#!/bin/bash
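#######################################
# Configuration.
# CMDBAPI:    account lookup endpoint. It is plain http, so the reply -- which
#             decides who may log in and who gets sudo on this host -- is
#             neither authenticated nor protected from tampering in transit.
#             TODO(review): confirm whether the endpoint offers TLS.
# CONF:       pam_listfile allow-list consumed by the sshd PAM stack.
# PAM_SSHD:   the sshd PAM stack; PAM_BACKUP is its one-shot backup.
# SUDO:       sudoers drop-in generated from the CMDB reply.
#######################################
readonly CMDBAPI="http://cmdb.xxx.cn/api/accounts.php"
readonly CONF="/etc/cloud_sshduser"
readonly PAM_SSHD="/etc/pam.d/sshd"
readonly SUDO="/etc/sudoers.d/cmdb"
readonly PAM_BACKUP="/etc/pam.d/sshd.bak"

#######################################
# Print the first IPv4 address in 10.0.0.0/8 found in `ip addr` output,
# without its prefix length, skipping /32 entries.
# Only the address field of "inet" lines is inspected, so a "10." inside a
# broadcast address or on another subnet (e.g. 192.168.10.1) no longer
# matches the way the old `grep "10\."` did.
# Arguments: none; reads `ip addr` output on stdin
# Outputs:   the address on stdout, nothing when there is no match
# Returns:   0 (awk's status) even when nothing matched
#######################################
first_10_address() {
  awk '$1 == "inet" && $2 ~ /^10\./ && $2 !~ /\/32$/ {
         sub(/\/.*$/, "", $2)
         print $2
         exit
       }'
}

# Address reported to the CMDB; empty when this host has no 10/8 address.
IPADDR=$(ip -4 addr | first_10_address)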
# 接口返回说明
# PAM_OFF#| : PAM关闭,应恢复/etc/pam.d/sshd文件
# ACCOUNTS_OK#| : PAM开启
# Permission Deny : 无权限查询,直接退出
# ERROR: 错误,直接退出
# NOT FOUND: 未找到 直接退出
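#######################################
# Disable CMDB-managed SSH access control.
# Restores the pre-script sshd PAM stack from $PAM_BACKUP when that backup
# exists; otherwise removes every line of $PAM_SSHD that mentions $CONF
# (the pam_listfile rule pam_on adds).
# Globals:   PAM_BACKUP, CONF (read), PAM_SSHD (written)
# Arguments: none
# Returns:   status of cp / sed
#######################################
pam_off() {
  if [ -f "$PAM_BACKUP" ]; then
    cp -- "$PAM_BACKUP" "$PAM_SSHD"
  else
    # '\#' makes '#' the address delimiter so the slashes in $CONF need no
    # escaping. A bare "#...#d" (the previous form) is a sed *comment* and
    # deleted nothing, leaving the allow-list rule in place.
    sed -i "\\#${CONF}#d" "$PAM_SSHD"
  fi
}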
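#######################################
# Enable CMDB-managed SSH access control on this host.
# Takes a one-shot backup of the sshd PAM stack (so pam_off can restore it),
# rewrites the stack with a pam_listfile.so account rule that only admits
# users named in $CONF, then regenerates $CONF and the sudoers drop-in $SUDO
# from a fixed base set (root, user1, user2) plus the names in $1. Every
# name in $1 receives NOPASSWD sudo, as in the original script.
# Globals:   PAM_SSHD (read), PAM_BACKUP, CONF, SUDO (written)
# Arguments: $1 - comma- and/or whitespace-separated user names, taken from
#            the CMDB reply and therefore untrusted
# Outputs:   a warning on stderr for each name that is skipped
# Returns:   0 on success, 1 if a file cannot be written
#######################################
pam_on() {
  local raw_users=$1
  local -a names=()
  local u
  # Accept only portable user-name syntax. The names end up as sudoers and
  # pam_listfile lines, so anything else (spaces, ';', '#', ...) could alter
  # the policy rather than just add a user.
  local -r name_re='^[A-Za-z_][A-Za-z0-9._-]*$'

  if [ ! -f "$PAM_BACKUP" ]; then
    cp -- "$PAM_SSHD" "$PAM_BACKUP" || return 1
  fi

  # RHEL-family style stack (password-auth includes). NOTE(review):
  # onerr=succeed makes pam_listfile fail-open -- sshd admits everyone if
  # $CONF is missing or unreadable. Kept as in the original; onerr=fail is
  # the fail-closed alternative.
  cat >"$PAM_SSHD" <<EOF || return 1
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
#account required pam_access.so
account requisite pam_listfile.so item=user sense=allow file=$CONF onerr=succeed
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
EOF

  cat >"$CONF" <<EOF || return 1
root
user1
user2
EOF

  cat >"$SUDO" <<EOF || return 1
user1 ALL=(ALL) NOPASSWD: ALL
user2 ALL=(ALL) NOPASSWD: ALL
EOF
  # sudo expects drop-ins to be root-owned and mode 0440; a freshly created
  # file would otherwise carry the umask default.
  chmod 0440 -- "$SUDO" || return 1

  # Split on commas and whitespace; empty fields (",,") are dropped.
  IFS=$', \t' read -r -a names <<<"$raw_users"
  for u in "${names[@]}"; do
    [ -n "$u" ] || continue
    if [[ ! "$u" =~ $name_re ]]; then
      printf 'pam_on: skipping invalid user name %q\n' "$u" >&2
      continue
    fi
    printf '%s\n' "$u" >>"$CONF" || return 1
    printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$u" >>"$SUDO" || return 1
  done
}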
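#######################################
# Main flow: ask the CMDB which accounts belong on this host and apply the
# answer. The reply is one line of the form STATUS#users|sudoers (status
# meanings are listed in the comment block above pam_off). It arrives over
# plain http and is trusted as-is, so it is untrusted input for everything
# below.
#######################################
if [ -z "$IPADDR" ]; then
  printf 'no 10.x address found, cannot query CMDB\n' >&2
  exit 1
fi

# --max-time bounds the whole transfer; --connect-timeout alone leaves the
# script hanging on a server that accepts the connection but never answers.
userlist=$(curl --connect-timeout 3 --max-time 15 -s "${CMDBAPI}?ip=${IPADDR}" | head -n 1)

# Same fields the previous cut pipeline produced: stats is everything before
# the first '#', users/sudoers are the second '#'-field split on '|'. When a
# delimiter is absent the remaining string is kept whole, as cut does.
stats=${userlist%%#*}
fields=${userlist#*#}
fields=${fields%%#*}
users=${fields%%|*}
sudoers=${fields#*|}
# NOTE(review): $sudoers is parsed but never consumed; pam_on grants
# NOPASSWD sudo to every name in $users instead. Confirm that is intended.
# shellcheck disable=SC2034
sudoers=${sudoers%%|*}
printf '%s\n' "$userlist"

case $stats in
  ACCOUNTS_OK) pam_on "$users" ;;
  PAM_OFF) pam_off ;;
  ERROR | "NOT FOUND" | "Permission denied") exit 1 ;;
  # NOTE(review): the header comment spells this status "Permission Deny";
  # verify the exact string the API returns, otherwise it lands here.
  *)
    printf 'UNKNOWN ERROR\n' >&2
    exit 1
    ;;
esac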