mrsh Installation
Overview
Requirements
Install and Configure
- Compile
- Set up the server in place
- Configure the pam profile
- Symlink the client
Requirements
sudo true
sudo apt-get install -y git build-essential libmunge-dev libpam0g-dev libncurses5-dev
# get the code
cd /opt || read -p continue?
git clone https://github.com/chaos/mrsh.git
# compile
cd /opt/mrsh || read -p continue?
./configure
make
Set up the server
The mlogin service must be registered in /etc/services; we propose port 35805.
sudo true
# getent exits with status 2 when the service name is not found
getent services mlogin; [ $? -eq 2 ] && {
sudo tee -a /etc/services <<EOF
mlogin 35805/tcp
EOF
}
Determine the IP of the WireGuard interface. The following may help (it picks the first interface that wg reports):
sudo true
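# "interface: <name>" -> $2 is the interface name
set -- $(sudo wg show | grep interface)
IF=$2
# "inet <addr>/<prefix> ..." -> $2 is the address with its prefix length
set -- $(ip addr show dev "$IF" | grep inet)
# strip the /prefix
WGIP=${2%/*}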
Set up the service:
sudo true
SVDIR=/etc/sv/mrlogind
LOGDIR=/var/log/mrlogind
# Wireguard interface IP:
[ -n "$WGIP" ] || read -p "WGIP is required!"
# create run files
sudo install -d -m 2775 -g staff $SVDIR
cd $SVDIR || read -p continue?
cat > run <<EOF
#!/bin/sh
exec 2>&1
exec tcpsvd -v $WGIP mlogin /opt/mrsh/mrlogind/in.mrlogind
EOF
chmod +x run
mkdir $SVDIR/log && cd log
cat > run <<EOF
#!/bin/sh
exec chpst -u log svlogd -t ./main
EOF
chmod +x run
# create log directory
sudo install -d -m2750 -o log -g adm $LOGDIR
cd $SVDIR/log && ln -s $LOGDIR main
# activate service
cd $SVDIR && ln -s `pwd` /service
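To confirm that the service set up above listens only on the WireGuard address and not on a wildcard address, the following check parses `ss -Hltn` output. It is an added example, not part of the original page; the helper name `check_mlogin_bind` and the sample lines using 10.8.0.1 are constructed for illustration.

```sh
#!/bin/sh
# Added example: verify that mlogin (port 35805) listens only on the WireGuard IP.
# check_mlogin_bind is a hypothetical helper; it reads `ss -Hltn` output on stdin.
# Exit status: 0 = only on EXPECTED_IP, 1 = also/only elsewhere, 2 = no listener.
check_mlogin_bind() {
    awk -v ip="$1" -v port="${2:-35805}" '
        {
            laddr = $4                       # "Local Address:Port" column
            n = match(laddr, /:[0-9]+$/)     # split at the last colon (IPv6-safe)
            if (!n) next
            addr = substr(laddr, 1, n - 1)
            p = substr(laddr, n + 1)
            sub(/%.*$/, "", addr)            # drop a "%iface" scope suffix if present
            if (p != port) next
            seen = 1
            if (addr != ip) { bad = 1; print "unexpected listener: " laddr }
        }
        END { if (!seen) exit 2; exit (bad ? 1 : 0) }
    '
}

# Constructed sample input (not captured from a real host).
SAMPLE_OK='LISTEN 0 20 10.8.0.1:35805 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_WILDCARD='LISTEN 0 20 0.0.0.0:35805 0.0.0.0:*
LISTEN 0 20 [::]:35805 [::]:*'

# Demo on the samples. On a real host: ss -Hltn | check_mlogin_bind "$WGIP"
for sample in "$SAMPLE_OK" "$SAMPLE_WILDCARD"; do
    if printf '%s\n' "$sample" | check_mlogin_bind 10.8.0.1; then
        echo "ok: mlogin bound to the WireGuard IP only"
    else
        echo "check failed (status $?)"
    fi
done
```

A status of 1 after a change to the run file usually means $WGIP was empty or wrong when the heredoc was written, so the address baked into the run file should be checked first.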
Configure the pam profile
sudo true
sudo tee /etc/pam.d/mrlogin <<EOF
#%PAM-1.0
# For root login to succeed here with pam_securetty, "mrsh" must be
# listed in /etc/securetty.
auth requisite pam_nologin.so
auth required pam_localuser.so
auth required pam_shells.so
auth required pam_securetty.so
@include common-account
@include common-session
EOF