diff --git a/checktrust/checktrust b/checktrust/checktrust
new file mode 100755
index 00000000..ba55e282
--- /dev/null
+++ b/checktrust/checktrust
@@ -0,0 +1,12 @@
+#! /usr/bin/bash
+
+for host in wtf afk pummelfee; do
+ reply="$(netcat -w 1 $host 236 </dev/null)"
+ if [ "$reply" = "I trust you" ]; then
+ echo "trusted"
+ exit
+ elif [ "$reply" = "I don't trust you" ]; then
+ echo "not trusted"
+ exit
+ fi
+done
diff --git a/checktrust/getty-checktrust b/checktrust/getty-checktrust
new file mode 100755
index 00000000..5e7dfc43
--- /dev/null
+++ b/checktrust/getty-checktrust
@@ -0,0 +1,14 @@
+#! /usr/bin/bash
+
+if [ "$(/usr/sbin/checktrust)" = "not trusted" ]; then
+ mkdir -p /node/issue.d
+ cat > /node/issue.d/notrust.issue <<EOF
+** WARNING: Loss of trust detected **
+** Looks like your machine lost the trust of our network. Maybe it was offline for too long. **
+** You won't be able to log in. **
+** Please contact IT Helpdesk: <helpdesk@molgen.mpg.de>, phone: -1708 **
+
+EOF
+else
+ rm -f /node/issue.d/notrust.issue
+fi
diff --git a/checktrust/getty-checktrust.service b/checktrust/getty-checktrust.service
new file mode 100644
index 00000000..2d301e30
--- /dev/null
+++ b/checktrust/getty-checktrust.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Check Mariux64 trust for getty
+Before=getty@.service
+
+[Install]
+WantedBy=getty@.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/getty-checktrust
+RemainAfterExit=yes
diff --git a/checktrust/lightdm-greeter-wrapper b/checktrust/lightdm-greeter-wrapper
new file mode 100755
index 00000000..1e47adaf
--- /dev/null
+++ b/checktrust/lightdm-greeter-wrapper
@@ -0,0 +1,3 @@
+#! /bin/bash
+(/usr/libexec/lightdm-show-trust-warning &)
+exec "$@"
diff --git a/checktrust/lightdm-show-trust-warning b/checktrust/lightdm-show-trust-warning
new file mode 100755
index 00000000..ed738c0f
--- /dev/null
+++ b/checktrust/lightdm-show-trust-warning
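Review bot: The verdict captured in `reply=` is a plain-text string read over an unauthenticated TCP connection to whichever of `wtf afk pummelfee` answers first, so anyone who can spoof those names or sit on the path can return either answer, and when no host replies within the 1-second timeout the script prints nothing and exits 0. That is tolerable only while every consumer does nothing more than toggle a banner, which the script should say up front: `# Advisory only: the reply is unauthenticated and must never be used to grant or deny access.` and `# Prints "trusted" or "not trusted"; prints nothing (exit 0) when no host replied.` Quoting `"$host"` is cosmetic here since the list is hard-coded, but it keeps ShellCheck quiet.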
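Review bot: The `else` branch removes the banner for every reply other than `not trusted`, including the empty reply `checktrust` produces when no server answered, so a boot without network clears a previously recorded loss of trust instead of leaving it in place. If a possibly stale banner across an outage is acceptable, capture the verdict once with `reply="$(/usr/sbin/checktrust)"` and only clear on an explicit answer: `elif [ "$reply" = "trusted" ]; then rm -f /node/issue.d/notrust.issue`. The here-doc delimiter is unquoted; the text contains no `$` or backticks today, but `<<'EOF'` guarantees the banner stays literal if someone edits it later.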
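Review bot: The unit orders itself only `Before=getty@.service` and has no network dependency, so at boot `getty-checktrust` will likely run before the network is usable; `checktrust` then prints nothing, the banner gets removed, and with `Type=oneshot` plus `RemainAfterExit=yes` the verdict is never revisited for the life of the boot. Add `After=network-online.target` and `Wants=network-online.target` to `[Unit]`, or drop `RemainAfterExit=yes` and re-trigger the unit (for example from a timer) if the banner is meant to follow network state. Whether `WantedBy=getty@.service` is honoured for every template instance depends on the systemd version on the target; worth confirming on a Mariux64 machine.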
@@ -0,0 +1,28 @@
+#! /usr/bin/bash
+
+while true; do
+ reply="$(/usr/sbin/checktrust)"
+ if [ "$reply" = "trusted" ]; then
+ break
+ elif [ "$reply" = "not trusted" ]; then
+ if [ -z "$XDOPID" ]; then
+ (while true; do xdotool search --sync --name bla windowraise; sleep 1; done) &
+ XDOPID=$!
+ fi
+ xdotool search --sync --name bla windowraise &
+ zenity --width 400 --error --title bla --text \
+"<b>Loss of trust detected!</b>
+
+Looks like your machine lost the trust of our network. Maybe it was offline for too long.
+
+<i>You won't be able to log in.</i>
+
+<b>Please contact IT Helpdesk</b>
+
+helpdesk@molgen.mpg.de
+phone: -1708"
+ continue
+ fi
+ sleep 5
+done
+test -n "$XDOPID" && kill $XDOPID
diff --git a/checktrust/lightdm-use-wrapper.conf b/checktrust/lightdm-use-wrapper.conf
new file mode 100644
index 00000000..80af383f
--- /dev/null
+++ b/checktrust/lightdm-use-wrapper.conf
@@ -0,0 +1,2 @@
+[Seat:*]
+greeter-wrapper=/usr/libexec/lightdm-greeter-wrapper
diff --git a/clusterd/clusterd b/clusterd/clusterd
index 96741a8d..f6c7dc29 100755
--- a/clusterd/clusterd
+++ b/clusterd/clusterd
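Review bot: The `kill $XDOPID` on the last line runs only on the `trusted` exit path; the greeter wrapper detaches this script with `( … &)` and then `exec`s the greeter, so on any other termination (greeter exit after login, SIGTERM, lost display) the detached `(while true; do xdotool … windowraise; sleep 1; done)` loop is orphaned and keeps raising whatever window is titled `bla`. Move the cleanup into a trap right after the shebang: `trap '[ -n "$XDOPID" ] && kill "$XDOPID"' EXIT`. An empty reply (no server reachable) never leaves the outer loop either, so each greeter start adds another poller that wakes every 5 seconds for the rest of the session; a cap on iterations or a check that `$DISPLAY` is still usable would bound that. Using the generic title `bla` as the xdotool search key also matches any other window with that name, so a more specific title costs nothing.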
@@ -1794,6 +1794,31 @@ sub cmd_push { #------------------------------------------------------------ +our $TRUSTCHECK_PORT=236; +our $trustcheck_listen_socket; + +sub trustcheck_init { + $trustcheck_listen_socket=new IO::Socket::INET(LocalPort=>$TRUSTCHECK_PORT,Proto=>'tcp',Listen=>10,ReuseAddr=>1); + defined $trustcheck_listen_socket or die "$!\n"; + My::Select::reader($trustcheck_listen_socket,\&trustcheck_connect_request); +} + +sub trustcheck_connect_request { + My::Select::reader_requeue(); + my $socket=$trustcheck_listen_socket->accept(); + $socket->blocking(0); + my $hostname = gethostbyaddr(inet_aton($socket->peerhost()), AF_INET); + system 'hostconfig','--host',$hostname,'amd'; + if ($? == 0) { + $socket->send("I trust you\n", 0); + } elsif ($? == 256) { + $socket->send("I don't trust you\n", 0); + } + close($socket); +} + +#------------------------------------------------------------ + use constant USAGE => <<'__EOF__'; usage: $0 [options] @@ -1901,6 +1926,7 @@ if (defined $options{'push'}) { init_area(); mgmt_init(); clp_init(); + trustcheck_init(); sync_cluster_pw() or warn "$CLUSTER_PW_FILE: $!\n"; diff --git a/install.sh b/install.sh index 1543cc86..44c8e890 100755 --- a/install.sh +++ b/install.sh @@ -76,6 +76,13 @@ function install_cron() install_if "$1" "$2" $INSTALL_CRON } +function install_symlink() +{ + if [ "$(readlink "$2")" != "$1" ]; then + ln -sfv "$1" "$2" + fi +} + umask 022; mkdir -p "$DESTDIR$usr_bindir" 
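Review bot: In `trustcheck_connect_request`, `gethostbyaddr` returns undef when the peer has no PTR record, and `$hostname` is then passed undefined into `system 'hostconfig','--host',$hostname,'amd'`, which emits an uninitialized-value warning and queries an empty host name; `accept()` can also return undef, after which `$socket->blocking(0)` would die inside the daemon's select callback. Guard both: `my $socket=$trustcheck_listen_socket->accept() or return;` and `unless (defined $hostname) { close($socket); return; }`. The identity being judged is the reverse DNS of an unauthenticated TCP peer on a listener bound to all interfaces, so anyone who can reach port 236 obtains a verdict and anyone controlling a PTR zone chooses which name is judged; a comment stating that the answer is informational, and that `hostconfig` runs synchronously per connection and blocks clusterd's event loop meanwhile, would help the next maintainer. Exit statuses other than 0 and 256 produce no reply at all, which the clients treat as unknown.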
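Review bot: `trustcheck_init()` is called unconditionally here and `die`s if binding TCP port 236 fails (port already in use, or clusterd lacking the privilege a port below 1024 needs), so an advisory feature turns into a hard startup failure for the whole daemon, while the neighbouring `sync_cluster_pw() or warn` degrades gracefully. Either catch it at the call site, `eval { trustcheck_init(); 1 } or warn "trustcheck: $@";`, or turn the `die` in `trustcheck_init` into a `warn` and return without registering the reader. The enclosing block begins and ends outside the hunk.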
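Review bot: `install_symlink` compares `readlink "$2"` with the target, but when `$2` already exists as a directory (or a symlink to one) `readlink` prints nothing and `ln -sfv "$1" "$2"` then creates the link inside that directory instead of replacing it, leaving the intended path unlinked without any error; with GNU coreutils `ln -sfnT "$1" "$2"` (at minimum `-n`) makes the destination the link itself. The target is stored verbatim rather than `$DESTDIR`-prefixed, which is right for a runtime path but deserves a comment: `# $1 is the runtime target; DESTDIR applies only to the link location $2`.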
@@ -159,4 +166,13 @@ install_data misc_etc_files/rsyslog.conf "$DESTDIR$sysconfdir/rsyslog.conf"
 install_data crashkernel/crashkernel.service "$DESTDIR$systemdunitdir/crashkernel.service"
 install_exec crashkernel/crash-recovery.sh "$DESTDIR$root_sbindir/crash-recovery.sh"
 install_data misc_systemd_units/admin-sshd.service "$DESTDIR$systemdunitdir/admin-sshd.service"
+install_exec checktrust/checktrust "$DESTDIR$usr_sbindir/checktrust"
+mkdir -p "$DESTDIR$sysconfdir/xdg/lightdm/lightdm.conf.d"
+install_data checktrust/lightdm-use-wrapper.conf "$DESTDIR$sysconfdir/xdg/lightdm/lightdm.conf.d/50-use-wrapper.conf"
+install_exec checktrust/lightdm-greeter-wrapper "$DESTDIR$usr_exec_prefix/libexec/lightdm-greeter-wrapper"
+install_exec checktrust/lightdm-show-trust-warning "$DESTDIR$usr_exec_prefix/libexec/lightdm-show-trust-warning"
+mkdir -p "$DESTDIR$sysconfdir/issue.d/"
+install_symlink /node/issue.d/notrust.issue "$DESTDIR$sysconfdir/issue.d/notrust.issue"
+install_data checktrust/getty-checktrust.service "$DESTDIR$systemdunitdir/getty-checktrust.service"
+install_exec checktrust/getty-checktrust "$DESTDIR$usr_exec_prefix/libexec/getty-checktrust"
 exit
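Review bot: The new `install_symlink` line points `$sysconfdir/issue.d/notrust.issue` at `/node/issue.d/notrust.issue`, so agetty renders pre-login banner text from a path outside `/etc` whose ownership and mode are not established anywhere in this change (`getty-checktrust` only does `mkdir -p /node/issue.d` at boot under the root umask). If `/node` or `/node/issue.d` is writable by unprivileged users they control text shown on every console before authentication, and agetty expands backslash sequences in issue files; confirm the directory is root-owned, or have `getty-checktrust` write into `$sysconfdir/issue.d` directly and drop the symlink. A one-line comment above the symlink explaining why the file lives under `/node` (presumably a node-local writable area) would help whoever maintains this next.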