#!/bin/bash
#
# Name: pam_panic_config
# Description: Create a pam_panic configuration.
# Author: Bandie <bandie@chaospott.de>
#
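# Generated PAM stack; other /etc/pam.d/ services "include pampanic" it later.
CONFIGFILE="/etc/pam.d/pampanic"
# Destination of the optional LUKS header backup. NOTE(review): under sudo,
# $HOME may still be the invoking user's home, and the backup holds the LUKS
# key slots -- it has to be moved off the disk that "serious" mode will wipe.
LHBU="$HOME/LUKSHeaderBackup"

# Substituted at build time. If the placeholders survive, the checks below
# fail and the script refuses to run rather than execute a bogus helper.
SECUREDIR="__SECURELIBDIR__"
PAMPANICPW="__PAMPANICPW__"
# The password helper is executed later, so it must be executable, not just present.
if [[ ! -d "$SECUREDIR" || ! -x "$PAMPANICPW" ]]; then
  echo "ERROR: Bash script was not build correctly." >&2
  exit 1
fi

# Everything below writes to /etc/pam.d, probes block devices and may run
# cryptsetup, so refuse to start unprivileged.
# NB: no `set -e` on purpose -- dialog reports the chosen button through
# non-zero exit statuses (1 = No/Cancel, 3 = extra button, 255 = ESC).
if [[ "$EUID" -ne 0 ]]; then
  echo "Please run this script as root or using sudo." >&2
  exit 1
fi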
# Cancel handler: reached from the dialog "Cancel" buttons and via the INT
# trap. Drops the menu scratch file (if any), clears the screen and exits 0.
cancel() {
  local scratch=".pam_panic_media_choice"
  rm -f -- "$scratch"
  clear
  printf '%s\n' "Bye! :)"
  exit 0
}
# CTRL+C behaves exactly like pressing Cancel
trap cancel INT
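# Succeed (status 0) iff block device $1 carries a GPT partition table.
# blkid's own exit status is passed through, so callers use it directly
# in `if checkGPT dev`; blkid's output is discarded.
checkGPT() {
  blkid -t PTTYPE=gpt "$1" >/dev/null
}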
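# Print the PARTUUID of partition $1 (empty output if it has none).
# Asking blkid for exactly that tag avoids depending on the column position
# of PARTUUID= in blkid's default output, which shifts when LABEL/TYPE vary.
getPARTUUID() {
  blkid -s PARTUUID -o value "$1"
}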
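# Locate the LUKS container among the partitions of /dev/sda.
#   $1 = UUID  -> print its UUID
#   $1 = NAME  -> print its device path
# Prints nothing and returns 1 unless exactly one LUKS partition is found:
# this device is what "serious" mode destroys, so with zero or several
# candidates we refuse to guess instead of handing the caller a multi-line
# value. NOTE(review): nothing here verifies that the container actually
# holds the root filesystem; only /dev/sda is scanned.
getLUKSDevice() {
  local part found
  local -a parts=()
  for part in /dev/sda*[1-9]; do
    [[ -e "$part" ]] && parts+=("$part")   # skip the literal glob when nothing matches
  done
  (( ${#parts[@]} )) || return 1
  case "$1" in
    UUID) found=$(blkid -t TYPE=crypto_LUKS -s UUID -o value "${parts[@]}" 2>/dev/null) ;;
    NAME) found=$(blkid -t TYPE=crypto_LUKS -o device "${parts[@]}" 2>/dev/null) ;;
    *) return 1 ;;
  esac
  [[ -n "$found" && "$found" != *$'\n'* ]] || return 1
  printf '%s\n' "$found"
}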
# Yes/no question box. $1 = title, $2 = question text.
# Returns dialog's status: 0 = yes, 1 = no, 255 = ESC.
ask() {
  local title="$1" question="$2"
  dialog --backtitle "pam_panic's Configuration Generator" \
    --title "$title" --yesno "$question" 8 80
}
# Message box with an OK button. $1 = title, $2 = message text.
# Returns dialog's status (0 = OK, 255 = ESC).
msg() {
  local title="$1" text="$2"
  dialog --backtitle "pam_panic's Configuration Generator" \
    --title "$title" --msgbox "$text" 8 80
}
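# Print "<index> <partition>[<PARTUUID>] " pairs for every partition of every
# GPT-formatted disk /dev/sd[b-z], i.e. the tag/item list dialog --menu wants.
# The index restarts at 0 on every run; chooseMedium maps it back onto the
# word list the caller keeps in mediaArray. Globs replace the old `ls`
# parsing, and partitions numbered 10 and above are now listed too.
# NOTE(review): sda is assumed to be the system disk; NVMe/mmc media are
# not detected at all.
getMediaDevice() {
  local idx=0 disk part
  for disk in /dev/sd[b-z]; do
    [[ -e "$disk" ]] || continue     # unmatched glob stays literal
    checkGPT "$disk" || continue
    for part in "$disk"[1-9]*; do
      [[ -e "$part" ]] || continue
      echo -n "$idx $part[$(getPARTUUID "$part")] "
      (( idx++ ))
    done
  done
}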
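# Ask the user to plug in the $1 ("Authentication" / "Panic") medium and
# wait for OK. Anything else -- Cancel (1) or ESC (255) -- aborts via
# cancel; previously an ESC fell through as if OK had been pressed.
chooseMediumPre() {
  local role="$1"
  local title="Removable media: $role device"
  dialog --backtitle "pam_panic's Configuration Generator" --title "$title" \
    --yes-label "OK" --no-label "Cancel" \
    --yesno "Please remove all media devices before your continue.\nNote, if you device doesn't show up it might not be a GPT formatted device.\n\nPlease insert the device you want to use as $role device and press OK." 10 80 \
    || cancel
}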
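# Menu over the partitions in the global $media (output of getMediaDevice)
# for the $1 device. The chosen menu tag n is handed back as exit status
# 2*n+1, which is the position of the "<partition>[<PARTUUID>]" word in the
# caller's mediaArray. Cancel, ESC or a non-numeric answer abort via cancel.
# dialog writes the selection to stderr; the fd swap captures it directly
# instead of through a predictable scratch file in the current directory
# (this runs as root, so that file could have been pre-created as a symlink).
chooseMedium() {
  local role="$1" ans
  local title="Removable media: $role device"
  local -a entries
  # $media is a space-separated tag/item list: splitting it is intended.
  read -r -a entries <<< "$media"
  ans=$(dialog --backtitle "pam_panic's Configuration Generator" \
    --title "$title" --menu "Choose your device:" 10 80 5 \
    "${entries[@]}" 3>&1 1>&2 2>&3) || cancel
  [[ "$ans" =~ ^[0-9]+$ ]] || cancel
  # NB: an exit status is 8 bits wide, so more than 127 partitions overflow.
  return $(( 2 * ans + 1 ))
}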
# Flash a "Detecting devices..." box and pause briefly so a freshly plugged-in
# device has time to show up before the next scan. Uses the global $title.
showDetectDev() {
  dialog --backtitle "pam_panic's Configuration Generator" --title "$title" \
    --infobox "Detecting devices..." 3 80
  sleep 2   # give impatient users (and the kernel) a moment
}
# Welcome screen (the only button is "Yip!", so the status is not inspected)
dialog --backtitle "pam_panic's Configuration Generator" --title "Welcome" --ok-label "Yip!" \
  --msgbox "Welcome to pam_panic's Configuration Generator.\n\nIt will help you to create a valid pam_panic setup. It will also generate a Linux' PAM configuration file.\n\nAfter you're done with this Configuration Generator, you will see some hints how to integrate the new PAM configuration file in your system." 20 80
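# Authentication mode
# dialog status codes used below: 0 = OK ("Removable Media"), 3 = extra
# button ("Passwords"), 2 = Help (show the man page, then ask again),
# 1 = Cancel, 255 = ESC. Only Help loops; anything unexpected is a Cancel,
# so an ESC no longer falls through and produces a config without a mode.

# "<partition>[<PARTUUID>]" (one word of mediaArray) -> "<PARTUUID>".
# Parameter expansion replaces the former sed pattern, which only matched
# partition numbers 0/1 and left "/dev/sdb2[" in front of other UUIDs.
getEntryUUID() {
  local uuid="${1#*\[}"
  printf '%s\n' "${uuid%\]}"
}

auth_mode=2
while [[ "$auth_mode" -eq 2 ]]; do
  dialog --backtitle "pam_panic's Configuration Generator" \
    --title "Authentication mode" \
    --help-button \
    --extra-button --extra-label "Passwords" \
    --ok-label "Removable Media" \
    --yesno "You can choose between the \"two removable media\" option and the \"two passwords\" option.\nSee \"Help\" to learn what it is.\n\nRemovable media or passwords?" 10 80
  auth_mode=$?
  case "$auth_mode" in
    0)
      # Removable media -- authentication device first. Re-scan until at
      # least one GPT partition is visible.
      media=""
      while [[ -z "$media" ]]; do
        chooseMediumPre Authentication
        showDetectDev
        media=$(getMediaDevice)
        read -r -a mediaArray <<< "$media"
      done
      chooseMedium Authentication
      idx=$?
      auth_dev=$(getEntryUUID "${mediaArray[$idx]}")
      if [[ -z "$auth_dev" ]]; then
        # An empty allow= would make the generated stack unusable.
        msg "Removable media: Authentication device" "ERROR: The chosen partition has no PARTUUID."
        clear
        exit 1
      fi
      msg "Removable media: Authentication device" "Authentication device chosen with UUID $auth_dev."

      # Panic device: must carry a PARTUUID and must differ from the
      # authentication device, otherwise allow=/reject= name the same medium.
      panic_dev="$auth_dev"
      while [[ "$panic_dev" == "$auth_dev" ]]; do
        media=""
        while [[ -z "$media" ]]; do
          chooseMediumPre Panic
          showDetectDev
          media=$(getMediaDevice)
          read -r -a mediaArray <<< "$media"
        done
        chooseMedium Panic
        idx=$?
        panic_dev=$(getEntryUUID "${mediaArray[$idx]}")
        if [[ -z "$panic_dev" ]]; then
          msg "Removable media: Panic device" "ERROR: The chosen partition has no PARTUUID."
          clear
          exit 1
        fi
        if [[ "$panic_dev" == "$auth_dev" ]]; then
          msg "Removable media: Panic device" "The panic device must differ from the authentication device. Please choose another one."
        fi
      done
      msg "Removable media: Panic device" "Panic device chosen with UUID $panic_dev."
      ;;
    3)
      # Passwords: optionally run the build-time password helper right away
      if ask "Passwords" "Do you want to set the passwords now?"; then
        clear
        if ! "$PAMPANICPW"; then
          clear
          echo "Failed to set a password. :(" >&2
          exit 1
        fi
      fi
      ;;
    2)
      # Help: show the manual, then the loop asks again
      man pam_panic
      ;;
    *)
      # Cancel (1), ESC (255) or anything unexpected
      cancel
      ;;
  esac
done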
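# serious flag: optionally wipe the LUKS header of the container on panic
ask "pam_panic's behaviour" "Do you wish to destroy your LUKS header in case of emergency?\nThis means that your encrypted root device won't be readable anymore. After this question you will be asked to make a backup of this header."
serious=$?
if [[ "$serious" -eq 0 ]]; then
  serious_dev=$(getLUKSDevice UUID)
  serious_name=$(getLUKSDevice NAME)
  # Only continue with exactly one LUKS container: a multi-line answer
  # (several containers on /dev/sda) must never end up in "serious=...".
  # NOTE(review): nothing verifies that this container is the root fs.
  if [[ -n "$serious_dev" && "$serious_dev" != *$'\n'* && -n "$serious_name" ]]; then
    msg "pam_panic's behaviour" "We will destroy $serious_name [$serious_dev] when you trigger the panic function."
    # LUKS header backup
    ask "LUKS Header backup" "Do you want to make a LUKS-Header backup now?\nIt will be saved at \"$LHBU\"."
    bu=$?
    if [[ "$bu" -eq 0 ]]; then
      if cryptsetup luksHeaderBackup "$serious_name" --header-backup-file "$LHBU"; then
        # The backup contains the key slots: keep it root-only, and move it
        # off this machine -- a copy on the disk that gets wiped is worthless.
        chmod 600 -- "$LHBU"
        msg "LUKS Header backup" "LUKSHeader backup has been saved here: $LHBU"
      else
        # e.g. cryptsetup refusing to overwrite an existing backup file.
        # Without a verified backup, enabling header destruction is unsafe.
        msg "LUKS Header backup" "ERROR: Could not create the LUKS header backup at $LHBU. The serious option has been disabled."
        serious=1
      fi
    fi
  else
    msg "pam_panic's behaviour" "ERROR: There is no encrypted root device on /dev/sda."
    serious=1
  fi
fi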
# poweroff / reboot behaviour
# dialog status: 0 = Reboot (OK), 3 = Shutdown (extra), 1 = Nothing, 255 = ESC
dialog --backtitle "pam_panic's Configuration Generator" --title "pam_panic's behaviour" \
  --ok-label "Reboot" --extra-button --extra-label "Shutdown" --cancel-label "Nothing" \
  --yesno "Do you wish a reboot or a shutdown after issuing the panic function? n for nothing of those? " 10 80
power=$?
# Configuration generation
dialog --backtitle "pam_panic's Configuration Generator" --infobox "Generating configuration..." 3 40

# Module options for the auth line, collected in the order they are emitted:
# power action, authentication mode, serious device. "\n" stays a literal
# two-character escape here; it is expanded when the file is written.
opts=""
case "$power" in
  0) opts+=" reboot" ;;
  3) opts+=" poweroff" ;;
esac
case "$auth_mode" in
  3) opts+=" password" ;;
  0) opts+=" allow=$auth_dev reject=$panic_dev" ;;
esac
[[ "$serious" == "0" ]] && opts+=" serious=$serious_dev"
config="#%PAM-1.0\nauth requisite $SECUREDIR/pam_panic.so$opts\naccount requisite $SECUREDIR/pam_panic.so"
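# Write config file
# writeout: 0 = written, anything else = left untouched (declined, ESC, or failed)
writeout=0
if [[ -f "$CONFIGFILE" ]]; then
  ask "Configfile exist" "$CONFIGFILE exists. Overwrite it?"
  writeout=$?
fi
if [[ "$writeout" -eq 0 ]]; then
  # %b expands the \n escapes embedded in $config (as the former echo -e did)
  if ! printf '%b\n' "$config" > "$CONFIGFILE"; then
    printf 'ERROR: could not write %s\n' "$CONFIGFILE" >&2
    writeout=1
  fi
fi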
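# Finished message
clear
# Tell the truth about what happened: the old text claimed the configuration
# was saved even when the user had declined to overwrite the existing file.
if [[ "$writeout" -eq 0 ]]; then
  echo "Done! <3"
  status_line="Now we saved our configuration to $CONFIGFILE."
else
  echo "Nothing done! </3"
  status_line="The configuration was NOT written; $CONFIGFILE was left unchanged."
fi

# Here-doc instead of echo -e: no backslash processing on the expanded path.
cat <<EOF | more


What now?
=========
$status_line
If you want to let them apply to the other modules,
proceed as follows:
1. Open a module in /etc/pam.d/
You can try out:
- xscreensaver
- system-local-login (on Arch Linux)
- common-auth and common-account (Ubuntu)
2. After the line "#%PAM-1.0" append
auth include pampanic
account include pampanic
On Ubuntu you might want to seperate both lines in common-auth and common-account.
Once you have changed and saved those files, pam_panic will be active.
On your next login you need to
- type your pam_panic authentification password or
- insert your removable authentication media
previous your regular user password.

EOF
echo "If you got any question, don't hesitate to ask via IRC (chat.freenode.de in room #pampanic) or via mail + GPG."
printf '\nPress Enter to exit.\n'
read -r -n1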