system.login.console 본문
MacLogon 서비스 등록 스크립트
#!/usr/bin/python
import os
import plistlib
import subprocess
import sys
import tempfile
from subprocess import PIPE
## Mechanisms contributed by the MacLogon plugin, in the order they are
## inserted into the "system.login.console" rule.
maclogon_mechs = [
    "MacLogon:Check,privileged",
    "MacLogon:DuoAuthGUI",
]
## Existing mechanism used as the insertion anchor, and the offset relative
## to it: offset 0 places the new mechanisms immediately before the anchor.
maclogon_index_mech = "loginwindow:done"
maclogon_index_offset = 0
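def bash_command(script, getoutput=True):
    """Run *script* (an argv list, never a shell string) and return its result.

    With getoutput=True the command's stdout is returned (bytes on
    Python 3, str on Python 2); a non-zero exit raises inside
    check_output and is turned into sys.exit() below. With
    getoutput=False the exit status is returned and stderr is discarded
    into os.devnull instead of a PIPE that nobody drains (a child that
    fills the pipe buffer would otherwise block forever).

    Args:
        script: argv list passed straight to subprocess (no shell).
        getoutput: return stdout when True, the exit status when False.

    Returns:
        Captured stdout, or the integer exit status.

    Exits the process via sys.exit() if the command cannot be started
    (OSError) or, with getoutput=True, exits non-zero.
    """
    try:
        if getoutput:
            return subprocess.check_output(script)
        with open(os.devnull, "wb") as devnull:
            return subprocess.call(script, stderr=devnull)
    except (subprocess.CalledProcessError, OSError) as err:
        sys.exit("[* Error] **%s** [%s]" % (err, str(script)))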
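def remove_mechs_in_db(db, mech_list):
    """Drop every mechanism entry that contains any name in *mech_list*.

    Matching is by substring (``mech in entry``), as in the original loop,
    so a short name in *mech_list* would also strip unrelated entries that
    merely contain it. The surviving entries are assigned back with a
    slice so the list object stays the same; this replaces removing from
    ``db['mechanisms']`` while iterating over it, which with a lazy
    ``filter`` (Python 3) skipped the element following each removal.

    Args:
        db: parsed authorization rule (dict with a 'mechanisms' list).
        mech_list: mechanism names whose entries should be removed.

    Returns:
        The same *db* object, modified in place.
    """
    mechanisms = db['mechanisms']
    mechanisms[:] = [entry for entry in mechanisms
                     if not any(mech in entry for mech in mech_list)]
    return db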
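def set_mechs_in_db(db, mech_list, index_mech, index_offset):
    """Place *mech_list* into ``db['mechanisms']`` relative to *index_mech*.

    Entries already matching *mech_list* are removed first (via
    remove_mechs_in_db) so re-running the script does not duplicate
    mechanisms. The new entries are then inserted, in order, at
    ``index(index_mech) + index_offset``; with offset 0 they land directly
    before *index_mech*.

    Args:
        db: parsed authorization rule (dict with a 'mechanisms' list).
        mech_list: mechanism names to insert, in order.
        index_mech: existing mechanism used as the insertion anchor.
        index_offset: position relative to the anchor.

    Returns:
        The same *db* object, modified in place.

    Raises:
        ValueError: if *index_mech* is not in the mechanism list (the
            message names the missing anchor instead of the bare
            "x is not in list" from list.index).
    """
    db = remove_mechs_in_db(db, mech_list)
    mechanisms = db['mechanisms']
    try:
        anchor = mechanisms.index(index_mech)
    except ValueError:
        raise ValueError("index mechanism %r not found in the mechanisms list"
                         % (index_mech,))
    # One slice assignment inserts the whole list at once, preserving order.
    i = anchor + index_offset
    mechanisms[i:i] = list(mech_list)
    return db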
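def edit_authdb():
    """Insert the MacLogon mechanisms into the "system.login.console" rule.

    Exports the rule with ``security authorizationdb read``, edits the
    mechanism list through set_mechs_in_db(), and pipes the result back
    into ``security authorizationdb write``. The write-back's exit status
    is checked and a failure ends the script via sys.exit(), so a failed
    change to the login policy is never reported as success.
    """
    ## Export "system.login.console" as an XML plist.
    system_login_console = bash_command([
        "/usr/bin/security",
        "authorizationdb",
        "read",
        "system.login.console"])
    ## plistlib.readPlist/writePlist take a path, so stage the plist in a
    ## temporary file that is always removed in the finally block (the
    ## previous delete=False handling left it behind). Under Python 3.9+
    ## these functions are gone; use plistlib.loads/dumps there instead.
    temp_plist_file = tempfile.NamedTemporaryFile(delete=False)
    try:
        temp_plist_file.write(system_login_console)
        temp_plist_file.close()
        ## Parse, add the MacLogon mechs, write the edited plist back out.
        rule = plistlib.readPlist(temp_plist_file.name)
        rule = set_mechs_in_db(rule, maclogon_mechs,
                               maclogon_index_mech, maclogon_index_offset)
        plistlib.writePlist(rule, temp_plist_file.name)
        with open(temp_plist_file.name, "rb") as edited:
            plist_data = edited.read()
    finally:
        temp_plist_file.close()
        os.unlink(temp_plist_file.name)
    ## Feed the edited plist to the authorizationdb write command.
    proc = subprocess.Popen([
        "/usr/bin/security",
        "authorizationdb",
        "write",
        "system.login.console"],
        stdout=PIPE, stdin=PIPE, stderr=PIPE)
    _stdout_data, stderr_data = proc.communicate(input=plist_data)
    if proc.returncode != 0:
        sys.exit("[* Error] authorizationdb write failed (exit %d): %s"
                 % (proc.returncode, stderr_data.decode("utf-8", "replace")))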
def check_root():
    """Exit with a message unless the effective user id is 0 (root)."""
    # The script refuses to touch the authorization db as a non-root user.
    if os.geteuid():
        sys.exit("Only root can run this script.")
def check_plugin_exists():
    """Exit with a message unless the MacLogon SecurityAgent bundle is installed."""
    bundle = "/Library/Security/SecurityAgentPlugins/MacLogon.bundle"
    if os.path.exists(bundle):
        return
    sys.exit("MacLogon bundle not found. Please reinstall MacLogon.")
def check_prefs_exists():
    """Exit with a message unless the MacLogon preferences plist is present."""
    prefs = "/private/var/root/Library/Preferences/com.duosecurity.maclogon.plist"
    if os.path.exists(prefs):
        return
    sys.exit("MacLogon preferences plist not found. Please reinstall MacLogon.")
def main(argv):
    """Entry point: verify the preconditions, then edit the authorization db.

    Args:
        argv: command-line arguments; not used by any step.
    """
    # The checks run first so nothing is changed on an incomplete install.
    for step in (check_root, check_plugin_exists, check_prefs_exists, edit_authdb):
        step()
if __name__ == "__main__":
    # Run only when executed directly, not when imported as a module.
    main(sys.argv)
# security authorizationdb read system.login.console
# security authorizationdb read system.login.console
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>comment</key>
<string>Login mechanism based rule. Not for general use, yet.</string>
<key>created</key>
<real>644522976.67134595</real>
<key>mechanisms</key>
<array>
<string>builtin:prelogin</string>
<string>builtin:policy-banner</string>
<string>loginwindow:login</string>
<string>builtin:login-begin</string>
<string>builtin:reset-password,privileged</string>
<string>loginwindow:FDESupport,privileged</string>
<string>builtin:forward-login,privileged</string>
<string>builtin:auto-login,privileged</string>
<string>builtin:authenticate,privileged</string>
<string>PKINITMechanism:auth,privileged</string>
<string>builtin:login-success</string>
<string>loginwindow:success</string>
<string>HomeDirMechanism:login,privileged</string>
<string>HomeDirMechanism:status</string>
<string>MCXMechanism:login</string>
<string>CryptoTokenKit:login</string>
<string>MacLogon:Check,privileged</string>
<string>MacLogon:DuoAuthGUI</string>
<string>loginwindow:done</string>
</array>
<key>modified</key>
<real>677994887.00514305</real>
<key>shared</key>
<true/>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>9</integer>
</dict>
</plist>
YES (0)
#!/usr/bin/python3
import os
import plistlib
import subprocess
import sys
import tempfile
from subprocess import PIPE
## Mechanisms to register in the "system.login.console" rule, in the order
## they are inserted.
maclogon_mechs = [
    "NameAndPassword:invoke",
]
## Existing mechanism used as the insertion anchor, and the offset relative
## to it: offset 0 places the new mechanisms immediately before the anchor.
maclogon_index_mech = "loginwindow:done"
maclogon_index_offset = 0
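def bash_command(script, getoutput=True):
    """Run *script* (an argv list, never a shell string) and return its result.

    With getoutput=True the command's stdout is returned as bytes; a
    non-zero exit raises inside check_output and is turned into
    sys.exit() below. With getoutput=False the exit status is returned
    and stderr is discarded via subprocess.DEVNULL instead of a PIPE that
    nobody drains (a child that fills the pipe buffer would otherwise
    block forever).

    Args:
        script: argv list passed straight to subprocess (no shell).
        getoutput: return stdout when True, the exit status when False.

    Returns:
        Captured stdout (bytes), or the integer exit status.

    Exits the process via sys.exit() if the command cannot be started
    (OSError) or, with getoutput=True, exits non-zero.
    """
    try:
        if getoutput:
            return subprocess.check_output(script)
        return subprocess.call(script, stderr=subprocess.DEVNULL)
    except (subprocess.CalledProcessError, OSError) as err:
        sys.exit("[* Error] **%s** [%s]" % (err, str(script)))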
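def remove_mechs_in_db(db, mech_list):
    """Drop every mechanism entry that contains any name in *mech_list*.

    Matching is by substring (``mech in entry``), as in the original loop,
    so a short name in *mech_list* would also strip unrelated entries that
    merely contain it. The surviving entries are written back with a slice
    so the list object stays the same. This replaces removing from
    ``db['mechanisms']`` while iterating a lazy ``filter`` over it, which
    on Python 3 skipped the element following each removal.

    Args:
        db: parsed authorization rule (dict with a 'mechanisms' list).
        mech_list: mechanism names whose entries should be removed.

    Returns:
        The same *db* object, modified in place.
    """
    def keep(entry):
        return not any(mech in entry for mech in mech_list)

    entries = db['mechanisms']
    entries[:] = [entry for entry in entries if keep(entry)]
    return db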
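def set_mechs_in_db(db, mech_list, index_mech, index_offset):
    """Place *mech_list* into ``db['mechanisms']`` relative to *index_mech*.

    Entries already matching *mech_list* are removed first (via
    remove_mechs_in_db) so re-running the script does not duplicate
    mechanisms. The new entries are then inserted, in order, at
    ``index(index_mech) + index_offset``; with offset 0 they land directly
    before *index_mech*.

    Args:
        db: parsed authorization rule (dict with a 'mechanisms' list).
        mech_list: mechanism names to insert, in order.
        index_mech: existing mechanism used as the insertion anchor.
        index_offset: position relative to the anchor.

    Returns:
        The same *db* object, modified in place.

    Raises:
        ValueError: if *index_mech* is not in the mechanism list (the
            message names the missing anchor instead of the bare
            "x is not in list" from list.index).
    """
    db = remove_mechs_in_db(db, mech_list)
    mechanisms = db['mechanisms']
    try:
        anchor = mechanisms.index(index_mech)
    except ValueError:
        raise ValueError("index mechanism %r not found in the mechanisms list"
                         % (index_mech,)) from None
    # One slice assignment inserts the whole list at once, preserving order.
    position = anchor + index_offset
    mechanisms[position:position] = list(mech_list)
    return db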
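def edit_authdb():
    """Insert the configured mechanisms into the "system.login.console" rule.

    Exports the rule with ``security authorizationdb read``, edits the
    mechanism list through set_mechs_in_db(), and pipes the result back
    into ``security authorizationdb write``. The write-back's exit status
    is checked and a failure ends the script via sys.exit(), so a failed
    change to the login policy is never reported as success.
    """
    ## Export "system.login.console" as an XML plist (bytes).
    system_login_console = bash_command([
        "/usr/bin/security",
        "authorizationdb",
        "read",
        "system.login.console"])
    ## plistlib.readPlist/writePlist were removed in Python 3.9, so this
    ## script fails on current python3 with them; loads/dumps work on the
    ## bytes directly, which also removes the need for a temporary file
    ## (the previous delete=False file was never cleaned up).
    rule = plistlib.loads(system_login_console)
    rule = set_mechs_in_db(rule, maclogon_mechs,
                           maclogon_index_mech, maclogon_index_offset)
    plist_data = plistlib.dumps(rule)
    ## Feed the edited plist to the authorizationdb write command.
    proc = subprocess.Popen([
        "/usr/bin/security",
        "authorizationdb",
        "write",
        "system.login.console"],
        stdout=PIPE, stdin=PIPE, stderr=PIPE)
    _stdout_data, stderr_data = proc.communicate(input=plist_data)
    if proc.returncode != 0:
        sys.exit("[* Error] authorizationdb write failed (exit %d): %s"
                 % (proc.returncode, stderr_data.decode("utf-8", "replace")))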
def check_root():
    """Exit with a message unless the effective user id is 0 (root)."""
    # The script refuses to touch the authorization db as a non-root user.
    if os.geteuid():
        sys.exit("Only root can run this script.")
def check_plugin_exists():
    """Exit with a message unless the NameAndPassword SecurityAgent bundle is installed."""
    bundle = "/Library/Security/SecurityAgentPlugins/NameAndPassword.bundle"
    if os.path.exists(bundle):
        return
    sys.exit("NameAndPassword bundle not found. Please reinstall NameAndPassword.")
def check_prefs_exists():
    """Exit with a message unless the MacLogin preferences plist is present."""
    prefs = "/private/var/root/Library/Preferences/com.otpkey.maclogin.plist"
    if os.path.exists(prefs):
        return
    sys.exit("MacLogin preferences plist not found. Please reinstall MacLogin.")
def main(argv):
    """Entry point: verify the preconditions, then edit the authorization db.

    check_prefs_exists() is left out of this variant (its call was
    commented out), so only root and the plugin bundle are verified.

    Args:
        argv: command-line arguments; not used by any step.
    """
    # The checks run first so nothing is changed on an incomplete install.
    for step in (check_root, check_plugin_exists, edit_authdb):
        step()
if __name__ == "__main__":
    # Run only when executed directly, not when imported as a module.
    main(sys.argv)
% security authorizationdb read system.login.console
% security authorizationdb read system.login.console
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>comment</key>
<string>Login mechanism based rule. Not for general use, yet.</string>
<key>created</key>
<real>678069359.12538099</real>
<key>mechanisms</key>
<array>
<string>builtin:prelogin</string>
<string>builtin:policy-banner</string>
<string>loginwindow:login</string>
<string>builtin:login-begin</string>
<string>builtin:reset-password,privileged</string>
<string>loginwindow:FDESupport,privileged</string>
<string>builtin:forward-login,privileged</string>
<string>builtin:auto-login,privileged</string>
<string>builtin:authenticate,privileged</string>
<string>PKINITMechanism:auth,privileged</string>
<string>builtin:login-success</string>
<string>loginwindow:success</string>
<string>HomeDirMechanism:login,privileged</string>
<string>HomeDirMechanism:status</string>
<string>MCXMechanism:login</string>
<string>CryptoTokenKit:login</string>
<string>NameAndPassword:invoke</string>
<string>loginwindow:done</string>
</array>
<key>modified</key>
<real>678097098.22432697</real>
<key>shared</key>
<true/>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>9</integer>
</dict>
</plist>
YES (0)