[debian-edu-commits] [Git][debian-edu/debian-edu-config][personal/gber/ldap-uid-gid] 3 commits: setup-freeradius-server: Set commonName and subjectAltNames on the server cert

Mike Gabriel (@sunweaver) gitlab at salsa.debian.org
Tue Sep 26 11:32:25 BST 2023



Mike Gabriel pushed to branch personal/gber/ldap-uid-gid at Debian Edu / debian-edu-config


Commits:
ed1d0ca1 by Guido Berhoerster at 2023-09-25T17:59:16+02:00
setup-freeradius-server: Set commonName and subjectAltNames on the server cert

Closes: #1010159.

- - - - -
e29c074f by Guido Berhoerster at 2023-09-25T17:59:35+02:00
setup-freeradius-server: Improve robustness

Use update-ini-file for OpenSSL config files.
Use more precise sed substitutions which do not rely on example values.
Increase password length from 8 to 16 characters.

- - - - -
02c4c4c1 by Guido Berhoerster at 2023-09-26T10:32:16+00:00
Change minimum UID/GID for LDAP user to 2000

With this change local user accounts now use the UID/GID range 1000-1999
instead of 500-999 whereas LDAP user accounts use 2000-59999 instead of
1000-59999.  This is to reserve UID/GID 0-999 for system users which is the
default in Debian and not conforming to it is increasingly problematic as
packages are beginning to use systemd-sysusers for creating system user
accounts which does not obey /etc/adduser.conf or /etc/login.defs by default.

The first user account created during installation now has UID/GID 2000 instead
of 1000.

Configure gosa and adjust ldap-createuser-krb5 accordingly.

Closes: #1003192.

- - - - -


10 changed files:

- cf3/cf.adduser
- ldap-bootstrap/firstuser.ldif
- ldap-tools/ldap-createuser-krb5
- ldap-tools/ldap-debian-edu-install
- share/debian-edu-config/d-i/pre-pkgsel
- share/debian-edu-config/gosa.conf.template
- share/debian-edu-config/pam-nopwdchange.py
- share/debian-edu-config/tools/goodbye-user-session
- share/debian-edu-config/tools/kerberos-kdc-init
- share/debian-edu-config/tools/setup-freeradius-server


Changes:

=====================================
cf3/cf.adduser
=====================================
@@ -17,10 +17,8 @@ bundle edit_line adduser_conf
 
 replace_patterns:
 
-  "FIRST_UID=1000" replace_with => value("FIRST_UID=500");
-  "LAST_UID=59999" replace_with => value("LAST_UID=999");
-  "FIRST_GID=1000" replace_with => value("FIRST_GID=500");
-  "LAST_GID=59999" replace_with => value("LAST_GID=999");
+  "LAST_UID=59999" replace_with => value("LAST_UID=1999");
+  "LAST_GID=59999" replace_with => value("LAST_GID=1999");
   "DIR_MODE=0755"  replace_with => value("DIR_MODE=0700");
 }
 
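Review bot: The two remaining `replace_patterns` only fire when adduser.conf contains the literal `LAST_UID=59999` / `LAST_GID=59999`; if the shipped default is commented out, spaced differently or carries another value, the edit is silently skipped and locally created accounts keep an upper bound of 59999, overlapping the LDAP range that ldap-createuser-krb5 now starts at 2000, so a local and an LDAP account could end up sharing a UID. Since cfengine treats these patterns as regular expressions, anchoring on the key rather than on the example value is more robust: `"^#?[[:blank:]]*LAST_UID=.*" replace_with => value("LAST_UID=1999");` and the same for `LAST_GID`. A comment above the block stating the intended split would also help, e.g. `# local accounts: 1000-1999 (distro default FIRST_UID/FIRST_GID); LDAP accounts: 2000 and up`.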


=====================================
ldap-bootstrap/firstuser.ldif
=====================================
@@ -15,8 +15,8 @@ cn: $FIRSTUSERGECOS
 userPassword: $FIRSTUSERPWDHASH
 homeDirectory: /skole/tjener/home0/$FIRSTUSERNAME
 loginShell: /bin/bash
-uidNumber: 1000
-gidNumber: 1000
+uidNumber: 2000
+gidNumber: 2000
 gecos: $FIRSTUSERGECOS
 shadowLastChange: 14818
 
@@ -25,4 +25,4 @@ objectClass: top
 objectClass: posixGroup
 cn: $FIRSTUSERNAME
 description: Group of user $FIRSTUSERNAME
-gidNumber: 1000
+gidNumber: 2000
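Review bot: The first user's UID/GID 2000 is now hard-coded here as well as in ldap-debian-edu-install (`chown -R 2000:2000`), kerberos-kdc-init (`FIRSTUSERUID=2000`/`FIRSTUSERGID=2000`), ldap-createuser-krb5 (`LASTID=1999`), gosa.conf.template (`uidNumberBase`/`gidNumberBase`) and pam-nopwdchange.py, so the next range change has to be repeated in six places and a missed one would silently leave two ranges disagreeing. Since this template already expands `$FIRSTUSERNAME`, a `$FIRSTUSERUID`/`$FIRSTUSERGID` filled in by the same mechanism from one shared definition would keep the values in step, though how the template is expanded is not visible here. At minimum a comment next to these attributes, e.g. `# 2000 = first UID/GID of the LDAP range (local accounts use 1000-1999)`, records why the value is not the Debian default of 1000.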


=====================================
ldap-tools/ldap-createuser-krb5
=====================================
@@ -91,11 +91,11 @@ HOMEDIR=/skole/tjener/home0/$USERNAME
 KRB5DOMAIN=INTERN
 PWLASTCHANGE=$(( $(date +%s) / (60 * 60 * 24) ))
 
-LASTID="$(ldapsearch -x -LLL -o ldif-wrap=no '(|(&(objectclass=posixaccount)(uidNumber>=1000)(uidNumber<=10000))(&(objectclass=posixgroup)(gidNumber>=1000)(gidNumber<=10000)))' uidnumber gidnumber 2>/dev/null | awk '/^[ug]idNumber: / {if (max < $2) { max = $2; } } END { print max}')"
+LASTID="$(ldapsearch -x -LLL -o ldif-wrap=no '(|(&(objectclass=posixaccount)(uidNumber>=2000)(uidNumber<=10000))(&(objectclass=posixgroup)(gidNumber>=2000)(gidNumber<=10000)))' uidnumber gidnumber 2>/dev/null | awk '/^[ug]idNumber: / {if (max < $2) { max = $2; } } END { print max}')"
 
-# If no ID was found, use LASTID=1000-1 to get uid/gid=1000
+# If no ID was found, use LASTID=2000-1 to get uid/gid=2000
 if [ -z "$LASTID" ] ; then
-    LASTID=999
+    LASTID=1999
 fi
 
 NEWUID=$(( $LASTID + 1 ))
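Review bot: A failed `ldapsearch` and an empty directory are indistinguishable on the new LASTID line: stderr is discarded, the pipeline's exit status is awk's, and an empty `$LASTID` falls through to `LASTID=1999`, so a transient LDAP error would hand a new account UID/GID 2000 — the UID the first user already holds in firstuser.ldif. Running the search into a variable before piping to awk lets the script stop on error instead, e.g. `IDS="$(ldapsearch -x -LLL -o ldif-wrap=no '…' uidnumber gidnumber)" || { echo "error: ldapsearch failed" >&2; exit 1; }` followed by `LASTID="$(printf '%s\n' "$IDS" | awk '…')"`. The upper bound `uidNumber<=10000` also looks inconsistent with the 2000-59999 range the commit message describes, though the intended maximum is not visible in the hunk.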


=====================================
ldap-tools/ldap-debian-edu-install
=====================================
@@ -363,7 +363,7 @@ if [ -x /usr/bin/certutil ] ; then
   mkdir -p /skole/tjener/home0/"$FIRSTUSERNAME"/.pki/nssdb
   chmod -R 700 /skole/tjener/home0/"$FIRSTUSERNAME"/.pki/nssdb
   certutil  -A -d sql:/skole/tjener/home0/"$FIRSTUSERNAME"/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
-  chown -R 1000:1000 /skole/tjener/home0/"$FIRSTUSERNAME"/
+  chown -R 2000:2000 /skole/tjener/home0/"$FIRSTUSERNAME"/
   echo "info: created PKI nssdb files for first-user"
 fi
 


=====================================
share/debian-edu-config/d-i/pre-pkgsel
=====================================
@@ -269,8 +269,8 @@ EOF
 create_initial_localadmin_user() {
     LOCAL_USER_ID="localadmin"
     LOCAL_USER_GECOS="Local Administrator"
-    LOCAL_USER_UIDNUMBER="500"
-    LOCAL_USER_PRIMGIDNUMBER="500"
+    LOCAL_USER_UIDNUMBER="1000"
+    LOCAL_USER_PRIMGIDNUMBER="1000"
 
     LOCAL_USER_INGROUPS="$LOCAL_USER_INGROUPS adm sudo"
 


=====================================
share/debian-edu-config/gosa.conf.template
=====================================
@@ -361,8 +361,8 @@
         userRDN="ou=people"
         groupRDN="ou=group"
         netgroupRDN="ou=netgroup"
-        gidNumberBase="1000"
-        uidNumberBase="1000"
+        gidNumberBase="2000"
+        uidNumberBase="2000"
         loginAttribute="uid"
         timezone="Etc/UTC"
         honourUnitTags="false"


=====================================
share/debian-edu-config/pam-nopwdchange.py
=====================================
@@ -30,7 +30,7 @@ def pam_sm_chauthtok(pamh, flags, argv):
   user = pamh.get_user(None)
   userinfo = pwd.getpwnam(user)
   uid = userinfo[2]
-  if 1000 <= uid:
+  if 2000 <= uid:
     text = "\nPlease visit https://www/gosa to change your password for Debian Edu / Skolelinux. Thanks!\n"
     msg = pamh.Message(pamh.PAM_TEXT_INFO, text)
     pamh.conversation(msg)
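Review bot: The threshold `2000` on the changed line is a bare magic number that now departs from the Debian convention of 1000 for regular users, so a reader cannot tell which accounts are meant without consulting the other files in this commit. A comment immediately above it would carry that: `# UIDs >= 2000 are LDAP accounts managed via GOsa; local accounts use 1000-1999 and are not redirected`. `pam_sm_chauthtok` continues outside the hunk.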


=====================================
share/debian-edu-config/tools/goodbye-user-session
=====================================
@@ -16,7 +16,7 @@
 # with this program; if not, write to the Free Software Foundation, Inc.,
 # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 
-if [ $EUID -ge 500 ]; then
+if [ $EUID -ge 1000 ]; then
 
 	# safety net for well-known browsers
 	pkill -TERM -u "${LOGNAME}" x-www-browser
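Review bot: `$EUID` on the changed line is a bash-specific variable and is unquoted; if this script is run by a POSIX `sh` (the shebang is outside the hunk) it expands to nothing and `[ -ge 1000 ]` fails with a syntax error, so no session cleanup happens for any user. `if [ "$(id -u)" -ge 1000 ]; then` behaves the same under any shell. The `if` body continues past the hunk.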


=====================================
share/debian-edu-config/tools/kerberos-kdc-init
=====================================
@@ -248,8 +248,8 @@ firstuser_post() {
     cp -r /etc/skel $HOMEDIR
 
     # Must use uid/gid as NSS is not able to connect to LDAP yet
-    FIRSTUSERUID=1000
-    FIRSTUSERGID=1000
+    FIRSTUSERUID=2000
+    FIRSTUSERGID=2000
     chown -R $FIRSTUSERUID:$FIRSTUSERGID $HOMEDIR
 
     pwlen=$(echo -n "$FIRSTUSERPWD" | wc -c)


=====================================
share/debian-edu-config/tools/setup-freeradius-server
=====================================
@@ -115,31 +115,75 @@ cd -
 service freeradius stop
 
 # Generate freeRADIUS specific CA and server certificates and make them available.
-chmod +x bootstrap
-PASSWORD="$(pwgen -1)"
-
-for i in *.cnf xpextensions ; do
-	sed -i "s#whatever#$PASSWORD#g" $i
-	sed -i 's#FR#NO#g' $i
-	sed -i 's#Example Inc.#Debian Edu#g' $i
-	sed -i 's#admin at example.org#postmaster at postoffice.intern#g' $i
-	sed -i 's#user at example.org#user at postoffice.intern#g' $i
-	sed -i 's#example.org/example#intern/intern#g' $i
-	sed -i 's#example.com/example#intern/intern#g' $i
-	sed -i 's#Example S#Debian Edu freeRADIUS S#g' $i
-	sed -i 's#Example C#Debian Edu freeRADIUS C#g' $i
-	sed -i 's#*example.com#*intern#g' $i
-	sed -i 's#radius.example.com#freeradius.intern#g' $i
-	sed -i 's#= 60#= 3650#g' $i
-	sed -i 's#Example Inner S#Debian Edu freeRADIUS Inner S#g' $i
-done
-
-sed -i "s#whatever#$PASSWORD#g" ../mods-available/eap
-sed -i 's#ssl-cert-snakeoil.pem#freeradius-server.crt#' ../mods-available/eap
-sed -i 's#ssl-cert-snakeoil.key#freeradius-server.key#' ../mods-available/eap
-sed -i 's#ca-certificates.crt#freeradius-ca.crt#' ../mods-available/eap
-
-./bootstrap
+PASSWORD="$(pwgen -1 16)"
+
+update-ini-file ca.cnf           req input_password "${PASSWORD}"
+update-ini-file client.cnf       req input_password "${PASSWORD}"
+update-ini-file inner-server.cnf req input_password "${PASSWORD}"
+update-ini-file server.cnf       req input_password "${PASSWORD}"
+
+update-ini-file ca.cnf           req output_password "${PASSWORD}"
+update-ini-file client.cnf       req output_password "${PASSWORD}"
+update-ini-file inner-server.cnf req output_password "${PASSWORD}"
+update-ini-file server.cnf       req output_password "${PASSWORD}"
+
+update-ini-file ca.cnf           certificate_authority countryName NO
+update-ini-file client.cnf       client countryName NO
+update-ini-file inner-server.cnf server countryName NO
+update-ini-file server.cnf       server countryName NO
+
+update-ini-file ca.cnf           certificate_authority organizationName "Debian Edu"
+update-ini-file client.cnf       client organizationName "Debian Edu"
+update-ini-file inner-server.cnf server organizationName "Debian Edu"
+update-ini-file server.cnf       server organizationName "Debian Edu"
+
+update-ini-file xpextensions     xpclient_ext crlDistributionPoints URI:http://www.intern/intern_ca.crl
+update-ini-file xpextensions     xpserver_ext crlDistributionPoints URI:http://www.intern/intern_ca.crl
+update-ini-file ca.cnf           CA_default   crlDistributionPoints URI:http://www.intern/intern_ca.crl
+update-ini-file ca.cnf           v3_ca        crlDistributionPoints URI:http://www.intern/intern_ca.crl
+
+update-ini-file ca.cnf           certificate_authority emailAddress postmaster at postoffice.intern
+update-ini-file inner-server.cnf server emailAddress postmaster at postoffice.intern
+update-ini-file server.cnf       server emailAddress postmaster at postoffice.intern
+
+update-ini-file client.cnf       client commonName   user at postoffice.intern
+update-ini-file client.cnf       client emailAddress user at postoffice.intern
+
+update-ini-file ca.cnf           certificate_authority commonName '"Debian Edu freeRADIUS Certificate Authority"'
+update-ini-file server.cnf       server commonName freeradius.intern
+
+update-ini-file server.cnf       alt_names DNS.1 freeradius.intern
+
+update-ini-file ca.cnf           CA_default default_days 3650
+update-ini-file client.cnf       CA_default default_days 3650
+update-ini-file inner-server.cnf CA_default default_days 3650
+update-ini-file server.cnf       CA_default default_days 3650
+
+update-ini-file inner-server.cnf server commonName '"Debian Edu freeRADIUS Inner Server Certificate"'
+
+grep -q '^[[:blank:]]*subjectAltName[[:blank:]=]' xpextensions || cat >>xpextensions <<'EOF'
+
+subjectAltName = @alt_names
+
+#  This should be a host name of the RADIUS server.
+#  Note that the host name is exchanged in EAP *before*
+#  the user machine has network access.  So the host name
+#  here doesn't really have to match anything in DNS.
+[alt_names]
+DNS.1 = freeradius.intern
+
+# NAIRealm from RFC 7585
+otherName.0 = 1.3.6.1.5.5.7.8.8;FORMAT:UTF8,UTF8:*.intern
+EOF
+
+sed -i \
+    -e "/^[[:blank:]]*private_key_password[[:blank:]=]/s#=.*#= $PASSWORD#g" \
+    -e '/^[[:blank:]]*certificate_file[[:blank:]=]/s#=.*#= /etc/ssl/certs/freeradius-server.crt#g' \
+    -e '/^[[:blank:]]*private_key_file[[:blank:]=]/s#=.*#= /etc/ssl/private/freeradius-server.key#g' \
+    -e '/^[[:blank:]]*ca_file[[:blank:]=]/s#=.*#= /etc/ssl/certs/freeradius-ca.crt#g' \
+    ../mods-available/eap
+
+sh ./bootstrap
 
 chmod 644 dh server.crt server.pem ca.pem ca.der
 chmod 640 server.key
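Review bot: The key passphrase in `$PASSWORD` is handed to `update-ini-file` as a command-line argument eight times and once more to `sed`, so it is visible in the process list to every local account while the script runs, and it is then stored in clear text in ca.cnf, client.cnf, inner-server.cnf, server.cnf and ../mods-available/eap. The hunk tightens server.key to 640 but the .cnf files holding the same passphrase are not touched here; unless that happens elsewhere, `chmod 600 ca.cnf client.cnf inner-server.cnf server.cnf` before the `update-ini-file` calls would close that gap, and the argv exposure could only be avoided if update-ini-file can read the value from stdin, which is not visible here. `PASSWORD="$(pwgen -1 16)"` is also never checked; if pwgen is missing it is empty and the OpenSSL configs would be written with an empty passphrase, so `[ -n "$PASSWORD" ] || { echo "error: pwgen failed" >&2; exit 1; }` belongs right after it.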
@@ -157,8 +201,6 @@ fi
 # Cleanup the certs dir.
 make clean
 
-chmod -x bootstrap
-
 # Start the configured freeRADIUS service and give some feedback.
 service freeradius start
 


