1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
|
#!/bin/sh
# Copyright 2017 Google Inc. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
is_freebsd() {
[ "$(uname)" = "FreeBSD" ]
return $?
}
nss_config="/etc/nsswitch.conf"
pam_sshd_config="/etc/pam.d/sshd"
pam_su_config="/etc/pam.d/su"
sshd_config="/etc/ssh/sshd_config"
group_config="/etc/security/group.conf"
sudoers_dir="/var/google-sudoers.d"
users_dir="/var/google-users.d"
added_comment="# Added by Google Compute Engine OS Login."
sshd_block="#### Google OS Login control. Do not edit this section. ####"
sshd_end_block="#### End Google OS Login control section. ####"
sudoers_file="/etc/sudoers.d/google-oslogin"
if is_freebsd; then
sudoers_file="/usr/local/etc/sudoers.d/google-oslogin"
fi
# Update nsswitch.conf to include OS Login NSS module for passwd.
modify_nsswitch_conf() {
local nss_config="${1:-${nss_config}}"
if ! grep -q '^passwd:.*oslogin' "$nss_config"; then
$sed -i"" '/^passwd:/ s/$/ cache_oslogin oslogin/' "$nss_config"
fi
if is_freebsd && grep -q '^passwd:.*compat' "$nss_config"; then
$sed -i"" '/^passwd:/ s/compat/files/' "$nss_config"
fi
}
restore_nsswitch_conf() {
local nss_config="${1:-${nss_config}}"
$sed -i"" '/^passwd:/ s/ cache_oslogin oslogin//' "$nss_config"
if is_freebsd; then
$sed -i"" '/^passwd:/ s/files/compat/' "$nss_config"
fi
}
modify_sshd_conf() (
set -e
local sshd_config="${1:-${sshd_config}}"
local sshd_auth_keys_command="AuthorizedKeysCommand /usr/bin/google_authorized_keys"
local sshd_auth_keys_command_user="AuthorizedKeysCommandUser root"
local sshd_auth_methods="AuthenticationMethods publickey,keyboard-interactive"
local sshd_challenge="ChallengeResponseAuthentication yes"
# Update google_authorized_keys path in FreeBSD.
if is_freebsd; then
sshd_auth_keys_command="AuthorizedKeysCommand /usr/local/bin/google_authorized_keys"
fi
# Update directives for EL 6.
if grep -qs "release 6" /etc/redhat-release; then
sshd_auth_keys_command_user="AuthorizedKeysCommandRunAs root"
sshd_auth_methods="RequiredAuthentications2 publickey,keyboard-interactive"
fi
add_or_update_sshd() {
local entry="$1"
local sshd_config="$2"
local directive="$(echo "$entry" | cut -d' ' -f1)"
local value="$(echo "$entry" | cut -d' ' -f2-)"
# Check if directive is present.
if grep -Eq "^\s*${directive}" "$sshd_config"; then
# Check if value is incorrect.
if ! grep -Eq "^\s*${directive}(\s|=)+${value}" "$sshd_config"; then
# Comment out the line (because sshd_config is first-directive-found)
# and add to end section.
$sed -i"" -E "/^\s*${directive}/ s/^/${added_comment}\n#/" "$sshd_config"
$sed -i"" "/$sshd_end_block/ i${entry}" "$sshd_config"
fi
else
$sed -i"" "/$sshd_end_block/ i${entry}" "$sshd_config"
fi
}
# Setup Google config block.
if ! grep -q "$sshd_block" "$sshd_config"; then
# Remove old-style additions.
$sed -i"" "/${added_comment}/,+1d" "$sshd_config"
printf "\n\n${sshd_block}\n${sshd_end_block}" >> "$sshd_config"
fi
for entry in "$sshd_auth_keys_command" "$sshd_auth_keys_command_user"; do
add_or_update_sshd "$entry" "$sshd_config"
done
if [ -n "$two_factor" ]; then
for entry in "$sshd_auth_methods" "$sshd_challenge"; do
add_or_update_sshd "$entry" "$sshd_config"
done
fi
)
restore_sshd_conf() {
local sshd_config="${1:-${sshd_config}}"
if ! grep -q "$sshd_block" "$sshd_config"; then
# Remove old-style additions.
$sed -i"" "/${added_comment}/,+1d" "$sshd_config"
else
# Uncomment commented-out fields and remove Google config block.
$sed -i"" "/${added_comment}/{n;s/^#//}" "$sshd_config"
$sed -i"" "/${added_comment}/d" "$sshd_config"
$sed -i"" "/${sshd_block}/,/${sshd_end_block}/d" "$sshd_config"
fi
}
# Inserts pam modules to relevant pam stacks if missing.
modify_pam_config() (
# TODO: idempotency of this function would be better assured if it wiped out
# and applied desired changes each time rather than detecting deltas.
set -e
local pam_sshd_config="${1:-${pam_sshd_config}}"
local pam_su_config="${1:-${pam_su_config}}"
local pam_auth_oslogin="auth [success=done perm_denied=die default=ignore] pam_oslogin_login.so"
local pam_auth_group="auth [default=ignore] pam_group.so"
local pam_account_oslogin="account [success=ok default=ignore] pam_oslogin_admin.so"
local pam_account_admin="account [success=ok ignore=ignore default=die] pam_oslogin_login.so"
local pam_session_homedir="session [success=ok default=ignore] pam_mkhomedir.so"
local pam_account_su="account [success=bad ignore=ignore] pam_oslogin_login.so"
# In FreeBSD, the used flags are not supported, replacing them with the
# previous ones (requisite and optional). This is not an exact feature parity
# with Linux.
if is_freebsd; then
pam_auth_oslogin="auth optional pam_oslogin_login.so"
pam_auth_group="auth optional pam_group.so"
pam_account_oslogin="account optional pam_oslogin_admin.so"
pam_account_admin="account requisite pam_oslogin_login.so"
pam_session_homedir="session optional pam_mkhomedir.so"
fi
local added_config=""
local added_su_config=""
# For COS this file is solely includes, so simply prepend the new config,
# making each entry the top of its stack.
if [ -e /etc/os-release ] && grep -q "ID=cos" /etc/os-release; then
added_config="${added_comment}\n"
for cfg in "$pam_account_admin" "$pam_account_oslogin" \
"$pam_session_homedir" "$pam_auth_group"; do
grep -qE "^${cfg%% *}.*${cfg##* }" ${pam_sshd_config} || added_config="${added_config}${cfg}\n"
done
if [ -n "$two_factor" ]; then
grep -q "$pam_auth_oslogin" "$pam_sshd_config" || added_config="${added_config}${pam_auth_oslogin}\n"
fi
$sed -i"" "1i ${added_config}\n\n" "$pam_sshd_config"
added_su_config="${added_comment}\n${pam_account_su}"
$sed -i"" "1i ${added_su_config}" "$pam_su_config"
return 0
fi
# Find the distro-specific insertion point for auth and su.
if [ -e /etc/debian_version ]; then
# Get location of common-auth and check if preceding line is a comment.
insert=$($sed -rn "/^@include\s+common-auth/=" "$pam_sshd_config")
$sed -n "$((insert-1))p" "$pam_sshd_config" | grep -q '^#' && insert=$((insert-1))
su_insert=$($sed -rn "/^@include\s+common-account/=" "$pam_su_config")
elif [ -e /etc/redhat-release ]; then
# Get location of password-auth.
insert=$($sed -rn "/^auth\s+(substack|include)\s+password-auth/=" \
"$pam_sshd_config")
# Get location of system-auth.
su_insert=$($sed -rn "/^account\s+include\s+system-auth/=" "$pam_su_config")
elif [ -e /etc/os-release ] && grep -q 'ID="sles"' /etc/os-release; then
# Get location of common-auth.
insert=$($sed -rn "/^auth\s+include\s+common-auth/=" "$pam_sshd_config")
# Get location of common-account.
su_insert=$($sed -rn "/^account\s+include\s+common-account/=" "$pam_su_config")
elif [ -e /etc/arch-release ]; then
# Get location of system-remote-login.
insert=$($sed -rn "/^auth\s+include\s+system-remote-login/=" "$pam_sshd_config")
# TODO: find su_insert point for arch linux.
elif is_freebsd; then
# Get location of the first auth occurrence
insert=$($sed -rn '/^auth/=' "$pam_sshd_config" | head -1)
fi
added_config="$added_comment"
if ! grep -qE '^auth.*pam_group' "$pam_sshd_config"; then
added_config="${added_config}\n${pam_auth_group}"
fi
# This auth entry for OS Login+two factor MUST be added last, as it will
# short-circuit processing of the auth stack via [success=ok]. auth stack
# entries after this one will not be processed.
if [ -n "$two_factor" ] && ! grep -qE '^auth.*oslogin' "$pam_sshd_config"; then
added_config="${added_config}\n${pam_auth_oslogin}"
fi
# Insert auth modules at top of `sshd:auth` stack.
if [ -n "$insert" ] && [ "$added_config" != "$added_comment" ]; then
$sed -i"" "${insert}i ${added_config}" "$pam_sshd_config"
fi
# Insert su blocker at top of `su:account` stack.
if [ -n "$su_insert" ] && ! grep -qE "$pam_account_su" "$pam_su_config"; then
added_su_config="${added_comment}\n${pam_account_su}"
$sed -i"" "${su_insert}i ${added_su_config}" "$pam_su_config"
fi
# Append account modules at end of `sshd:account` stack.
if ! grep -qE '^account.*oslogin' "$pam_sshd_config"; then
added_config="\\\n${added_comment}\n${pam_account_admin}\n${pam_account_oslogin}"
account_end=$($sed -n '/^account/=' "$pam_sshd_config" | tail -1)
$sed -i"" "${account_end}a ${added_config}" "$pam_sshd_config"
fi
# Append mkhomedir module at end of `sshd:session` stack.
if ! grep -qE '^session.*mkhomedir' "$pam_sshd_config"; then
added_config="\\\n${added_comment}\n${pam_session_homedir}"
session_end=$($sed -n '/^session/=' "$pam_sshd_config" | tail -1)
$sed -i"" "${session_end}a ${added_config}" "$pam_sshd_config"
fi
)
restore_pam_config() {
local pam_sshd_config="${1:-${pam_sshd_config}}"
local pam_su_config="${1:-${pam_su_config}}"
$sed -i"" "/${added_comment}/d" "$pam_sshd_config"
$sed -i"" "/pam_oslogin/d" "$pam_sshd_config"
$sed -i"" "/^session.*mkhomedir/d" "$pam_sshd_config"
$sed -i"" "/^auth.*pam_group/d" "$pam_sshd_config"
$sed -i"" "/${added_comment}/d" "$pam_su_config"
$sed -i"" "/pam_oslogin/d" "$pam_su_config"
}
modify_group_conf() {
# In FreeBSD there is no pam_group config file similar to
# /etc/security/group.conf.
if is_freebsd; then
return
fi
local group_config="${1:-${group_config}}"
local group_conf_entry="sshd;*;*;Al0000-2400;adm,dip,docker,lxd,plugdev,video"
if ! grep -q "$group_conf_entry" "$group_config"; then
$sed -i"" "\$a ${added_comment}\n${group_conf_entry}" "$group_config"
fi
}
restore_group_conf() {
# In FreeBSD there is no pam_group config file similar to
# /etc/security/group.conf.
if is_freebsd; then
return
fi
local group_config="${1:-${group_config}}"
$sed -i"" "/${added_comment}/{n;d}" "$group_config"
$sed -i"" "/${added_comment}/d" "$group_config"
}
restart_service() {
local service="$1"
# The other options will be wrappers to systemctl on
# systemd-enabled systems, so stop if found.
if readlink -f /sbin/init|grep -q systemd; then
if systemctl is-active --quiet "$service"; then
systemctl restart "$service"
return $?
else
return 0
fi
fi
# Use the service helper if it exists.
if command -v service > /dev/null; then
if ! service "$service" status 2>&1 | grep -Eq "unrecognized|does not exist"; then
service "$service" restart
return $?
else
return 0
fi
fi
# Fallback to trying sysvinit script of the same name.
if command -v /etc/init.d/"$service" > /dev/null; then
if /etc/init.d/"$service" status > /dev/null 2>&1; then
/etc/init.d/"$service" restart
return $?
else
return 0
fi
fi
# We didn't find any way to restart this service.
return 1
}
# Restart sshd unless --norestartsshd flag is set.
restart_sshd() {
if [ -n "$no_restart_sshd" ]; then
return 0
fi
echo "Restarting SSHD"
for svc in "ssh" "sshd"; do
restart_service "$svc"
done
}
restart_svcs() {
echo "Restarting optional services."
for svc in "nscd" "unscd" "systemd-logind" "cron" "crond"; do
restart_service "$svc"
done
}
setup_google_dirs() {
for dir in "$sudoers_dir" "$users_dir"; do
[ -d "$dir" ] && continue
mkdir -p "$dir"
chmod 750 "$dir"
if fixfiles=$(command -v fixfiles); then
$fixfiles restore "$dir"
fi
done
echo "#includedir ${sudoers_dir}" > "$sudoers_file"
chmod 0440 "$sudoers_file"
}
remove_google_dirs() {
for dir in "$sudoers_dir" "$users_dir"; do
rm -rf "$dir"
done
rm -f "$sudoers_file"
}
activate() {
for func in modify_sshd_conf modify_nsswitch_conf \
modify_pam_config setup_google_dirs restart_svcs restart_sshd \
modify_group_conf; do
$func
[ $? -eq 0 ] || return 1
done
}
deactivate() {
for func in remove_google_dirs restore_nsswitch_conf \
restore_sshd_conf restore_pam_config restart_svcs restart_sshd \
restore_group_conf; do
$func
done
}
# get_status checks each file for appropriate updates and exits on first
# failure. Checks for two factor config changes only if requested.
get_status() (
set -e
grep -Eq '^account.*oslogin' "$pam_sshd_config"
grep -Eq 'google_authorized_keys' "$sshd_config"
grep -Eq 'passwd:.*oslogin' "$nss_config"
if [ -n "$two_factor" ]; then
grep -Eq '^auth.*oslogin' "$pam_sshd_config"
grep -Eq '^(AuthenticationMethods|RequiredAuthentications2).*publickey,keyboard-interactive' "$sshd_config"
fi
)
usage() {
echo "Usage: $(basename "$0") {activate|deactivate|status} [--norestartsshd] [--twofactor]"
echo "This script will activate or deactivate the features for"
echo "Google Compute Engine OS Login and (optionally) two-factor authentication."
echo "This script must be run as root."
exit 1
}
# Main
if [ $(id -u) -ne 0 ] || [ $# -lt 1 ]; then
usage
fi
sed="sed"
is_freebsd && sed="gsed"
while [ $# -gt 0 ]; do
case "$1" in
--norestartsshd)
no_restart_sshd="true"
shift
;;
--twofactor)
two_factor="true"
shift
;;
activate)
action="activate"
shift
;;
deactivate)
action="deactivate"
shift
;;
status)
action="status"
shift
;;
*)
shift
;;
esac
done
case "$action" in
activate)
echo "Activating Google Compute Engine OS Login."
activate
if [ $? -ne 0 ]; then
echo "Failed to apply changes, rolling back"
deactivate
exit 1
fi
;;
deactivate)
echo "Deactivating Google Compute Engine OS Login."
deactivate
;;
status)
get_status
exit $?
;;
*)
usage
;;
esac
|
