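#!/bin/bash
# Interactive helper that creates a per-user iptables chain ("UserI-<user>")
# and records each user's Yubikey public ID in /etc/yubikey_mappings.
#
# Usage: run on the firewall host and answer the prompts; Ctrl-D ends each
# list (keys for a user, ports for a user, and finally the list of users).
#   --dry-run   print the privileged commands instead of running them.
#               NOTE: option parsing lives inside the `if /bin/false` block
#               below and therefore never runs; the flag is not honoured and
#               DryRun/Sudo/PreCmd stay empty (iptables is invoked directly).
#
# Everything typed at the prompts is untrusted input: the username becomes
# an iptables chain name and a field of the colon-separated mappings file,
# the key becomes the other field, and port/protocol become iptables
# arguments. Each value is therefore checked against a strict whitelist
# before it is used; rejected values are skipped and the prompt repeated.

set -u

# Defaults so the variables are always defined even though the parsing
# block below never executes.
DryRun=""
Sudo=""
PreCmd=""

#######################################
# Username whitelist: 1-32 chars, lowercase letters/digits/'_'/'-', starting
# with a letter or '_'. Excludes ':', quotes, whitespace and shell/iptables
# metacharacters.
# NOTE(review): iptables limits chain names to 28 characters, so a name
# longer than 22 chars will still be refused by `iptables -N` — confirm.
# Arguments: $1 - candidate username
# Returns:   0 if acceptable, 1 otherwise
#######################################
valid_user() {
  [[ "$1" =~ ^[a-z_][a-z0-9_-]{0,31}$ ]]
}

#######################################
# Yubikey whitelist: the OTP alphabet is modhex (cbdefghijklnrtuv); a full
# OTP is 44 characters and the public ID is its first 12, so require at
# least 12 modhex characters.
# Arguments: $1 - candidate OTP or public ID
# Returns:   0 if acceptable, 1 otherwise
#######################################
valid_yubikey() {
  [[ "$1" =~ ^[cbdefghijklnrtuv]{12,}$ ]]
}

#######################################
# Protocol whitelist: only the two formats the prompt documents; both have
# an iptables match module of the same name that understands --dport.
# Arguments: $1 - candidate protocol
# Returns:   0 if tcp or udp, 1 otherwise
#######################################
valid_proto() {
  [[ "$1" == "tcp" || "$1" == "udp" ]]
}

#######################################
# Port whitelist: a decimal number 1-65535, or a service name built from
# the characters /etc/services uses (iptables resolves the name itself).
# Arguments: $1 - candidate port number or service name
# Returns:   0 if acceptable, 1 otherwise
#######################################
valid_port() {
  local p=$1
  if [[ "$p" =~ ^[0-9]{1,5}$ ]]; then
    # 10# forces decimal so a leading zero is not read as octal.
    (( 10#$p >= 1 && 10#$p <= 65535 ))
  else
    [[ "$p" =~ ^[A-Za-z0-9][A-Za-z0-9_.+-]*$ ]]
  fi
}

# Disabled block, kept as in the original: option parsing, sudo detection
# and creation of the Dynamicipv4-I dispatch chain. The condition is always
# false, so none of this runs.
if /bin/false ; then
  while [ -n "${1-}" ]; do
    case "$1" in
      "--dry-run")
        DryRun="echo "
        ;;
      *)
        echo "Unknown param $1, exiting."
        exit 1
        ;;
    esac
    shift
  done
  if [ "$EUID" != "0" ]; then
    Sudo="sudo "
  fi
  PreCmd="$DryRun $Sudo "
  $PreCmd iptables -N Dynamicipv4-I
  $PreCmd iptables -I INPUT -m state --state NEW -j Dynamicipv4-I
  #$PreCmd iptables -N UserI-wstearns
  #$PreCmd iptables -A UserI-wstearns -m tcp -p tcp --dport 22 -j ACCEPT
fi

echo "Now we set up individual users, their yubikeys, and what"
echo "services they should able to access. When you have no"
echo "more users, press Ctrl-D."
while read -r OneUser ; do
  echo "$OneUser"
  if ! valid_user "$OneUser"; then
    printf "Invalid username '%s': use 1-32 lowercase letters, digits, '_' or '-', starting with a letter or '_'. Skipping.\n" "$OneUser" >&2
    echo "Another user (ctrl-d if not)?"
    continue
  fi
  # Create the per-user chain only when it does not exist yet. Because
  # $Sudo is empty (see above), a non-root run fails this check and then
  # fails the -N as well.
  if ! $Sudo iptables -L "UserI-${OneUser}" -n >/dev/null 2>&1 ; then
    $PreCmd iptables -N "UserI-${OneUser}"
  fi
  echo "If you'd like to add more yubikeys for this user enter them now."
  echo "You can either enter a full 44 yubikey one-time password, or just"
  echo "the first 12 characters of any password formerly created by this key."
  echo "Enter Ctrl-D when you have none/no more to enter."
  while read -r NewYubikey ; do
    if ! valid_yubikey "$NewYubikey"; then
      # The value is not echoed back: it may be a complete one-time password.
      echo "Invalid yubikey: expected at least 12 modhex characters (c b d e f g h i j k l n r t u v). Not recorded." >&2
      echo "Another key for ${OneUser} (ctrl-d if not)?"
      continue
    fi
    # Only the public ID (first 12 characters) identifies the key; the rest
    # of a full OTP is never stored.
    YubikeyId=${NewYubikey:0:12}
    if [ -n "$DryRun" ]; then
      echo "echo \"$OneUser:$YubikeyId\" | $Sudo tee -a /etc/yubikey_mappings >/dev/null"
    else
      printf '%s:%s\n' "$OneUser" "$YubikeyId" | $Sudo tee -a /etc/yubikey_mappings >/dev/null
    fi
    echo "Another key for ${OneUser} (ctrl-d if not)?"
  done
  echo "Now enter any ports this user should be able to access once he/she"
  echo "enters one of his/her yubikeys. Valid formats: '22 tcp', 'ssh tcp',"
  echo "'514 udp' or 'syslog udp'. Named ports must be listed in /etc/services."
  echo "When no more ports, enter Ctrl-D."
  while read -r Port Proto ; do
    if [ -z "$Proto" ]; then
      Proto='tcp'
    fi
    if ! valid_proto "$Proto" || ! valid_port "$Port"; then
      printf "Invalid port/protocol '%s %s': expected '<1-65535|service-name> [tcp|udp]'. Skipping.\n" "$Port" "$Proto" >&2
      echo "Another port for ${OneUser} (ctrl-d if not)?"
      continue
    fi
    $PreCmd iptables -A "UserI-${OneUser}" -m "$Proto" -p "$Proto" --dport "$Port" -j ACCEPT
    echo "Another port for ${OneUser} (ctrl-d if not)?"
  done
  #FIXME - also forward rules?
  echo "Another user (ctrl-d if not)?"
done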