update == | |||
grep -v ^"\ *#" authentication.cfg |while read MyLine ;do | |||
### Read url and groups | |||
IFS=';' read MyApplicationID MyUrlFull MyGroups <<< $MyLine | |||
MyFilter=$(MyPatern='^https?://([^/]+).*$' | |||
echo $MyUrlFull |\ | |||
sed -rn "s#$MyPatern#\1#p" |head -1) | |||
MyServer="${MyFilter}" | |||
ssh $MyServer ">/tmp/.$$ ;chmod 600 /tmp/.$$" </dev/null | |||
MyGroupList="$(echo $MyGroups |tr ',' ' ')" | |||
for MyGroup in $MyGroupList ;do | |||
(grep "^$MyGroup:" .htpasswd |ssh $MyServer "cat - >>/tmp/.$$" )</dev/null | |||
done | |||
MyFilter=$(MyPatern='^https?://[^/]+/+(.+)/+[^/]*$' | |||
echo $MyUrlFull |\ | |||
sed -rn "s#$MyPatern#\1#p" |head -1) | |||
MyLocation="${MyFilter}" | |||
MyConfigFile="${MyRemoteDir}etc/httpd/htpasswd/.$(echo $MyLocation |tr -c '[:alnum:]\r\n' '_').htpasswd" | |||
ssh $MyServer "sort -u /tmp/.$$ -o /tmp/.$$ ;diff /tmp/.$$ $MyConfigFile ||cat /tmp/.$$ >$MyConfigFile ;rm -f /tmp/.$$" </dev/null | |||
done | |||
cd - | |||
</pre> | |||
Revision as of 21:24, 8 December 2016
Guide rapide
- Configurer authentication.mail.cfg
- Configurer authentication.cfg
- Lancer authentication-update avec le compte d exploitation
Description
- "authentication.mail.cfg" contient les mails de chaque groupe.
- "authentication.cfg" contient les groupes pour chaque url.
- "authentication-update" permet l envoi des mails et la mise à jour de l ensemble des serveurs.
Format des fichiers de configuration de l exploitation
authentication.mail.cfg
group;mail[,...][;expiredate]
- group : nom du groupe
- mail : mails du groupe séparés par des virgules
authentication.cfg
ApplicationID;URL;group[,...]
- ApplicationID : nom de l application
- URL : url complète avec au moins le dernier répertoire suivi d un "/"
- group[,...] : noms des groupes séparés par des virgules
Pour information
- ".htpasswd" sert au stockage des mots de passes cryptés. Ce fichier est alimenté en automatique.
- "<Serveur_applicatif>:/etc/httpd/htpasswd/.<Répertoire uniquement alpha numérique de l appli>.htpasswd" sert au stockage des mots de passes pour chaque appli.
droits
drwx------ exploitation ../<ScriptDir>/ -rw------- exploitation authentication.mail.cfg -rw------- exploitation authentication.cfg -rw------- exploitation .htpasswd -r-x------ exploitation authentication-update
cron
2 2 * * * cd &&. ./.bash_profile &&cd <ScriptDir> &&./authentication-update
authentication-update
#!/bin/bash
#20161103 APA UPDATE
#20161202 APA ADD
#V2 optimization :date expire
#Debug
cd $(dirname $0)
# == Policies settings ==
MyExpireLenght="90"
# == Other settings ==
MyInfra='<infra_name>'
MyCompany='<company>'
MyEmailSupport='<email_support>'
MyFoot="Ceci est un email automatique. Veuillez ne pas repondre, SVP.
Pour toutes questions relatives a cet email, merci de contacter le Centre De Service a ${MyEmailSupport}.
Cordialement,
L equipe systeme"
MyRemoteDir=~"/"
# == Processing ==
# Send mail for each group
grep -v ^"\ *#" authentication.mail.cfg |while read MyLine ;do
### Paramaters load
IFS=';' read MyGroup MyMail MyDate <<< $MyLine
MyAppUrlList=$(grep $MyGroup authentication.cfg |grep -v ^"\ *#" |awk 'BEGIN{FS=";"}{print " "$1", "$2}' |sort -u)
### Paramaters OK?
if { [ "$(date +"%s")" -gt "$(date -d "$MyDate" +"%s")" ] || [ -z "$MyDate" ] ;} && [ ! -z "$MyMail" ] && [ ! -z "$MyAppUrlList" ] ;then
##### Information mail
if [ -z "$MyDate" ] ;then
echo "Subject: [${MyInfra}] Information applications internes
Bonjour,
Voici les URLS des applications ${MyCompany} :
${MyAppUrlList}
${MyFoot}" |sendmail "$(echo $MyMail |tr ',' ' ')"
sleep 1
fi
##### Password mail
MyLogin=$MyGroup
MyPasswd=$(pwgen 14 1)
MyAppList=$(grep $MyGroup authentication.cfg |grep -v ^"\ *#" |awk 'BEGIN{FS=";"}{print " "$1}')
echo "Subject: [${MyInfra}] Codes d acces applications internes
Bonjour,
Voici vos nouveaux codes d acces :
login=${MyLogin}
passwd=${MyPasswd}
Pour les applications ${MyCompany} suivantes :
${MyAppList}
${MyFoot}" |sendmail "$(echo $MyMail |tr ',' ' ')"
sleep 1
# === Store password hash ===
grep "^${MyGroup}:" .htpasswd >>.htpasswd.history
htpasswd -b .htpasswd $MyGroup $MyPasswd
# === Date update for expiration password ===
grep $MyGroup authentication.mail.cfg >>authentication.mail.cfg.history
MyNewDate=$(date -d "+${MyExpireLenght} days" '+%Y%m%d')
sed -i "s/^${MyGroup};${MyMail}.*/${MyGroup};${MyMail};${MyNewDate}/g" authentication.mail.cfg
fi
done
sort -u .htpasswd -o .htpasswd
# == Remote update ==
grep -v ^"\ *#" authentication.cfg |while read MyLine ;do
### Read url and groups
IFS=';' read MyApplicationID MyUrlFull MyGroups <<< $MyLine
MyFilter=$(MyPatern='^https?://([^/]+).*$'
echo $MyUrlFull |\
sed -rn "s#$MyPatern#\1#p" |head -1)
MyServer="${MyFilter}"
ssh $MyServer ">/tmp/.$$ ;chmod 600 /tmp/.$$" </dev/null
MyGroupList="$(echo $MyGroups |tr ',' ' ')"
for MyGroup in $MyGroupList ;do
(grep "^$MyGroup:" .htpasswd |ssh $MyServer "cat - >>/tmp/.$$" )</dev/null
done
MyFilter=$(MyPatern='^https?://[^/]+/+(.+)/+[^/]*$'
echo $MyUrlFull |\
sed -rn "s#$MyPatern#\1#p" |head -1)
MyLocation="${MyFilter}"
MyConfigFile="${MyRemoteDir}etc/httpd/htpasswd/.$(echo $MyLocation |tr -c '[:alnum:]\r\n' '_').htpasswd"
ssh $MyServer "sort -u /tmp/.$$ -o /tmp/.$$ ;diff /tmp/.$$ $MyConfigFile ||cat /tmp/.$$ >$MyConfigFile ;rm -f /tmp/.$$" </dev/null
done
cd -