home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
ftp.rsa.com
/
2014.05.ftp.rsa.com.tar
/
ftp.rsa.com
/
pub
/
agents
/
PAM-Agent_v7.0.1.29.02_25_11_04_30_33.tar
/
PAM-Agent_v7.0.0.29.02_25_11_04_30_33
/
install_pam.sh
next >
Wrap
Linux/UNIX/POSIX Shell Script
|
2011-02-25
|
21KB
|
673 lines
#!/bin/sh
#
# Installation script for the RSA Authentication Agent 7.0 for PAM.
#
#
#********************************************************************************
#* COPYRIGHT (C) 2007-2010 by EMC Corporation.
#* ---ALL RIGHTS RESERVED---
#********************************************************************************
#
############################################################
# Set default values and commands for the shell script.
############################################################
UNAME=`uname`
UNAMER=`uname -r`
HOSTNAME=`hostname`
USER_NAME=""
GREP=`which grep`
ECHO=`which echo`
HERE=`dirname $0`
THEPWD=`/bin/pwd`
if [ "$HERE" = "." ]; then
HERE="$THEPWD"
else
#if $HERE isn't absolute path add `pwd` to it
cd "$HERE"
HERE=`/bin/pwd`
cd "$THEPWD"
fi
########################
########################
CONFIG_FILE=""
PAM_AGENT="/tmp/toto"
PAM_AGENT_TAR="sd_pam_agent.tar"
PAM_AGENT_MODULE="pam_securid"
#PAM_AGENT_DOC="doc"
PAM_AGENT_README="readme.html"
PAM_AGENT_TAR_GZ="$PAM_AGENT_TAR.gz"
PAM_CONFIG="/etc/sd_pam.conf"
LICENSE="$HERE/license.txt"
MODULE_DIR_PRIMARY="/usr/lib/security"
MODULE_DIR_SECONDARY="/usr/lib/security/64"
ARCH=""
PATH_ROOT=""
echo_no_nl_mode="unknown"
##############################################################################
# Trap
# this will trap any escape characters, and allow the program to abort normally
# by calling abort_installation
##############################################################################
trap 'trap "" 1 2 15; abort_installation' 1 2 15
##############################################################################
# echo_no_nl()
# Echo a string with no carriage return (if possible). Must set
# $echo_no_nl to "unknown" before using for the first time.
##############################################################################
echo_no_nl()
{
if [ "$echo_no_nl_mode" = "unknown" ] ; then
echo_test=`echo \\\c`
if [ "$echo_test" = "\c" ] ; then
echo_no_nl_mode="-n"
else
echo_no_nl_mode="\c"
fi
fi
if [ "$echo_no_nl_mode" = "\c" ] ; then
echo $* \\c
else
echo -n $*
fi
}
##############################################################################
# getfilename()
# Gets a filename
# $1 The string to print to prompt the user
# $2 The default value if user hits <Enter> (y/n)
# $3 Type : DIRECTORY, EXISTINGFILE, NEWFILE, NEWDIRECTORY
# The variable $YESORNO is set in accordance to what the user entered.
##############################################################################
getfilename()
{
#####################################################
# Set up line parameters as $1 and $2 are overwritten
#####################################################
theprompt=$1
thedefault=$2
thetype=$3
theans=""
until [ -n "$theans" ] ;
do
echo ""
echo_no_nl "$theprompt [$thedefault] "
read theans
if [ "$theans" = "" ] ; then
theans=$thedefault
fi
case $thetype in
DIRECTORY) if [ ! -d "$theans" ]; then
echo Directory $theans doesn\'t exist
theans=""
fi;;
READFILE) if [ ! -f "$theans" ]; then
echo File $theans doesn\'t exist
theans=""
elif [ ! -r "$theans" ]; then
echo File "$theans" isn\'t readable
theans=""
fi;;
WRITEFILE) if [ ! -f "$theans" ]; then
echo File $theans doesn\'t exist
theans=""
elif [ ! -w "$theans" ]; then
echo File "$theans" isn\'t writable
theans=""
fi;;
EXECFILE) if [ ! -f "$theans" ]; then
echo File $theans doesn\'t exist
theans=""
elif [ ! -x "$theans" ]; then
echo File "$theans" isn\'t writable
theans=""
fi;;
NEWFILE) if [ -f "$theans" ]; then
echo File $theans already exist
theans=""
elif [ ! -d `dirname $theans` ]; then
echo Directory `dirname $theans` doesn\'t exist
theans=""
elif [ ! -w `dirname $theans` ]; then
echo Directory `dirname $theans` isn\'t writable
theans=""
fi;;
*);;
esac
done
}
##############################################################################
# getAcceptDecline()
# Gets either a "Accept" or a "Decline" in the traditional (a/d) pattern
# $1 The default value if user hits <Enter> (TRUE/FALSE)
# $2 The string to print to prompt the user
# The variable $AORD is set in accordance to what the user entered.
##############################################################################
getAcceptDecline()
{
#####################################################
# Set up line parameters as $1 and $2 are overwritten
#####################################################
AorDdef=$1
AorDprompt=$2
AORD=""
until [ -n "$AORD" ] ;
do
echo ""
echo_no_nl $AorDprompt
read AORD
AORD=`echo $AORD | tr '[a-z]' '[A-Z]'`
case "$AORD"
in
A|ACCEPT ) AORD=TRUE;;
D|DECLINE ) AORD=FALSE;;
'' ) AORD=$AorDdef;;
* ) echo ""
echo "Please enter 'A', 'D' or '<return>' "
AORD="";;
esac
done
}
##############################################################################
# getyesorno()
# Gets either a "yes" or a "no" in the traditional (y/n) pattern
# $1 The default value if user hits <Enter> (TRUE/FALSE)
# $2 The string to print to prompt the user
# The variable $YESORNO is set in accordance to what the user entered.
##############################################################################
getyesorno()
{
#####################################################
# Set up line parameters as $1 and $2 are overwritten
#####################################################
yesornodef=$1
yesornoprompt=$2
YESORNO=""
until [ -n "$YESORNO" ] ;
do
echo ""
echo_no_nl $yesornoprompt
read YESORNO
case "$YESORNO"
in
y|Y ) YESORNO=TRUE;;
n|N ) YESORNO=FALSE;;
'' ) YESORNO=$yesornodef;;
* ) echo ""
echo "Please enter 'y', 'n' or '<return>' "
YESORNO="";;
esac
done
}
##############################################################################
# abort_installation()
# This subroutine removes files that were recently installed and restores
# the previous installation files, if they existed.
##############################################################################
abort_installation()
{
#CP__need to fix this when done. Make sure to set values for each file placed somewhere
echo ""
echo "Aborting Installation..."
exit 1
}
############################################################
# Display the License and Copyright files.
############################################################
startup_screen()
{
# Changed so that we could have both license files shown
if [ -f "$LICENSE" ] ; then
more "$LICENSE"
else
echo "The License Agreement text file could not be found in the current directory."
echo "Installation is aborting..."
abort_installation
fi
getAcceptDecline FALSE "Do you accept the License Terms and Conditions stated above? (Accept/Decline) [D]"
if [ "$AORD" = FALSE ] ; then
abort_installation;
fi
echo ""
echo ""
echo ""
}
############################################################
# Check to see if the environment variable VAR_ACE is
# defined and sdconf.rec exists
############################################################
check_sdconf()
{
noerror=0
#Removing VAR_ACE check from environment
VAR_ACE="/var/ace"
theans=""
while [ "$theans" = "" ]
do
getfilename "Enter Directory where sdconf.rec is located" $VAR_ACE DIRECTORY
if [ ! -f "$theans/sdconf.rec" ]; then
echo file "$theans/sdconf.rec" not found
theans=""
elif [ ! -r "$theans/sdconf.rec" ]; then
echo file "$theans/sdconf.rec" not readable: change protection if needed
VAR_ACE="$theans"
theans=""
else
if [ "$theans" != "" ]; then
VAR_ACE="$theans"
fi
break
fi
done
}
############################################################
# Check to see if this is a supported platform.
############################################################
check_platform()
{
#echo "check_platform: uname is [$UNAME]"
case $UNAME
in
'SunOS' ) SUN_HARDWARE=`uname -p`
if [ `/usr/bin/isainfo -kv | cut -f 1 -d '-'` = "64" ] ; then
ARCH=64bit
MODULE_DIR_PRIMARY="/usr/lib/security"
MODULE_DIR_SECONDARY="/usr/lib/security/64"
else
ARCH=32bit
MODULE_DIR_PRIMARY="/usr/lib/security"
MODULE_DIR_SECONDARY=""
fi
case "$SUN_HARDWARE" in
'i386' )
WHOAMISOL=`/usr/ucb/whoami`
OS_DIR="sol_x86"
OS_EXT="so"
#
# Need this so grep handles extended expressions like '[[:space:]]'.
#
GREP="/usr/xpg4/bin/grep -E"
USER_NAME=`echo $WHOAMISOL`;;
'sparc' )
WHOAMISOL=`/usr/ucb/whoami`
OS_DIR="sparc"
OS_EXT="so"
#
# Need this so grep handles extended expressions like '[[:space:]]'.
#
GREP="/usr/xpg4/bin/grep -E"
USER_NAME=`echo $WHOAMISOL`;;
esac;;
'Linux' ) LNX_VERS=`uname -i`
if [ `getconf LONG_BIT` = "32" ] ; then
ARCH=32bit
MODULE_DIR_PRIMARY="/lib/security"
MODULE_DIR_SECONDARY=""
else
ARCH=64bit
MODULE_DIR_PRIMARY="/lib/security"
MODULE_DIR_SECONDARY="/lib64/security/"
fi
OS_DIR="lnx"
WHOAMILNX=`/usr/bin/whoami`
OS_EXT="so"
#
# Need this so that echo does the right thing with newlines.
#
ECHO="$ECHO -e"
USER_NAME=`echo $WHOAMILNX`
case "$LNX_VERS" in
'x86_64' )
echo "";;
'i386' )
echo "";;
* ) echo ""
echo "Sorry, this is not a supported configureation"
echo ""
abort_installation ;;
esac;;
'HP-UX' )
if [ `getconf KERNEL_BITS` = "32" ] ; then
ARCH=32bit
MODULE_DIR_PRIMARY="/usr/lib/security/hpux32"
MODULE_DIR_SECONDARY=""
else
ARCH=64bit
MODULE_DIR_PRIMARY="/usr/lib/security/hpux32"
MODULE_DIR_SECONDARY="/usr/lib/security/hpux64"
fi
if [ `uname -m | grep "ia"` ] ; then
HP_VERS=hp_itanium
else
HP_VERS=hp_parisc
fi
case "$HP_VERS" in
'hp_itanium' )
WHOAMIHP11=`/bin/whoami`
OS_DIR="hp_itanium"
OS_EXT="1"
PAM_AGENT_MODULE="pam_securid"
USER_NAME=`echo $WHOAMIHP11`;;
* )
WHOAMIHP11=`/bin/whoami`
echo ""
echo "Sorry, this is not a supported configureation"
echo ""
USER_NAME=`echo $WHOAMIHP11`;;
esac;;
'AIX' ) AIX_VERS=`uname -vr | awk '{print $2 * 1000 + $1}'`
if [ `bootinfo -K` = "32" ] ; then
ARCH=32bit
MODULE_DIR_PRIMARY="/usr/lib/security"
MODULE_DIR_SECONDARY=""
else
ARCH=64bit
MODULE_DIR_PRIMARY="/usr/lib/security"
MODULE_DIR_SECONDARY="/usr/lib/security/64"
fi
case "$AIX_VERS" in
*)
OS_DIR="aix"
OS_EXT="so"
USER_NAME=`/usr/bin/whoami`
esac;;
* ) echo ""
echo "Sorry, $UNAME is not currently supported."
echo ""
abort_installation ;;
esac
}
############################################################
# Ask the user for the destination of the Agent files and
# other installation information, documentation
############################################################
setup_paths()
{
###########################################
# Get the Agent directory path
###########################################
theans=""
DEFAULT_AGENT_ROOT="/opt"
AGENT_ROOT=""
echo ""
getfilename "Please enter the root path for the RSA Authentication Agent for PAM directory" $DEFAULT_AGENT_ROOT DIRECTORY
if [ "$theans" = "" ]; then
theans="$DEFAULT_AGENT_ROOT"
fi
while [ -d "$theans/pam" ]
do
echo PAM Agent is already installed in the "$theans/pam"
getyesorno TRUE "Would you like to overwrite it? (y/n) [y]"
if [ "$YESORNO" = FALSE ] ; then
getfilename "Please enter the root path for the new RSA Authentication Agent for PAM directory" $DEFAULT_AGENT_ROOT DIRECTORY
else
AGENT_ROOT="$theans"
break
fi
done
if [ "$AGENT_ROOT" = "" ]; then
AGENT_ROOT="$theans"
fi
echo ""
echo "The RSA Authentication Agent for PAM will be installed in the $AGENT_ROOT directory."
}
#################
# Check PAM_CONFIG to see if it has a line that defines VARIABLE.
# If so, do nothing. If not, append ENTRY to the end of PAM_CONFIG.
#################
check_config_line()
{
VARIABLE=$1
ENTRY=$2
if $GREP "^[[:space:]]*$VARIABLE[[:space:]]*=" $PAM_CONFIG > /dev/null; then
echo "$VARIABLE exists - entry will not be updated"
else
echo "$VARIABLE does not exist - entry will be appended"
$ECHO "$ENTRY" >> "$PAM_CONFIG"
echo "" >> "$PAM_CONFIG"
echo "" >> "$PAM_CONFIG"
fi
}
#################
# Create PAM config file
#################
create_conf()
{
if [ -f "$PAM_CONFIG" ]; then
cp "$PAM_CONFIG" "$PAM_CONFIG".bak
fi
touch "$PAM_CONFIG"
$ECHO "\nChecking $PAM_CONFIG:\n"
check_config_line VAR_ACE \
"#VAR_ACE :: the location where the sdconf.rec, sdstatus.12 and securid files will go\n\
# default value is /var/ace\n\
VAR_ACE=$VAR_ACE"
check_config_line RSATRACELEVEL \
"#RSATRACELEVEL :: To enable logging in UNIX for securid authentication\n\
# :: 0 Disable logging for securid authentication\n\
# :: 1 Logs regular messages for securid authentication\n\
# :: 2 Logs function entry points for securid authentication\n\
# :: 4 Logs function exit points for securid authentication\n\
# :: 8 All logic flow controls use this for securid authentication\n\
# NOTE :: For combinations, add the corresponding values\n\
# default value is 0\n\
RSATRACELEVEL=0"
check_config_line RSATRACEDEST \
"#RSATRACEDEST :: Specify the file path where the logs are to be redirected for securid authentication.\n\
# :: If this is not set, by default the logs go to Error output.\n\
RSATRACEDEST="
check_config_line ENABLE_USERS_SUPPORT \
"#ENABLE_USERS_SUPPORT :: 1 to enable; 0 to disable users support\n\
# default value is 0\n\
ENABLE_USERS_SUPPORT=0"
check_config_line INCL_EXCL_USERS \
"#INCL_EXCL_USERS :: 0 exclude users from securid authentication\n\
# :: 1 include users for securid authentication\n\
# default value is 0\n\
INCL_EXCL_USERS=0"
check_config_line LIST_OF_USERS \
"#LIST_OF_USERS :: a list of users to include or exclude from SecurID Authentication...Example:\n\
LIST_OF_USERS=user1:user2"
check_config_line PAM_IGNORE_SUPPORT_FOR_USERS \
"#PAM_IGNORE_SUPPORT_FOR_USERS :: 1 to return PAM_IGNORE if a user is not SecurID authenticated due to user exclusion support\n\
# :: 0 to UNIX authenticate a user that is not SecurID authenticated due to user exclusion support\n\
# default value is 0\n\
PAM_IGNORE_SUPPORT_FOR_USERS=0"
check_config_line ENABLE_GROUP_SUPPORT \
"#ENABLE_GROUP_SUPPORT :: 1 to enable; 0 to disable group support\n\
# default value is 0\n\
ENABLE_GROUP_SUPPORT=0"
check_config_line INCL_EXCL_GROUPS \
"#INCL_EXCL_GROUPS :: 1 to always prompt the listed groups for securid authentication (include)\n\
# :: 0 to never prompt the listed groups for securid authentication (exclude)\n\
# default value is 0\n\
INCL_EXCL_GROUPS=0"
check_config_line LIST_OF_GROUPS \
"#LIST_OF_GROUPS :: a list of groups to include or exclude...Example\n\
LIST_OF_GROUPS=other:wheel:eng:othergroupnames "
check_config_line PAM_IGNORE_SUPPORT \
"#PAM_IGNORE_SUPPORT :: 1 to return PAM_IGNORE if a user is not SecurID authenticated due to their group membership\n\
# :: 0 to UNIX authenticate a user that is not SecurID authenticated due to their group membership\n\
# default value is 0\n\
PAM_IGNORE_SUPPORT=0"
check_config_line AUTH_CHALLENGE_USERNAME_STR \
"#AUTH_CHALLENGE_USERNAME_STR :: prompt message to ask user for their username/login id\n\
AUTH_CHALLENGE_USERNAME_STR=Enter USERNAME :"
check_config_line AUTH_CHALLENGE_RESERVE_REQUEST_STR \
"#AUTH_CHALLENGE_RESERVE_REQUEST_STR :: prompt message to ask administrator for their System password\n\
AUTH_CHALLENGE_RESERVE_REQUEST_STR=Please enter System Password for root :"
check_config_line AUTH_CHALLENGE_PASSCODE_STR \
"#AUTH_CHALLENGE_PASSCODE_STR :: prompt message to ask user for their Passcode\n\
AUTH_CHALLENGE_PASSCODE_STR=Enter PASSCODE :"
check_config_line AUTH_CHALLENGE_PASSWORD_STR \
"#AUTH_CHALLENGE_PASSWORD_STR :: prompt message to ask user for their Password\n\
AUTH_CHALLENGE_PASSWORD_STR=Enter your PASSWORD :"
chmod 644 "$PAM_CONFIG"
}
############################################################
# Install the RSA Authentication Agent 7.0 for PAM library and documentation.
############################################################
install_pam_agent()
{
##############
#untar the RPM file
##############
cd $AGENT_ROOT/
if [ -f "$HERE/$OS_DIR/$PAM_AGENT_TAR" ]; then
tar xvf "$HERE/$OS_DIR/$PAM_AGENT_TAR"
elif [ -f "$HERE/$OS_DIR/$PAM_AGENT_TAR_GZ" ]; then
tar xzvf "$HERE/$OS_DIR/$PAM_AGENT_TAR_GZ"
else
echo Error $HERE/$OS_DIR/$PAM_AGENT_TAR or $HERE/$OS_DIR/$PAM_AGENT_TAR_GZ does not exist
abort_installation
fi
if [ $ARCH = "32bit" ]; then
if [ -d "$AGENT_ROOT/pam/bin/64bit" ]; then
rm -rf "$AGENT_ROOT/pam/bin/64bit"
fi
if [ -d "$AGENT_ROOT/pam/lib/64bit" ]; then
rm -rf "$AGENT_ROOT/pam/lib/64bit"
fi
fi
#if [ -d "$AGENT_ROOT/pam/$PAM_AGENT_DOC" ]; then
# cp "$HERE/"*.pdf "$AGENT_ROOT/pam/$PAM_AGENT_DOC"
#fi
if [ $ARCH = "64bit" ]; then
if [ "$OS_DIR" = "sparc" ] || [ "$OS_DIR" = "hp_itanium" ] || [ "$OS_DIR" = "lnx" ]
then
if [ -f $AGENT_ROOT/pam/lib/$ARCH/$PAM_AGENT_MODULE.$OS_EXT ]; then
cp "$HERE/"uninstall* "$AGENT_ROOT/pam"
cp "$AGENT_ROOT/pam/lib/$ARCH/$PAM_AGENT_MODULE.$OS_EXT" "$MODULE_DIR_SECONDARY"
cp "$AGENT_ROOT/pam/lib/32bit/$PAM_AGENT_MODULE.$OS_EXT" "$MODULE_DIR_PRIMARY"
chmod 755 "$MODULE_DIR_SECONDARY/$PAM_AGENT_MODULE.$OS_EXT"
chmod 755 "$MODULE_DIR_PRIMARY/$PAM_AGENT_MODULE.$OS_EXT"
else
echo Error Could not find $PAM_AGENT_MODULE.$OS_EXT in $AGENT_ROOT/pam/$OS_DIR directory.
abort_installation
fi
else
if [ -f $AGENT_ROOT/pam/lib/32bit/$PAM_AGENT_MODULE.$OS_EXT ]; then
cp "$HERE/"uninstall* "$AGENT_ROOT/pam"
cp "$AGENT_ROOT/pam/lib/32bit/$PAM_AGENT_MODULE.$OS_EXT" "$MODULE_DIR_PRIMARY"
chmod 755 "$MODULE_DIR_PRIMARY/$PAM_AGENT_MODULE.$OS_EXT"
else
echo Error Could not find $PAM_AGENT_MODULE.$OS_EXT in $AGENT_ROOT/pam/$OS_DIR directory.
abort_installation
fi
fi
else
if [ -f $AGENT_ROOT/pam/lib/$ARCH/$PAM_AGENT_MODULE.$OS_EXT ]; then
cp "$HERE/"uninstall* "$AGENT_ROOT/pam"
cp "$AGENT_ROOT/pam/lib/$ARCH/$PAM_AGENT_MODULE.$OS_EXT" "$MODULE_DIR_PRIMARY"
chmod 755 "$MODULE_DIR_PRIMARY/$PAM_AGENT_MODULE.$OS_EXT"
else
echo Error Could not find $PAM_AGENT_MODULE.$OS_EXT in $AGENT_ROOT/pam/$OS_DIR directory.
abort_installation
fi
fi
cd "$HERE"
chown -R root "$AGENT_ROOT/pam"
chmod -R 700 "$AGENT_ROOT/pam"
}
check_user()
{
#########################
# make sure user is root
#########################
if [ "$USER_NAME" != root ]; then
echo "You Must be ROOT to install this agent"
abort_installation
fi
}
check_platform
check_user
startup_screen
check_sdconf
setup_paths
install_pam_agent
create_conf
echo ""
echo "**********************************************************************"
echo "* You have successfully installed RSA Authentication Agent 7.0 for PAM"
echo "**********************************************************************"
echo ""