Authentication exploitation: Difference between revisions
No edit summary |
No edit summary |
Line 42: | Line 42: | ||
<pre> | <pre> | ||
#!/bin/bash | #!/bin/bash | ||
#http://infocepo.com/wiki/index.php/Authentication_exploitation | |||
#20161103 APA UPDATE | #20161103 APA UPDATE | ||
Line 48: | Line 49: | ||
#Debug | #Debug | ||
# == settings == | |||
MyRemoteDir="/" | |||
# == | |||
MyInfra='<infra_name>' | MyInfra='<infra_name>' | ||
MyCompany='<company>' | MyCompany='<company>' | ||
Line 64: | Line 61: | ||
L equipe systeme" | L equipe systeme" | ||
# === Policies settings === | |||
MyExpireLenght="90" | |||
# == Init == | |||
cd $(dirname $0) | |||
if [ ! -f .htpasswd ] ;then | |||
touch .htpasswd | |||
chmod 600 .htpasswd | |||
fi | |||
# == Processing == | # == Processing == | ||
# Send mail for each group | # Send mail for each group | ||
Line 73: | Line 78: | ||
IFS=';' read MyGroup MyMail MyDate <<< $MyLine | IFS=';' read MyGroup MyMail MyDate <<< $MyLine | ||
MyAppUrlList=$(grep $MyGroup authentication.cfg |grep -v ^"\ *#" |awk 'BEGIN{FS=";"}{print " "$1", "$2}' |sort -u) | MyAppUrlList=$(grep $MyGroup authentication.cfg |grep -v ^"\ *#" |awk 'BEGIN{FS=";"}{print " "$1", "$2}' |sort -u) | ||
MyHtpasswdOld=$(grep "^${MyGroup}:" .htpasswd) | |||
### Paramaters OK? | ### Paramaters OK? | ||
if { [ "$(date +"%s")" -gt "$(date -d "$MyDate" +"%s")" ] || [ -z "$MyDate" ] ;} && [ ! -z "$MyMail" ] && [ ! -z "$MyAppUrlList" ] ;then | if { [ "$(date +"%s")" -gt "$(date -d "$MyDate" +"%s")" ] || [ -z "$MyDate" ] || [ -z "${MyHtpasswdOld}" ] ;} && [ ! -z "$MyMail" ] && [ ! -z "$MyAppUrlList" ] ;then | ||
##### Information mail | ##### Information mail | ||
Line 114: | Line 120: | ||
# === Store password hash === | # === Store password hash === | ||
echo "${MyHtpasswdOld}" >>.htpasswd.history | |||
htpasswd -b .htpasswd $MyGroup $MyPasswd | htpasswd -b .htpasswd $MyGroup $MyPasswd | ||
Line 137: | Line 143: | ||
MyServer="${MyFilter}" | MyServer="${MyFilter}" | ||
>/tmp/.$$ ;chmod 600 /tmp/.$$ | |||
MyGroupList="$(echo $MyGroups |tr ',' ' ')" | MyGroupList="$(echo $MyGroups |tr ',' ' ')" | ||
for MyGroup in $MyGroupList ;do | for MyGroup in $MyGroupList ;do | ||
grep "^$MyGroup:" .htpasswd >>/tmp/.$$ | |||
done | done | ||
Line 149: | Line 155: | ||
MyConfigFile="${MyRemoteDir}etc/httpd/htpasswd/.$(echo $MyLocation |tr -c '[:alnum:]\r\n' '_').htpasswd" | MyConfigFile="${MyRemoteDir}etc/httpd/htpasswd/.$(echo $MyLocation |tr -c '[:alnum:]\r\n' '_').htpasswd" | ||
sort -u /tmp/.$$ -o /tmp/.$$ | |||
scp -p /tmp/.$$ ${MyServer}:/tmp/.$$ &&\ | |||
rm -f /tmp/.$$ &&\ | |||
sleep 1 &&\ | |||
ssh $MyServer "diff /tmp/.$$ $MyConfigFile ||cat /tmp/.$$ >$MyConfigFile ;rm -f /tmp/.$$" </dev/null &&\ | |||
sleep 1 | |||
done | done | ||
# End init | |||
cd - | cd - | ||
</pre> | </pre> |
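Review bot: The added `>/tmp/.$$ ;chmod 600 /tmp/.$$`, `scp -p /tmp/.$$ ${MyServer}:/tmp/.$$` and `ssh $MyServer "diff /tmp/.$$ $MyConfigFile ||cat /tmp/.$$ >$MyConfigFile ..."` lines use a temp path that is derived from the local PID and shared with every user of the web server; between the scp and the ssh (there is even a `sleep 1`) any local user on that host who pre-creates or swaps `/tmp/.$$` gets his own lines installed into the application's htpasswd file, and on the local side the file exists with umask permissions until the chmod runs. Use `mktemp` on both sides and stream the content over the ssh channel so nothing lands at a guessable path; `MyConfigFile` contains only alphanumerics and `_` after the `tr -c`, so it can be interpolated into the remote command. The remote `diff` output is also returned over ssh and, if cron mails the job output, echoes password hashes into that mail, which the version below avoids; the enclosing `while` loop starts before this hunk. In the earlier hunk, `htpasswd -b .htpasswd $MyGroup $MyPasswd` likewise exposes the clear-text password in `ps`; on htpasswd >= 2.4.4, `-i` reads it from stdin instead.
```shell
MyTmp=$(mktemp) || exit 1            # 0600 and unpredictable: no /tmp race
trap 'rm -f "$MyTmp"' EXIT
# … unchanged: read loop over authentication.cfg, MyServer / MyLocation / MyConfigFile …
: > "$MyTmp"
for MyGroup in ${MyGroups//,/ }; do
  grep "^${MyGroup}:" .htpasswd >> "$MyTmp"
done
sort -u "$MyTmp" -o "$MyTmp"
# remote copy goes to a mktemp file fed from stdin, never to a shared fixed path
ssh "$MyServer" "MyRemote=\$(mktemp) || exit 1
cat >\"\$MyRemote\" && { diff \"\$MyRemote\" $MyConfigFile >/dev/null 2>&1 || cat \"\$MyRemote\" >$MyConfigFile ;}
rm -f \"\$MyRemote\"" < "$MyTmp"
sleep 1
```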
Revision as of 00:24, 12 December 2016
Guide rapide
- Configurer authentication.mail.cfg
- Configurer authentication.cfg
- Lancer authentication-update avec le compte d exploitation
Description
- "authentication.mail.cfg" contient les mails de chaque groupe.
- "authentication.cfg" contient les groupes pour chaque url.
- "authentication-update" permet l envoi des mails et la mise à jour de l ensemble des serveurs.
Format des fichiers de configuration de l exploitation
authentication.mail.cfg
group;mail[,...][;expiredate]
- group : nom du groupe
- mail : mails du groupe séparés par des virgules
authentication.cfg
ApplicationID;URL;group[,...]
- ApplicationID : nom de l application
- URL : url complète avec au moins le dernier répertoire suivi d un "/"
- group[,...] : noms des groupes séparés par des virgules
Pour information
- ".htpasswd" sert au stockage des empreintes (hachages produits par htpasswd) des mots de passe de chaque groupe, jamais des mots de passe en clair. Ce fichier est alimenté automatiquement ; les anciennes entrées sont archivées dans ".htpasswd.history", à protéger avec les mêmes droits que ".htpasswd".
- "<Serveur_applicatif>:/etc/httpd/htpasswd/.<Répertoire uniquement alpha numérique de l appli>.htpasswd" sert au stockage des mots de passes pour chaque appli.
droits
drwx------ exploitation ../<ScriptDir>/ -rw------- exploitation authentication.mail.cfg -rw------- exploitation authentication.cfg -rw------- exploitation .htpasswd -r-x------ exploitation authentication-update
cron
2 2 * * * cd &&. ./.bash_profile &&cd <ScriptDir> &&./authentication-update
authentication-update
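#!/bin/bash
#http://infocepo.com/wiki/index.php/Authentication_exploitation
#20161103 APA UPDATE
#20161202 APA ADD
#V2 optimization :date expire
#
# Rotates the shared htpasswd credential of every user group, mails the new
# password to the group, and pushes one htpasswd file per application to the
# web server named in the application's URL.
#
# Inputs (read from the script directory):
#   authentication.mail.cfg   group;mail[,...][;expiredate]
#   authentication.cfg        ApplicationID;URL;group[,...]
# Outputs:
#   .htpasswd                        current hash line of every group (0600)
#   .htpasswd.history                previous hash lines, appended before a rotation
#   authentication.mail.cfg.history  previous mail.cfg lines, appended before a date update
#   <server>:${MyRemoteDir}etc/httpd/htpasswd/.<location>.htpasswd   one file per application
# Requires: pwgen, htpasswd, sendmail, non-interactive ssh access to the web servers.
#
# NOTE(review): the new password is distributed in clear text by e-mail; that is
# the tool's intended channel and is not something this script can change.
#Debug
# == settings ==
MyRemoteDir="/"
MyInfra='<infra_name>'
MyCompany='<company>'
MyEmailSupport='<email_support>'
MyFoot="Ceci est un email automatique. Veuillez ne pas repondre, SVP.
Pour toutes questions relatives a cet email, merci de contacter le Centre De Service a ${MyEmailSupport}.

Cordialement,
L equipe systeme"
# === Policies settings ===
MyExpireLenght="90"   # days before a group's password is rotated again

# == Helpers ==
# Print the non-comment lines of authentication.cfg whose group list (third
# field) contains exactly the group given as $1.  An unanchored grep would
# also match substrings ("admin" inside "sysadmin") and hits inside the URL.
app_lines_for_group() {
  awk -F';' -v g="$1" '
    /^ *#/ { next }
    { n = split($3, grp, ",")
      for (i = 1; i <= n; i++) if (grp[i] == g) { print; break } }
  ' authentication.cfg
}

# == Init ==
cd "$(dirname "$0")" || exit 1
umask 077   # every file created below (.htpasswd, history files, temp files) stays private
if [ ! -f .htpasswd ]; then
  touch .htpasswd
  chmod 600 .htpasswd
fi

# == Processing ==
# Send mail for each group
grep -v '^ *#' authentication.mail.cfg | while read -r MyLine; do
  ### Parameters load
  IFS=';' read -r MyGroup MyMail MyDate <<< "$MyLine"
  MyAppUrlList=$(app_lines_for_group "$MyGroup" | awk -F';' '{print " "$1", "$2}' | sort -u)
  MyHtpasswdOld=$(grep "^${MyGroup}:" .htpasswd)
  ### Parameters OK?
  # Rotate when the expiry date is past, when the group has no date yet (first
  # run) or when it has no hash yet; in every case a recipient and at least one
  # application are required.
  if { [ "$(date +"%s")" -gt "$(date -d "$MyDate" +"%s")" ] || [ -z "$MyDate" ] || [ -z "${MyHtpasswdOld}" ]; } \
     && [ -n "$MyMail" ] && [ -n "$MyAppUrlList" ]; then
    ##### Information mail (only the first time a group is processed)
    if [ -z "$MyDate" ]; then
      echo "Subject: [${MyInfra}] Information applications internes

Bonjour,

Voici les URLS des applications ${MyCompany} :
${MyAppUrlList}

${MyFoot}" | sendmail "$(echo "$MyMail" | tr ',' ' ')"
      sleep 1
    fi
    ##### Password mail
    MyLogin=$MyGroup
    # NOTE(review): pwgen without -s generates "pronounceable" passwords, which
    # are weaker than the fully random output of `pwgen -s 14 1`.
    MyPasswd=$(pwgen 14 1)
    MyAppList=$(app_lines_for_group "$MyGroup" | awk -F';' '{print " "$1}')
    echo "Subject: [${MyInfra}] Codes d acces applications internes

Bonjour,

Voici vos nouveaux codes d acces :
login=${MyLogin}
passwd=${MyPasswd}

Pour les applications ${MyCompany} suivantes :
${MyAppList}

${MyFoot}" | sendmail "$(echo "$MyMail" | tr ',' ' ')"
    sleep 1
    # === Store password hash ===
    # keep the previous hash line (nothing to archive for a brand-new group)
    [ -n "${MyHtpasswdOld}" ] && echo "${MyHtpasswdOld}" >> .htpasswd.history
    # NOTE(review): -b puts the clear-text password in the process argument
    # list (visible in ps); htpasswd >= 2.4.4 can read it from stdin with -i.
    htpasswd -b .htpasswd "$MyGroup" "$MyPasswd"
    # === Date update for expiration password ===
    grep "^${MyGroup};" authentication.mail.cfg >> authentication.mail.cfg.history
    MyNewDate=$(date -d "+${MyExpireLenght} days" '+%Y%m%d')
    sed -i "s/^${MyGroup};${MyMail}.*/${MyGroup};${MyMail};${MyNewDate}/g" authentication.mail.cfg
  fi
done
sort -u .htpasswd -o .htpasswd

# == Remote update ==
# One private, unpredictable temp file for the whole run: the former
# /tmp/.<pid> name was guessable and briefly world-readable before its chmod.
MyTmp=$(mktemp) || exit 1
trap 'rm -f "$MyTmp"' EXIT
grep -v '^ *#' authentication.cfg | while read -r MyLine; do
  ### Read url and groups
  IFS=';' read -r MyApplicationID MyUrlFull MyGroups <<< "$MyLine"
  # host part of the URL = server to push to
  MyServer=$(sed -rn 's#^https?://([^/]+).*$#\1#p' <<< "$MyUrlFull" | head -1)
  # path without scheme/host and without its last component = location name
  MyLocation=$(sed -rn 's#^https?://[^/]+/+(.+)/+[^/]*$#\1#p' <<< "$MyUrlFull" | head -1)
  if [ -z "$MyServer" ] || [ -z "$MyLocation" ]; then
    echo "skip ${MyApplicationID}: cannot parse URL '${MyUrlFull}'" >&2
    continue
  fi
  # Only alphanumerics survive in the file name, so MyConfigFile is safe to
  # interpolate into the remote command below.
  MyConfigFile="${MyRemoteDir}etc/httpd/htpasswd/.$(echo "$MyLocation" | tr -c '[:alnum:]\r\n' '_').htpasswd"
  : > "$MyTmp"
  for MyGroup in ${MyGroups//,/ }; do
    grep "^${MyGroup}:" .htpasswd >> "$MyTmp"
  done
  sort -u "$MyTmp" -o "$MyTmp"
  # Stream the file over the ssh channel into a remote mktemp file instead of
  # scp'ing it to a shared, guessable /tmp path that another user of the web
  # server could pre-create or swap before it is copied into place.  The
  # target is rewritten only when it differs (keeps its mtime otherwise); diff
  # output is silenced so hashes are not echoed back into the job output.
  ssh "$MyServer" "MyRemote=\$(mktemp) || exit 1
cat >\"\$MyRemote\" && {
  diff \"\$MyRemote\" $MyConfigFile >/dev/null 2>&1 || {
    cat \"\$MyRemote\" >$MyConfigFile && echo \"updated $MyConfigFile\" ;}
}
rm -f \"\$MyRemote\"" < "$MyTmp"
  sleep 1
done
# End init
cd -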