#
# based on http://blog.boa.nu/2012/11/two-factor-ssh-login-google-authenticator-and-selinux.html
#

r := $(shell grep Wrote: mylog | grep -v debuginfo | awk '{print $$2}')
b := $(shell basename ${r})
m := google-authenticator.pp
c6 := $(shell grep -q 'CentOS .* 6' /etc/system-release && echo 1 || echo 0)
sy := $(shell which systemctl 2>/dev/null)

all:
	yum -y install pam-devel selinux-policy-devel qrencode-devel
	rpmbuild --rebuild google-authenticator-1.0-0.gita096a62.fc24.6.src.rpm >mylog 2>&1
	grep Wrote: mylog
	[ ${c6} -eq 1 ] && make -f /usr/share/selinux/devel/Makefile

install:
	[ -f ${r} ] || /bin/false
	yum -y install ${r}
	[ ${c6} -eq 1 ] && semodule -i ${m}
	sed -i -e 's/PAM-1.0/PAM-1.0\nauth		  required	   pam_google_authenticator.so nullok/g' /etc/pam.d/sshd
	sed -i -e 's/^ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' /etc/ssh/sshd_config
	[ -z "${sy}" ] && service sshd restart || systemctl restart sshd.service

setup:
	google-authenticator
	# authenticator setup creates the file with the wrong label on C6
	restorecon ~/.google_authenticator


install-remote:
	scp ${r} ${m} $$target:/tmp
	ssh $$target "cd /tmp; yum -y install ${b}"
	ssh $$target "cd /tmp; semodule -i ${m}"
	ssh $$target "sed -i -e 's/PAM-1.0/PAM-1.0\nauth		  required	   pam_google_authenticator.so nullok/g' /etc/pam.d/sshd"
	ssh $$target "sed -i -e 's/^ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' /etc/ssh/sshd_config"
	ssh $$target "service sshd restart"

# make install-remote target=host.domain.tld