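--- /dev/null
+++ b/32-sshd.sh
@@ -0,0 +1,90 @@
+#
+# Setup SSH settings and public keys
+#
+
+# Load utility functions
+. ./functions.sh
+
+if [ "$ENABLE_SSHD" = true ] ; then
+if [ "$SSH_ENABLE_ROOT" = false ] ; then
+# User root is not allowed to log in
+sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin no|g" "${ETC_DIR}/ssh/sshd_config"
+fi
+
+if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then
+# Permit SSH root login
+sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin yes|g" "${ETC_DIR}/ssh/sshd_config"
+
+# Create root SSH config directory
+mkdir -p "${R}/root/.ssh"
+
+# Set permissions of root SSH config directory
+chroot_exec chmod 700 "/root/.ssh"
+chroot_exec chown root:root "/root/.ssh"
+
+# Install SSH (v2) authorized keys file for user root
+if [ ! -z "$SSH_ROOT_AUTHORIZED_KEYS" ] ; then
+install_readonly "$SSH_ROOT_AUTHORIZED_KEYS" "${R}/root/.ssh/authorized_keys2"
+fi
+
+# Add SSH (v2) public key for user root
+if [ ! -z "$SSH_ROOT_PUB_KEY" ] ; then
+cat "$SSH_ROOT_PUB_KEY" >> "${R}/root/.ssh/authorized_keys2"
+fi
+
+# Set permissions of root SSH authorized keys file
+if [ -f "${R}/root/.ssh/authorized_keys2" ] ; then
+chroot_exec chmod 600 "/root/.ssh/authorized_keys2"
+chroot_exec chown root:root "/root/.ssh/authorized_keys2"
+
+# Allow SSH public key authentication
+sed -i "s|[#]*PubkeyAuthentication.*|PubkeyAuthentication yes|g" "${ETC_DIR}/ssh/sshd_config"
+fi
+fi
+
+# Create $USER_NAME SSH config directory
+mkdir -p "${R}/home/${USER_NAME}/.ssh"
+
+# Set permissions of $USER_NAME SSH config directory
+chroot_exec chmod 700 "/home/${USER_NAME}/.ssh"
+chroot_exec chown ${USER_NAME}:${USER_NAME} "/home/${USER_NAME}/.ssh"
+
+# Install SSH (v2) authorized keys file for user $USER_NAME
+if [ ! -z "$SSH_USER_AUTHORIZED_KEYS" ] ; then
+install_readonly "$SSH_USER_AUTHORIZED_KEYS" "${R}/home/${USER_NAME}/.ssh/authorized_keys2"
+fi
+
+# Add SSH (v2) public key for user $USER_NAME
+if [ ! -z "$SSH_USER_PUB_KEY" ] ; then
+cat "$SSH_USER_PUB_KEY" >> "${R}/home/${USER_NAME}/.ssh/authorized_keys2"
+fi
+
+# Set permissions of $USER_NAME SSH authorized keys file
+if [ -f "${R}/home/${USER_NAME}/.ssh/authorized_keys2" ] ; then
+chroot_exec chmod 600 "/home/${USER_NAME}/.ssh/authorized_keys2"
+chroot_exec chown ${USER_NAME}:${USER_NAME} "/home/${USER_NAME}/.ssh/authorized_keys2"
+
+# Allow SSH public key authentication
+sed -i "s|[#]*PubkeyAuthentication.*|PubkeyAuthentication yes|g" "${ETC_DIR}/ssh/sshd_config"
+fi
+
+# Limit the users that are allowed to login via SSH
+if [ "$SSH_LIMIT_USERS" = true ] ; then
+if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then
+echo "AllowUsers root ${USER_NAME}" >> "${ETC_DIR}/ssh/sshd_config"
+else
+echo "AllowUsers ${USER_NAME}" >> "${ETC_DIR}/ssh/sshd_config"
+fi
+fi
+
+# Disable password-based authentication
+if [ "$SSH_DISABLE_PASSWORD_AUTH" = true ] ; then
+if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then
+sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin without-password|g" "${ETC_DIR}/ssh/sshd_config"
+fi
+
+sed -i "s|[#]*PasswordAuthentication.*|PasswordAuthentication no|g" "${ETC_DIR}/ssh/sshd_config"
+sed -i "s|[#]*ChallengeResponseAuthentication no.*|ChallengeResponseAuthentication no|g" "${ETC_DIR}/ssh/sshd_config"
+sed -i "s|[#]*UsePAM.*|UsePAM no|g" "${ETC_DIR}/ssh/sshd_config"
+fi
+fi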
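Review bot: Lines 45–69 create `${R}/home/${USER_NAME}/.ssh` and run `chroot_exec chown ${USER_NAME}:${USER_NAME}` unconditionally, but `USER_NAME` defaults to `pi` even when `ENABLE_USER=false` (the account is only created under that flag in the security stage), so a root-only image gets a stray `/home/pi/.ssh`, a chown on a nonexistent user, and with `SSH_LIMIT_USERS=true` line 76 appends `AllowUsers pi` for an account that does not exist — which locks SSH out completely whenever root login is not also enabled. Wrap that section in `if [ "$ENABLE_USER" = true ] ; then … fi` and only emit `AllowUsers` entries for accounts that actually exist. Separately, line 87's pattern `[#]*ChallengeResponseAuthentication no.*` only matches a line already set to `no`, so an existing `ChallengeResponseAuthentication yes` is left in force; drop the literal `no` from the pattern as the neighbouring sed lines do. Whether `chroot_exec` aborts the build on the failed chown depends on functions.sh, which is not part of this diff. `UsePAM no` on line 88 also switches off PAM account and session handling for key-based logins, not just password checks — presumably intended, but worth a comment saying so.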
@@ -193,10 +193,6 Non-root user to create. Ignored if `ENABLE_USER`=false | |||
|
193 | 193 | ##### `ENABLE_ROOT`=false |
|
194 | 194 | Set root user password so root login will be enabled |
|
195 | 195 | |
|
196 | ##### `ENABLE_ROOT_SSH`=true | |
|
197 | Enable password root login via SSH. May be a security risk with default | |
|
198 | password, use only in trusted environments. | |
|
199 | ||
|
200 | 196 | ##### `ENABLE_HARDNET`=false |
|
201 | 197 | Enable IPv4/IPv6 network stack hardening settings. |
|
202 | 198 | |
@@ -212,6 +208,28 Create an initramfs that that will be loaded during the Linux startup process. ` | |||
|
212 | 208 | ##### `ENABLE_IFNAMES`=true |
|
213 | 209 | Enable automatic assignment of predictable, stable network interface names for all local Ethernet, WLAN interfaces. This might create complex and long interface names. This parameter is only supported if the Debian release `stretch` is used. |
|
214 | 210 | |
|
211 | #### SSH settings | |
|
212 | ##### `SSH_ENABLE_ROOT`=false | |
|
213 | Enable password root login via SSH. This may be a security risk with default password, use only in trusted environments. `ENABLE_ROOT` must be set to `true`. | |
|
214 | ||
|
215 | ##### `SSH_DISABLE_PASSWORD_AUTH`=false | |
|
216 | Disable password based SSH authentication. Only public key based SSH (v2) authentication will be supported. | |
|
217 | ||
|
218 | ##### `SSH_LIMIT_USERS`=false | |
|
219 | Limit the users that are allowed to login via SSH. Only allow user `USER_NAME`=pi and root if `SSH_ENABLE_ROOT`=true to login. | |
|
220 | ||
|
221 | ##### `SSH_ROOT_AUTHORIZED_KEYS`="" | |
|
222 | Add specified SSH `authorized_keys2` file that contains keys for public key based SSH (v2) authentication of user `root`. SSH protocol version 1 is not supported. `ENABLE_ROOT` **and** `SSH_ENABLE_ROOT` must be set to `true`. | |
|
223 | ||
|
224 | ##### `SSH_ROOT_PUB_KEY`="" | |
|
225 | Add specified SSH (v2) public key file to `authorized_keys2` file to enable public key based SSH (v2) authentication of user `root`. SSH protocol version 1 is not supported. `ENABLE_ROOT` **and** `SSH_ENABLE_ROOT` must be set to `true`. | |
|
226 | ||
|
227 | ##### `SSH_USER_AUTHORIZED_KEYS`="" | |
|
228 | Add specified SSH `authorized_keys2` file that contains keys for public key based SSH (v2) authentication of user `USER_NAME`=pi. SSH protocol version 1 is not supported. | |
|
229 | ||
|
230 | ##### `SSH_USER_PUB_KEY`="" | |
|
231 | Add specified SSH (v2) public key file to `authorized_keys2` file to enable public key based SSH (v2) authentication of user `USER_NAME`=pi. SSH protocol version 1 is not supported. | |
|
232 | ||
|
215 | 233 | #### Kernel compilation: |
|
216 | 234 | ##### `BUILD_KERNEL`=false |
|
217 | 235 | Build and install the latest RPi2/3 Linux kernel. Currently only the default RPi2/3 kernel configuration is used. `BUILD_KERNEL`=true will automatically be set if the Raspberry Pi model `3` is used. |
@@ -306,6 +324,7 The functions of this script that are required for the different stages of the b | |||
|
306 | 324 | | `21-firewall.sh` | Setup Firewall | |
|
307 | 325 | | `30-security.sh` | Setup Users and Security settings | |
|
308 | 326 | | `31-logging.sh` | Setup Logging | |
|
327 | | `32-sshd.sh` | Setup SSH and public keys | | |
|
309 | 328 | | `41-uboot.sh` | Build and Setup U-Boot | |
|
310 | 329 | | `42-fbturbo.sh` | Build and Setup fbturbo Xorg driver | |
|
311 | 330 | | `50-firstboot.sh` | First boot actions | |
@@ -233,7 +233,7 fi | |||
|
233 | 233 | |
|
234 | 234 | # Disable RPi3 Bluetooth and restore ttyAMA0 serial device |
|
235 | 235 | if [ "$RPI_MODEL" = 3 ] ; then |
|
236 | if [ "$ENABLE_CONSOLE" = true ] && [ "$ENABLE_UBOOT" = false ]; then | |
|
236 | if [ "$ENABLE_CONSOLE" = true ] && [ "$ENABLE_UBOOT" = false ] ; then | |
|
237 | 237 | echo "dtoverlay=pi3-disable-bt" >> "${BOOT_DIR}/config.txt" |
|
238 | 238 | echo "enable_uart=1" >> "${BOOT_DIR}/config.txt" |
|
239 | 239 | fi |
@@ -11,18 +11,13 ENCRYPTED_USER_PASSWORD=`mkpasswd -m sha-512 "${USER_PASSWORD}"` | |||
|
11 | 11 | |
|
12 | 12 | # Setup default user |
|
13 | 13 | if [ "$ENABLE_USER" = true ] ; then |
|
14 |
chroot_exec adduser --gecos $USER_NAME --add_extra_groups |
|
|
15 | --disabled-password $USER_NAME | |
|
14 | chroot_exec adduser --gecos $USER_NAME --add_extra_groups --disabled-password $USER_NAME | |
|
16 | 15 | chroot_exec usermod -a -G sudo -p "${ENCRYPTED_USER_PASSWORD}" $USER_NAME |
|
17 | 16 | fi |
|
18 | 17 | |
|
19 | 18 | # Setup root password or not |
|
20 | 19 | if [ "$ENABLE_ROOT" = true ] ; then |
|
21 | 20 | chroot_exec usermod -p "${ENCRYPTED_PASSWORD}" root |
|
22 | ||
|
23 | if [ "$ENABLE_ROOT_SSH" = true ] ; then | |
|
24 | sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin yes|g" "${ETC_DIR}/ssh/sshd_config" | |
|
25 | fi | |
|
26 | 21 | else |
|
27 | 22 | # Set no root password to disable root login |
|
28 | 23 | chroot_exec usermod -p \'!\' root |
@@ -1,7 +1,7 | |||
|
1 | 1 | #!/bin/sh |
|
2 | 2 | |
|
3 | 3 | ######################################################################## |
|
4 |
# rpi23-gen-image.sh 2015-201 |
|
|
4 | # rpi23-gen-image.sh 2015-2017 | |
|
5 | 5 | # |
|
6 | 6 | # Advanced Debian "jessie" and "stretch" bootstrap script for RPi2/3 |
|
7 | 7 | # |
@@ -126,7 +126,15 ENABLE_RSYSLOG=${ENABLE_RSYSLOG:=true} | |||
|
126 | 126 | ENABLE_USER=${ENABLE_USER:=true} |
|
127 | 127 | USER_NAME=${USER_NAME:="pi"} |
|
128 | 128 | ENABLE_ROOT=${ENABLE_ROOT:=false} |
|
129 | ENABLE_ROOT_SSH=${ENABLE_ROOT_SSH:=false} | |
|
129 | ||
|
130 | # SSH settings | |
|
131 | SSH_ENABLE_ROOT=${SSH_ENABLE_ROOT:=false} | |
|
132 | SSH_DISABLE_PASSWORD_AUTH=${SSH_DISABLE_PASSWORD_AUTH:=false} | |
|
133 | SSH_LIMIT_USERS=${SSH_LIMIT_USERS:=false} | |
|
134 | SSH_ROOT_AUTHORIZED_KEYS=${SSH_ROOT_AUTHORIZED_KEYS:=""} | |
|
135 | SSH_USER_AUTHORIZED_KEYS=${SSH_USER_AUTHORIZED_KEYS:=""} | |
|
136 | SSH_ROOT_PUB_KEY=${SSH_ROOT_PUB_KEY:=""} | |
|
137 | SSH_USER_PUB_KEY=${SSH_USER_PUB_KEY:=""} | |
|
130 | 138 | |
|
131 | 139 | # Advanced settings |
|
132 | 140 | ENABLE_MINBASE=${ENABLE_MINBASE:=false} |
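Review bot: The removed `ENABLE_ROOT_SSH` default (old line 129) is renamed to `SSH_ENABLE_ROOT` at line 131 with no compatibility shim, so an existing configuration that sets `ENABLE_ROOT_SSH=true` is now silently ignored and root SSH login is switched off without any message. The direction is fail-closed, which is fine, but a user relying on the old name will only discover it when they cannot log in. Consider failing loudly next to the new defaults: `if [ -n "$ENABLE_ROOT_SSH" ] ; then echo "error: ENABLE_ROOT_SSH has been renamed to SSH_ENABLE_ROOT" ; exit 1 ; fi`. The README change in this commit documents the new name but does not call out the rename either.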
@@ -253,6 +261,38 if [ "$ENABLE_UBOOT" = true ] ; then | |||
|
253 | 261 | APT_INCLUDES="${APT_INCLUDES},device-tree-compiler" |
|
254 | 262 | fi |
|
255 | 263 | |
|
264 | # Check if root SSH (v2) authorized keys file exists | |
|
265 | if [ ! -z "$SSH_ROOT_AUTHORIZED_KEYS" ] ; then | |
|
266 | if [ ! -f "$SSH_ROOT_AUTHORIZED_KEYS" ] ; then | |
|
267 | echo "error: '$SSH_ROOT_AUTHORIZED_KEYS' specified SSH authorized keys file not found (SSH_ROOT_AUTHORIZED_KEYS)!" | |
|
268 | exit 1 | |
|
269 | fi | |
|
270 | fi | |
|
271 | ||
|
272 | # Check if $USER_NAME SSH (v2) authorized keys file exists | |
|
273 | if [ ! -z "$SSH_USER_AUTHORIZED_KEYS" ] ; then | |
|
274 | if [ ! -f "$SSH_USER_AUTHORIZED_KEYS" ] ; then | |
|
275 | echo "error: '$SSH_USER_AUTHORIZED_KEYS' specified SSH authorized keys file not found (SSH_USER_AUTHORIZED_KEYS)!" | |
|
276 | exit 1 | |
|
277 | fi | |
|
278 | fi | |
|
279 | ||
|
280 | # Check if root SSH (v2) public key file exists | |
|
281 | if [ ! -z "$SSH_ROOT_PUB_KEY" ] ; then | |
|
282 | if [ ! -f "$SSH_ROOT_PUB_KEY" ] ; then | |
|
283 | echo "error: '$SSH_ROOT_PUB_KEY' specified SSH public key file not found (SSH_ROOT_PUB_KEY)!" | |
|
284 | exit 1 | |
|
285 | fi | |
|
286 | fi | |
|
287 | ||
|
288 | # Check if $USER_NAME SSH (v2) public key file exists | |
|
289 | if [ ! -z "$SSH_USER_PUB_KEY" ] ; then | |
|
290 | if [ ! -f "$SSH_USER_PUB_KEY" ] ; then | |
|
291 | echo "error: '$SSH_USER_PUB_KEY' specified SSH public key file not found (SSH_USER_PUB_KEY)!" | |
|
292 | exit 1 | |
|
293 | fi | |
|
294 | fi | |
|
295 | ||
|
256 | 296 | # Check if all required packages are installed on the build system |
|
257 | 297 | for package in $REQUIRED_PACKAGES ; do |
|
258 | 298 | if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then |
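Review bot: The four new checks (lines 264–294) only test that each key file exists; nothing verifies it is actually a public key, so passing `~/.ssh/id_rsa` instead of `id_rsa.pub` for `SSH_USER_PUB_KEY` is accepted and the new SSH setup stage then `cat`s the private key into the image's `authorized_keys2` — leaking the key into every copy of the image while public-key login still fails. A cheap guard inside each branch: `if grep -q "PRIVATE KEY" "$SSH_USER_PUB_KEY" ; then echo "error: '$SSH_USER_PUB_KEY' looks like a private key (SSH_USER_PUB_KEY)!" ; exit 1 ; fi`. There is also no lock-out check: `SSH_DISABLE_PASSWORD_AUTH=true` with all four key variables empty builds an image nobody can SSH into, which deserves an error (or at least a warning) here rather than a surprise at first boot. The four blocks differ only in the variable name and description and could be one helper called four times.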
@@ -489,37 +529,37 DATE="$(date +%Y-%m-%d)" | |||
|
489 | 529 | |
|
490 | 530 | # Prepare image file |
|
491 | 531 | if [ "$ENABLE_SPLITFS" = true ] ; then |
|
492 |
dd if=/dev/zero of="$BASEDIR/${DATE}- |
|
|
493 |
dd if=/dev/zero of="$BASEDIR/${DATE}- |
|
|
494 |
dd if=/dev/zero of="$BASEDIR/${DATE}- |
|
|
495 |
dd if=/dev/zero of="$BASEDIR/${DATE}- |
|
|
532 | dd if=/dev/zero of="$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-frmw.img" bs=512 count=${TABLE_SECTORS} | |
|
533 | dd if=/dev/zero of="$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-frmw.img" bs=512 count=0 seek=${FRMW_SECTORS} | |
|
534 | dd if=/dev/zero of="$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-root.img" bs=512 count=${TABLE_SECTORS} | |
|
535 | dd if=/dev/zero of="$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-root.img" bs=512 count=0 seek=${ROOT_SECTORS} | |
|
496 | 536 | |
|
497 | 537 | # Write firmware/boot partition tables |
|
498 |
sfdisk -q -L -uS -f "$BASEDIR/${DATE}- |
|
|
538 | sfdisk -q -L -uS -f "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-frmw.img" 2> /dev/null <<EOM | |
|
499 | 539 | ${TABLE_SECTORS},${FRMW_SECTORS},c,* |
|
500 | 540 | EOM |
|
501 | 541 | |
|
502 | 542 | # Write root partition table |
|
503 |
sfdisk -q -L -uS -f "$BASEDIR/${DATE}- |
|
|
543 | sfdisk -q -L -uS -f "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-root.img" 2> /dev/null <<EOM | |
|
504 | 544 | ${TABLE_SECTORS},${ROOT_SECTORS},83 |
|
505 | 545 | EOM |
|
506 | 546 | |
|
507 | 547 | # Setup temporary loop devices |
|
508 |
FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}- |
|
|
509 |
ROOT_LOOP="$(losetup -o 1M -f --show $BASEDIR/${DATE}- |
|
|
548 | FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-frmw.img)" | |
|
549 | ROOT_LOOP="$(losetup -o 1M -f --show $BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-root.img)" | |
|
510 | 550 | else # ENABLE_SPLITFS=false |
|
511 |
dd if=/dev/zero of="$BASEDIR/${DATE}- |
|
|
512 |
dd if=/dev/zero of="$BASEDIR/${DATE}- |
|
|
551 | dd if=/dev/zero of="$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.img" bs=512 count=${TABLE_SECTORS} | |
|
552 | dd if=/dev/zero of="$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.img" bs=512 count=0 seek=${IMAGE_SECTORS} | |
|
513 | 553 | |
|
514 | 554 | # Write partition table |
|
515 |
sfdisk -q -L -uS -f "$BASEDIR/${DATE}- |
|
|
555 | sfdisk -q -L -uS -f "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.img" 2> /dev/null <<EOM | |
|
516 | 556 | ${TABLE_SECTORS},${FRMW_SECTORS},c,* |
|
517 | 557 | ${ROOT_OFFSET},${ROOT_SECTORS},83 |
|
518 | 558 | EOM |
|
519 | 559 | |
|
520 | 560 | # Setup temporary loop devices |
|
521 |
FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}- |
|
|
522 |
ROOT_LOOP="$(losetup -o 65M -f --show $BASEDIR/${DATE}- |
|
|
561 | FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.img)" | |
|
562 | ROOT_LOOP="$(losetup -o 65M -f --show $BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.img)" | |
|
523 | 563 | fi |
|
524 | 564 | |
|
525 | 565 | if [ "$ENABLE_CRYPTFS" = true ] ; then |
@@ -566,16 +606,16 cleanup | |||
|
566 | 606 | # Create block map file(s) of image(s) |
|
567 | 607 | if [ "$ENABLE_SPLITFS" = true ] ; then |
|
568 | 608 | # Create block map files for "bmaptool" |
|
569 |
bmaptool create -o "$BASEDIR/${DATE}- |
|
|
570 |
bmaptool create -o "$BASEDIR/${DATE}- |
|
|
609 | bmaptool create -o "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-frmw.bmap" "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-frmw.img" | |
|
610 | bmaptool create -o "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-root.bmap" "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-root.img" | |
|
571 | 611 | |
|
572 | 612 | # Image was successfully created |
|
573 |
echo "$BASEDIR/${DATE}- |
|
|
574 |
echo "$BASEDIR/${DATE}- |
|
|
613 | echo "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-frmw.img ($(expr \( ${TABLE_SECTORS} + ${FRMW_SECTORS} \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created" | |
|
614 | echo "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-root.img ($(expr \( ${TABLE_SECTORS} + ${ROOT_SECTORS} \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created" | |
|
575 | 615 | else |
|
576 | 616 | # Create block map file for "bmaptool" |
|
577 |
bmaptool create -o "$BASEDIR/${DATE}- |
|
|
617 | bmaptool create -o "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.bmap" "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.img" | |
|
578 | 618 | |
|
579 | 619 | # Image was successfully created |
|
580 |
echo "$BASEDIR/${DATE}- |
|
|
620 | echo "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.img ($(expr \( ${TABLE_SECTORS} + ${FRMW_SECTORS} + ${ROOT_SECTORS} \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created" | |
|
581 | 621 | fi |