# HG changeset patch
# User Carl Byington
# Date 1488391706 28800
# Node ID 524d6c83d8ad28cadb3c9385020b91f42f85ff5a
initial version
diff -r 000000000000 -r 524d6c83d8ad Makefile
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/Makefile Wed Mar 01 10:08:26 2017 -0800
@@ -0,0 +1,38 @@
+#
+# based on http://blog.boa.nu/2012/11/two-factor-ssh-login-google-authenticator-and-selinux.html
+#
+
+r := $(shell grep Wrote: mylog | grep -v debuginfo | awk '{print $$2}')
+b := $(shell basename ${r})
+m := google-authenticator.pp
+
+all:
+ rpmbuild --rebuild google-authenticator-1.0-0.gita096a62.fc24.6.src.rpm >mylog 2>&1
+ grep Wrote: mylog
+ make -f /usr/share/selinux/devel/Makefile
+
+
+install:
+ [ -f ${r} ] || /bin/false
+ yum -y install ${r}
+ semodule -i ${m}
+ sed -i -e 's/PAM-1.0/PAM-1.0\nauth required pam_google_authenticator.so nullok/g' /etc/pam.d/sshd
+ sed -i -e 's/^ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' /etc/ssh/sshd_config
+ service sshd restart
+
+
+setup:
+ google-authenticator
+ # authenticator setup creates the file with the wrong label.
+ restorecon ~/.google_authenticator
+
+
+install-remote:
+ scp ${r} ${m} $$target:/tmp
+ ssh $$target "cd /tmp; yum -y install ${b}"
+ ssh $$target "cd /tmp; semodule -i ${m}"
+ ssh $$target "sed -i -e 's/PAM-1.0/PAM-1.0\nauth required pam_google_authenticator.so nullok/g' /etc/pam.d/sshd"
+ ssh $$target "sed -i -e 's/^ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' /etc/ssh/sshd_config"
+ ssh $$target "service sshd restart"
+
+# make install-remote target=host.domain.tld
diff -r 000000000000 -r 524d6c83d8ad google-authenticator-1.0-0.gita096a62.fc24.6.src.rpm
Binary file google-authenticator-1.0-0.gita096a62.fc24.6.src.rpm has changed
diff -r 000000000000 -r 524d6c83d8ad google-authenticator.fc
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/google-authenticator.fc Wed Mar 01 10:08:26 2017 -0800
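Review bot: The guard `[ -f ${r} ] || /bin/false` in the install recipe does not fail when `r` is empty (no `Wrote:` line in mylog, or mylog missing): unquoted, it expands to `[ -f ]`, which test treats as a non-empty string and returns true, so `yum -y install` then runs with no package argument; quote it, `[ -f "${r}" ] || /bin/false`. The same unquoted expansion reaches `scp ${r} ${m} $$target:/tmp` in install-remote, where an empty `r` silently drops the rpm from the copy. The `sed` that inserts the `auth required pam_google_authenticator.so nullok` line into /etc/pam.d/sshd (and its ssh twin in install-remote) is not idempotent, a second `make install` inserts the line again, so a `grep -q pam_google_authenticator /etc/pam.d/sshd ||` guard in front of it would keep the stack clean. Because of `nullok`, an account with no ~/.google_authenticator file is still admitted on password alone, and only the `setup` target creates that file for the current user; the header comment should state that, e.g. `# nullok: accounts that have not run 'make setup' are NOT challenged for a second factor`.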
@@ -0,0 +1,4 @@
+/root/\.google_authenticator -- gen_context(system_u:object_r:google_authenticator_t,s0)
+/root/\.google_authenticator~ -- gen_context(system_u:object_r:google_authenticator_t,s0)
+HOME_DIR/\.google_authenticator -- gen_context(system_u:object_r:google_authenticator_t,s0)
+HOME_DIR/\.google_authenticator~ -- gen_context(system_u:object_r:google_authenticator_t,s0)
diff -r 000000000000 -r 524d6c83d8ad google-authenticator.te
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/google-authenticator.te Wed Mar 01 10:08:26 2017 -0800
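Review bot: The four file-context entries carry no comment on why the `~` variants are labelled, while the accompanying .te file documents every rule; a one-line header such as `# .google_authenticator~ is presumably the scratch copy the PAM module writes and then renames over the secret -- confirm against pam_google_authenticator` would also explain why `rename` is granted to sshd_t in google-authenticator.te. The explicit `/root/` entries are needed because HOME_DIR is, as far as I recall, expanded from the regular users' home directories and does not cover /root; a short comment saying so would stop a later cleanup from dropping them as duplicates.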
@@ -0,0 +1,59 @@
+# Name and version, every module should have this.
+
+policy_module(google_authenticator, 0.0.1)
+
+
+# List of the types, class and everything else you are going to use in
+# your module that is not defined in this .te file. If you are getting
+# any errors when you compile your module that it is unable to find a
+# type, you probably forgot to declare it here.
+
+require {
+ type sshd_t;
+ type user_home_dir_t;
+ type admin_home_t;
+}
+
+
+# This is where we define our type. A good practise is to append _t for
+# all types. This is the type we are going to give our
+# .google_authenticator file.
+
+type google_authenticator_t;
+
+
+# What role our type should have. This is almost always going to be
+# object_r
+
+role object_r types google_authenticator_t;
+
+
+# What sshd_t (the context the ssh daemon runs as) should be able to do
+# with our type (google_authenticator_t), as a file. rename, create and
+# unlink are base definitions, rw_file_perms is a set of rules. The
+# rw_file_perms group is defined in
+# /usr/share/selinux/devel/include/support/obj_perm_sets.spt with a lot
+# of other groups. Reading this files give you a good overview of what
+# they allow.
+
+allow sshd_t google_authenticator_t:file { rename create unlink rw_file_perms };
+
+
+# Without this, SELinux will be way too strict as default, as it won't
+# know what this type really is. Remember that SELinux doesn’t only
+# deal with files, but sockets and other filetypes as well. Leaving
+# this out will still allow sshd_t to do its stuff, but you, in your
+# shell will see a weird file. The only thing you will see is the file
+# name. Even permissions will be hidden from you. (a fun trick to pull
+# on your friends.. :] ) An overview of this is located at
+# http://oss.tresys.com/docs/refpolicy/api/kernel_files.html.
+
+files_type(google_authenticator_t)
+
+
+# re-label newly created files on the fly
+
+filetrans_pattern(sshd_t, user_home_dir_t, google_authenticator_t, file, ".google_authenticator")
+filetrans_pattern(sshd_t, user_home_dir_t, google_authenticator_t, file, ".google_authenticator~")
+filetrans_pattern(sshd_t, admin_home_t, google_authenticator_t, file, ".google_authenticator")
+filetrans_pattern(sshd_t, admin_home_t, google_authenticator_t, file, ".google_authenticator~")
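Review bot: The module grants access to google_authenticator_t only to sshd_t, so a confined user domain (a user_t or staff_t shell, for instance) presumably cannot run `google-authenticator` to create or rewrite its own file, and the `setup` target in the Makefile only works from an unconfined shell; confirm, and either add an interface for the user domains or state the assumption in a comment next to `type google_authenticator_t;`, e.g. `# Only sshd_t may touch this type; the setup step is expected to run from an unconfined shell`. The comment `re-label newly created files on the fly` above the four filetrans_pattern lines understates the macro: as defined in refpolicy's support macros it also allows sshd_t rw_dir_perms on user_home_dir_t and admin_home_t, not just the type_transition, so the comment should say `# filetrans_pattern also lets sshd_t write the home directory itself; the type_transition labels .google_authenticator(~) at creation`. The allow rule with `rename create unlink rw_file_perms` is, I assume, what the PAM module needs to rewrite the secret file after each login; a comment saying so, and pointing at the `~` entries in google-authenticator.fc, would tie the two files together.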