2
0
mirror of https://github.com/xcat2/xcat-core.git synced 2025-10-25 08:25:29 +00:00
Files
xcat-core/xCAT-server/share/xcat/scripts/setup-local-client.sh

103 lines
3.2 KiB
Bash
Executable File

# IBM(c) 2007 EPL license http://www.eclipse.org/legal/epl-v10.html
# set up credentials for user to be able to run xCAT commands
# Must be run by root
# Interface
# setup-local-client.sh - setup root credentials
# setup-local-client.sh user1 - set up user1 credentials and store in
# $HOME/.xcat
# setup-local-client.sh user2 /tmp/user2 - setup user2 credentials and
# store in /tmp/user2/.xcat. Must later be copied to
# $HOME/xcat for user2. Used when root cannot write to
# the home directory of user2 (e.g when mounted).
umask 0077 #nothing make by this script should be readable by group or others
if [ -z "$XCATDIR" ]; then
XCATDIR=/etc/xcat
fi
# if `-f`|`--force` option is supplied, set a variable and remove option from paraameters
# This allows use of the old code without modification
FORCE=0
for v in "$@"; do
case "$v" in
"-f"|"--force")
FORCE=1
continue
;;
esac
ARGS[${#ARGS[@]}]="$v"
done
if [ ${#ARGS[@]} -gt 0 ]; then
set "${ARGS[@]}"
fi
if [ -z "$1" ]; then
set `whoami`
fi
# if directory is not supplied then just use home
if [ -z "$2" ]; then
CNA="$*"
# getent doesn't exist on AIX
if [ -x /usr/bin/getent ];then
USERHOME=`getent passwd $1|awk -F: '{print $6}'`
else
USERHOME=`grep ^$1: /etc/passwd | cut -d: -f6`
fi
else
CNA="$1"
USERHOME=$2
fi
XCATCADIR=$XCATDIR/ca
if [ -e $USERHOME/.xcat ]; then
# exit 0
if [ $FORCE -eq 0 ]; then
echo -n "$USERHOME/.xcat already exists, delete and start over (y/n)?"
read ANSWER
if [ "$ANSWER" != "y" ]; then
echo "Aborting at user request"
exit 0
fi
fi
rm -rf $USERHOME/.xcat
fi
# remove user from index
index=`grep $CNA /etc/xcat/ca/index | cut -f4 2>&1`
for id in $index; do
openssl ca -startdate 19600101010101Z -config /etc/xcat/ca/openssl.cnf -revoke /etc/xcat/ca/certs/$id.pem
done
mkdir -p $USERHOME/.xcat
cd $USERHOME/.xcat
openssl genrsa -out client-key.pem 2048
if [ $FORCE -eq 0 ]; then
openssl req -config $XCATCADIR/openssl.cnf -new -key client-key.pem -out client-req.pem -extensions usr_cert -subj "/CN=$CNA"
else
openssl req -config $XCATCADIR/openssl.cnf -new -key client-key.pem -out client-req.pem -extensions usr_cert -subj "/CN=$CNA" -batch
fi
cp client-req.pem $XCATDIR/ca/root.csr
cd - >/dev/null
cd $XCATDIR/ca
# - "make sign" doesn't work on my AIX test system????
# - seems to be a problem with the use of the wildcard in the Makefile
# - calling cmds directly instead - should be safe
# make sign
if [ $FORCE -eq 0 ]; then
openssl ca -startdate 600101010101Z -config openssl.cnf -in root.csr -out root.cert
else
openssl ca -startdate 600101010101Z -config openssl.cnf -in root.csr -out root.cert -batch
fi
if [ -f root.cert ]; then
rm root.csr
fi
cp root.cert $USERHOME/.xcat/client-cert.pem
#Unify certificate and key in one file, console command at least expects it
cat $USERHOME/.xcat/client-cert.pem $USERHOME/.xcat/client-key.pem > $USERHOME/.xcat/client-cred.pem
cp ca-cert.pem $USERHOME/.xcat/ca.pem
chown -R $1 $USERHOME/.xcat
find $USERHOME/.xcat -type f -exec chmod 600 {} \;
find $USERHOME/.xcat -type d -exec chmod 700 {} \;
chmod 644 $USERHOME/.xcat/ca.pem
chmod 755 $USERHOME/.xcat
cd - >/dev/null