authorEmil Renner Berthing <esmil@labitat.dk>2018-10-27 22:41:40 +0200
committerEmil Renner Berthing <esmil@labitat.dk>2018-10-27 22:44:14 +0200
commit2441baf2870a296ccd77b5e903ffa450a0418b9b (patch)
tree8824dc069009bae3484d70652031c2525c363169
parent060a041a7bf07960877099081554065bba155b4e (diff)
space_server: radius: use python for ASSHA auth
..rather than our own patched radiusd
-rwxr-xr-xroles/space_server/files/radius/assha.py50
-rw-r--r--roles/space_server/files/radius/freeradius-assha-3.0.15-1.fc26.x86_64.rpmbin1112554 -> 0 bytes
-rw-r--r--roles/space_server/files/radius/freeradius-assha-3.0.15-3.fc27.x86_64.rpmbin1140764 -> 0 bytes
-rw-r--r--roles/space_server/files/radius/mods-available/python-assha17
-rw-r--r--roles/space_server/files/radius/sites-available/labitat3
-rw-r--r--roles/space_server/files/radius/sites-available/labitat-inner3
-rw-r--r--roles/space_server/tasks/radius.yml64
-rwxr-xr-xroles/space_server/templates/radius/getusers.sh.j22
8 files changed, 110 insertions, 29 deletions
diff --git a/roles/space_server/files/radius/assha.py b/roles/space_server/files/radius/assha.py
new file mode 100755
index 0000000..e34c382
--- /dev/null
+++ b/roles/space_server/files/radius/assha.py
@@ -0,0 +1,50 @@
+#!/usr/bin/env python
+
+import radiusd
+import hashlib
+import re
+
+USERS = '/etc/raddb/mods-config/files/authorize'
+REXP = re.compile('^([^ ]+) ASSHA-Password := "(.*)"$')
+
+def authorize(p):
+ #radiusd.radlog(radiusd.L_INFO, '*** radlog call in authorize ***')
+ reply = ( ('Reply-Message', 'Welcome to Labitat!'), )
+ config = ( ('Auth-Type', 'python'), )
+ return (radiusd.RLM_MODULE_OK, reply, config)
+
+def load_users():
+ users = {}
+ with open(USERS) as fp:
+ for line in fp:
+ match = REXP.match(line)
+ if match:
+ users[match.group(1)] = match.group(2)
+
+ return users
+
+def check_pwd(user, pw):
+ users = load_users()
+ if user not in users:
+ return False
+ assha = users[user]
+ crypted = assha[:40]
+ salt = assha[40:]
+ h = hashlib.sha1('--%s--%s--' % (salt, pw)).hexdigest()
+ return h == crypted
+
+def authenticate(p):
+ #radiusd.radlog(radiusd.L_INFO, '*** radlog call in authenticate *** ')
+ user = None
+ pw = None
+ for (attr, value) in p:
+ if attr == 'User-Name':
+ user = value
+ if attr == 'User-Password':
+ pw = value
+
+ # check password
+ if user != None and pw != None and check_pwd(user, pw):
+ return radiusd.RLM_MODULE_OK
+
+ return radiusd.RLM_MODULE_REJECT
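Review bot: `check_pwd` compares the computed digest with `h == crypted`, a plain string comparison that stops at the first differing character, so `return hmac.compare_digest(h, crypted)` (with `import hmac`; available from Python 2.7.7, which the 2.7 library paths in mods-available/python-assha suggest is the target) avoids leaking where the two hashes diverge through timing. The slices `assha[:40]` and `assha[40:]` also assume every stored value is at least a 40-character hex digest followed by the salt; a shorter entry silently produces a wrong split instead of a rejection, so a guard such as `if len(assha) <= 40: return False` before the split makes that failure explicit. Separately, `load_users` re-reads and re-parses the whole authorize file on every authentication attempt, which is presumably deliberate (getusers.sh in this commit no longer restarts radiusd) and deserves a one-line comment saying so. Minor style: `user != None and pw != None` should be `user is not None and pw is not None`.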
diff --git a/roles/space_server/files/radius/freeradius-assha-3.0.15-1.fc26.x86_64.rpm b/roles/space_server/files/radius/freeradius-assha-3.0.15-1.fc26.x86_64.rpm
deleted file mode 100644
index 145191c..0000000
--- a/roles/space_server/files/radius/freeradius-assha-3.0.15-1.fc26.x86_64.rpm
+++ /dev/null
Binary files differ
diff --git a/roles/space_server/files/radius/freeradius-assha-3.0.15-3.fc27.x86_64.rpm b/roles/space_server/files/radius/freeradius-assha-3.0.15-3.fc27.x86_64.rpm
deleted file mode 100644
index d69ef22..0000000
--- a/roles/space_server/files/radius/freeradius-assha-3.0.15-3.fc27.x86_64.rpm
+++ /dev/null
Binary files differ
diff --git a/roles/space_server/files/radius/mods-available/python-assha b/roles/space_server/files/radius/mods-available/python-assha
new file mode 100644
index 0000000..fa48e01
--- /dev/null
+++ b/roles/space_server/files/radius/mods-available/python-assha
@@ -0,0 +1,17 @@
+python {
+ python_path="/usr/lib/python27.zip:/usr/lib64/python2.7:/usr/lib64/python2.7/plat-linux2:/usr/lib64/python2.7/lib-tk:/usr/lib64/python2.7/lib-old:/usr/lib64/python2.7/lib-dynload:/usr/lib64/python2.7/site-packages:/usr/lib/python2.7/site-packages:/etc/raddb/mods-config/python/"
+
+ module = assha
+
+ #mod_instantiate = ${.module}
+ #func_instantiate = instantiate
+
+ #mod_detach = ${.module}
+ #func_detach = instantiate
+
+ mod_authorize = ${.module}
+ func_authorize = authorize
+
+ mod_authenticate = ${.module}
+ func_authenticate = authenticate
+}
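Review bot: The commented-out `#func_detach = instantiate` names the instantiate function for the detach hook, so if it is ever enabled it would call the wrong callback; it should read `#func_detach = detach`, and since assha.py defines neither an instantiate nor a detach function, both commented pairs could simply be dropped. The `python_path` also hard-codes Python 2.7 library locations, which ties this module to the interpreter shipped with the target Fedora release; a short comment noting that it must be updated together with the freeradius-python package would help the next upgrade.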
diff --git a/roles/space_server/files/radius/sites-available/labitat b/roles/space_server/files/radius/sites-available/labitat
index fcdbda7..6deb993 100644
--- a/roles/space_server/files/radius/sites-available/labitat
+++ b/roles/space_server/files/radius/sites-available/labitat
@@ -21,8 +21,6 @@ server labitat {
ok = return
}
- files
-
expiration
logintime
pap
@@ -40,7 +38,6 @@ server labitat {
preprocess
acct_unique
suffix
- files
}
accounting {
diff --git a/roles/space_server/files/radius/sites-available/labitat-inner b/roles/space_server/files/radius/sites-available/labitat-inner
index 94d5643..8c099fc 100644
--- a/roles/space_server/files/radius/sites-available/labitat-inner
+++ b/roles/space_server/files/radius/sites-available/labitat-inner
@@ -13,7 +13,7 @@ server labitat-inner {
ok = return
}
- files
+ python
expiration
logintime
pap
@@ -24,6 +24,7 @@ server labitat-inner {
pap
}
+ python
eap
}
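Review bot: `pap` stays in the authorize section directly after the new `python` entry, but the authorize hook in assha.py returns `Auth-Type := python` unconditionally, so pap's authorize step presumably never gets to select PAP and is now dead in this list; either remove it or add a comment explaining why it is kept. The same hook also returns OK without checking that the user exists in the authorize file, so every request now reaches the python authenticate call, where the reject for unknown users happens. Both the authorize and authenticate sections continue outside the hunk.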
diff --git a/roles/space_server/tasks/radius.yml b/roles/space_server/tasks/radius.yml
index 521f6ae..972cc40 100644
--- a/roles/space_server/tasks/radius.yml
+++ b/roles/space_server/tasks/radius.yml
@@ -1,31 +1,15 @@
---
-- name: Install our freeradius-assha package
- dnf:
- name: '{{ item }}'
- state: present
- with_fileglob: 'radius/freeradius-assha-*.fc{{ ansible_distribution_major_version }}.*.rpm'
- tags:
- - packages
-
-- name: Make sure curl and diffutils are installed
+- name: Install freeradius-python, curl and diffutils package
dnf:
name: '{{ item }}'
state: present
with_items:
+ - freeradius-python
- curl
- diffutils
tags:
- packages
-- name: Disable default site
- file:
- path: '/etc/raddb/sites-enabled/{{ item }}'
- state: absent
- with_items:
- - default
- - inner-tunnel
- notify:
- - restart radiusd
- name: Configure radiusd
copy:
dest: '/etc/raddb/{{ item }}'
@@ -36,10 +20,22 @@
with_items:
- radiusd.conf
- mods-available/eap
+ - mods-available/python-assha
- sites-available/labitat
- sites-available/labitat-inner
notify:
- restart radiusd
+
+- name: Create assha python script
+ copy:
+ dest: '/etc/raddb/mods-config/python/assha.py'
+ src: 'radius/assha.py'
+ owner: root
+ group: root
+ mode: 0755
+ notify:
+ - restart radiusd
+
- name: Configure radius clients
template:
dest: '/etc/raddb/clients.conf'
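Review bot: The new "Create assha python script" task installs the module with `mode: 0755`, but rlm_python imports `/etc/raddb/mods-config/python/assha.py` rather than executing it, so `mode: 0644` is the least-privilege choice and closer to the 0640 this file uses for clients.conf. The task also assumes the `mods-config/python/` directory already exists, presumably created by the freeradius-python package installed at the top of this file; if that is not guaranteed, a preceding `file:` task with `state: directory` would keep the play working on a fresh host.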
@@ -49,17 +45,35 @@
mode: 0640
notify:
- restart radiusd
-- name: Enable labitat site
+
+- name: Configure radius sites
+ file:
+ path: '/etc/raddb/sites-enabled/{{ item.name }}'
+ src: '../sites-available/{{ item.name }}'
+ state: '{{ item.state }}'
+ owner: root
+ group: radiusd
+ force: yes
+ with_items:
+ - { name: default, state: absent }
+ - { name: inner-tunnel, state: absent }
+ - { name: labitat, state: link }
+ - { name: labitat-inner, state: link }
+ notify:
+ - restart radiusd
+
+- name: Configure radius modules
file:
- path: '/etc/raddb/sites-enabled/{{ item }}'
- src: '../sites-available/{{ item }}'
- state: link
+ path: '/etc/raddb/mods-enabled/{{ item.name }}'
+ src: '../mods-available/{{ item.name }}'
+ state: '{{ item.state }}'
owner: root
group: radiusd
force: yes
with_items:
- - labitat
- - labitat-inner
+ - { name: files, state: absent }
+ - { name: python, state: absent }
+ - { name: python-assha, state: link }
notify:
- restart radiusd
@@ -70,6 +84,7 @@
owner: root
group: radiusd
mode: 0750
+
- name: Create getusers service and timer
copy:
dest: '/etc/systemd/system/{{ item }}'
@@ -103,6 +118,7 @@
owner: root
group: root
mode: 0755
+
- name: Start radiusd after networks are configured
copy:
dest: '/etc/systemd/system/radiusd.service.d/wait-online.conf'
diff --git a/roles/space_server/templates/radius/getusers.sh.j2 b/roles/space_server/templates/radius/getusers.sh.j2
index 25068a8..b7e6659 100755
--- a/roles/space_server/templates/radius/getusers.sh.j2
+++ b/roles/space_server/templates/radius/getusers.sh.j2
@@ -12,5 +12,5 @@ trap cleanup EXIT SIGINT SIGTERM
curl -fs -o "$tmpfile" '{{ radius_passwords.download_url }}'
if ! diff -q "$tmpfile" "$outfile" >/dev/null; then
install -m0640 "$tmpfile" "$outfile"
- systemctl restart radiusd.service
+ #systemctl restart radiusd.service
fi
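Review bot: Commenting out `systemctl restart radiusd.service` leaves a dead line with no explanation of why the restart is no longer needed; since assha.py in this commit re-reads the authorize file on every request, replace it with `# no restart needed: assha.py re-reads $outfile on each authentication` or drop the line entirely. The rest of the script is outside the hunk.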