VA
/
appliances-old
Archived
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

privacyIDEA: initial commit

This commit is contained in:
Joerg Deckert 2017-07-26 21:31:31 +02:00
parent 58289ece06
commit 4b106b977a
22 changed files with 3649 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
privacyidea/00-eth0.network Normal file
View File

@ -0,0 +1,22 @@
# Beispiel für feste IP-Adreß-Konfiguration:
# Anpassen und als 00-eth0.network nach /etc/systemd/network verschieben
# (s. "man systemd.network", "man systemd-resolved")
#
# NICHT VERGESSEN: entsprechende Einträge in /etc/hosts hinzufügen
# <IPv4> <FQDN> <Hostname>
# <IPv6> <FQDN> <Hostname>
[Match]
Name=eth0
[Network]
Description=1. Netzwerk-Port
Address=192.168.1.2/24
Address=fdb5:78b:64cc:0:f8c0::2/64
Gateway=192.168.1.1
Gateway=fdb5:78b:64cc:0:f8c0::1
DNS=192.168.1.3
DNS=fdb5:78b:64cc:0:f8c0::3
NTP=192.168.1.4
NTP=fdb5:78b:64cc:0:f8c0::4
Domains=privacyidea.de

70
privacyidea/Makefile Normal file
View File

@ -0,0 +1,70 @@
preinstall:
# switch to hardened, build hardened toolchain, rebuild everything
mkdir -p $(CHROOT)/etc/portage/profile
echo "-hardened" >> $(CHROOT)/etc/portage/profile/use.mask
$(inroot) $(EMERGE) $(USEPKG) --oneshot gcc
$(inroot) $(EMERGE) $(USEPKG) --oneshot binutils virtual/libc
-$(gcc_config)
## $(inroot) $(EMERGE) --depclean --with-bdeps=n
$(inroot) $(EMERGE) $(USEPKG) --emptytree @world
$(inroot) bash -c 'yes YES | etc-update --automode -9'
# Unitas-Portage-Overlay einbinden
$(inroot) $(EMERGE) -n $(USEPKG) app-portage/layman
sed -i 's/check_official : Yes/check_official : No/' $(CHROOT)/etc/layman/layman.cfg
wget -P $(CHROOT)/etc/layman/overlays http://dev.unitas-network.de/raw/Gentoo/Unitas.git/master/unitas-overlays.xml
$(inroot) layman -l | grep -q unitas || $(inroot) layman -La unitas
postinstall: timesyncd.conf installgrub.sh grub.shell firstboot.start
# Konfigurationen anpassen
cp timesyncd.conf $(CHROOT)/etc/systemd/timesyncd.conf
cp installgrub.sh $(CHROOT)/installgrub.sh
cp grub.shell $(CHROOT)/grub.shell
cp firstboot.start $(CHROOT)/etc/local.d/firstboot.start
touch $(CHROOT)/firstboot
sed -i 's/# %wheel ALL=(ALL) ALL/%wheel ALL=(ALL) ALL/' $(CHROOT)/etc/sudoers
$(inroot) useradd -m -G users,wheel -s /bin/bash admin
$(inroot) passwd -d admin; $(inroot) passwd -e admin
$(inroot) systemctl enable screen@adm.service
# Beispiel feste IP-Adresse
cp 00-eth0.network $(CHROOT)/00-eth0.network.example
# MariaDB-Konfiguration
cp mariadb/my.cnf $(CHROOT)/etc/mysql/my.cnf
cp mariadb/my.cnf.root $(CHROOT)/root/.my.cnf
chmod 0600 $(CHROOT)/root/.my.cnf
rm -rf $(CHROOT)/var/lib/mysql/*
$(inroot) bash -c 'yes gentoo | emerge --config dev-db/mariadb'
# Apache-/PHP-Konfiguration
sed -i 's:APACHE2_OPTS=\":APACHE2_OPTS=\"-D WSGI :' $(CHROOT)/etc/conf.d/apache2
cp apache/00_default_ssl_vhost.conf $(CHROOT)/etc/apache2/vhosts.d/
$(inroot) systemctl enable apache2
# privacyIDEA Konfiguration (eigene Voreinstellungen)
cp privacyidea/enckey $(CHROOT)/etc/privacyidea/
cp privacyidea/pi.cfg $(CHROOT)/etc/privacyidea/
cp privacyidea/private.pem $(CHROOT)/etc/privacyidea/
cp privacyidea/public.pem $(CHROOT)/etc/privacyidea/
cp privacyidea/openssl.cnf $(CHROOT)/etc/privacyidea/CA/
$(inroot) chown -R privacyidea:root /etc/privacyidea
chmod 600 $(CHROOT)/etc/privacyidea/enckey
chmod 600 $(CHROOT)/etc/privacyidea/private.pem
touch $(CHROOT)/var/log/privacyidea/privacyidea.log
$(inroot) chown privacyidea:root /var/log/privacyidea/privacyidea.log
# FreeRADIUS-Konfiguration
sed -i 's:filename = .*:filename = /usr/lib/privacyidea/authmodules/FreeRADIUS/privacyidea_radius.pm:' $(CHROOT)/etc/raddb/mods-available/perl
ln -s ../mods-available/perl $(CHROOT)/etc/raddb/mods-enabled/perl
cp freeradius/privacyidea $(CHROOT)/etc/raddb/sites-available/
$(inroot) chown root:radius /etc/raddb/sites-available/privacyidea
chmod 640 $(CHROOT)/etc/raddb/sites-available/privacyidea
rm $(CHROOT)/etc/raddb/mods-enabled/eap
rm $(CHROOT)/etc/raddb/sites-enabled/*
ln -s ../sites-available/privacyidea $(CHROOT)/etc/raddb/sites-enabled/privacyidea
mv $(CHROOT)/etc/raddb/dictionary $(CHROOT)/etc/raddb/dictionary.orig
cp $(CHROOT)/etc/privacyidea/dictionary $(CHROOT)/etc/raddb/
$(inroot) systemctl enable freeradius
clean:

15
privacyidea/README.md Normal file
View File

@ -0,0 +1,15 @@
Erstkonfiguration
=================
- für variable Daten (MySQL/MariaDB, Konfiguration) muß eine mit ext4 formatierte Datenpartition mit dem Label "DATA" vorhanden sein. Diese wird nach /DATA gemountet.
- feste IP-Adresse und /etc/hosts konfigurieren
- für privacyIDEA evtl die Keys neu erstellen (/etc/privacyidea/enckey und *.pem löschen und mit pi-manage neu erstellen. Anschließend auch die Datembank mit pi-manage löschen und neu erstellen.
- privacyIDEA Admin mit ip-manage erstellen
- evtl. Apache-Zertifikat neu erzeugen
- FreeRADIUS Server-Zertifikat erzeugen: cd /etc/raddb/certs/; make
- unter VMware evtl. open-vm-tools aktivieren
Hinweise
========
- FreeRADIUS läßt sich nur mit MAKEOPTS="-j1" bauen (Bug #509498). Am besten in Virtual-Appliance-Shell mit "make ... shell" springen und freeradius einzeln emergen. Es entsteht ein ein binäres Paket, welches dann immer genutzt wird.

57
privacyidea/apache/00_default_ssl_vhost.conf Normal file
View File

@ -0,0 +1,57 @@
<IfDefine SSL>
<IfDefine SSL_DEFAULT_VHOST>
<IfModule ssl_module>
Listen 443
<VirtualHost _default_:443>
ServerName localhost
Include /etc/apache2/vhosts.d/default_vhost.include
ErrorLog /var/log/apache2/ssl_error_log
<Directory />
Require all granted
Options FollowSymLinks
AllowOverride None
</Directory>
WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
WSGIDaemonProcess privacyidea processes=1 threads=15 display-name=%{GROUP} user=privacyidea
WSGIProcessGroup privacyidea
WSGIPassAuthorization On
<IfModule log_config_module>
TransferLog /var/log/apache2/ssl_access_log
</IfModule>
SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
SSLHonorCipherOrder On
SSLCertificateFile /etc/ssl/apache2/server.crt
SSLCertificateKeyFile /etc/ssl/apache2/server.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/localhost/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
<IfModule setenvif_module>
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</IfModule>
<IfModule log_config_module>
CustomLog /var/log/apache2/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</IfModule>
</VirtualHost>
</IfModule>
</IfDefine>
</IfDefine>

82
privacyidea/firstboot.start Executable file
View File

@ -0,0 +1,82 @@
#!/bin/bash
# base settings
set -e
[ -e /firstboot ] || exit 0
echo 'Setting defaults...'
localectl --no-convert set-keymap de-latin1-nodeadkeys
echo 'Activate services...'
timedatectl set-ntp true
# variables
LABEL="DATA"
DATABASE_PASS="Di1sgMySQLPwd."
# Data partition
echo 'Mount data partition...'
mkdir -p /$LABEL
if [ ! -L "/dev/disk/by-label/$LABEL" ]; then
echo 'ERROR: Data partition not found!'
echo "Please create a data partition with ext4 filesystem and label \"$LABEL\":"
echo "# cfdisk /dev/<disk> (use GPT label, create linux partition)"
echo "# mkfs.ext4 -L $LABEL /dev/<partition>"
exit 1
fi
if ! grep -Fq "LABEL=$LABEL" /etc/fstab; then
echo "LABEL=$LABEL /$LABEL ext4 noatime 0 1" >> /etc/fstab
fi
mount -a
if ! mount | grep /$LABEL > /dev/null; then
echo "ERROR: Could not mount data partition!"
exit 1
fi
if [ ! -d "/$LABEL/var/lib/mysql/pi" ]; then
echo 'Initialize MariaDB...'
systemctl stop mariadb
mkdir -p /$LABEL/var/lib/mysql
rm -rf /$LABEL/var/lib/mysql/*
cp -a /var/lib/mysql/. /$LABEL/var/lib/mysql
sed -i "s:^datadir.*:datadir = /$LABEL/var/lib/mysql:" /etc/mysql/my.cnf
systemctl start mariadb
echo 'Create privacyIDEA database...'
mysql -u root -e "CREATE USER 'pi'@'localhost' IDENTIFIED BY '$DATABASE_PASS'"
mysql -u root -e "CREATE DATABASE pi DEFAULT CHARACTER SET latin1 COLLATE latin1_swedish_ci;"
mysql -u root -e "GRANT ALL PRIVILEGES ON pi.* TO 'pi'@'localhost' IDENTIFIED by '$DATABASE_PASS';"
mysql -u root -e "FLUSH PRIVILEGES;"
echo 'Initialize privacyIDEA database...'
sed -i "s:<pi-db-password>:$DATABASE_PASS:" /etc/privacyidea/pi.cfg
pi-manage createdb
if [ ! -d "/$LABEL/etc/privacyidea" ]; then
echo 'Create privacyIDEA encryption and audit keys...'
mkdir -p /$LABEL/etc/privacyidea
chown privacyidea /$LABEL/etc/privacyidea
rm /etc/privacyidea/enckey
pi-manage create_enckey
mv /etc/privacyidea/enckey /$LABEL/etc/privacyidea/enckey
chown privacyidea /$LABEL/etc/privacyidea/enckey
ln -s /$LABEL/etc/privacyidea/enckey /etc/privacyidea/enckey
rm /etc/privacyidea/public.pem /etc/privacyidea/private.pem
pi-manage create_audit_keys
mv /etc/privacyidea/private.pem /$LABEL/etc/privacyidea/private.pem
mv /etc/privacyidea/public.pem /$LABEL/etc/privacyidea/public.pem
chown privacyidea /$LABEL/etc/privacyidea/*.pem
ln -s /$LABEL/etc/privacyidea/private.pem etc/privacyidea/private.pem
ln -s /$LABEL/etc/privacyidea/public.pem /etc/privacyidea/public.pem
fi
else
echo 'Start MariaDB...'
sed -i "s:^datadir.*:datadir = /$LABEL/var/lib/mysql:" /etc/mysql/my.cnf
systemctl start mariadb
fi
echo 'Enable database...'
systemctl enable mariadb
rm /firstboot

64
privacyidea/freeradius/privacyidea Normal file
View File

@ -0,0 +1,64 @@
server default {
listen {
type = auth
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
ipaddr = *
port = 0
type = acct
limit {
}
}
authorize {
preprocess
digest
suffix
ntdomain
files
expiration
logintime
pap
update control {
Auth-Type := Perl
}
}
authenticate {
Auth-Type Perl {
perl
}
digest
}
preacct {
suffix
files
}
accounting {
detail
}
session {
}
post-auth {
}
pre-proxy {
}
post-proxy {
}
}

6
privacyidea/grub.shell Normal file
View File

@ -0,0 +1,6 @@
root (hd0,0)
setup (hd0)
root (hd1,0)
setup (hd1)
quit

12
privacyidea/installgrub.sh Executable file
View File

@ -0,0 +1,12 @@
#!/bin/sh
mount -t proc proc /mnt/gentoo/proc
mount --rbind /sys /mnt/gentoo/sys
mount --rbind /dev /mnt/gentoo/dev
chroot /mnt/gentoo cat /grub.shell | /sbin/grub --no-floppy --batch
umount /mnt/gentoo/proc
umount /mnt/gentoo/sys
umount /mnt/gentoo/dev

2711
privacyidea/kernel.config Normal file
View File

File diff suppressed because it is too large Load Diff

6
privacyidea/make.conf Normal file
View File

@ -0,0 +1,6 @@
CFLAGS="-O2 -pipe"
CXXFLAGS="-O2 -pipe"
USE="hardened justify pax_kernel pie ssp urandom xattr xtpax -fortran -jit -orc -pch -pic -prelink -profile -tcc"
MAKEOPTS="-j5"
PYTHON_TARGETS="python2_7"
PYTHON_SINGLE_TARGET="python2_7"

139
privacyidea/mariadb/my.cnf Normal file
View File

@ -0,0 +1,139 @@
# /etc/mysql/my.cnf: The global mysql configuration file.
# $Id$
# The following options will be passed to all MySQL clients
[client]
#password = your_password
port = 3306
socket = /var/run/mysqld/mysqld.sock
[mysql]
character-sets-dir=/usr/share/mysql/charsets
default-character-set=utf8
[mysqladmin]
character-sets-dir=/usr/share/mysql/charsets
default-character-set=utf8
[mysqlcheck]
character-sets-dir=/usr/share/mysql/charsets
default-character-set=utf8
[mysqldump]
character-sets-dir=/usr/share/mysql/charsets
default-character-set=utf8
[mysqlimport]
character-sets-dir=/usr/share/mysql/charsets
default-character-set=utf8
[mysqlshow]
character-sets-dir=/usr/share/mysql/charsets
default-character-set=utf8
[myisamchk]
character-sets-dir=/usr/share/mysql/charsets
[myisampack]
character-sets-dir=/usr/share/mysql/charsets
# add a section [mysqld-4.1] or [mysqld-5.0] for specific configurations
[mysqld]
character-set-server = utf8
user = mysql
port = 3306
socket = /var/run/mysqld/mysqld.sock
pid-file = /var/run/mysqld/mysqld.pid
log-error = /var/log/mysql/mysqld.err
basedir = /usr
datadir = /var/lib/mysql
skip-external-locking
key_buffer_size = 16M
max_allowed_packet = 4M
table_open_cache = 400
sort_buffer_size = 512K
net_buffer_length = 16K
read_buffer_size = 256K
read_rnd_buffer_size = 512K
myisam_sort_buffer_size = 8M
lc_messages_dir = /usr/share/mysql
#Set this to your desired error message language
lc_messages = en_US
# security:
# using "localhost" in connects uses sockets by default
# skip-networking
bind-address = 127.0.0.1
##log-bin
server-id = 1
# point the following paths to different dedicated disks
tmpdir = /tmp/
#log-update = /path-to-dedicated-directory/hostname
# you need the debug USE flag enabled to use the following directives,
# if needed, uncomment them, start the server and issue
# #tail -f /tmp/mysqld.sql /tmp/mysqld.trace
# this will show you *exactly* what's happening in your server ;)
#log = /tmp/mysqld.sql
#gdb
#debug = d:t:i:o,/tmp/mysqld.trace
#one-thread
# the rest of the innodb config follows:
# don't eat too much memory, we're trying to be safe on 64Mb boxes
# you might want to bump this up a bit on boxes with more RAM
innodb_buffer_pool_size = 128M
#
# i'd like to use /var/lib/mysql/innodb, but that is seen as a database :-(
# and upstream wants things to be under /var/lib/mysql/, so that's the route
# we have to take for the moment
#innodb_data_home_dir = /var/lib/mysql/
#innodb_log_arch_dir = /var/lib/mysql/
#innodb_log_group_home_dir = /var/lib/mysql/
# you may wish to change this size to be more suitable for your system
# the max is there to avoid run-away growth on your machine
innodb_data_file_path = ibdata1:10M:autoextend:max:128M
# we keep this at around 25% of of innodb_buffer_pool_size
# sensible values range from 1MB to (1/innodb_log_files_in_group*innodb_buffer_pool_size)
innodb_log_file_size = 48M
# this is the default, increase it if you have very large transactions going on
innodb_log_buffer_size = 8M
# this is the default and won't hurt you
# you shouldn't need to tweak it
innodb_log_files_in_group=2
# see the innodb config docs, the other options are not always safe
innodb_flush_log_at_trx_commit = 1
innodb_lock_wait_timeout = 50
innodb_file_per_table
# Uncomment this to get FEDERATED engine support
#plugin-load=federated=ha_federated.so
loose-federated
[mysqldump]
quick
max_allowed_packet = 16M
[mysql]
# uncomment the next directive if you are not familiar with SQL
#safe-updates
[isamchk]
key_buffer_size = 20M
sort_buffer_size = 20M
read_buffer = 2M
write_buffer = 2M
[myisamchk]
key_buffer_size = 20M
sort_buffer_size = 20M
read_buffer_size = 2M
write_buffer_size = 2M
[mysqlhotcopy]
interactive-timeout
[mariadb]

7
privacyidea/mariadb/my.cnf.root Normal file
View File

@ -0,0 +1,7 @@
[mysqladmin]
user = root
password = gentoo
[mysql]
user = root
password = gentoo

28
privacyidea/package.keywords Normal file
View File

@ -0,0 +1,28 @@
# base
app-admin/paxtest ~amd64 ~x86
app-emulation/open-vm-tools ~amd64 ~x86
sys-auth/pam_ssh_agent_auth ~amd64 ~x86
sys-kernel/gentoo-sources ~amd64 ~x86
sys-kernel/hardened-sources ~amd64 ~x86
#MariaDB mit SystemD-Support
dev-db/mariadb ~amd64 ~x86
# privacyIDEA
dev-python/responses
dev-python/pyusb
dev-python/imagesize
dev-python/cookies
dev-python/python-gnupg
dev-python/ldap3
dev-python/yubiotp
dev-python/pycrypto
dev-python/mysql-connector-python
dev-python/pytest-cov
##dev-python/bottleneck
# grunt, wird nur zur privacyIDEA-Translation benötigt
dev-nodejs/*
# FreeRADIUS mit systemd-Support
net-dialup/freeradius

34
privacyidea/package.use Normal file
View File

@ -0,0 +1,34 @@
# base
app-admin/sudo -sendmail
app-editors/nano ncurses
app-emulation/open-vm-tools pic -modules
app-misc/mc -slang
dev-lang/python ssl threads xml
dev-libs/libpcre cxx
dev-util/pkgconfig internal-glib
net-misc/openssh ssl
net-misc/wget ssl
sys-apps/hwids udev
sys-apps/kmod tools
sys-apps/net-tools hostname
sys-apps/portage ipc
sys-auth/pambase nullok sha512
sys-devel/gcc cxx nptl
sys-kernel/gentoo-sources symlink
sys-kernel/hardened-sources symlink
# Monitoring
net-analyzer/zabbix agent
# privacyIDEA
www-apps/privacyidea -translation
dev-lang/python
dev-python/sqlalchemy -sqlite
dev-python/netaddr -cli
dev-python/numpy lapack
dev-libs/c-blosc hdf5
sys-devel/gcc fortran
sci-libs/hdf5 -cxx -fortran -hl
# RADIUS
net-dialup/freeradius kerberos ldap mysql python

18
privacyidea/privacyidea.cfg Normal file
View File

@ -0,0 +1,18 @@
##HOSTNAME = $(APPLIANCE)
##TIMEZONE = UTC
##DISK_SIZE = 6.0G
##SWAP_SIZE = 30
##SWAP_FILE = $(CHROOT)/.swap
##ARCH = amd64-hardened
##MAKEOPTS = -j10 -l10
##PRUNE_CRITICAL = NO
##CHANGE_PASSWORD = YES
##HEADLESS = NO
##SOFTWARE = 1
##PKGLIST = 0
##RSYNC_MIRROR = rsync://rsync15.de.gentoo.org/gentoo/
KERNEL_PKG = hardened-sources
KERNEL_CONFIG = appliances/$(APPLIANCE)/kernel.config
ENABLE_SSHD = YES
TIMEZONE=Europe/Berlin
LOCALE=de_DE.utf8

2
privacyidea/privacyidea/enckey Normal file
View File

@ -0,0 +1,2 @@
1<>¹5pA^¾ D ½8 1<ֽ‚היאִ ˆךץ¾זיzy†<79>F_bG~<´<¶„+U<14>z\׳ƒ7<C692>TםV²ִ)[PJֻה<D6BB>״vװ<76>h,kQ·2IH˜

295
privacyidea/privacyidea/openssl.cnf Normal file
View File

@ -0,0 +1,295 @@
# This is an example configuration that can work
# with privacyIDEA local CA Connector.
# For productive use, please ask a consultant to
# set up your PKI.
# Do not use this productively, unless you know, what
# you are doing!
#
# To initialize the CA do:
# openssl req -days 1500 -new -x509 -keyout /etc/privacyidea/CA/ca.key \
# -out /etc/privacyidea/CA/ca.crt -config /etc/privacyidea/CA/openssl.cnf
# chmod 0600 /etc/privacyidea/CA/ca.key
# touch /etc/privacyidea/CA/index.txt
# echo 01 > /etc/privacyidea/CA/serial
#
# Please adapt the following lines
#
#----------- your configuration -------------------
HOME = /etc/privacyidea/CA
RANDFILE = $HOME/.rnd
KEYSIZE = 2048
COUNTRY = DE
STATE = TH
CITY = Ronneburg
ORGANIZATION = Unitas Network
EMAIL = info@unitas-network.de
AIA = http://example.com/ca.crt
CDP1 = http://example.com/crl.pem
CDP2 = http://pki.example.com/crl.pem
#---------- end of your configuration -------------
# Extra OBJECT IDENTIFIER info:
oid_section = new_oids
#openssl_conf = openssl_init
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /etc/privacyidea/CA/ # Where everything is kept
certs = $dir # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/ca.key # The private key
RANDFILE = $dir/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 3650 # how long to certify for
default_crl_days= 35 # how long before next CRL
default_md = sha1 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = $KEYSIZE
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = $COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $STATE
localityName = Locality Name (eg, city)
localityName_default = $CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = $ORGANIZATION
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_default = $EMAIL
emailAddress_max = 40
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
crlDistributionPoints = @crl_dp_policy
authorityInfoAccess = caIssuers;URI:http://www.example.com/yourCA.crt
[ server ]
keyUsage = digitalSignature, keyEncipherment
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
crlDistributionPoints = @crl_dp_policy
authorityInfoAccess = caIssuers;URI:http://www.example.com/yourCA.crt
[ etoken ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
crlDistributionPoints = @crl_dp_policy
authorityInfoAccess = caIssuers;URI:http://www.example.com/yourCA.crt
[ ocsp ]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
crlDistributionPoints = @crl_dp_policy
authorityInfoAccess = caIssuers;URI:http://www.example.com/yourCA.crt
[ user ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
basicConstraints = CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
crlDistributionPoints = @crl_dp_policy
authorityInfoAccess = caIssuers;URI:$AIA
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
#
# CDP für die Zertifikate
#
[ crl_dp_policy ]
URI.1=$CDP1
URI.2=$CDP2

17
privacyidea/privacyidea/pi.cfg Normal file
View File

@ -0,0 +1,17 @@
import logging
# The realm, where users are allowed to login as administrators
SUPERUSER_REALM = ['admin']
# Your database
SQLALCHEMY_DATABASE_URI = 'mysql://pi:Di1sgMySQLPwd.@localhost/pi'
SQLALCHEMY_TRACK_MODIFICATIONS = False
# This is used to encrypt the auth_token
SECRET_KEY = 'Y2E3ZDYyNTNmOWY2YzNhY2Ix'
# This is used to encrypt the admin passwords
PI_PEPPER = "ZGMyNTliOTk3M2FlYTNmMWZk"
# This is used to encrypt the token data and token passwords
PI_ENCFILE = '/etc/privacyidea/enckey'
# This is used to sign the audit log
PI_AUDIT_KEY_PRIVATE = '/etc/privacyidea/private.pem'
PI_AUDIT_KEY_PUBLIC = '/etc/privacyidea/public.pem'
PI_LOGFILE = '/var/log/privacyidea/privacyidea.log'
PI_LOGLEVEL = logging.INFO

27
privacyidea/privacyidea/private.pem Normal file
View File

@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAr7p3dvNP5IE6i1AsYhTar5GehW7O/C/H9TxFsq5l8mQ6trKy
vPASvYEsmkfqb+CT/mJB0+IzkwJGW5KNwcMkQ959fTyTjFUcVaGbZxldovIhYXF0
brrVveGfOKQn59WQcksjy1uc80oh9LjJ3CEMdZlgM8sixr8gzY1hn+4oMV2DQ+Xe
TFiyL+7jT1D8jcyVj7R+plP6DaDt5WRkSigJ+yHjkcEiuK1aOaiNihXJgwyDgBcj
AOR+ZLs9h4LMhj03cQNjduUV4mppMvCgkw5i7y4Kl72WWMePMV2Ff0FrFZWSoZtq
sjCm0IPORh6kJ0/7xip/GLBjxh/COuQbWCksYwIDAQABAoIBABq5oheOE3VuDehI
Difwgf23iMNEQehqn991BiiRi2Gcyq0kajh/zmnRrmXcUBQptHg4m0hNG4jdDLQ6
iqKQOgC0YqNcRhhOjVuck1TPr8TrTBZUud9pPL5/BMcJeCQy/5/SO6Rez3TUrmtY
eyKmSA3OgKn/188gHC4GtXUsNCKllKAETixpmP/uqrzM39SJQ8Rv9dudC/jsphCE
AaSXusW1LLkNxr2moJkHUK5cMSMSIhxxsqfSs5Yj6WQa1eNKcFYV0/XqbsvG4ii/
TZFtO+hn5/auJq9yQt5OhPXtLDshKHtfAZcgXjH/09WyGBsk0EUG50JjzM4J3M9b
W7A5+dkCgYEA0qZdwoJCSAud1Cbp9RdS/UlBxkJ+b2z3zKoAzqAypI1iACGyKUiu
neCPW/6RhSKdkpuCk1OEO/bQoigaJRKyH0F8a0sTvzXfc7/y67l+BNd5uwjMn0W1
dNe+z/0nWT6Oh2aYg7WjUroswmkZ8BUFN7Qvo9axi9Vi3pyh5K/ZTu8CgYEA1Y91
TWtrXoTMEm737SarhKjhDe5hVCARGhzzY7ejlLP/raXhhIJtYRlTTMd32T0itDXt
yZvS+5hIkuVzpborBHJAg9Nmkw2w2G9U+aP9mKMtZ6lKd5Xvmaej6okpZkILwRCl
BoYlego3Wwk5Qm+bWqNtomJbVE9lDRfsS/yKec0CgYEAiL+p5GjNgJnR9vTgMtTW
ckmJYpyuGcXixEGkzn6fAcYq1a0KTNS7TxCF4JHNhGFpa9B6nwu7r3XWET75YhHW
AoZvr/OIOTxO+ISmvbKohZogk3Pt6oPFfbnFTJ6qWbxLqMjIv9A926my/u5eAUaU
IYpe1vy8O+vmCGAklSI3b48CgYAPnYW+O3SGXL9vOZ33QTSZZp/OHPgQ5qdZeXRy
fiL/5Il1cQOkZMUKrIdivdMNl2LKOodAjpxGuUPVOeHS5GHw2UnOWc7OQdoEeV+F
QXBxkLzpL3+6bsQuQAvEQnM8fufNHiJy76wd2FFj3rDJItABOKHzla2H5KZG5tDo
XXbioQKBgQC1T4sAjxsYCEQnmtgNY1TslWl96pp+dLMaG0+LNoLN4MOIKtHtMbhM
51sjFSAamdHh5KVDI4+5CXow9h8ymJq6T/X0WAgUwjeOAvWUOFJASMc9eERdox7y
1o3a9de4eaQGD4+1bFdjNYBjJ3YeDPNT9WecHM/qPInH/fS40ZY/jQ==
-----END RSA PRIVATE KEY-----

9
privacyidea/privacyidea/public.pem Normal file
View File

@ -0,0 +1,9 @@
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr7p3dvNP5IE6i1AsYhTa
r5GehW7O/C/H9TxFsq5l8mQ6trKyvPASvYEsmkfqb+CT/mJB0+IzkwJGW5KNwcMk
Q959fTyTjFUcVaGbZxldovIhYXF0brrVveGfOKQn59WQcksjy1uc80oh9LjJ3CEM
dZlgM8sixr8gzY1hn+4oMV2DQ+XeTFiyL+7jT1D8jcyVj7R+plP6DaDt5WRkSigJ
+yHjkcEiuK1aOaiNihXJgwyDgBcjAOR+ZLs9h4LMhj03cQNjduUV4mppMvCgkw5i
7y4Kl72WWMePMV2Ff0FrFZWSoZtqsjCm0IPORh6kJ0/7xip/GLBjxh/COuQbWCks
YwIDAQAB
-----END PUBLIC KEY-----

12
privacyidea/timesyncd.conf Normal file
View File

@ -0,0 +1,12 @@
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
#
# See timesyncd.conf(5) for details.
[Time]
NTP=0.de.pool.ntp.org 1.de.pool.ntp.org 2.de.pool.ntp.org 3.de.pool.ntp.org
FallbackNTP=0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org 2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org

16
privacyidea/world Normal file
View File

@ -0,0 +1,16 @@
app-admin/logrotate
app-admin/paxtest
app-admin/sudo
app-emulation/open-vm-tools
app-misc/mc
app-misc/screenservice
net-analyzer/zabbix
sys-apps/elfix
sys-apps/gradm
sys-apps/paxctl
sys-auth/pam_ssh_agent_auth
sys-power/acpid
dev-db/mariadb
www-apps/privacyidea
www-apps/privacyideaadm
net-dialup/freeradius