From 2441baf2870a296ccd77b5e903ffa450a0418b9b Mon Sep 17 00:00:00 2001
From: Emil Renner Berthing
Date: Sat, 27 Oct 2018 22:41:40 +0200
Subject: space_server: radius: use python for ASSHA auth ..rather than our own patched radiusd
---
 roles/space_server/files/radius/assha.py | 50 ++++++++++++++++
 .../freeradius-assha-3.0.15-1.fc26.x86_64.rpm | Bin 1112554 -> 0 bytes
 .../freeradius-assha-3.0.15-3.fc27.x86_64.rpm | Bin 1140764 -> 0 bytes
 .../files/radius/mods-available/python-assha | 17 ++++++
 .../files/radius/sites-available/labitat | 3 -
 .../files/radius/sites-available/labitat-inner | 3 +-
 roles/space_server/tasks/radius.yml | 64 +++++++++++++--------
 roles/space_server/templates/radius/getusers.sh.j2 | 2 +-
 8 files changed, 110 insertions(+), 29 deletions(-)
 create mode 100755 roles/space_server/files/radius/assha.py
 delete mode 100644 roles/space_server/files/radius/freeradius-assha-3.0.15-1.fc26.x86_64.rpm
 delete mode 100644 roles/space_server/files/radius/freeradius-assha-3.0.15-3.fc27.x86_64.rpm
 create mode 100644 roles/space_server/files/radius/mods-available/python-assha
diff --git a/roles/space_server/files/radius/assha.py b/roles/space_server/files/radius/assha.py
new file mode 100755
index 0000000..e34c382
--- /dev/null
+++ b/roles/space_server/files/radius/assha.py
@@ -0,0 +1,50 @@
+#!/usr/bin/env python
+
+import radiusd
+import hashlib
+import re
+
+USERS = '/etc/raddb/mods-config/files/authorize'
+REXP = re.compile('^([^ ]+) ASSHA-Password := "(.*)"$')
+
+def authorize(p):
+ #radiusd.radlog(radiusd.L_INFO, '*** radlog call in authorize ***')
+ reply = ( ('Reply-Message', 'Welcome to Labitat!'), )
+ config = ( ('Auth-Type', 'python'), )
+ return (radiusd.RLM_MODULE_OK, reply, config)
+
+def load_users():
+ users = {}
+ with open(USERS) as fp:
+ for line in fp:
+ match = REXP.match(line)
+ if match:
+ users[match.group(1)] = match.group(2)
+
+ return users
+
+def check_pwd(user, pw):
+ users = load_users()
+ if user not in users:
+ return False
+ assha = users[user]
+ crypted = assha[:40]
+ salt = assha[40:]
+ h = hashlib.sha1('--%s--%s--' % (salt, pw)).hexdigest()
+ return h == crypted
+
+def authenticate(p):
+ #radiusd.radlog(radiusd.L_INFO, '*** radlog call in authenticate *** ')
+ user = None
+ pw = None
+ for (attr, value) in p:
+ if attr == 'User-Name':
+ user = value
+ if attr == 'User-Password':
+ pw = value
+
+ # check password
+ if user != None and pw != None and check_pwd(user, pw):
+ return radiusd.RLM_MODULE_OK
+
+ return radiusd.RLM_MODULE_REJECT
diff --git a/roles/space_server/files/radius/freeradius-assha-3.0.15-1.fc26.x86_64.rpm b/roles/space_server/files/radius/freeradius-assha-3.0.15-1.fc26.x86_64.rpm
deleted file mode 100644
index 145191c..0000000
Binary files a/roles/space_server/files/radius/freeradius-assha-3.0.15-1.fc26.x86_64.rpm and /dev/null differ
diff --git a/roles/space_server/files/radius/freeradius-assha-3.0.15-3.fc27.x86_64.rpm b/roles/space_server/files/radius/freeradius-assha-3.0.15-3.fc27.x86_64.rpm
deleted file mode 100644
index d69ef22..0000000
Binary files a/roles/space_server/files/radius/freeradius-assha-3.0.15-3.fc27.x86_64.rpm and /dev/null differ
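Review bot: `return h == crypted` at the end of `check_pwd` compares the computed digest with the stored one using `==`, which stops at the first differing character; use `hmac.compare_digest(h, crypted)` (with `import hmac` next to the other imports) so the comparison time does not depend on how much of the digest matches. `load_users()` opens the authorize file on every request, and an `IOError` from `open(USERS)` propagates out of `authenticate` instead of producing a reject, so the `load_users()` call in `check_pwd` should be wrapped with `except IOError: return False`, ideally after a `radiusd.radlog` line naming the problem. `hashlib.sha1('--%s--%s--' % (salt, pw))` hashes a `str`, which only works under Python 2 (on Python 3 it raises `TypeError`); a module docstring should state that the script targets the Python 2.7 interpreter whose paths the python-assha module config lists. As a point of style, `user != None and pw != None` reads better as `user is not None and pw is not None`.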
diff --git a/roles/space_server/files/radius/mods-available/python-assha b/roles/space_server/files/radius/mods-available/python-assha
new file mode 100644
index 0000000..fa48e01
--- /dev/null
+++ b/roles/space_server/files/radius/mods-available/python-assha
@@ -0,0 +1,17 @@
+python {
+ python_path="/usr/lib/python27.zip:/usr/lib64/python2.7:/usr/lib64/python2.7/plat-linux2:/usr/lib64/python2.7/lib-tk:/usr/lib64/python2.7/lib-old:/usr/lib64/python2.7/lib-dynload:/usr/lib64/python2.7/site-packages:/usr/lib/python2.7/site-packages:/etc/raddb/mods-config/python/"
+
+ module = assha
+
+ #mod_instantiate = ${.module}
+ #func_instantiate = instantiate
+
+ #mod_detach = ${.module}
+ #func_detach = instantiate
+
+ mod_authorize = ${.module}
+ func_authorize = authorize
+
+ mod_authenticate = ${.module}
+ func_authenticate = authenticate
+}
diff --git a/roles/space_server/files/radius/sites-available/labitat b/roles/space_server/files/radius/sites-available/labitat
index fcdbda7..6deb993 100644
--- a/roles/space_server/files/radius/sites-available/labitat
+++ b/roles/space_server/files/radius/sites-available/labitat
@@ -21,8 +21,6 @@ server labitat {
 ok = return } - files - expiration logintime pap
@@ -40,7 +38,6 @@ server labitat {
 preprocess
 acct_unique
 suffix
- files
 }
 accounting {
diff --git a/roles/space_server/files/radius/sites-available/labitat-inner b/roles/space_server/files/radius/sites-available/labitat-inner
index 94d5643..8c099fc 100644
--- a/roles/space_server/files/radius/sites-available/labitat-inner
+++ b/roles/space_server/files/radius/sites-available/labitat-inner
@@ -13,7 +13,7 @@ server labitat-inner {
 ok = return
 }
- files
+ python
 expiration
 logintime
 pap
@@ -24,6 +24,7 @@ server labitat-inner {
 pap
 }
+ python
 eap
 }
diff --git a/roles/space_server/tasks/radius.yml b/roles/space_server/tasks/radius.yml
index 521f6ae..972cc40 100644
--- a/roles/space_server/tasks/radius.yml
+++ b/roles/space_server/tasks/radius.yml
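Review bot: The `python_path` line hard-codes the full Python 2.7 interpreter layout with the role's own `/etc/raddb/mods-config/python/` appended last, and nothing says why the first eight entries are there; a comment such as `# system default sys.path for python2.7 plus our module dir; regenerate on interpreter upgrade` would tell the next maintainer that only the last entry is project-specific and that an interpreter change invalidates the rest. The commented `#func_detach = instantiate` looks like a leftover from an example config, since a detach hook named `instantiate` would be surprising; either point it at a `detach` function or drop the two commented `mod_detach`/`func_detach` lines along with the `mod_instantiate` pair, which are dead text as written.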
@@ -1,31 +1,15 @@
 ---
-- name: Install our freeradius-assha package
- dnf:
- name: '{{ item }}'
- state: present
- with_fileglob: 'radius/freeradius-assha-*.fc{{ ansible_distribution_major_version }}.*.rpm'
- tags:
- - packages
-
-- name: Make sure curl and diffutils are installed
+- name: Install freeradius-python, curl and diffutils package
 dnf:
 name: '{{ item }}'
 state: present
 with_items:
+ - freeradius-python
 - curl
 - diffutils
 tags:
 - packages
-- name: Disable default site
- file:
- path: '/etc/raddb/sites-enabled/{{ item }}'
- state: absent
- with_items:
- - default
- - inner-tunnel
- notify:
- - restart radiusd
 - name: Configure radiusd
 copy:
 dest: '/etc/raddb/{{ item }}'
@@ -36,10 +20,22 @@
 with_items:
 - radiusd.conf
 - mods-available/eap
+ - mods-available/python-assha
 - sites-available/labitat
 - sites-available/labitat-inner
 notify:
 - restart radiusd
+
+- name: Create assha python script
+ copy:
+ dest: '/etc/raddb/mods-config/python/assha.py'
+ src: 'radius/assha.py'
+ owner: root
+ group: root
+ mode: 0755
+ notify:
+ - restart radiusd
+
 - name: Configure radius clients
 template:
 dest: '/etc/raddb/clients.conf'
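Review bot: The `Create assha python script` task in the second hunk copies into `/etc/raddb/mods-config/python/`, and no task in this file creates that directory; presumably the `freeradius-python` package installed in the first hunk provides it, but `copy` fails outright if it does not, so either confirm that or add a `file: state: directory` task ahead of it. The file is a module that rlm_python imports rather than a program radiusd executes, so `mode: 0755` grants an execute bit it does not need; `mode: 0644` is sufficient and matches how the other config files this role copies are treated (keep the unquoted octal form the surrounding tasks already use).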
@@ -49,17 +45,35 @@
 mode: 0640
 notify:
 - restart radiusd
-- name: Enable labitat site
+
+- name: Configure radius sites
+ file:
+ path: '/etc/raddb/sites-enabled/{{ item.name }}'
+ src: '../sites-available/{{ item.name }}'
+ state: '{{ item.state }}'
+ owner: root
+ group: radiusd
+ force: yes
+ with_items:
+ - { name: default, state: absent }
+ - { name: inner-tunnel, state: absent }
+ - { name: labitat, state: link }
+ - { name: labitat-inner, state: link }
+ notify:
+ - restart radiusd
+
+- name: Configure radius modules
 file:
- path: '/etc/raddb/sites-enabled/{{ item }}'
- src: '../sites-available/{{ item }}'
- state: link
+ path: '/etc/raddb/mods-enabled/{{ item.name }}'
+ src: '../mods-available/{{ item.name }}'
+ state: '{{ item.state }}'
 owner: root
 group: radiusd
 force: yes
 with_items:
- - labitat
- - labitat-inner
+ - { name: files, state: absent }
+ - { name: python, state: absent }
+ - { name: python-assha, state: link }
 notify:
 - restart radiusd
@@ -70,6 +84,7 @@
 owner: root
 group: radiusd
 mode: 0750
+
 - name: Create getusers service and timer
 copy:
 dest: '/etc/systemd/system/{{ item }}'
@@ -103,6 +118,7 @@
 owner: root
 group: root
 mode: 0755
+
 - name: Start radiusd after networks are configured
 copy:
 dest: '/etc/systemd/system/radiusd.service.d/wait-online.conf'
diff --git a/roles/space_server/templates/radius/getusers.sh.j2 b/roles/space_server/templates/radius/getusers.sh.j2
index 25068a8..b7e6659 100755
--- a/roles/space_server/templates/radius/getusers.sh.j2
+++ b/roles/space_server/templates/radius/getusers.sh.j2
@@ -12,5 +12,5 @@ trap cleanup EXIT SIGINT SIGTERM
 curl -fs -o "$tmpfile" '{{ radius_passwords.download_url }}'
 if ! diff -q "$tmpfile" "$outfile" >/dev/null; then
 install -m0640 "$tmpfile" "$outfile"
- systemctl restart radiusd.service
+ #systemctl restart radiusd.service
 fi
-- 
cgit v1.2.1
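Review bot: The new `#systemctl restart radiusd.service` line in getusers.sh.j2 leaves commented-out code with no explanation of why the restart went away; delete it and state the reason instead, e.g. `# no restart needed: assha.py re-reads the authorize file on every request`. That reason also changes who reads the file: radiusd now opens it at request time as the daemon's own user, rather than picking it up across a restart, so the `install -m0640 "$tmpfile" "$outfile"` context line must leave the file readable by that user — `install` without `-o`/`-g` gives the file the invoking process's owner and group, so if this timer runs as root an explicit `-g radiusd` (or a group check) is needed for the 0640 mode to work. I cannot see the file's current ownership or the unit's `User=` from here, so confirm on the host. The script's earlier setup (the tmpfile and the `cleanup` trap) is outside the hunk.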