#!/bin/sh
# Downloads, patches, and installs the Perfect Paper Passwords PAM module for Snow Leopard
# Robert Harder
# http://blog.iharder.net
# Sept 2009
#

# =======================
# = Temporary Directory =
# =======================
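# Abort on the first failed command and on unset variables (POSIX sh has no
# pipefail, so critical steps are still checked explicitly below).
set -eu

# Terminal attributes are resolved once; an unknown/missing TERM yields empty
# strings instead of a tput error on every message.
blue=$(tput setaf 4 2>/dev/null) || blue=
red=$(tput setaf 1 2>/dev/null) || red=
green=$(tput setaf 2 2>/dev/null) || green=
bold=$(tput bold 2>/dev/null) || bold=
reset=$(tput reset 2>/dev/null) || reset=

# Release is pinned: the ed-style patches below use absolute line numbers
# that are only valid for ppp-pam 0.2.
PPP_PAM_URL="http://ppp-pam.googlecode.com/files/ppp-pam-0.2.tar.gz"
TARBALL="ppp-pam-0.2.tar.gz"
# PAM header missing from the 10.6 SDK; may be overridden from the environment
# if it lives elsewhere on this machine.
PAM_MACROS_H="${PAM_MACROS_H:-/Developer/SDKs/MacOSX10.5.sdk/usr/include/pam/_pam_macros.h}"

# Prints an error message to stderr in red and exits with status 1.
die() {
  printf '%s: %s%s\n' "$red" "$*" "$reset" >&2
  exit 1
}

# Prints one blue ":"-prefixed status line.
note() {
  printf '%s: %s%s\n' "$blue" "$*" "$reset"
}

# =======================
# = Temporary Directory =
# =======================
echo "${blue}:"
note "Making temporary directory ..."
echo ":${reset}"
TEMPDIR=$(mktemp -d -t pam_ppp_installer.XXXX) || die "mktemp failed"
cd "${TEMPDIR}" || die "cannot cd to ${TEMPDIR}"
echo "  ${TEMPDIR}"

# ========================
# = Download Source Code =
# ========================
echo "${blue}:"
note "Downloading ${PPP_PAM_URL} ..."
echo ":${reset}"
# -f turns an HTTP error page into a failure instead of a bogus tarball.
curl -f -o "${TARBALL}" "${PPP_PAM_URL}" || die "download of ${PPP_PAM_URL} failed"

# The download is plain HTTP, so the archive is trusted as received unless the
# caller supplies the expected SHA-256 hex digest in PPP_PAM_SHA256 beforehand.
if [ -n "${PPP_PAM_SHA256:-}" ]; then
  actual_sha256=$(shasum -a 256 "${TARBALL}" | cut -d' ' -f1)
  [ "${actual_sha256}" = "${PPP_PAM_SHA256}" ] \
    || die "SHA-256 mismatch for ${TARBALL}: got ${actual_sha256}"
fi

# ==========
# = Unpack =
# ==========
echo "${blue}:"
note "Unpacking ${TARBALL} ..."
echo ":${reset}"
tar xzf "${TARBALL}" || die "could not unpack ${TARBALL}"

# ==========================
# = Patch Two Source Files =
# ==========================
echo "${blue}:"
note "Patching files ..."
echo ":  1) To avoid denial of service attack, do not move to the next "
echo "      passcode if a wrong one is entered."
echo ":  2) To avoid typos, echo the one time use passcode back as it is typed."
echo ":  3) Hardcode include file that is missing in OS X 10.6"
echo ":     ${PAM_MACROS_H}"
echo ":${reset}"
cd ppp-pam || die "unpacked source directory ppp-pam not found"
# Only advance the passcode counter after a correct attempt.
patch -e ppp/ppp.c <<EOF || die "patch of ppp/ppp.c failed"
343,344c
        incrCurrPasscodeNum();
    }
.
341c
    if (strcmp(getPasscode(currPasscodeNum()), attempt) == 0){
.
EOF
# Echo the passcode prompt input so typos are visible.
patch -e ppp/pam_ppp.c <<EOF || die "patch of ppp/pam_ppp.c failed"
90c
    message.msg_style = PAM_PROMPT_ECHO_ON;
.
EOF
if [ -f "${PAM_MACROS_H}" ]; then
	patch -e ppp/pam_ppp.c <<EOF || die "include patch of ppp/pam_ppp.c failed"
47c
    #include "${PAM_MACROS_H}"
.
EOF
else
	echo "${red}:"
	echo ": Could not find the _pam_macros.h file where it was expected at"
	echo ": ${PAM_MACROS_H}"
	echo ": Try running ${bold}locate _pam_macros.h${reset}${red} to see"
	echo ": if you have it elsewhere on your system, then re-run this script"
	echo ": with PAM_MACROS_H=/path/to/_pam_macros.h set in the environment."
	echo ": Output from ${bold}locate _pam_macros.h${reset}${red} follows:${reset}"
	# locate may be absent or have an empty database; the exit below is the
	# real error, so its failure is ignored.
	locate _pam_macros.h || true
	exit 1
fi


# =============
# = Configure =
# =============
echo "${blue}:"
note "Running configure script ..."
echo "${reset}:"
cd build || die "build directory not found"
../configure || die "configure failed"

# ========
# = Make =
# ========
echo "${blue}:"
note "Running Makefile ..."
echo "${reset}:"
make || die "make failed"

# ===========
# = Install =
# ===========
echo "${blue}:"
echo ": To complete installation, two commands must be run with root privileges:"
echo ":"
echo ":   1) ${green}sudo make install${reset}${blue}"
echo ":      This installs /usr/bin/pppauth and /usr/lib/pam/pam_ppp.so."
echo ":"
echo ":   2) ${green}sudo patch /etc/pam.d/sshd ...${reset}${blue} (incomplete command shown)"
echo ":      With the lines that follow in the script, "
echo ":      this adds a line to the /etc/pam.d/sshd file:"
echo ":"
echo ":      auth       required       pam_opendirectory.so"
echo ":      ${green}auth       required       pam_ppp.so${reset}${blue}"
echo ":      account    required       pam_nologin.so"
echo ":"
echo ": These require you to enter your password."
echo ": Alternately, you may abort the script now (Ctrl-C) and"
echo ": type them yourself starting in the build directory:"
echo ": ${TEMPDIR}/ppp-pam/build"
echo "${reset}:"
sudo make install || die "sudo make install failed"

# =============================
# = Configure /etc/pam.d/sshd =
# =============================
[ -f /etc/pam.d/sshd ] || die "/etc/pam.d/sshd does not exist; nothing to patch"
if grep -q pam_ppp /etc/pam.d/sshd; then
	echo "${blue}:"
	note "The /etc/pam.d/sshd file appears patched already."
	echo "${reset}:"
else
	echo "${blue}:"
	note "Patching /etc/pam.d/sshd file ..."
	echo "${reset}:"
	# -b keeps a backup of the original PAM stack next to the file; the
	# insertion point (after line 5) assumes the stock 10.6 sshd stack.
	sudo patch -b -e /etc/pam.d/sshd <<EOF || die "patch of /etc/pam.d/sshd failed"
5a
auth       required       pam_ppp.so
.
EOF
fi

# ========================
# = Generating passcodes =
# ========================
if [ -d ~/.pppauth ]; then
	echo "${blue}:"
	note "Looks like you already have passcodes in folder ~/.pppauth. Enjoy!"
	echo "${reset}:"
	pppauth -t --next 1
else
	echo "${blue}:"
	note "Generating passcodes in folder ~/.pppauth ..."
	echo "${reset}:"
	# Restrictive umask in a subshell so the key material is never created
	# group/world-readable, even momentarily before the chmod below.
	( umask 077 && pppauth --key ) || die "pppauth --key failed"
	chmod 700 ~/.pppauth
	chmod 600 ~/.pppauth/*
	pppauth -t --next 1
fi


# =========
# = Done! =
# =========
echo "${blue}:"
echo ": You are almost done, but you must do the final step."
echo ": Edit the /etc/sshd_config file and uncomment the following lines:"
echo "  ChallengeResponseAuthentication yes"
echo "  UsePAM yes"
echo ": Now go read up on all this, so you don't lock yourself out!"
echo ": http://www.grc.com/ppp"
echo ": http://code.google.com/p/ppp-pam"
echo "${reset}:"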

