Use new smartauthmon C++ program instead of the old bash script for smartcard authentication

This plugs several possible security holes


git-svn-id: svn://anonsvn.kde.org/home/kde/branches/trinity/applications/smartcardauth@1254687 283d02a7-25f6-0310-bc7c-ecb5cbfe19da
v3.5.13-sru
tpearson 13 years ago
parent 125b13c176
commit 32b6f4c4ae

2
debian/control vendored

@ -13,7 +13,7 @@ Conflicts: openct
Description: SmartCard Login and LUKS Decrypt, Setup Utility Description: SmartCard Login and LUKS Decrypt, Setup Utility
This utility will allow you to set up your computer to accept a SmartCard as an authentication source for: This utility will allow you to set up your computer to accept a SmartCard as an authentication source for:
- Your encrypted LUKS partition - Your encrypted LUKS partition
- KDE3.5, including automatic login, lock, and unlock features - TDE, including automatic login, lock, and unlock features
It is designed to work with any ISO 7816-1,2,3,4 compliant smartcard It is designed to work with any ISO 7816-1,2,3,4 compliant smartcard
Examples of such cards are: Examples of such cards are:
- The Schlumberger MultiFlex - The Schlumberger MultiFlex

@ -8,7 +8,7 @@ start on (filesystem
stop on stopping kdm-trinity stop on stopping kdm-trinity
script script
if [ -e /usr/bin/smartauthmon.sh ]; then if [ -e /usr/bin/smartauthmon ]; then
/usr/bin/smartauthmon.sh /usr/bin/smartauthmon
fi fi
end script end script

@ -1,4 +1,7 @@
all: ckpasswd.o xmalloc.o messages.o ckpasswd all: ckpasswd.o xmalloc.o messages.o ckpass.o ckpasswd smartauthmon
ckpass.o: ckpass.c
gcc ckpass.c -c
ckpasswd.o: ckpasswd.c ckpasswd.o: ckpasswd.c
gcc ckpasswd.c -c gcc ckpasswd.c -c
@ -9,14 +12,14 @@ xmalloc.o: xmalloc.c
messages.o: messages.c messages.o: messages.c
gcc messages.c -c gcc messages.c -c
#smartauthmon.o: smartauthmon.cpp smartauthmon.o: smartauthmon.cpp
# g++ -I/usr/include/tqt -I/usr/include/qt3 smartauthmon.cpp -c g++ -I/usr/include/tqt -I/usr/include/qt3 smartauthmon.cpp -c
ckpasswd: ckpasswd.o ckpasswd: ckpasswd.o
gcc ckpasswd.o xmalloc.o messages.o -o ckpasswd -lpam -lcrypt gcc ckpasswd.o xmalloc.o messages.o -o ckpasswd -lpam -lcrypt
#ckpasswd: smartauthmon.o smartauthmon: smartauthmon.o ckpass.o
# gcc smartauthmon.o -o smartauthmon -ltqt gcc smartauthmon.o ckpass.o xmalloc.o messages.o -o smartauthmon -ltqt -lpam -lcrypt
clean: clean:
rm -f ckpasswd.o xmalloc.o messages.o ckpasswd rm -f ckpasswd.o xmalloc.o messages.o ckpasswd

@ -0,0 +1,284 @@
/* $Id: ckpasswd.c 7565 2006-08-28 02:42:54Z eagle $
**
** The default username/password authenticator.
**
** This program is intended to be run by nnrpd and handle usernames and
** passwords. It can authenticate against a regular flat file (the type
** managed by htpasswd), a DBM file, the system password file or shadow file,
** or PAM.
*/
/* Used for unused parameters to silence gcc warnings. */
#define UNUSED __attribute__((__unused__))
/* Make available the bool type. */
#if INN_HAVE_STDBOOL_H
# include <stdbool.h>
#else
# undef true
# undef false
# define true (1)
# define false (0)
# ifndef __cplusplus
# define bool int
# endif
#endif /* INN_HAVE_STDBOOL_H */
#include <stdlib.h>
#include <string.h>
#include <crypt.h>
#include <fcntl.h>
#include <pwd.h>
#include <grp.h>
#define DB_DBM_HSEARCH 1
#include <db.h>
#define OPT_DBM "d:"
#if HAVE_GETSPNAM
# include <shadow.h>
# define OPT_SHADOW "s"
#else
# define OPT_SHADOW ""
#endif
/* The functions are actually macros so that we can pick up the file and line
number information for debugging error messages without the user having to
pass those in every time. */
#define xcalloc(n, size) x_calloc((n), (size), __FILE__, __LINE__)
#define xmalloc(size) x_malloc((size), __FILE__, __LINE__)
#define xrealloc(p, size) x_realloc((p), (size), __FILE__, __LINE__)
#define xstrdup(p) x_strdup((p), __FILE__, __LINE__)
#define xstrndup(p, size) x_strndup((p), (size), __FILE__, __LINE__)
#include <security/pam_appl.h>
/* Holds the authentication information from nnrpd. */
struct auth_info {
char *username;
char *password;
};
/*
** The PAM conversation function.
**
** Since we already have all the information and can't ask the user
** questions, we can't quite follow the real PAM protocol. Instead, we just
** return the password in response to every question that PAM asks. There
** appears to be no generic way to determine whether the message in question
** is indeed asking for the password....
**
** This function allocates an array of struct pam_response to return to the
** PAM libraries that's never freed. For this program, this isn't much of an
** issue, since it will likely only be called once and then the program will
** exit. This function uses malloc and strdup instead of xmalloc and xstrdup
** intentionally so that the PAM conversation will be closed cleanly if we
** run out of memory rather than simply terminated.
**
** appdata_ptr contains the password we were given.
*/
static int pass_conv(int num_msg, const struct pam_message **msgm UNUSED, struct pam_response **response, void *appdata_ptr)
{
int i;
*response = malloc(num_msg * sizeof(struct pam_response));
if (*response == NULL)
return PAM_CONV_ERR;
for (i = 0; i < num_msg; i++) {
(*response)[i].resp = strdup((char *)appdata_ptr);
(*response)[i].resp_retcode = 0;
}
return PAM_SUCCESS;
}
/*
** Authenticate a user via PAM.
**
** Attempts to authenticate a user with PAM, returning true if the user
** successfully authenticates and false otherwise. Note that this function
** doesn't attempt to handle any remapping of the authenticated user by the
** PAM stack, but just assumes that the authenticated user was the same as
** the username given.
**
** Right now, all failures are handled via die. This may be worth revisiting
** in case we want to try other authentication methods if this fails for a
** reason other than the system not having PAM support.
*/
static bool auth_pam(const char *username, char *password)
{
pam_handle_t *pamh;
struct pam_conv conv;
int status;
conv.conv = pass_conv;
conv.appdata_ptr = password;
status = pam_start("nnrpd", username, &conv, &pamh);
if (status != PAM_SUCCESS)
die("pam_start failed: %s", pam_strerror(pamh, status));
status = pam_authenticate(pamh, PAM_SILENT);
if (status != PAM_SUCCESS)
die("pam_authenticate failed: %s", pam_strerror(pamh, status));
status = pam_acct_mgmt(pamh, PAM_SILENT);
if (status != PAM_SUCCESS)
die("pam_acct_mgmt failed: %s", pam_strerror(pamh, status));
status = pam_end(pamh, status);
if (status != PAM_SUCCESS)
die("pam_end failed: %s", pam_strerror(pamh, status));
/* If we get to here, the user successfully authenticated. */
return true;
}
/*
** Try to get a password out of a dbm file. The dbm file should have the
** username for the key and the crypted password as the value. The crypted
** password, if found, is returned as a newly allocated string; otherwise,
** NULL is returned.
*/
#if !(defined(HAVE_DBM) || defined(HAVE_BDB_DBM))
static char *
password_dbm(char *user UNUSED, const char *file UNUSED)
{
return NULL;
}
#else
static char *
password_dbm(char *name, const char *file)
{
datum key, value;
DBM *database;
char *password;
database = dbm_open(file, O_RDONLY, 0600);
if (database == NULL)
return NULL;
key.dptr = name;
key.dsize = strlen(name);
value = dbm_fetch(database, key);
if (value.dptr == NULL) {
dbm_close(database);
return NULL;
}
password = xmalloc(value.dsize + 1);
strlcpy(password, value.dptr, value.dsize + 1);
dbm_close(database);
return password;
}
#endif /* HAVE_DBM || HAVE_BDB_DBM */
/*
** Try to get a password out of the system /etc/shadow file. The crypted
** password, if found, is returned as a newly allocated string; otherwise,
** NULL is returned.
*/
#if !HAVE_GETSPNAM
static char *
password_shadow(const char *user UNUSED)
{
return NULL;
}
#else
static char *
password_shadow(const char *user)
{
struct spwd *spwd;
spwd = getspnam(user);
if (spwd != NULL)
return xstrdup(spwd->sp_pwdp);
return NULL;
}
#endif /* HAVE_GETSPNAM */
/*
** Try to get a password out of the system password file. The crypted
** password, if found, is returned as a newly allocated string; otherwise,
** NULL is returned.
*/
static char *
password_system(const char *username)
{
struct passwd *pwd;
pwd = getpwnam(username);
if (pwd != NULL)
return xstrdup(pwd->pw_passwd);
return NULL;
}
/*
** Try to get the name of a user's primary group out of the system group
** file. The group, if found, is returned as a newly allocated string;
** otherwise, NULL is returned. If the username is not found, NULL is
** returned.
*/
static char *
group_system(const char *username)
{
struct passwd *pwd;
struct group *gr;
pwd = getpwnam(username);
if (pwd == NULL)
return NULL;
gr = getgrgid(pwd->pw_gid);
if (gr == NULL)
return NULL;
return xstrdup(gr->gr_name);
}
/*
** Output username (and group, if desired) in correct return format.
*/
static void
output_user(const char *username, bool wantgroup)
{
if (wantgroup) {
char *group = group_system(username);
if (group == NULL)
die("group info for user %s not available", username);
printf("User:%s@%s\n", username, group);
}
else
printf("User:%s\n", username);
}
/*
** Main routines.
**
** We handle the variences between systems with #if blocks above, so that
** this code can look fairly clean.
*/
int
check_password(const char* username, const char* password)
{
bool wantgroup = false;
struct auth_info *authinfo = NULL;
authinfo = xmalloc(sizeof(struct auth_info));
authinfo->username = username;
authinfo->password = password;
if (auth_pam(authinfo->username, authinfo->password)) {
output_user(authinfo->username, wantgroup);
return 0;
}
password = password_system(authinfo->username);
if (password == NULL)
return 1;
if (strcmp(password, crypt(authinfo->password, password)) != 0)
return 1;
/* The password matched. */
output_user(authinfo->username, wantgroup);
return 0;
}

@ -252,11 +252,12 @@ output_user(const char *username, bool wantgroup)
/* /*
** Main routine. ** Main routines.
** **
** We handle the variences between systems with #if blocks above, so that ** We handle the variences between systems with #if blocks above, so that
** this code can look fairly clean. ** this code can look fairly clean.
*/ */
int int
main(int argc, char *argv[]) main(int argc, char *argv[])
{ {

@ -40,9 +40,19 @@
// The [secure] temporary directory for authentication // The [secure] temporary directory for authentication
#define SECURE_DIRECTORY_PATH "/tmp/smartauth" #define SECURE_DIRECTORY_PATH "/tmp/smartauth"
// The Trinity binary directory
#define TRINITY_BIN_PREFIX "/opt/trinity/bin/"
// Some internal constants // Some internal constants
#define CREATE_LIFE_CYCLE "01" #define CREATE_LIFE_CYCLE "01"
#define tqarg arg
// In ckpass.o
extern "C" {
int check_password(const char* username, const char* password);
}
static TQString secure_directory; static TQString secure_directory;
static TQString command_mode; static TQString command_mode;
static TQString select_file; static TQString select_file;
@ -251,6 +261,7 @@ int main (int argc, char *argv[])
{ {
TQString smartcard_username; TQString smartcard_username;
TQString oldsmartcard_username; TQString oldsmartcard_username;
TQString smartcard_password;
TQString smartcard_slave; TQString smartcard_slave;
TQString lverify; TQString lverify;
TQString cverify; TQString cverify;
@ -295,6 +306,18 @@ int main (int argc, char *argv[])
return 1; return 1;
} }
// Read hexidecimal_key from the system crypto files
FILE* fpkey = fopen("/etc/smartauth/smartauthmon.key", "rb");
if (fpkey == NULL) {
printf("Smart card login has been disabled. Exiting...\n\r");
return 1;
}
else {
fclose(fpkey);
}
hexidecimal_key = readfile("/etc/smartauth/smartauthmon.key");
hexidecimal_key.replace('\n', "");
oldsmartcard_username=""; oldsmartcard_username="";
printf("[DEBUG 400.0] Ready...\n\r"); printf("[DEBUG 400.0] Ready...\n\r");
while (1) { while (1) {
@ -371,9 +394,7 @@ int main (int argc, char *argv[])
// Now DES encrypt the challenge // Now DES encrypt the challenge
// Later, change the initialization vector to random if possible // Later, change the initialization vector to random if possible
// Read hexidecimal_key from the system crypto files and create the response from the challenge // Create the response from the challenge
hexidecimal_key = readfile("/etc/smartauth/smartauthmon.key");
hexidecimal_key.replace('\n', "");
systemexec((TQString("openssl des-ecb -in %1/challenge -out %2/response -K %3 -iv 1").tqarg(secure_directory).tqarg(secure_directory).tqarg(hexidecimal_key)).ascii()); systemexec((TQString("openssl des-ecb -in %1/challenge -out %2/response -K %3 -iv 1").tqarg(secure_directory).tqarg(secure_directory).tqarg(hexidecimal_key)).ascii());
if (command_mode == "acos") { if (command_mode == "acos") {
@ -414,15 +435,20 @@ int main (int argc, char *argv[])
// Get username and password // Get username and password
TQString response = get_file("10 02", "text"); TQString response = get_file("10 02", "text");
smartcard_username = readfile(response); smartcard_username = readfile(response);
unlink(response.ascii());
response = get_file("10 03", "text"); response = get_file("10 03", "text");
systemexec((TQString("mv %1 %2/password").tqarg(response).tqarg(secure_directory)).ascii()); smartcard_password = readfile(response.ascii());
unlink(response.ascii());
response = get_file("10 04", "text"); response = get_file("10 04", "text");
smartcard_slave = readfile(response); smartcard_slave = readfile(response);
unlink(response.ascii());
if (smartcard_slave == "SLAVE") { if (smartcard_slave == "SLAVE") {
get_file("10 05", "text"); get_file("10 05", "text");
smartcard_minutes_raw = readfile(response); smartcard_minutes_raw = readfile(response);
unlink(response.ascii());
get_file("10 06", "text"); get_file("10 06", "text");
internet_minutes = readfile(response).toInt(); internet_minutes = readfile(response).toInt();
unlink(response.ascii());
} }
} }
else { else {
@ -471,7 +497,7 @@ int main (int argc, char *argv[])
int waserror=0; int waserror=0;
int noactivesessions=0; int noactivesessions=0;
result = exec("/opt/trinity/bin/kdmctl -g list"); result = exec(TRINITY_BIN_PREFIX "kdmctl -g list");
if (result == "ok") { if (result == "ok") {
noactivesessions=1; noactivesessions=1;
result="okbutempty"; result="okbutempty";
@ -510,17 +536,12 @@ int main (int argc, char *argv[])
if (darray[index] != "") { if (darray[index] != "") {
printf("[DEBUG 400.a] Found existing session on desktop: %d\n\r", index); printf("[DEBUG 400.a] Found existing session on desktop: %d\n\r", index);
foundsession=1; foundsession=1;
// Check password
// FIXME
// This might expose the password for an instant
// Integrate the password checking from "ckpasswd.c" here instead
lverify = exec((TQString("/usr/bin/smartauthckpasswd -u %1 -p $(cat %2/password)").tqarg(darray[index]).tqarg(secure_directory)).ascii());
cverify = TQString("User:%1").tqarg(darray[index]);
udisplay = TQString(":%1").tqarg(index); udisplay = TQString(":%1").tqarg(index);
if (lverify == cverify) { // Check password
systemexec((TQString("su %1 -c \"export DISPLAY=%2; /opt/trinity/bin/dcop kdesktop KScreensaverIface quit\"").tqarg(smartcard_username).tqarg(udisplay)).ascii()); if (check_password(smartcard_username.ascii(), smartcard_password.ascii()) == 0) {
systemexec((TQString("su %1 -c \"export DISPLAY=%2; /opt/trinity/bin/dcop kdesktop KScreensaverIface enable false\"").tqarg(smartcard_username).tqarg(udisplay)).ascii()); systemexec((TQString("su %1 -c \"export DISPLAY=%2; " TRINITY_BIN_PREFIX "dcop kdesktop KScreensaverIface quit\"").tqarg(smartcard_username).tqarg(udisplay)).ascii());
systemexec((TQString("/opt/trinity/bin/kdmctl activate %1").tqarg(udisplay)).ascii()); systemexec((TQString("su %1 -c \"export DISPLAY=%2; " TRINITY_BIN_PREFIX "dcop kdesktop KScreensaverIface enable false\"").tqarg(smartcard_username).tqarg(udisplay)).ascii());
systemexec((TQString(TRINITY_BIN_PREFIX "kdmctl activate %1").tqarg(udisplay)).ascii());
} }
else { else {
systemexec("echo \"EUnauthorized SmartCard Inserted\" > /tmp/ksocket-global/kdesktoplockcontrol &"); systemexec("echo \"EUnauthorized SmartCard Inserted\" > /tmp/ksocket-global/kdesktoplockcontrol &");
@ -580,10 +601,16 @@ int main (int argc, char *argv[])
newdisplay = TQString(":%1").tqarg(newdisplayint); newdisplay = TQString(":%1").tqarg(newdisplayint);
printf("[DEBUG 400.f] The next display to start will be %s\n\r", newdisplay.ascii()); printf("[DEBUG 400.f] The next display to start will be %s\n\r", newdisplay.ascii());
systemexec("/opt/trinity/bin/kdmctl -g reserve"); systemexec(TRINITY_BIN_PREFIX "kdmctl -g reserve");
systemexec((TQString("/opt/trinity/bin/kdmctl -g login %1 now %2 $(cat %3/password)").tqarg(newdisplay).tqarg(smartcard_username).tqarg(secure_directory)).ascii()); TQString kdmctl_command = TQString("login\t%1\tnow\t%2\t%3\n").tqarg(newdisplay).tqarg(smartcard_username).tqarg(smartcard_password);
FILE* kdmctlpipe = popen(TRINITY_BIN_PREFIX "kdmctl -g -", "w");
if (pipe) {
fputs(kdmctl_command.ascii(), kdmctlpipe);
fflush(kdmctlpipe);
pclose(kdmctlpipe);
}
sleep(2); sleep(2);
systemexec((TQString("/opt/trinity/bin/kdmctl -g activate %1").tqarg(newdisplay)).ascii()); systemexec((TQString(TRINITY_BIN_PREFIX "kdmctl -g activate %1").tqarg(newdisplay)).ascii());
udisplay=newdisplay; udisplay=newdisplay;
} }
@ -603,8 +630,8 @@ int main (int argc, char *argv[])
while (output == 0) { while (output == 0) {
sleep(1); sleep(1);
systemexec((TQString("su %1 -c \"export DISPLAY=%2; /opt/trinity/bin/dcop kdesktop KScreensaverIface quit\"").tqarg(smartcard_username).tqarg(udisplay)).ascii()); systemexec((TQString("su %1 -c \"export DISPLAY=%2; " TRINITY_BIN_PREFIX "dcop kdesktop KScreensaverIface quit\"").tqarg(smartcard_username).tqarg(udisplay)).ascii());
systemexec((TQString("su %1 -c \"export DISPLAY=%2; /opt/trinity/bin/dcop kdesktop KScreensaverIface enable false\"").tqarg(smartcard_username).tqarg(udisplay)).ascii()); systemexec((TQString("su %1 -c \"export DISPLAY=%2; " TRINITY_BIN_PREFIX "dcop kdesktop KScreensaverIface enable false\"").tqarg(smartcard_username).tqarg(udisplay)).ascii());
output = systemexec("echo \"exit\" | scriptor 2>/dev/null 1>/dev/null"); output = systemexec("echo \"exit\" | scriptor 2>/dev/null 1>/dev/null");
if (smartcard_slave == "SLAVE") { if (smartcard_slave == "SLAVE") {
timer--; timer--;
@ -649,7 +676,7 @@ int main (int argc, char *argv[])
result="ok"; result="ok";
timeout=0; timeout=0;
errcode=0; errcode=0;
result = exec("/opt/trinity/bin/kdmctl -g list"); result = exec(TRINITY_BIN_PREFIX "kdmctl -g list");
if (result == "ok") { if (result == "ok") {
noactivesessions=1; noactivesessions=1;
result="okbutempty"; result="okbutempty";
@ -684,14 +711,16 @@ int main (int argc, char *argv[])
timeout=0; timeout=0;
blankresult=""; blankresult="";
while (blankresult != "true") { while (blankresult != "true") {
systemexec((TQString("/opt/trinity/bin/kdmctl -g activate %1").tqarg(udisplay)).ascii()); systemexec((TQString(TRINITY_BIN_PREFIX "kdmctl -g activate %1").tqarg(udisplay)).ascii());
systemexec((TQString("su %1 -c \"export DISPLAY=%2; /opt/trinity/bin/dcop kdesktop KScreensaverIface enable true\"").tqarg(smartcard_username).tqarg(udisplay)).ascii()); systemexec((TQString("su %1 -c \"export DISPLAY=%2; " TRINITY_BIN_PREFIX "dcop kdesktop KScreensaverIface enable true\"").tqarg(smartcard_username).tqarg(udisplay)).ascii());
systemexec((TQString("su %1 -c \"export DISPLAY=%2; /opt/trinity/bin/dcop kdesktop KScreensaverIface lock\"").tqarg(smartcard_username).tqarg(udisplay)).ascii()); systemexec((TQString("su %1 -c \"export DISPLAY=%2; " TRINITY_BIN_PREFIX "dcop kdesktop KScreensaverIface lock\"").tqarg(smartcard_username).tqarg(udisplay)).ascii());
int retcode; int retcode;
blankresult = execret(TQString("su %1 -c \"export DISPLAY=%2; /opt/trinity/bin/dcop kdesktop KScreensaverIface isBlanked\"").tqarg(smartcard_username).tqarg(udisplay).ascii(), &retcode); blankresult = execret(TQString("su %1 -c \"export DISPLAY=%2; " TRINITY_BIN_PREFIX "dcop kdesktop KScreensaverIface isBlanked\"").tqarg(smartcard_username).tqarg(udisplay).ascii(), &retcode);
if (retcode != 0) { if (retcode != 0) {
blankresult="true"; blankresult="true";
} }
blankresult = blankresult.replace('\n', "");
logouttest = exec((TQString("echo %1 | grep 'target display has no VT assigned'").tqarg(blankresult)).ascii()); logouttest = exec((TQString("echo %1 | grep 'target display has no VT assigned'").tqarg(blankresult)).ascii());
if (logouttest != "") { if (logouttest != "") {
printf("[DEBUG 401.6] User has logged out\n\r"); printf("[DEBUG 401.6] User has logged out\n\r");

@ -698,10 +698,10 @@ function loadpassword {
GREETER="Welcome to the SmartCard authentication setup utility!\n\nAUT1 is the manual update key\nAUT2 is the login key\nAUT3 is the LUKS decrypt key\n\nCard ATR: $smartatr\nDetected: $CARD_NICE_NAME\n\nPlease select an action from the list below:" GREETER="Welcome to the SmartCard authentication setup utility!\n\nAUT1 is the manual update key\nAUT2 is the login key\nAUT3 is the LUKS decrypt key\n\nCard ATR: $smartatr\nDetected: $CARD_NICE_NAME\n\nPlease select an action from the list below:"
while [[ 1 -eq 1 ]]; do while [[ 1 -eq 1 ]]; do
if [ -e "/usr/bin/smartauthmon.sh" ]; then if [ -e "/etc/smartauth/smartauthmon.key" ]; then
LOGINOPTION="Disable automatic login for KDE3.5" LOGINOPTION="Disable automatic login for TDE"
else else
LOGINOPTION="Enable automatic login for KDE3.5" LOGINOPTION="Enable automatic login for TDE"
fi fi
if [[ $COMMAND_MODE == "acos" ]]; then if [[ $COMMAND_MODE == "acos" ]]; then
@ -785,10 +785,6 @@ while [[ 1 -eq 1 ]]; do
if [ -e "/etc/smartauth/smartauthmon.key" ]; then if [ -e "/etc/smartauth/smartauthmon.key" ]; then
OLDKEY="<your key in hexadecimal>" OLDKEY="<your key in hexadecimal>"
NEWKEY=$(cat /etc/smartauth/smartauthmon.key) NEWKEY=$(cat /etc/smartauth/smartauthmon.key)
cp -Rp /etc/smartauth/smartauthmon.sh.in /usr/bin/smartauthmon.sh
sed -i "s#${OLDKEY}#${NEWKEY}#g" /usr/bin/smartauthmon.sh
chmod 600 /usr/bin/smartauthmon.sh
chmod a+x /usr/bin/smartauthmon.sh
fi fi
fi fi
fi fi
@ -849,10 +845,10 @@ while [[ 1 -eq 1 ]]; do
echo "Securing directories..." echo "Securing directories..."
chmod 600 "/boot/initrd.img-$(uname -r)" chmod 600 "/boot/initrd.img-$(uname -r)"
chmod -R 600 /etc/smartauth chmod -R 600 /etc/smartauth
if [ -e "/usr/bin/smartauthmon.sh" ]; then if [ -e "/etc/smartauth/smartauthmon.key" ]; then
echo "KDE3.5 login disabled; not altering" echo "TDE login disabled; not altering"
else else
selection="Enable automatic login for KDE3.5" selection="Enable automatic login for TDE"
fi fi
else else
zenity --error --text "A SmartCard authentication error has occurred.\nNo changes have been made to your system." zenity --error --text "A SmartCard authentication error has occurred.\nNo changes have been made to your system."
@ -949,10 +945,10 @@ while [[ 1 -eq 1 ]]; do
echo "Securing directories..." echo "Securing directories..."
chmod 600 "/boot/initrd.img-$(uname -r)" chmod 600 "/boot/initrd.img-$(uname -r)"
chmod -R 600 /etc/smartauth chmod -R 600 /etc/smartauth
if [ -e "/usr/bin/smartauthmon.sh" ]; then if [ -e "/etc/smartauth/smartauthmon.key" ]; then
selection="Enable automatic login for KDE3.5" selection="Enable automatic login for TDE"
else else
echo "KDE3.5 login disabled; not altering" echo "TDE login disabled; not altering"
fi fi
else else
zenity --error --text "A SmartCard authentication error has occurred." zenity --error --text "A SmartCard authentication error has occurred."
@ -968,25 +964,20 @@ while [[ 1 -eq 1 ]]; do
fi fi
fi fi
if [[ $selection = "Enable automatic login for KDE3.5" ]]; then if [[ $selection = "Enable automatic login for TDE" ]]; then
cp -Rp /etc/smartauth/smartauthmon.sh.in /usr/bin/smartauthmon.sh
OLDKEY="<your key in hexadecimal>" OLDKEY="<your key in hexadecimal>"
authenticatecard "AUT2" authenticatecard "AUT2"
if [[ $authenticated = "1" ]]; then if [[ $authenticated = "1" ]]; then
NEWKEY=$autkey NEWKEY=$autkey
echo $NEWKEY > /etc/smartauth/smartauthmon.key echo $NEWKEY > /etc/smartauth/smartauthmon.key
sed -i "s#${OLDKEY}#${NEWKEY}#g" /usr/bin/smartauthmon.sh
chmod 600 /usr/bin/smartauthmon.sh
chmod a+x /usr/bin/smartauthmon.sh
update-rc.d smartauthlogin defaults update-rc.d smartauthlogin defaults
/etc/init.d/smartauthlogin stop /etc/init.d/smartauthlogin stop
/etc/init.d/smartauthlogin start /etc/init.d/smartauthlogin start
fi fi
fi fi
if [[ $selection = "Disable automatic login for KDE3.5" ]]; then if [[ $selection = "Disable automatic login for TDE" ]]; then
/etc/init.d/smartauthlogin stop /etc/init.d/smartauthlogin stop
rm -rf /usr/bin/smartauthmon.sh
rm -rf /etc/smartauth/smartauthmon.key rm -rf /etc/smartauth/smartauthmon.key
update-rc.d -f smartauthlogin remove update-rc.d -f smartauthlogin remove
fi fi
@ -1002,7 +993,6 @@ while [[ 1 -eq 1 ]]; do
chmod -R 600 /etc/smartauth chmod -R 600 /etc/smartauth
chown -R root /etc/smartauth chown -R root /etc/smartauth
chmod a+x /usr/bin/smartauth.sh chmod a+x /usr/bin/smartauth.sh
chmod a+x /usr/bin/smartauthmon.sh
chmod 600 "/boot/initrd.img-$(uname -r)" chmod 600 "/boot/initrd.img-$(uname -r)"
chown root "/boot/initrd.img-$(uname -r)" chown root "/boot/initrd.img-$(uname -r)"
exit exit

@ -469,10 +469,10 @@ while [[ 1 -eq 1 ]]; do
echo "Securing directories..." echo "Securing directories..."
chmod 600 "/boot/initrd.img-$(uname -r)" chmod 600 "/boot/initrd.img-$(uname -r)"
chmod -R 600 /etc/smartauth chmod -R 600 /etc/smartauth
if [ -e "/usr/bin/smartauthmon.sh" ]; then if [ -e "/etc/smartauth/smartauthmon.key" ]; then
selection="Enable automatic login for KDE3.5" selection="Enable automatic login for TDE"
else else
echo "KDE3.5 login disabled; not altering" echo "TDE login disabled; not altering"
fi fi
else else
zenity --error --text "A SmartCard authentication error has occurred." zenity --error --text "A SmartCard authentication error has occurred."
@ -494,7 +494,6 @@ while [[ 1 -eq 1 ]]; do
chmod -R 600 /etc/smartauth chmod -R 600 /etc/smartauth
chown -R root /etc/smartauth chown -R root /etc/smartauth
chmod a+x /usr/bin/smartauth.sh chmod a+x /usr/bin/smartauth.sh
chmod a+x /usr/bin/smartauthmon.sh
chmod 600 "/boot/initrd.img-$(uname -r)" chmod 600 "/boot/initrd.img-$(uname -r)"
chown root "/boot/initrd.img-$(uname -r)" chown root "/boot/initrd.img-$(uname -r)"
exit exit

Loading…
Cancel
Save