privacyIDEA: initial commit
This commit is contained in:
parent
58289ece06
commit
4b106b977a
|
@ -0,0 +1,22 @@
|
||||||
|
# Beispiel für feste IP-Adreß-Konfiguration:
|
||||||
|
# Anpassen und als 00-eth0.network nach /etc/systemd/network verschieben
|
||||||
|
# (s. "man systemd.network", "man systemd-resolved")
|
||||||
|
#
|
||||||
|
# NICHT VERGESSEN: entsprechende Einträge in /etc/hosts hinzufügen
|
||||||
|
# <IPv4> <FQDN> <Hostname>
|
||||||
|
# <IPv6> <FQDN> <Hostname>
|
||||||
|
|
||||||
|
[Match]
|
||||||
|
Name=eth0
|
||||||
|
|
||||||
|
[Network]
|
||||||
|
Description=1. Netzwerk-Port
|
||||||
|
Address=192.168.1.2/24
|
||||||
|
Address=fdb5:78b:64cc:0:f8c0::2/64
|
||||||
|
Gateway=192.168.1.1
|
||||||
|
Gateway=fdb5:78b:64cc:0:f8c0::1
|
||||||
|
DNS=192.168.1.3
|
||||||
|
DNS=fdb5:78b:64cc:0:f8c0::3
|
||||||
|
NTP=192.168.1.4
|
||||||
|
NTP=fdb5:78b:64cc:0:f8c0::4
|
||||||
|
Domains=privacyidea.de
|
|
@ -0,0 +1,70 @@
|
||||||
|
preinstall:
|
||||||
|
# switch to hardened, build hardened toolchain, rebuild everything
|
||||||
|
mkdir -p $(CHROOT)/etc/portage/profile
|
||||||
|
echo "-hardened" >> $(CHROOT)/etc/portage/profile/use.mask
|
||||||
|
$(inroot) $(EMERGE) $(USEPKG) --oneshot gcc
|
||||||
|
$(inroot) $(EMERGE) $(USEPKG) --oneshot binutils virtual/libc
|
||||||
|
-$(gcc_config)
|
||||||
|
## $(inroot) $(EMERGE) --depclean --with-bdeps=n
|
||||||
|
$(inroot) $(EMERGE) $(USEPKG) --emptytree @world
|
||||||
|
$(inroot) bash -c 'yes YES | etc-update --automode -9'
|
||||||
|
|
||||||
|
# Unitas-Portage-Overlay einbinden
|
||||||
|
$(inroot) $(EMERGE) -n $(USEPKG) app-portage/layman
|
||||||
|
sed -i 's/check_official : Yes/check_official : No/' $(CHROOT)/etc/layman/layman.cfg
|
||||||
|
wget -P $(CHROOT)/etc/layman/overlays http://dev.unitas-network.de/raw/Gentoo/Unitas.git/master/unitas-overlays.xml
|
||||||
|
$(inroot) layman -l | grep -q unitas || $(inroot) layman -La unitas
|
||||||
|
|
||||||
|
postinstall: timesyncd.conf installgrub.sh grub.shell firstboot.start
|
||||||
|
# Konfigurationen anpassen
|
||||||
|
cp timesyncd.conf $(CHROOT)/etc/systemd/timesyncd.conf
|
||||||
|
cp installgrub.sh $(CHROOT)/installgrub.sh
|
||||||
|
cp grub.shell $(CHROOT)/grub.shell
|
||||||
|
cp firstboot.start $(CHROOT)/etc/local.d/firstboot.start
|
||||||
|
touch $(CHROOT)/firstboot
|
||||||
|
sed -i 's/# %wheel ALL=(ALL) ALL/%wheel ALL=(ALL) ALL/' $(CHROOT)/etc/sudoers
|
||||||
|
$(inroot) useradd -m -G users,wheel -s /bin/bash admin
|
||||||
|
$(inroot) passwd -d admin; $(inroot) passwd -e admin
|
||||||
|
$(inroot) systemctl enable screen@adm.service
|
||||||
|
|
||||||
|
# Beispiel feste IP-Adresse
|
||||||
|
cp 00-eth0.network $(CHROOT)/00-eth0.network.example
|
||||||
|
|
||||||
|
# MariaDB-Konfiguration
|
||||||
|
cp mariadb/my.cnf $(CHROOT)/etc/mysql/my.cnf
|
||||||
|
cp mariadb/my.cnf.root $(CHROOT)/root/.my.cnf
|
||||||
|
chmod 0600 $(CHROOT)/root/.my.cnf
|
||||||
|
rm -rf $(CHROOT)/var/lib/mysql/*
|
||||||
|
$(inroot) bash -c 'yes gentoo | emerge --config dev-db/mariadb'
|
||||||
|
|
||||||
|
# Apache-/PHP-Konfiguration
|
||||||
|
sed -i 's:APACHE2_OPTS=\":APACHE2_OPTS=\"-D WSGI :' $(CHROOT)/etc/conf.d/apache2
|
||||||
|
cp apache/00_default_ssl_vhost.conf $(CHROOT)/etc/apache2/vhosts.d/
|
||||||
|
$(inroot) systemctl enable apache2
|
||||||
|
|
||||||
|
# privacyIDEA Konfiguration (eigene Voreinstellungen)
|
||||||
|
cp privacyidea/enckey $(CHROOT)/etc/privacyidea/
|
||||||
|
cp privacyidea/pi.cfg $(CHROOT)/etc/privacyidea/
|
||||||
|
cp privacyidea/private.pem $(CHROOT)/etc/privacyidea/
|
||||||
|
cp privacyidea/public.pem $(CHROOT)/etc/privacyidea/
|
||||||
|
cp privacyidea/openssl.cnf $(CHROOT)/etc/privacyidea/CA/
|
||||||
|
$(inroot) chown -R privacyidea:root /etc/privacyidea
|
||||||
|
chmod 600 $(CHROOT)/etc/privacyidea/enckey
|
||||||
|
chmod 600 $(CHROOT)/etc/privacyidea/private.pem
|
||||||
|
touch $(CHROOT)/var/log/privacyidea/privacyidea.log
|
||||||
|
$(inroot) chown privacyidea:root /var/log/privacyidea/privacyidea.log
|
||||||
|
|
||||||
|
# FreeRADIUS-Konfiguration
|
||||||
|
sed -i 's:filename = .*:filename = /usr/lib/privacyidea/authmodules/FreeRADIUS/privacyidea_radius.pm:' $(CHROOT)/etc/raddb/mods-available/perl
|
||||||
|
ln -s ../mods-available/perl $(CHROOT)/etc/raddb/mods-enabled/perl
|
||||||
|
cp freeradius/privacyidea $(CHROOT)/etc/raddb/sites-available/
|
||||||
|
$(inroot) chown root:radius /etc/raddb/sites-available/privacyidea
|
||||||
|
chmod 640 $(CHROOT)/etc/raddb/sites-available/privacyidea
|
||||||
|
rm $(CHROOT)/etc/raddb/mods-enabled/eap
|
||||||
|
rm $(CHROOT)/etc/raddb/sites-enabled/*
|
||||||
|
ln -s ../sites-available/privacyidea $(CHROOT)/etc/raddb/sites-enabled/privacyidea
|
||||||
|
mv $(CHROOT)/etc/raddb/dictionary $(CHROOT)/etc/raddb/dictionary.orig
|
||||||
|
cp $(CHROOT)/etc/privacyidea/dictionary $(CHROOT)/etc/raddb/
|
||||||
|
$(inroot) systemctl enable freeradius
|
||||||
|
|
||||||
|
clean:
|
|
@ -0,0 +1,15 @@
|
||||||
|
Erstkonfiguration
|
||||||
|
=================
|
||||||
|
|
||||||
|
- für variable Daten (MySQL/MariaDB, Konfiguration) muß eine mit ext4 formatierte Datenpartition mit dem Label "DATA" vorhanden sein. Diese wird nach /DATA gemountet.
|
||||||
|
- feste IP-Adresse und /etc/hosts konfigurieren
|
||||||
|
- für privacyIDEA evtl die Keys neu erstellen (/etc/privacyidea/enckey und *.pem löschen und mit pi-manage neu erstellen. Anschließend auch die Datembank mit pi-manage löschen und neu erstellen.
|
||||||
|
- privacyIDEA Admin mit ip-manage erstellen
|
||||||
|
- evtl. Apache-Zertifikat neu erzeugen
|
||||||
|
- FreeRADIUS Server-Zertifikat erzeugen: cd /etc/raddb/certs/; make
|
||||||
|
- unter VMware evtl. open-vm-tools aktivieren
|
||||||
|
|
||||||
|
Hinweise
|
||||||
|
========
|
||||||
|
|
||||||
|
- FreeRADIUS läßt sich nur mit MAKEOPTS="-j1" bauen (Bug #509498). Am besten in Virtual-Appliance-Shell mit "make ... shell" springen und freeradius einzeln emergen. Es entsteht ein ein binäres Paket, welches dann immer genutzt wird.
|
|
@ -0,0 +1,57 @@
|
||||||
|
<IfDefine SSL>
|
||||||
|
<IfDefine SSL_DEFAULT_VHOST>
|
||||||
|
<IfModule ssl_module>
|
||||||
|
|
||||||
|
Listen 443
|
||||||
|
|
||||||
|
<VirtualHost _default_:443>
|
||||||
|
ServerName localhost
|
||||||
|
Include /etc/apache2/vhosts.d/default_vhost.include
|
||||||
|
ErrorLog /var/log/apache2/ssl_error_log
|
||||||
|
|
||||||
|
<Directory />
|
||||||
|
Require all granted
|
||||||
|
Options FollowSymLinks
|
||||||
|
AllowOverride None
|
||||||
|
</Directory>
|
||||||
|
|
||||||
|
WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
|
||||||
|
WSGIDaemonProcess privacyidea processes=1 threads=15 display-name=%{GROUP} user=privacyidea
|
||||||
|
WSGIProcessGroup privacyidea
|
||||||
|
WSGIPassAuthorization On
|
||||||
|
|
||||||
|
<IfModule log_config_module>
|
||||||
|
TransferLog /var/log/apache2/ssl_access_log
|
||||||
|
</IfModule>
|
||||||
|
|
||||||
|
SSLEngine on
|
||||||
|
|
||||||
|
SSLProtocol ALL -SSLv2 -SSLv3
|
||||||
|
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
|
||||||
|
SSLHonorCipherOrder On
|
||||||
|
SSLCertificateFile /etc/ssl/apache2/server.crt
|
||||||
|
SSLCertificateKeyFile /etc/ssl/apache2/server.key
|
||||||
|
|
||||||
|
<FilesMatch "\.(cgi|shtml|phtml|php)$">
|
||||||
|
SSLOptions +StdEnvVars
|
||||||
|
</FilesMatch>
|
||||||
|
|
||||||
|
<Directory "/var/www/localhost/cgi-bin">
|
||||||
|
SSLOptions +StdEnvVars
|
||||||
|
</Directory>
|
||||||
|
|
||||||
|
<IfModule setenvif_module>
|
||||||
|
BrowserMatch ".*MSIE.*" \
|
||||||
|
nokeepalive ssl-unclean-shutdown \
|
||||||
|
downgrade-1.0 force-response-1.0
|
||||||
|
</IfModule>
|
||||||
|
|
||||||
|
<IfModule log_config_module>
|
||||||
|
CustomLog /var/log/apache2/ssl_request_log \
|
||||||
|
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
|
||||||
|
</IfModule>
|
||||||
|
|
||||||
|
</VirtualHost>
|
||||||
|
</IfModule>
|
||||||
|
</IfDefine>
|
||||||
|
</IfDefine>
|
|
@ -0,0 +1,82 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# base settings
|
||||||
|
set -e
|
||||||
|
|
||||||
|
[ -e /firstboot ] || exit 0
|
||||||
|
|
||||||
|
echo 'Setting defaults...'
|
||||||
|
localectl --no-convert set-keymap de-latin1-nodeadkeys
|
||||||
|
|
||||||
|
echo 'Activate services...'
|
||||||
|
timedatectl set-ntp true
|
||||||
|
|
||||||
|
# variables
|
||||||
|
LABEL="DATA"
|
||||||
|
DATABASE_PASS="Di1sgMySQLPwd."
|
||||||
|
|
||||||
|
# Data partition
|
||||||
|
echo 'Mount data partition...'
|
||||||
|
mkdir -p /$LABEL
|
||||||
|
if [ ! -L "/dev/disk/by-label/$LABEL" ]; then
|
||||||
|
echo 'ERROR: Data partition not found!'
|
||||||
|
echo "Please create a data partition with ext4 filesystem and label \"$LABEL\":"
|
||||||
|
echo "# cfdisk /dev/<disk> (use GPT label, create linux partition)"
|
||||||
|
echo "# mkfs.ext4 -L $LABEL /dev/<partition>"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
if ! grep -Fq "LABEL=$LABEL" /etc/fstab; then
|
||||||
|
echo "LABEL=$LABEL /$LABEL ext4 noatime 0 1" >> /etc/fstab
|
||||||
|
fi
|
||||||
|
mount -a
|
||||||
|
if ! mount | grep /$LABEL > /dev/null; then
|
||||||
|
echo "ERROR: Could not mount data partition!"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ ! -d "/$LABEL/var/lib/mysql/pi" ]; then
|
||||||
|
echo 'Initialize MariaDB...'
|
||||||
|
systemctl stop mariadb
|
||||||
|
mkdir -p /$LABEL/var/lib/mysql
|
||||||
|
rm -rf /$LABEL/var/lib/mysql/*
|
||||||
|
cp -a /var/lib/mysql/. /$LABEL/var/lib/mysql
|
||||||
|
sed -i "s:^datadir.*:datadir = /$LABEL/var/lib/mysql:" /etc/mysql/my.cnf
|
||||||
|
systemctl start mariadb
|
||||||
|
|
||||||
|
echo 'Create privacyIDEA database...'
|
||||||
|
mysql -u root -e "CREATE USER 'pi'@'localhost' IDENTIFIED BY '$DATABASE_PASS'"
|
||||||
|
mysql -u root -e "CREATE DATABASE pi DEFAULT CHARACTER SET latin1 COLLATE latin1_swedish_ci;"
|
||||||
|
mysql -u root -e "GRANT ALL PRIVILEGES ON pi.* TO 'pi'@'localhost' IDENTIFIED by '$DATABASE_PASS';"
|
||||||
|
mysql -u root -e "FLUSH PRIVILEGES;"
|
||||||
|
|
||||||
|
echo 'Initialize privacyIDEA database...'
|
||||||
|
sed -i "s:<pi-db-password>:$DATABASE_PASS:" /etc/privacyidea/pi.cfg
|
||||||
|
pi-manage createdb
|
||||||
|
if [ ! -d "/$LABEL/etc/privacyidea" ]; then
|
||||||
|
echo 'Create privacyIDEA encryption and audit keys...'
|
||||||
|
mkdir -p /$LABEL/etc/privacyidea
|
||||||
|
chown privacyidea /$LABEL/etc/privacyidea
|
||||||
|
|
||||||
|
rm /etc/privacyidea/enckey
|
||||||
|
pi-manage create_enckey
|
||||||
|
mv /etc/privacyidea/enckey /$LABEL/etc/privacyidea/enckey
|
||||||
|
chown privacyidea /$LABEL/etc/privacyidea/enckey
|
||||||
|
ln -s /$LABEL/etc/privacyidea/enckey /etc/privacyidea/enckey
|
||||||
|
|
||||||
|
rm /etc/privacyidea/public.pem /etc/privacyidea/private.pem
|
||||||
|
pi-manage create_audit_keys
|
||||||
|
mv /etc/privacyidea/private.pem /$LABEL/etc/privacyidea/private.pem
|
||||||
|
mv /etc/privacyidea/public.pem /$LABEL/etc/privacyidea/public.pem
|
||||||
|
chown privacyidea /$LABEL/etc/privacyidea/*.pem
|
||||||
|
ln -s /$LABEL/etc/privacyidea/private.pem etc/privacyidea/private.pem
|
||||||
|
ln -s /$LABEL/etc/privacyidea/public.pem /etc/privacyidea/public.pem
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
echo 'Start MariaDB...'
|
||||||
|
sed -i "s:^datadir.*:datadir = /$LABEL/var/lib/mysql:" /etc/mysql/my.cnf
|
||||||
|
systemctl start mariadb
|
||||||
|
fi
|
||||||
|
echo 'Enable database...'
|
||||||
|
systemctl enable mariadb
|
||||||
|
|
||||||
|
rm /firstboot
|
|
@ -0,0 +1,64 @@
|
||||||
|
server default {
|
||||||
|
|
||||||
|
listen {
|
||||||
|
type = auth
|
||||||
|
ipaddr = *
|
||||||
|
port = 0
|
||||||
|
limit {
|
||||||
|
max_connections = 16
|
||||||
|
lifetime = 0
|
||||||
|
idle_timeout = 30
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
listen {
|
||||||
|
ipaddr = *
|
||||||
|
port = 0
|
||||||
|
type = acct
|
||||||
|
limit {
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
authorize {
|
||||||
|
preprocess
|
||||||
|
digest
|
||||||
|
suffix
|
||||||
|
ntdomain
|
||||||
|
files
|
||||||
|
expiration
|
||||||
|
logintime
|
||||||
|
pap
|
||||||
|
update control {
|
||||||
|
Auth-Type := Perl
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
authenticate {
|
||||||
|
Auth-Type Perl {
|
||||||
|
perl
|
||||||
|
}
|
||||||
|
digest
|
||||||
|
}
|
||||||
|
|
||||||
|
preacct {
|
||||||
|
suffix
|
||||||
|
files
|
||||||
|
}
|
||||||
|
|
||||||
|
accounting {
|
||||||
|
detail
|
||||||
|
}
|
||||||
|
|
||||||
|
session {
|
||||||
|
}
|
||||||
|
|
||||||
|
post-auth {
|
||||||
|
}
|
||||||
|
|
||||||
|
pre-proxy {
|
||||||
|
}
|
||||||
|
|
||||||
|
post-proxy {
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,6 @@
|
||||||
|
root (hd0,0)
|
||||||
|
setup (hd0)
|
||||||
|
root (hd1,0)
|
||||||
|
setup (hd1)
|
||||||
|
quit
|
||||||
|
|
|
@ -0,0 +1,12 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
mount -t proc proc /mnt/gentoo/proc
|
||||||
|
mount --rbind /sys /mnt/gentoo/sys
|
||||||
|
mount --rbind /dev /mnt/gentoo/dev
|
||||||
|
|
||||||
|
chroot /mnt/gentoo cat /grub.shell | /sbin/grub --no-floppy --batch
|
||||||
|
|
||||||
|
umount /mnt/gentoo/proc
|
||||||
|
umount /mnt/gentoo/sys
|
||||||
|
umount /mnt/gentoo/dev
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,6 @@
|
||||||
|
CFLAGS="-O2 -pipe"
|
||||||
|
CXXFLAGS="-O2 -pipe"
|
||||||
|
USE="hardened justify pax_kernel pie ssp urandom xattr xtpax -fortran -jit -orc -pch -pic -prelink -profile -tcc"
|
||||||
|
MAKEOPTS="-j5"
|
||||||
|
PYTHON_TARGETS="python2_7"
|
||||||
|
PYTHON_SINGLE_TARGET="python2_7"
|
|
@ -0,0 +1,139 @@
|
||||||
|
# /etc/mysql/my.cnf: The global mysql configuration file.
|
||||||
|
# $Id$
|
||||||
|
|
||||||
|
# The following options will be passed to all MySQL clients
|
||||||
|
[client]
|
||||||
|
#password = your_password
|
||||||
|
port = 3306
|
||||||
|
socket = /var/run/mysqld/mysqld.sock
|
||||||
|
|
||||||
|
[mysql]
|
||||||
|
character-sets-dir=/usr/share/mysql/charsets
|
||||||
|
default-character-set=utf8
|
||||||
|
|
||||||
|
[mysqladmin]
|
||||||
|
character-sets-dir=/usr/share/mysql/charsets
|
||||||
|
default-character-set=utf8
|
||||||
|
|
||||||
|
[mysqlcheck]
|
||||||
|
character-sets-dir=/usr/share/mysql/charsets
|
||||||
|
default-character-set=utf8
|
||||||
|
|
||||||
|
[mysqldump]
|
||||||
|
character-sets-dir=/usr/share/mysql/charsets
|
||||||
|
default-character-set=utf8
|
||||||
|
|
||||||
|
[mysqlimport]
|
||||||
|
character-sets-dir=/usr/share/mysql/charsets
|
||||||
|
default-character-set=utf8
|
||||||
|
|
||||||
|
[mysqlshow]
|
||||||
|
character-sets-dir=/usr/share/mysql/charsets
|
||||||
|
default-character-set=utf8
|
||||||
|
|
||||||
|
[myisamchk]
|
||||||
|
character-sets-dir=/usr/share/mysql/charsets
|
||||||
|
|
||||||
|
[myisampack]
|
||||||
|
character-sets-dir=/usr/share/mysql/charsets
|
||||||
|
|
||||||
|
# add a section [mysqld-4.1] or [mysqld-5.0] for specific configurations
|
||||||
|
[mysqld]
|
||||||
|
character-set-server = utf8
|
||||||
|
user = mysql
|
||||||
|
port = 3306
|
||||||
|
socket = /var/run/mysqld/mysqld.sock
|
||||||
|
pid-file = /var/run/mysqld/mysqld.pid
|
||||||
|
log-error = /var/log/mysql/mysqld.err
|
||||||
|
basedir = /usr
|
||||||
|
datadir = /var/lib/mysql
|
||||||
|
skip-external-locking
|
||||||
|
key_buffer_size = 16M
|
||||||
|
max_allowed_packet = 4M
|
||||||
|
table_open_cache = 400
|
||||||
|
sort_buffer_size = 512K
|
||||||
|
net_buffer_length = 16K
|
||||||
|
read_buffer_size = 256K
|
||||||
|
read_rnd_buffer_size = 512K
|
||||||
|
myisam_sort_buffer_size = 8M
|
||||||
|
lc_messages_dir = /usr/share/mysql
|
||||||
|
#Set this to your desired error message language
|
||||||
|
lc_messages = en_US
|
||||||
|
|
||||||
|
# security:
|
||||||
|
# using "localhost" in connects uses sockets by default
|
||||||
|
# skip-networking
|
||||||
|
bind-address = 127.0.0.1
|
||||||
|
|
||||||
|
##log-bin
|
||||||
|
server-id = 1
|
||||||
|
|
||||||
|
# point the following paths to different dedicated disks
|
||||||
|
tmpdir = /tmp/
|
||||||
|
#log-update = /path-to-dedicated-directory/hostname
|
||||||
|
|
||||||
|
# you need the debug USE flag enabled to use the following directives,
|
||||||
|
# if needed, uncomment them, start the server and issue
|
||||||
|
# #tail -f /tmp/mysqld.sql /tmp/mysqld.trace
|
||||||
|
# this will show you *exactly* what's happening in your server ;)
|
||||||
|
|
||||||
|
#log = /tmp/mysqld.sql
|
||||||
|
#gdb
|
||||||
|
#debug = d:t:i:o,/tmp/mysqld.trace
|
||||||
|
#one-thread
|
||||||
|
|
||||||
|
# the rest of the innodb config follows:
|
||||||
|
# don't eat too much memory, we're trying to be safe on 64Mb boxes
|
||||||
|
# you might want to bump this up a bit on boxes with more RAM
|
||||||
|
innodb_buffer_pool_size = 128M
|
||||||
|
#
|
||||||
|
# i'd like to use /var/lib/mysql/innodb, but that is seen as a database :-(
|
||||||
|
# and upstream wants things to be under /var/lib/mysql/, so that's the route
|
||||||
|
# we have to take for the moment
|
||||||
|
#innodb_data_home_dir = /var/lib/mysql/
|
||||||
|
#innodb_log_arch_dir = /var/lib/mysql/
|
||||||
|
#innodb_log_group_home_dir = /var/lib/mysql/
|
||||||
|
# you may wish to change this size to be more suitable for your system
|
||||||
|
# the max is there to avoid run-away growth on your machine
|
||||||
|
innodb_data_file_path = ibdata1:10M:autoextend:max:128M
|
||||||
|
# we keep this at around 25% of of innodb_buffer_pool_size
|
||||||
|
# sensible values range from 1MB to (1/innodb_log_files_in_group*innodb_buffer_pool_size)
|
||||||
|
innodb_log_file_size = 48M
|
||||||
|
# this is the default, increase it if you have very large transactions going on
|
||||||
|
innodb_log_buffer_size = 8M
|
||||||
|
# this is the default and won't hurt you
|
||||||
|
# you shouldn't need to tweak it
|
||||||
|
innodb_log_files_in_group=2
|
||||||
|
# see the innodb config docs, the other options are not always safe
|
||||||
|
innodb_flush_log_at_trx_commit = 1
|
||||||
|
innodb_lock_wait_timeout = 50
|
||||||
|
innodb_file_per_table
|
||||||
|
|
||||||
|
# Uncomment this to get FEDERATED engine support
|
||||||
|
#plugin-load=federated=ha_federated.so
|
||||||
|
loose-federated
|
||||||
|
|
||||||
|
[mysqldump]
|
||||||
|
quick
|
||||||
|
max_allowed_packet = 16M
|
||||||
|
|
||||||
|
[mysql]
|
||||||
|
# uncomment the next directive if you are not familiar with SQL
|
||||||
|
#safe-updates
|
||||||
|
|
||||||
|
[isamchk]
|
||||||
|
key_buffer_size = 20M
|
||||||
|
sort_buffer_size = 20M
|
||||||
|
read_buffer = 2M
|
||||||
|
write_buffer = 2M
|
||||||
|
|
||||||
|
[myisamchk]
|
||||||
|
key_buffer_size = 20M
|
||||||
|
sort_buffer_size = 20M
|
||||||
|
read_buffer_size = 2M
|
||||||
|
write_buffer_size = 2M
|
||||||
|
|
||||||
|
[mysqlhotcopy]
|
||||||
|
interactive-timeout
|
||||||
|
|
||||||
|
[mariadb]
|
|
@ -0,0 +1,7 @@
|
||||||
|
[mysqladmin]
|
||||||
|
user = root
|
||||||
|
password = gentoo
|
||||||
|
|
||||||
|
[mysql]
|
||||||
|
user = root
|
||||||
|
password = gentoo
|
|
@ -0,0 +1,28 @@
|
||||||
|
# base
|
||||||
|
app-admin/paxtest ~amd64 ~x86
|
||||||
|
app-emulation/open-vm-tools ~amd64 ~x86
|
||||||
|
sys-auth/pam_ssh_agent_auth ~amd64 ~x86
|
||||||
|
sys-kernel/gentoo-sources ~amd64 ~x86
|
||||||
|
sys-kernel/hardened-sources ~amd64 ~x86
|
||||||
|
|
||||||
|
#MariaDB mit SystemD-Support
|
||||||
|
dev-db/mariadb ~amd64 ~x86
|
||||||
|
|
||||||
|
# privacyIDEA
|
||||||
|
dev-python/responses
|
||||||
|
dev-python/pyusb
|
||||||
|
dev-python/imagesize
|
||||||
|
dev-python/cookies
|
||||||
|
dev-python/python-gnupg
|
||||||
|
dev-python/ldap3
|
||||||
|
dev-python/yubiotp
|
||||||
|
dev-python/pycrypto
|
||||||
|
dev-python/mysql-connector-python
|
||||||
|
dev-python/pytest-cov
|
||||||
|
##dev-python/bottleneck
|
||||||
|
|
||||||
|
# grunt, wird nur zur privacyIDEA-Translation benötigt
|
||||||
|
dev-nodejs/*
|
||||||
|
|
||||||
|
# FreeRADIUS mit systemd-Support
|
||||||
|
net-dialup/freeradius
|
|
@ -0,0 +1,34 @@
|
||||||
|
# base
|
||||||
|
app-admin/sudo -sendmail
|
||||||
|
app-editors/nano ncurses
|
||||||
|
app-emulation/open-vm-tools pic -modules
|
||||||
|
app-misc/mc -slang
|
||||||
|
dev-lang/python ssl threads xml
|
||||||
|
dev-libs/libpcre cxx
|
||||||
|
dev-util/pkgconfig internal-glib
|
||||||
|
net-misc/openssh ssl
|
||||||
|
net-misc/wget ssl
|
||||||
|
sys-apps/hwids udev
|
||||||
|
sys-apps/kmod tools
|
||||||
|
sys-apps/net-tools hostname
|
||||||
|
sys-apps/portage ipc
|
||||||
|
sys-auth/pambase nullok sha512
|
||||||
|
sys-devel/gcc cxx nptl
|
||||||
|
sys-kernel/gentoo-sources symlink
|
||||||
|
sys-kernel/hardened-sources symlink
|
||||||
|
|
||||||
|
# Monitoring
|
||||||
|
net-analyzer/zabbix agent
|
||||||
|
|
||||||
|
# privacyIDEA
|
||||||
|
www-apps/privacyidea -translation
|
||||||
|
dev-lang/python
|
||||||
|
dev-python/sqlalchemy -sqlite
|
||||||
|
dev-python/netaddr -cli
|
||||||
|
dev-python/numpy lapack
|
||||||
|
dev-libs/c-blosc hdf5
|
||||||
|
sys-devel/gcc fortran
|
||||||
|
sci-libs/hdf5 -cxx -fortran -hl
|
||||||
|
|
||||||
|
# RADIUS
|
||||||
|
net-dialup/freeradius kerberos ldap mysql python
|
|
@ -0,0 +1,18 @@
|
||||||
|
##HOSTNAME = $(APPLIANCE)
|
||||||
|
##TIMEZONE = UTC
|
||||||
|
##DISK_SIZE = 6.0G
|
||||||
|
##SWAP_SIZE = 30
|
||||||
|
##SWAP_FILE = $(CHROOT)/.swap
|
||||||
|
##ARCH = amd64-hardened
|
||||||
|
##MAKEOPTS = -j10 -l10
|
||||||
|
##PRUNE_CRITICAL = NO
|
||||||
|
##CHANGE_PASSWORD = YES
|
||||||
|
##HEADLESS = NO
|
||||||
|
##SOFTWARE = 1
|
||||||
|
##PKGLIST = 0
|
||||||
|
##RSYNC_MIRROR = rsync://rsync15.de.gentoo.org/gentoo/
|
||||||
|
KERNEL_PKG = hardened-sources
|
||||||
|
KERNEL_CONFIG = appliances/$(APPLIANCE)/kernel.config
|
||||||
|
ENABLE_SSHD = YES
|
||||||
|
TIMEZONE=Europe/Berlin
|
||||||
|
LOCALE=de_DE.utf8
|
|
@ -0,0 +1,2 @@
|
||||||
|
|
||||||
|
1<>¹5pA^¾
D’½8
1<ֽ‚היאִ ˆךץ¾זיzy†<79>F_bG~<´<¶„+U<14>z\׳ƒ7<C692>TםV²ִ)[PJֻה<D6BB>״vװ<76>h,kQ·2IH˜
|
|
@ -0,0 +1,295 @@
|
||||||
|
# This is an example configuration that can work
|
||||||
|
# with privacyIDEA local CA Connector.
|
||||||
|
# For productive use, please ask a consultant to
|
||||||
|
# set up your PKI.
|
||||||
|
# Do not use this productively, unless you know, what
|
||||||
|
# you are doing!
|
||||||
|
#
|
||||||
|
# To initialize the CA do:
|
||||||
|
|
||||||
|
# openssl req -days 1500 -new -x509 -keyout /etc/privacyidea/CA/ca.key \
|
||||||
|
# -out /etc/privacyidea/CA/ca.crt -config /etc/privacyidea/CA/openssl.cnf
|
||||||
|
# chmod 0600 /etc/privacyidea/CA/ca.key
|
||||||
|
# touch /etc/privacyidea/CA/index.txt
|
||||||
|
# echo 01 > /etc/privacyidea/CA/serial
|
||||||
|
#
|
||||||
|
# Please adapt the following lines
|
||||||
|
#
|
||||||
|
#----------- your configuration -------------------
|
||||||
|
|
||||||
|
HOME = /etc/privacyidea/CA
|
||||||
|
RANDFILE = $HOME/.rnd
|
||||||
|
KEYSIZE = 2048
|
||||||
|
COUNTRY = DE
|
||||||
|
STATE = TH
|
||||||
|
CITY = Ronneburg
|
||||||
|
ORGANIZATION = Unitas Network
|
||||||
|
EMAIL = info@unitas-network.de
|
||||||
|
AIA = http://example.com/ca.crt
|
||||||
|
CDP1 = http://example.com/crl.pem
|
||||||
|
CDP2 = http://pki.example.com/crl.pem
|
||||||
|
|
||||||
|
|
||||||
|
#---------- end of your configuration -------------
|
||||||
|
|
||||||
|
# Extra OBJECT IDENTIFIER info:
|
||||||
|
oid_section = new_oids
|
||||||
|
#openssl_conf = openssl_init
|
||||||
|
|
||||||
|
# To use this configuration file with the "-extfile" option of the
|
||||||
|
# "openssl x509" utility, name here the section containing the
|
||||||
|
# X.509v3 extensions to use:
|
||||||
|
# extensions =
|
||||||
|
# (Alternatively, use a configuration file that has only
|
||||||
|
# X.509v3 extensions in its main [= default] section.)
|
||||||
|
|
||||||
|
[ new_oids ]
|
||||||
|
|
||||||
|
# We can add new OIDs in here for use by 'ca' and 'req'.
|
||||||
|
# Add a simple OID like this:
|
||||||
|
# testoid1=1.2.3.4
|
||||||
|
# Or use config file substitution like this:
|
||||||
|
# testoid2=${testoid1}.5.6
|
||||||
|
|
||||||
|
####################################################################
|
||||||
|
[ ca ]
|
||||||
|
default_ca = CA_default # The default ca section
|
||||||
|
|
||||||
|
####################################################################
|
||||||
|
[ CA_default ]
|
||||||
|
|
||||||
|
dir = /etc/privacyidea/CA/ # Where everything is kept
|
||||||
|
certs = $dir # Where the issued certs are kept
|
||||||
|
crl_dir = $dir # Where the issued crl are kept
|
||||||
|
database = $dir/index.txt # database index file.
|
||||||
|
new_certs_dir = $dir # default place for new certs.
|
||||||
|
|
||||||
|
certificate = $dir/ca.crt # The CA certificate
|
||||||
|
serial = $dir/serial # The current serial number
|
||||||
|
crl = $dir/crl.pem # The current CRL
|
||||||
|
private_key = $dir/ca.key # The private key
|
||||||
|
RANDFILE = $dir/.rand # private random number file
|
||||||
|
|
||||||
|
x509_extensions = usr_cert # The extentions to add to the cert
|
||||||
|
|
||||||
|
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
|
||||||
|
# so this is commented out by default to leave a V1 CRL.
|
||||||
|
# crl_extensions = crl_ext
|
||||||
|
|
||||||
|
default_days = 3650 # how long to certify for
|
||||||
|
default_crl_days= 35 # how long before next CRL
|
||||||
|
default_md = sha1 # which md to use.
|
||||||
|
preserve = no # keep passed DN ordering
|
||||||
|
|
||||||
|
# A few difference way of specifying how similar the request should look
|
||||||
|
# For type CA, the listed attributes must be the same, and the optional
|
||||||
|
# and supplied fields are just that :-)
|
||||||
|
policy = policy_anything
|
||||||
|
|
||||||
|
# For the CA policy
|
||||||
|
[ policy_match ]
|
||||||
|
countryName = match
|
||||||
|
stateOrProvinceName = match
|
||||||
|
organizationName = match
|
||||||
|
organizationalUnitName = optional
|
||||||
|
commonName = supplied
|
||||||
|
emailAddress = optional
|
||||||
|
|
||||||
|
# For the 'anything' policy
|
||||||
|
# At this point in time, you must list all acceptable 'object'
|
||||||
|
# types.
|
||||||
|
[ policy_anything ]
|
||||||
|
countryName = optional
|
||||||
|
stateOrProvinceName = optional
|
||||||
|
localityName = optional
|
||||||
|
organizationName = optional
|
||||||
|
organizationalUnitName = optional
|
||||||
|
commonName = supplied
|
||||||
|
emailAddress = optional
|
||||||
|
|
||||||
|
####################################################################
|
||||||
|
[ req ]
|
||||||
|
default_bits = $KEYSIZE
|
||||||
|
default_keyfile = privkey.pem
|
||||||
|
distinguished_name = req_distinguished_name
|
||||||
|
attributes = req_attributes
|
||||||
|
x509_extensions = v3_ca # The extentions to add to the self signed cert
|
||||||
|
|
||||||
|
# Passwords for private keys if not present they will be prompted for
|
||||||
|
# input_password = secret
|
||||||
|
# output_password = secret
|
||||||
|
|
||||||
|
# This sets a mask for permitted string types. There are several options.
|
||||||
|
# default: PrintableString, T61String, BMPString.
|
||||||
|
# pkix : PrintableString, BMPString.
|
||||||
|
# utf8only: only UTF8Strings.
|
||||||
|
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
|
||||||
|
# MASK:XXXX a literal mask value.
|
||||||
|
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
|
||||||
|
# so use this option with caution!
|
||||||
|
string_mask = nombstr
|
||||||
|
|
||||||
|
# req_extensions = v3_req # The extensions to add to a certificate request
|
||||||
|
|
||||||
|
[ req_distinguished_name ]
|
||||||
|
countryName = Country Name (2 letter code)
|
||||||
|
countryName_default = $COUNTRY
|
||||||
|
countryName_min = 2
|
||||||
|
countryName_max = 2
|
||||||
|
|
||||||
|
stateOrProvinceName = State or Province Name (full name)
|
||||||
|
stateOrProvinceName_default = $STATE
|
||||||
|
|
||||||
|
localityName = Locality Name (eg, city)
|
||||||
|
localityName_default = $CITY
|
||||||
|
|
||||||
|
0.organizationName = Organization Name (eg, company)
|
||||||
|
0.organizationName_default = $ORGANIZATION
|
||||||
|
|
||||||
|
# we can do this but it is not needed normally :-)
|
||||||
|
#1.organizationName = Second Organization Name (eg, company)
|
||||||
|
#1.organizationName_default = World Wide Web Pty Ltd
|
||||||
|
|
||||||
|
organizationalUnitName = Organizational Unit Name (eg, section)
|
||||||
|
#organizationalUnitName_default =
|
||||||
|
|
||||||
|
commonName = Common Name (eg, your name or your server\'s hostname)
|
||||||
|
commonName_max = 64
|
||||||
|
|
||||||
|
emailAddress = Email Address
|
||||||
|
emailAddress_default = $EMAIL
|
||||||
|
emailAddress_max = 40
|
||||||
|
|
||||||
|
|
||||||
|
# SET-ex3 = SET extension number 3
|
||||||
|
|
||||||
|
[ req_attributes ]
|
||||||
|
challengePassword = A challenge password
|
||||||
|
challengePassword_min = 4
|
||||||
|
challengePassword_max = 20
|
||||||
|
|
||||||
|
unstructuredName = An optional company name
|
||||||
|
|
||||||
|
[ usr_cert ]
|
||||||
|
|
||||||
|
# These extensions are added when 'ca' signs a request.
|
||||||
|
|
||||||
|
# This goes against PKIX guidelines but some CAs do it and some software
|
||||||
|
# requires this to avoid interpreting an end user certificate as a CA.
|
||||||
|
|
||||||
|
basicConstraints=CA:FALSE
|
||||||
|
|
||||||
|
# Here are some examples of the usage of nsCertType. If it is omitted
|
||||||
|
# the certificate can be used for anything *except* object signing.
|
||||||
|
|
||||||
|
# This is OK for an SSL server.
|
||||||
|
# nsCertType = server
|
||||||
|
|
||||||
|
# For an object signing certificate this would be used.
|
||||||
|
# nsCertType = objsign
|
||||||
|
|
||||||
|
# For normal client use this is typical
|
||||||
|
# nsCertType = client, email
|
||||||
|
|
||||||
|
# and for everything including object signing:
|
||||||
|
# nsCertType = client, email, objsign
|
||||||
|
|
||||||
|
# This is typical in keyUsage for a client certificate.
|
||||||
|
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||||
|
|
||||||
|
# This will be displayed in Netscape's comment listbox.
|
||||||
|
nsComment = "OpenSSL Generated Certificate"
|
||||||
|
|
||||||
|
# PKIX recommendations harmless if included in all certificates.
|
||||||
|
subjectKeyIdentifier=hash
|
||||||
|
authorityKeyIdentifier=keyid,issuer:always
|
||||||
|
|
||||||
|
# This stuff is for subjectAltName and issuerAltname.
|
||||||
|
# Import the email address.
|
||||||
|
# subjectAltName=email:copy
|
||||||
|
|
||||||
|
# Copy subject details
|
||||||
|
# issuerAltName=issuer:copy
|
||||||
|
|
||||||
|
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
|
||||||
|
#nsBaseUrl
|
||||||
|
#nsRevocationUrl
|
||||||
|
#nsRenewalUrl
|
||||||
|
#nsCaPolicyUrl
|
||||||
|
#nsSslServerName
|
||||||
|
crlDistributionPoints = @crl_dp_policy
|
||||||
|
authorityInfoAccess = caIssuers;URI:http://www.example.com/yourCA.crt
|
||||||
|
|
||||||
|
[ server ]
|
||||||
|
keyUsage = digitalSignature, keyEncipherment
|
||||||
|
basicConstraints=CA:FALSE
|
||||||
|
nsCertType = server
|
||||||
|
nsComment = "OpenSSL Generated Server Certificate"
|
||||||
|
subjectKeyIdentifier=hash
|
||||||
|
authorityKeyIdentifier=keyid,issuer:always
|
||||||
|
extendedKeyUsage=serverAuth
|
||||||
|
crlDistributionPoints = @crl_dp_policy
|
||||||
|
authorityInfoAccess = caIssuers;URI:http://www.example.com/yourCA.crt
|
||||||
|
|
||||||
|
[ etoken ]
|
||||||
|
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||||
|
basicConstraints=CA:FALSE
|
||||||
|
subjectKeyIdentifier=hash
|
||||||
|
authorityKeyIdentifier=keyid,issuer:always
|
||||||
|
crlDistributionPoints = @crl_dp_policy
|
||||||
|
authorityInfoAccess = caIssuers;URI:http://www.example.com/yourCA.crt
|
||||||
|
|
||||||
|
[ ocsp ]
|
||||||
|
keyUsage = digitalSignature, keyEncipherment
|
||||||
|
extendedKeyUsage = OCSPSigning
|
||||||
|
basicConstraints=CA:FALSE
|
||||||
|
subjectKeyIdentifier=hash
|
||||||
|
authorityKeyIdentifier=keyid,issuer:always
|
||||||
|
crlDistributionPoints = @crl_dp_policy
|
||||||
|
authorityInfoAccess = caIssuers;URI:http://www.example.com/yourCA.crt
|
||||||
|
|
||||||
|
[ user ]
|
||||||
|
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||||
|
basicConstraints = CA:FALSE
|
||||||
|
subjectKeyIdentifier=hash
|
||||||
|
authorityKeyIdentifier=keyid,issuer:always
|
||||||
|
crlDistributionPoints = @crl_dp_policy
|
||||||
|
authorityInfoAccess = caIssuers;URI:$AIA
|
||||||
|
|
||||||
|
[ v3_ca ]
|
||||||
|
# Extensions for a typical CA
|
||||||
|
# PKIX recommendation.
|
||||||
|
subjectKeyIdentifier=hash
|
||||||
|
authorityKeyIdentifier=keyid:always,issuer:always
|
||||||
|
# This is what PKIX recommends but some broken software chokes on critical
|
||||||
|
# extensions.
|
||||||
|
#basicConstraints = critical,CA:true
|
||||||
|
# So we do this instead.
|
||||||
|
basicConstraints = CA:true
|
||||||
|
# Key usage: this is typical for a CA certificate. However since it will
|
||||||
|
# prevent it being used as an test self-signed certificate it is best
|
||||||
|
# left out by default.
|
||||||
|
# keyUsage = cRLSign, keyCertSign
|
||||||
|
# Some might want this also
|
||||||
|
# nsCertType = sslCA, emailCA
|
||||||
|
# Include email address in subject alt name: another PKIX recommendation
|
||||||
|
# subjectAltName=email:copy
|
||||||
|
# Copy issuer details
|
||||||
|
# issuerAltName=issuer:copy
|
||||||
|
# DER hex encoding of an extension: beware experts only!
|
||||||
|
# obj=DER:02:03
|
||||||
|
# Where 'obj' is a standard or added object
|
||||||
|
# You can even override a supported extension:
|
||||||
|
# basicConstraints= critical, DER:30:03:01:01:FF
|
||||||
|
|
||||||
|
[ crl_ext ]
|
||||||
|
# CRL extensions.
|
||||||
|
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
|
||||||
|
# issuerAltName=issuer:copy
|
||||||
|
authorityKeyIdentifier=keyid:always,issuer:always
|
||||||
|
#
|
||||||
|
# CDP für die Zertifikate
|
||||||
|
#
|
||||||
|
[ crl_dp_policy ]
|
||||||
|
URI.1=$CDP1
|
||||||
|
URI.2=$CDP2
|
|
@ -0,0 +1,17 @@
|
||||||
|
import logging
|
||||||
|
# The realm, where users are allowed to login as administrators
|
||||||
|
SUPERUSER_REALM = ['admin']
|
||||||
|
# Your database
|
||||||
|
SQLALCHEMY_DATABASE_URI = 'mysql://pi:Di1sgMySQLPwd.@localhost/pi'
|
||||||
|
SQLALCHEMY_TRACK_MODIFICATIONS = False
|
||||||
|
# This is used to encrypt the auth_token
|
||||||
|
SECRET_KEY = 'Y2E3ZDYyNTNmOWY2YzNhY2Ix'
|
||||||
|
# This is used to encrypt the admin passwords
|
||||||
|
PI_PEPPER = "ZGMyNTliOTk3M2FlYTNmMWZk"
|
||||||
|
# This is used to encrypt the token data and token passwords
|
||||||
|
PI_ENCFILE = '/etc/privacyidea/enckey'
|
||||||
|
# This is used to sign the audit log
|
||||||
|
PI_AUDIT_KEY_PRIVATE = '/etc/privacyidea/private.pem'
|
||||||
|
PI_AUDIT_KEY_PUBLIC = '/etc/privacyidea/public.pem'
|
||||||
|
PI_LOGFILE = '/var/log/privacyidea/privacyidea.log'
|
||||||
|
PI_LOGLEVEL = logging.INFO
|
|
@ -0,0 +1,27 @@
|
||||||
|
-----BEGIN RSA PRIVATE KEY-----
|
||||||
|
MIIEpAIBAAKCAQEAr7p3dvNP5IE6i1AsYhTar5GehW7O/C/H9TxFsq5l8mQ6trKy
|
||||||
|
vPASvYEsmkfqb+CT/mJB0+IzkwJGW5KNwcMkQ959fTyTjFUcVaGbZxldovIhYXF0
|
||||||
|
brrVveGfOKQn59WQcksjy1uc80oh9LjJ3CEMdZlgM8sixr8gzY1hn+4oMV2DQ+Xe
|
||||||
|
TFiyL+7jT1D8jcyVj7R+plP6DaDt5WRkSigJ+yHjkcEiuK1aOaiNihXJgwyDgBcj
|
||||||
|
AOR+ZLs9h4LMhj03cQNjduUV4mppMvCgkw5i7y4Kl72WWMePMV2Ff0FrFZWSoZtq
|
||||||
|
sjCm0IPORh6kJ0/7xip/GLBjxh/COuQbWCksYwIDAQABAoIBABq5oheOE3VuDehI
|
||||||
|
Difwgf23iMNEQehqn991BiiRi2Gcyq0kajh/zmnRrmXcUBQptHg4m0hNG4jdDLQ6
|
||||||
|
iqKQOgC0YqNcRhhOjVuck1TPr8TrTBZUud9pPL5/BMcJeCQy/5/SO6Rez3TUrmtY
|
||||||
|
eyKmSA3OgKn/188gHC4GtXUsNCKllKAETixpmP/uqrzM39SJQ8Rv9dudC/jsphCE
|
||||||
|
AaSXusW1LLkNxr2moJkHUK5cMSMSIhxxsqfSs5Yj6WQa1eNKcFYV0/XqbsvG4ii/
|
||||||
|
TZFtO+hn5/auJq9yQt5OhPXtLDshKHtfAZcgXjH/09WyGBsk0EUG50JjzM4J3M9b
|
||||||
|
W7A5+dkCgYEA0qZdwoJCSAud1Cbp9RdS/UlBxkJ+b2z3zKoAzqAypI1iACGyKUiu
|
||||||
|
neCPW/6RhSKdkpuCk1OEO/bQoigaJRKyH0F8a0sTvzXfc7/y67l+BNd5uwjMn0W1
|
||||||
|
dNe+z/0nWT6Oh2aYg7WjUroswmkZ8BUFN7Qvo9axi9Vi3pyh5K/ZTu8CgYEA1Y91
|
||||||
|
TWtrXoTMEm737SarhKjhDe5hVCARGhzzY7ejlLP/raXhhIJtYRlTTMd32T0itDXt
|
||||||
|
yZvS+5hIkuVzpborBHJAg9Nmkw2w2G9U+aP9mKMtZ6lKd5Xvmaej6okpZkILwRCl
|
||||||
|
BoYlego3Wwk5Qm+bWqNtomJbVE9lDRfsS/yKec0CgYEAiL+p5GjNgJnR9vTgMtTW
|
||||||
|
ckmJYpyuGcXixEGkzn6fAcYq1a0KTNS7TxCF4JHNhGFpa9B6nwu7r3XWET75YhHW
|
||||||
|
AoZvr/OIOTxO+ISmvbKohZogk3Pt6oPFfbnFTJ6qWbxLqMjIv9A926my/u5eAUaU
|
||||||
|
IYpe1vy8O+vmCGAklSI3b48CgYAPnYW+O3SGXL9vOZ33QTSZZp/OHPgQ5qdZeXRy
|
||||||
|
fiL/5Il1cQOkZMUKrIdivdMNl2LKOodAjpxGuUPVOeHS5GHw2UnOWc7OQdoEeV+F
|
||||||
|
QXBxkLzpL3+6bsQuQAvEQnM8fufNHiJy76wd2FFj3rDJItABOKHzla2H5KZG5tDo
|
||||||
|
XXbioQKBgQC1T4sAjxsYCEQnmtgNY1TslWl96pp+dLMaG0+LNoLN4MOIKtHtMbhM
|
||||||
|
51sjFSAamdHh5KVDI4+5CXow9h8ymJq6T/X0WAgUwjeOAvWUOFJASMc9eERdox7y
|
||||||
|
1o3a9de4eaQGD4+1bFdjNYBjJ3YeDPNT9WecHM/qPInH/fS40ZY/jQ==
|
||||||
|
-----END RSA PRIVATE KEY-----
|
|
@ -0,0 +1,9 @@
|
||||||
|
-----BEGIN PUBLIC KEY-----
|
||||||
|
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr7p3dvNP5IE6i1AsYhTa
|
||||||
|
r5GehW7O/C/H9TxFsq5l8mQ6trKyvPASvYEsmkfqb+CT/mJB0+IzkwJGW5KNwcMk
|
||||||
|
Q959fTyTjFUcVaGbZxldovIhYXF0brrVveGfOKQn59WQcksjy1uc80oh9LjJ3CEM
|
||||||
|
dZlgM8sixr8gzY1hn+4oMV2DQ+XeTFiyL+7jT1D8jcyVj7R+plP6DaDt5WRkSigJ
|
||||||
|
+yHjkcEiuK1aOaiNihXJgwyDgBcjAOR+ZLs9h4LMhj03cQNjduUV4mppMvCgkw5i
|
||||||
|
7y4Kl72WWMePMV2Ff0FrFZWSoZtqsjCm0IPORh6kJ0/7xip/GLBjxh/COuQbWCks
|
||||||
|
YwIDAQAB
|
||||||
|
-----END PUBLIC KEY-----
|
|
@ -0,0 +1,12 @@
|
||||||
|
# This file is part of systemd.
|
||||||
|
#
|
||||||
|
# systemd is free software; you can redistribute it and/or modify it
|
||||||
|
# under the terms of the GNU Lesser General Public License as published by
|
||||||
|
# the Free Software Foundation; either version 2.1 of the License, or
|
||||||
|
# (at your option) any later version.
|
||||||
|
#
|
||||||
|
# See timesyncd.conf(5) for details.
|
||||||
|
|
||||||
|
[Time]
|
||||||
|
NTP=0.de.pool.ntp.org 1.de.pool.ntp.org 2.de.pool.ntp.org 3.de.pool.ntp.org
|
||||||
|
FallbackNTP=0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org 2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org
|
|
@ -0,0 +1,16 @@
|
||||||
|
app-admin/logrotate
|
||||||
|
app-admin/paxtest
|
||||||
|
app-admin/sudo
|
||||||
|
app-emulation/open-vm-tools
|
||||||
|
app-misc/mc
|
||||||
|
app-misc/screenservice
|
||||||
|
net-analyzer/zabbix
|
||||||
|
sys-apps/elfix
|
||||||
|
sys-apps/gradm
|
||||||
|
sys-apps/paxctl
|
||||||
|
sys-auth/pam_ssh_agent_auth
|
||||||
|
sys-power/acpid
|
||||||
|
dev-db/mariadb
|
||||||
|
www-apps/privacyidea
|
||||||
|
www-apps/privacyideaadm
|
||||||
|
net-dialup/freeradius
|
Reference in New Issue