Authentication exploitation

From Essential
Revision as of 00:24, 12 December 2016 by Tcepo (talk | contribs)
Jump to navigation Jump to search

Guide rapide

Description

  • "authentication.mail.cfg" contient les mails de chaque groupe.
  • "authentication.cfg" contient les groupes pour chaque url.
  • "authentication-update" permet l envoi des mails et la mise à jour de l ensemble des serveurs.

Format des fichiers de configuration de l exploitation

authentication.mail.cfg

group;mail[,...][;expiredate]
  • group : nom du groupe
  • mail : mails du groupe séparés par des virgules

authentication.cfg

ApplicationID;URL;group[,...]
  • ApplicationID : nom de l application
  • URL : url complète avec au moins le dernier répertoire suivi d un "/"
  • group[,...] : noms des groupes séparés par des virgules

Pour information

  • ".htpasswd" sert au stockage des mots de passes cryptés. Ce fichier est alimenté en automatique.
  • "<Serveur_applicatif>:/etc/httpd/htpasswd/.<Répertoire uniquement alpha numérique de l appli>.htpasswd" sert au stockage des mots de passes pour chaque appli.

droits

drwx------	exploitation   ../<ScriptDir>/
-rw-------	exploitation   authentication.mail.cfg
-rw-------	exploitation   authentication.cfg
-rw-------	exploitation   .htpasswd
-r-x------	exploitation   authentication-update

cron

2 2 * * * cd &&. ./.bash_profile &&cd <ScriptDir> &&./authentication-update

authentication-update

#!/bin/bash
#http://infocepo.com/wiki/index.php/Authentication_exploitation

#20161103 APA UPDATE
#20161202 APA ADD
#V2 optimization :date expire
#Debug

# == settings ==
MyRemoteDir="/"
MyInfra='<infra_name>'
MyCompany='<company>'
MyEmailSupport='<email_support>'

MyFoot="Ceci est un email automatique. Veuillez ne pas repondre, SVP.
Pour toutes questions relatives a cet email, merci de contacter le Centre De Service a ${MyEmailSupport}.

Cordialement,
L equipe systeme"

# === Policies settings ===
MyExpireLenght="90"

# == Init ==
cd $(dirname $0)

if [ ! -f .htpasswd ] ;then
  touch .htpasswd
  chmod 600 .htpasswd
fi
# == Processing ==
# Send mail for each group
grep -v ^"\ *#" authentication.mail.cfg |while read MyLine ;do

### Paramaters load
  IFS=';' read MyGroup MyMail MyDate <<< $MyLine
  MyAppUrlList=$(grep $MyGroup authentication.cfg |grep -v ^"\ *#" |awk 'BEGIN{FS=";"}{print "  "$1", "$2}' |sort -u)
  MyHtpasswdOld=$(grep "^${MyGroup}:" .htpasswd)

### Paramaters OK?
  if { [ "$(date +"%s")" -gt "$(date -d "$MyDate" +"%s")" ] || [ -z "$MyDate" ] || [ -z "${MyHtpasswdOld}" ] ;} && [ ! -z "$MyMail" ] && [ ! -z "$MyAppUrlList" ] ;then

##### Information mail
    if [ -z "$MyDate" ] ;then
      echo "Subject: [${MyInfra}] Information applications internes

Bonjour,

Voici les URLS des applications ${MyCompany} :

${MyAppUrlList}

${MyFoot}" |sendmail "$(echo $MyMail |tr ',' ' ')"
      sleep 1
    fi

##### Password mail

    MyLogin=$MyGroup
    MyPasswd=$(pwgen 14 1)
    MyAppList=$(grep $MyGroup authentication.cfg |grep -v ^"\ *#" |awk 'BEGIN{FS=";"}{print "  "$1}')

    echo "Subject: [${MyInfra}] Codes d acces applications internes

Bonjour,

Voici vos nouveaux codes d acces :

  login=${MyLogin}
  passwd=${MyPasswd}

Pour les applications ${MyCompany} suivantes :

${MyAppList}

${MyFoot}" |sendmail "$(echo $MyMail |tr ',' ' ')"
sleep 1

# === Store password hash ===
    echo "${MyHtpasswdOld}" >>.htpasswd.history
    htpasswd -b .htpasswd $MyGroup $MyPasswd

# === Date update for expiration password ===
    grep $MyGroup authentication.mail.cfg >>authentication.mail.cfg.history
    MyNewDate=$(date -d "+${MyExpireLenght} days" '+%Y%m%d')
    sed -i "s/^${MyGroup};${MyMail}.*/${MyGroup};${MyMail};${MyNewDate}/g" authentication.mail.cfg
  fi
done

sort -u .htpasswd -o .htpasswd

# == Remote update ==
grep -v ^"\ *#" authentication.cfg |while read MyLine ;do

### Read url and groups
  IFS=';' read MyApplicationID MyUrlFull MyGroups <<< $MyLine

  MyFilter=$(MyPatern='^https?://([^/]+).*$'
  echo $MyUrlFull |\
  sed -rn "s#$MyPatern#\1#p" |head -1)
  MyServer="${MyFilter}"

  >/tmp/.$$ ;chmod 600 /tmp/.$$
  MyGroupList="$(echo $MyGroups |tr ',' ' ')"
  for MyGroup in $MyGroupList ;do
    grep "^$MyGroup:" .htpasswd >>/tmp/.$$
  done

  MyFilter=$(MyPatern='^https?://[^/]+/+(.+)/+[^/]*$'
  echo $MyUrlFull |\
  sed -rn "s#$MyPatern#\1#p" |head -1)
  MyLocation="${MyFilter}"
  MyConfigFile="${MyRemoteDir}etc/httpd/htpasswd/.$(echo $MyLocation |tr -c '[:alnum:]\r\n' '_').htpasswd"

  sort -u /tmp/.$$ -o /tmp/.$$
  scp -p /tmp/.$$ ${MyServer}:/tmp/.$$ &&\
  rm -f /tmp/.$$ &&\
  sleep 1 &&\
  ssh $MyServer "diff /tmp/.$$ $MyConfigFile ||cat /tmp/.$$ >$MyConfigFile ;rm -f /tmp/.$$" </dev/null &&\
  sleep 1
done

# End init
cd -
Retrieved from "https://infocepo.com/wiki/index.php?title=Authentication_exploitation&oldid=723"