From 4c83de3995557eb1702234ec6290d7409eb4cff2 Mon Sep 17 00:00:00 2001
From: t3chn0m4g3
Date: Mon, 7 Mar 2016 15:48:44 +0100
Subject: [PATCH] rewrite 2fa_enable, delete ssh_enable
---
 installer/home/2fa_enable.sh | 59 ++++++++++++++++++++++--------------
 1 file changed, 36 insertions(+), 23 deletions(-)
diff --git a/installer/home/2fa_enable.sh b/installer/home/2fa_enable.sh
index 95561116..796739c2 100755
--- a/installer/home/2fa_enable.sh
+++ b/installer/home/2fa_enable.sh
@@ -2,30 +2,43 @@
 ########################################################
 # T-Pot #
-# Two-Factor authentication enable script #
+# Two-Factor-Authentication and SSH enable script #
 # #
-# v0.01 by mo, DTAG, 2015-06-15 #
+# v16.03.1 by mo, DTAG, 2016-03-07 #
 ########################################################
+myBACKTITLE="T-Pot - Two-Factor-Authentication and SSH enable script"
 
-echo "### This script will enable Two-Factor-Authentication based on Google Authenticator for SSH."
-while true
-do
- echo -n "### Do you want to continue (y/n)? "; read myANSWER;
- case $myANSWER in
- n)
- echo "### Exiting."
- exit 0;
- ;;
- y)
- break
- ;;
- esac
-done
-if [ -f /etc/pam.d/sshd.bak ];
- then echo "### Already enabled. Exiting."
- exit 1;
+
+# Let's ask if the user wants to enable two-factor ...
+dialog --backtitle "$myBACKTITLE" --title "[ Enable 2FA? ]" --yesno "\nDo you want to enable Two-Factor-Authentication based on Google Authenticator for SSH?" 8 70
+my2FA=$?
+
+# Let's ask if the user wants to enable ssh ...
+dialog --backtitle "$myBACKTITLE" --title "[ Enable SSH? ]" --yesno "\nDo you want to enable the SSH service?" 8 70
+mySSH=$?
+
+# Enable 2FA
+if [ $my2FA == 0 ] && ! [ -f /etc/pam.d/sshd.bak ];
+ then
+ clear
+ sudo sed -i.bak '\# PAM#aauth required pam_google_authenticator.so' /etc/pam.d/sshd
+ sudo sed -i.bak 's#ChallengeResponseAuthentication no#ChallengeResponseAuthentication yes#' /etc/ssh/sshd_config
+ google-authenticator -t -d -f -r 3 -R 30 -w 21
+ echo "2FA enabled. Please press return to continue ..."
+ read
+ elif [ -f /etc/pam.d/sshd.bak ]
+ then
+ dialog --backtitle "$myBACKTITLE" --title "[ Already enabled ]" --msgbox "\nIt seems that Two-Factor-Authentication has already been enabled. Please run 'google-authenticator -t -d -f -r 3 -R 30 -w 21' if you want to rewrite your token." 
8 70
+fi
+
+# Enable SSH
+if [ $mySSH == 0 ] && [ -f /etc/init/ssh.override ];
+ then
+ clear
+ sudo rm /etc/init/ssh.override
+ sudo service ssh start
+ dialog --backtitle "$myBACKTITLE" --title "[ SSH enabled ]" --msgbox "\nThe SSH service has been enabled and is now reachable via port tcp/64295. Password authentication is disabled by default." 8 70
+ elif ! [ -f /etc/init/ssh.override ]
+ then
+ dialog --backtitle "$myBACKTITLE" --title "[ Already enabled ]" --msgbox "\nIt seems that SSH has already been enabled." 8 70
 fi
-sudo sed -i.bak '\# PAM#aauth required pam_google_authenticator.so' /etc/pam.d/sshd
-sudo sed -i.bak 's#ChallengeResponseAuthentication no#ChallengeResponseAuthentication yes#' /etc/ssh/sshd_config
-google-authenticator -t -d -f -r 3 -R 30 -w 21
-echo "### Please do not forget to run the ssh_enable script."
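Review bot: In the "Enable 2FA" branch the text "2FA enabled" is printed without checking the exit status of `google-authenticator`, and both `sed -i.bak` edits run before the token exists. If token setup is aborted, `/etc/pam.d/sshd` already requires `pam_google_authenticator.so`, and because `/etc/pam.d/sshd.bak` now exists, every later run reports 2FA as already enabled. The branch also never restarts sshd, so when SSH is already running (no `/etc/init/ssh.override`) the `ChallengeResponseAuthentication yes` change presumably stays inactive until the next restart, while the operator has been told 2FA is on. Creating the token first, editing the two files only on success, and restarting a running sshd would close both gaps.

```shell
if [ $my2FA == 0 ] && ! [ -f /etc/pam.d/sshd.bak ];
  then
    clear
    # Create the token first so PAM only starts requiring it once a secret exists.
    if google-authenticator -t -d -f -r 3 -R 30 -w 21
      then
        sudo sed -i.bak '\# PAM#aauth required pam_google_authenticator.so' /etc/pam.d/sshd
        sudo sed -i.bak 's#ChallengeResponseAuthentication no#ChallengeResponseAuthentication yes#' /etc/ssh/sshd_config
        # A running sshd keeps its old configuration; restart it unless SSH is still held back by the override file.
        [ -f /etc/init/ssh.override ] || sudo service ssh restart
        echo "2FA enabled. Please press return to continue ..."
      else
        echo "Token setup did not complete, 2FA was not enabled. Please press return to continue ..."
    fi
    read
# … unchanged: elif "Already enabled" message box and the "Enable SSH" block …
```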