changeset 0:524d6c83d8ad

initial version
author Carl Byington <carl@five-ten-sg.com>
date Wed, 01 Mar 2017 10:08:26 -0800
parents
children 0e3c9806a620
files Makefile google-authenticator-1.0-0.gita096a62.fc24.6.src.rpm google-authenticator.fc google-authenticator.te
diffstat 4 files changed, 101 insertions(+), 0 deletions(-) [+]
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/Makefile	Wed Mar 01 10:08:26 2017 -0800
@@ -0,0 +1,38 @@
+#
+# based on http://blog.boa.nu/2012/11/two-factor-ssh-login-google-authenticator-and-selinux.html
+#
+
+r := $(shell grep Wrote: mylog | grep -v debuginfo | awk '{print $$2}')
+b := $(shell basename ${r})
+m := google-authenticator.pp
+
+all:
+	rpmbuild --rebuild google-authenticator-1.0-0.gita096a62.fc24.6.src.rpm >mylog 2>&1
+	grep Wrote: mylog
+	make -f /usr/share/selinux/devel/Makefile
+
+
+install:
+	[ -f ${r} ] || /bin/false
+	yum -y install ${r}
+	semodule -i ${m}
+	sed -i -e 's/PAM-1.0/PAM-1.0\nauth		  required	   pam_google_authenticator.so nullok/g' /etc/pam.d/sshd
+	sed -i -e 's/^ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' /etc/ssh/sshd_config
+	service sshd restart
+
+
+setup:
+	google-authenticator
+	# authenticator setup creates the file with the wrong label.
+	restorecon ~/.google_authenticator
+
+
+install-remote:
+	scp ${r} ${m} $$target:/tmp
+	ssh $$target "cd /tmp; yum -y install ${b}"
+	ssh $$target "cd /tmp; semodule -i ${m}"
+	ssh $$target "sed -i -e 's/PAM-1.0/PAM-1.0\nauth		  required	   pam_google_authenticator.so nullok/g' /etc/pam.d/sshd"
+	ssh $$target "sed -i -e 's/^ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' /etc/ssh/sshd_config"
+	ssh $$target "service sshd restart"
+
+# make install-remote target=host.domain.tld
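Review bot: The guard `[ -f ${r} ] || /bin/false` on line 30 does not fail when `r` is empty — `r` is computed at parse time from `mylog`, which does not exist before `make all` has run, and a one-argument `[ -f ]` is true, so `yum -y install` is then invoked with no package; use `[ -n "${r}" ] && [ -f "${r}" ]` or `$(if $(strip $(r)),,$(error run 'make all' first))` in the recipe. The `sed` edits of `/etc/pam.d/sshd` on lines 33 and 48 are not idempotent: every `make install` or `make install-remote` run inserts another `auth required pam_google_authenticator.so nullok` line, so prefix them with `grep -q pam_google_authenticator /etc/pam.d/sshd || ` (and note that `nullok` lets a user with no `~/.google_authenticator` log in without the second factor, which deserves a comment). Line 26 should invoke `$(MAKE) -f /usr/share/selinux/devel/Makefile` rather than bare `make`, and `all`, `install`, `setup` and `install-remote` should be declared in `.PHONY`, since none of them produces a file of that name.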
Binary file google-authenticator-1.0-0.gita096a62.fc24.6.src.rpm has changed
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/google-authenticator.fc	Wed Mar 01 10:08:26 2017 -0800
@@ -0,0 +1,4 @@
+/root/\.google_authenticator        --  gen_context(system_u:object_r:google_authenticator_t,s0)
+/root/\.google_authenticator~       --  gen_context(system_u:object_r:google_authenticator_t,s0)
+HOME_DIR/\.google_authenticator     --  gen_context(system_u:object_r:google_authenticator_t,s0)
+HOME_DIR/\.google_authenticator~    --  gen_context(system_u:object_r:google_authenticator_t,s0)
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/google-authenticator.te	Wed Mar 01 10:08:26 2017 -0800
@@ -0,0 +1,59 @@
+# Name and version, every module should have this.
+
+policy_module(google_authenticator, 0.0.1)
+
+
+# List of the types, class and everything else you are going to use in
+# your module that is not defined in this .te file.  If you are getting
+# any errors when you compile your module that it is unable to find a
+# type, you probably forgot to declare it here.
+
+require {
+    type sshd_t;
+    type user_home_dir_t;
+    type admin_home_t;
+}
+
+
+# This is where we define our type. A good practise is to append _t for
+# all types.  This is the type we are going to give our
+# .google_authenticator file.
+
+type google_authenticator_t;
+
+
+# What role our type should have. This is almost always going to be
+# object_r
+
+role object_r types google_authenticator_t;
+
+
+# What sshd_t (the context the ssh daemon runs as) should be able to do
+# with our type (google_authenticator_t), as a file. rename, create and
+# unlink are base definitions, rw_file_perms is a set of rules.  The
+# rw_file_perms group is defined in
+# /usr/share/selinux/devel/include/support/obj_perm_sets.spt with a lot
+# of other groups. Reading this files give you a good overview of what
+# they allow.
+
+allow sshd_t google_authenticator_t:file { rename create unlink rw_file_perms };
+
+
+# Without this, SELinux will be way too strict as default, as it won't
+# know what this type really is.  Remember that SELinux doesn’t only
+# deal with files, but sockets and other filetypes as well.  Leaving
+# this out will still allow sshd_t to do its stuff, but you, in your
+# shell will see a weird file.  The only thing you will see is the file
+# name. Even permissions will be hidden from you. (a fun trick to pull
+# on your friends.. :] ) An overview of this is located at
+# http://oss.tresys.com/docs/refpolicy/api/kernel_files.html.
+
+files_type(google_authenticator_t)
+
+
+# re-label newly created files on the fly
+
+filetrans_pattern(sshd_t, user_home_dir_t, google_authenticator_t, file, ".google_authenticator")
+filetrans_pattern(sshd_t, user_home_dir_t, google_authenticator_t, file, ".google_authenticator~")
+filetrans_pattern(sshd_t, admin_home_t, google_authenticator_t, file, ".google_authenticator")
+filetrans_pattern(sshd_t, admin_home_t, google_authenticator_t, file, ".google_authenticator~")
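Review bot: The `filetrans_pattern` calls on lines 119–122 grant more than the "re-label newly created files" comment on line 117 suggests — in refpolicy the macro expands to `allow $1 $2:dir rw_dir_perms;` plus the named `type_transition`, so sshd_t gets read/write directory permissions on every `user_home_dir_t` and `admin_home_t` directory, not just on the two named files. Replace the comment with one stating that, e.g. `# Named type_transition so sshd_t creates ~/.google_authenticator and its ~ backup as google_authenticator_t; note filetrans_pattern also grants sshd_t rw_dir_perms on the home directory types.` The file-context rules in the .fc only take effect for existing files after a `restorecon`, which the Makefile's `setup` target runs only for the current user, so a comment on line 85 pointing that out would help anyone loading this module on a host that already has `.google_authenticator` files.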