Raspi2-3_GenImage Commit - r120:15fff1eef3a5 · Collaboration Tremplin des Sciences

Added: SSH public key auth, other fixes

drtyhlpr -

r120:15fff1eef3a5

parent child

Context file:

r120:15fff1eef3a5

Collapse all files

bootstrap.d/32-sshd.sh created 644 +90 0

			@@ -0,0 +1,90
		1	#
		2	# Setup SSH settings and public keys
		3	#
		4
		5	# Load utility functions
		6	. ./functions.sh
		7
		8	if [ "$ENABLE_SSHD" = true ] ; then
		9	if [ "$SSH_ENABLE_ROOT" = false ] ; then
		10	# User root is not allowed to log in
		11	sed -i "s\|[#]PermitRootLogin.\|PermitRootLogin no\|g" "${ETC_DIR}/ssh/sshd_config"
		12	fi
		13
		14	if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then
		15	# Permit SSH root login
		16	sed -i "s\|[#]PermitRootLogin.\|PermitRootLogin yes\|g" "${ETC_DIR}/ssh/sshd_config"
		17
		18	# Create root SSH config directory
		19	mkdir -p "${R}/root/.ssh"
		20
		21	# Set permissions of root SSH config directory
		22	chroot_exec chmod 700 "/root/.ssh"
		23	chroot_exec chown root:root "/root/.ssh"
		24
		25	# Install SSH (v2) authorized keys file for user root
		26	if [ ! -z "$SSH_ROOT_AUTHORIZED_KEYS" ] ; then
		27	install_readonly "$SSH_ROOT_AUTHORIZED_KEYS" "${R}/root/.ssh/authorized_keys2"
		28	fi
		29
		30	# Add SSH (v2) public key for user root
		31	if [ ! -z "$SSH_ROOT_PUB_KEY" ] ; then
		32	cat "$SSH_ROOT_PUB_KEY" >> "${R}/root/.ssh/authorized_keys2"
		33	fi
		34
		35	# Set permissions of root SSH authorized keys file
		36	if [ -f "${R}/root/.ssh/authorized_keys2" ] ; then
		37	chroot_exec chmod 600 "/root/.ssh/authorized_keys2"
		38	chroot_exec chown root:root "/root/.ssh/authorized_keys2"
		39
		40	# Allow SSH public key authentication
		41	sed -i "s\|[#]PubkeyAuthentication.\|PubkeyAuthentication yes\|g" "${ETC_DIR}/ssh/sshd_config"
		42	fi
		43	fi
		44
		45	# Create $USER_NAME SSH config directory
		46	mkdir -p "${R}/home/${USER_NAME}/.ssh"
		47
		48	# Set permissions of $USER_NAME SSH config directory
		49	chroot_exec chmod 700 "/home/${USER_NAME}/.ssh"
		50	chroot_exec chown ${USER_NAME}:${USER_NAME} "/home/${USER_NAME}/.ssh"
		51
		52	# Install SSH (v2) authorized keys file for user $USER_NAME
		53	if [ ! -z "$SSH_USER_AUTHORIZED_KEYS" ] ; then
		54	install_readonly "$SSH_USER_AUTHORIZED_KEYS" "${R}/home/${USER_NAME}/.ssh/authorized_keys2"
		55	fi
		56
		57	# Add SSH (v2) public key for user $USER_NAME
		58	if [ ! -z "$SSH_USER_PUB_KEY" ] ; then
		59	cat "$SSH_USER_PUB_KEY" >> "${R}/home/${USER_NAME}/.ssh/authorized_keys2"
		60	fi
		61
		62	# Set permissions of $USER_NAME SSH authorized keys file
		63	if [ -f "${R}/home/${USER_NAME}/.ssh/authorized_keys2" ] ; then
		64	chroot_exec chmod 600 "/home/${USER_NAME}/.ssh/authorized_keys2"
		65	chroot_exec chown ${USER_NAME}:${USER_NAME} "/home/${USER_NAME}/.ssh/authorized_keys2"
		66
		67	# Allow SSH public key authentication
		68	sed -i "s\|[#]PubkeyAuthentication.\|PubkeyAuthentication yes\|g" "${ETC_DIR}/ssh/sshd_config"
		69	fi
		70
		71	# Limit the users that are allowed to login via SSH
		72	if [ "$SSH_LIMIT_USERS" = true ] ; then
		73	if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then
		74	echo "AllowUsers root ${USER_NAME}" >> "${ETC_DIR}/ssh/sshd_config"
		75	else
		76	echo "AllowUsers ${USER_NAME}" >> "${ETC_DIR}/ssh/sshd_config"
		77	fi
		78	fi
		79
		80	# Disable password-based authentication
		81	if [ "$SSH_DISABLE_PASSWORD_AUTH" = true ] ; then
		82	if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then
		83	sed -i "s\|[#]PermitRootLogin.\|PermitRootLogin without-password\|g" "${ETC_DIR}/ssh/sshd_config"
		84	fi
		85
		86	sed -i "s\|[#]PasswordAuthentication.\|PasswordAuthentication no\|g" "${ETC_DIR}/ssh/sshd_config"
		87	sed -i "s\|[#]ChallengeResponseAuthentication no.\|ChallengeResponseAuthentication no\|g" "${ETC_DIR}/ssh/sshd_config"
		88	sed -i "s\|[#]UsePAM.\|UsePAM no\|g" "${ETC_DIR}/ssh/sshd_config"
		89	fi
		90	fi

README.md +23 -4

              ##### `ENABLE_ROOT`=false
              Set root user password so root login will be enabled
-             ##### `ENABLE_ROOT_SSH`=true
-             Enable password root login via SSH. May be a security risk with default
-             password, use only in trusted environments.
              ##### `ENABLE_HARDNET`=false
              Enable IPv4/IPv6 network stack hardening settings.
              ##### `ENABLE_IFNAMES`=true
              Enable automatic assignment of predictable, stable network interface names for all local Ethernet, WLAN interfaces. This might create complex and long interface names. This parameter is only supported if the Debian release `stretch` is used.
+             #### SSH settings
+             ##### `SSH_ENABLE_ROOT`=false
+             Enable password root login via SSH. This may be a security risk with default password, use only in trusted environments. `ENABLE_ROOT` must be set to `true`.
+             ##### `SSH_DISABLE_PASSWORD_AUTH`=false
+             Disable password based SSH authentication. Only public key based SSH (v2) authentication will be supported.
+             ##### `SSH_LIMIT_USERS`=false
+             Limit the users that are allowed to login via SSH. Only allow user `USER_NAME`=pi and root if `SSH_ENABLE_ROOT`=true to login.
+             ##### `SSH_ROOT_AUTHORIZED_KEYS`=""
+             Add specified SSH `authorized_keys2` file that contains keys for public key based SSH (v2) authentication of user `root`. SSH protocol version 1 is not supported. `ENABLE_ROOT` **and** `SSH_ENABLE_ROOT` must be set to `true`.
+             ##### `SSH_ROOT_PUB_KEY`=""
+             Add specified SSH (v2) public key file to `authorized_keys2` file to enable public key based SSH (v2) authentication of user `root`. SSH protocol version 1 is not supported. `ENABLE_ROOT` **and** `SSH_ENABLE_ROOT` must be set to `true`.
+             ##### `SSH_USER_AUTHORIZED_KEYS`=""
+             Add specified SSH `authorized_keys2` file that contains keys for public key based SSH (v2) authentication of user `USER_NAME`=pi. SSH protocol version 1 is not supported.
+             ##### `SSH_USER_PUB_KEY`=""
+             Add specified SSH (v2) public key file to `authorized_keys2` file to enable public key based SSH (v2) authentication of user `USER_NAME`=pi. SSH protocol version 1 is not supported.
              #### Kernel compilation:
              ##### `BUILD_KERNEL`=false
              Build and install the latest RPi2/3 Linux kernel. Currently only the default RPi2/3 kernel configuration is used. `BUILD_KERNEL`=true will automatically be set if the Raspberry Pi model `3` is used.
              | `21-firewall.sh` | Setup Firewall |
              | `30-security.sh` | Setup Users and Security settings |
              | `31-logging.sh` | Setup Logging |
+             | `32-sshd.sh` | Setup SSH and public keys |
              | `41-uboot.sh` | Build and Setup U-Boot |
              | `42-fbturbo.sh` | Build and Setup fbturbo Xorg driver |
              | `50-firstboot.sh` | First boot actions |

bootstrap.d/13-kernel.sh +1 -1

              # Disable RPi3 Bluetooth and restore ttyAMA0 serial device
              if [ "$RPI_MODEL" = 3 ] ; then
-               if [ "$ENABLE_CONSOLE" = true ] && [ "$ENABLE_UBOOT" = false ]; then
+               if [ "$ENABLE_CONSOLE" = true ] && [ "$ENABLE_UBOOT" = false ] ; then
                  echo "dtoverlay=pi3-disable-bt" >> "${BOOT_DIR}/config.txt"
                  echo "enable_uart=1" >> "${BOOT_DIR}/config.txt"
                fi

bootstrap.d/30-security.sh +1 -6

              # Setup default user
              if [ "$ENABLE_USER" = true ] ; then
-               chroot_exec adduser --gecos $USER_NAME --add_extra_groups \
-             	--disabled-password $USER_NAME
+               chroot_exec adduser --gecos $USER_NAME --add_extra_groups --disabled-password $USER_NAME
                chroot_exec usermod -a -G sudo -p "${ENCRYPTED_USER_PASSWORD}" $USER_NAME
              fi
              # Setup root password or not
              if [ "$ENABLE_ROOT" = true ] ; then
                chroot_exec usermod -p "${ENCRYPTED_PASSWORD}" root
-               if [ "$ENABLE_ROOT_SSH" = true ] ; then
-                 sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin yes|g" "${ETC_DIR}/ssh/sshd_config"
-               fi
              else
                # Set no root password to disable root login
                chroot_exec usermod -p \'!\' root

rpi23-gen-image.sh +61 -21

              #!/bin/sh
              ########################################################################
-             # rpi23-gen-image.sh					       2015-2016
+             # rpi23-gen-image.sh					       2015-2017
              #
              # Advanced Debian "jessie" and "stretch"  bootstrap script for RPi2/3
              #
              ENABLE_USER=${ENABLE_USER:=true}
              USER_NAME=${USER_NAME:="pi"}
              ENABLE_ROOT=${ENABLE_ROOT:=false}
-             ENABLE_ROOT_SSH=${ENABLE_ROOT_SSH:=false}
+             # SSH settings
+             SSH_ENABLE_ROOT=${SSH_ENABLE_ROOT:=false}
+             SSH_DISABLE_PASSWORD_AUTH=${SSH_DISABLE_PASSWORD_AUTH:=false}
+             SSH_LIMIT_USERS=${SSH_LIMIT_USERS:=false}
+             SSH_ROOT_AUTHORIZED_KEYS=${SSH_ROOT_AUTHORIZED_KEYS:=""}
+             SSH_USER_AUTHORIZED_KEYS=${SSH_USER_AUTHORIZED_KEYS:=""}
+             SSH_ROOT_PUB_KEY=${SSH_ROOT_PUB_KEY:=""}
+             SSH_USER_PUB_KEY=${SSH_USER_PUB_KEY:=""}
              # Advanced settings
              ENABLE_MINBASE=${ENABLE_MINBASE:=false}
                APT_INCLUDES="${APT_INCLUDES},device-tree-compiler"
              fi
+             # Check if root SSH (v2) authorized keys file exists
+             if [ ! -z "$SSH_ROOT_AUTHORIZED_KEYS" ] ; then
+               if [ ! -f "$SSH_ROOT_AUTHORIZED_KEYS" ] ; then
+                 echo "error: '$SSH_ROOT_AUTHORIZED_KEYS' specified SSH authorized keys file not found (SSH_ROOT_AUTHORIZED_KEYS)!"
+                 exit 1
+               fi
+             fi
+             # Check if $USER_NAME SSH (v2) authorized keys file exists
+             if [ ! -z "$SSH_USER_AUTHORIZED_KEYS" ] ; then
+               if [ ! -f "$SSH_USER_AUTHORIZED_KEYS" ] ; then
+                 echo "error: '$SSH_USER_AUTHORIZED_KEYS' specified SSH authorized keys file not found (SSH_USER_AUTHORIZED_KEYS)!"
+                 exit 1
+               fi
+             fi
+             # Check if root SSH (v2) public key file exists
+             if [ ! -z "$SSH_ROOT_PUB_KEY" ] ; then
+               if [ ! -f "$SSH_ROOT_PUB_KEY" ] ; then
+                 echo "error: '$SSH_ROOT_PUB_KEY' specified SSH public key file not found (SSH_ROOT_PUB_KEY)!"
+                 exit 1
+               fi
+             fi
+             # Check if $USER_NAME SSH (v2) public key file exists
+             if [ ! -z "$SSH_USER_PUB_KEY" ] ; then
+               if [ ! -f "$SSH_USER_PUB_KEY" ] ; then
+                 echo "error: '$SSH_USER_PUB_KEY' specified SSH public key file not found (SSH_USER_PUB_KEY)!"
+                 exit 1
+               fi
+             fi
              # Check if all required packages are installed on the build system
              for package in $REQUIRED_PACKAGES ; do
                if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
              # Prepare image file
              if [ "$ENABLE_SPLITFS" = true ] ; then
-               dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" bs=512 count=${TABLE_SECTORS}
-               dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" bs=512 count=0 seek=${FRMW_SECTORS}
-               dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-root.img" bs=512 count=${TABLE_SECTORS}
-               dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-root.img" bs=512 count=0 seek=${ROOT_SECTORS}
+               dd if=/dev/zero of="$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-frmw.img" bs=512 count=${TABLE_SECTORS}
+               dd if=/dev/zero of="$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-frmw.img" bs=512 count=0 seek=${FRMW_SECTORS}
+               dd if=/dev/zero of="$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-root.img" bs=512 count=${TABLE_SECTORS}
+               dd if=/dev/zero of="$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-root.img" bs=512 count=0 seek=${ROOT_SECTORS}
                # Write firmware/boot partition tables
-               sfdisk -q -L -uS -f "$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" 2> /dev/null <<EOM
+               sfdisk -q -L -uS -f "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-frmw.img" 2> /dev/null <<EOM
              ${TABLE_SECTORS},${FRMW_SECTORS},c,*
              EOM
                # Write root partition table
-               sfdisk -q -L -uS -f "$BASEDIR/${DATE}-debian-${RELEASE}-root.img" 2> /dev/null <<EOM
+               sfdisk -q -L -uS -f "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-root.img" 2> /dev/null <<EOM
              ${TABLE_SECTORS},${ROOT_SECTORS},83
              EOM
                # Setup temporary loop devices
-               FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}-frmw.img)"
-               ROOT_LOOP="$(losetup -o 1M -f --show $BASEDIR/${DATE}-debian-${RELEASE}-root.img)"
+               FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-frmw.img)"
+               ROOT_LOOP="$(losetup -o 1M -f --show $BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-root.img)"
              else # ENABLE_SPLITFS=false
-               dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=${TABLE_SECTORS}
-               dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=0 seek=${IMAGE_SECTORS}
+               dd if=/dev/zero of="$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.img" bs=512 count=${TABLE_SECTORS}
+               dd if=/dev/zero of="$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.img" bs=512 count=0 seek=${IMAGE_SECTORS}
                # Write partition table
-               sfdisk -q -L -uS -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" 2> /dev/null <<EOM
+               sfdisk -q -L -uS -f "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.img" 2> /dev/null <<EOM
              ${TABLE_SECTORS},${FRMW_SECTORS},c,*
              ${ROOT_OFFSET},${ROOT_SECTORS},83
              EOM
                # Setup temporary loop devices
-               FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
-               ROOT_LOOP="$(losetup -o 65M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
+               FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.img)"
+               ROOT_LOOP="$(losetup -o 65M -f --show $BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.img)"
              fi
              if [ "$ENABLE_CRYPTFS" = true ] ; then
              # Create block map file(s) of image(s)
              if [ "$ENABLE_SPLITFS" = true ] ; then
                # Create block map files for "bmaptool"
-               bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}-frmw.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img"
-               bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}-root.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}-root.img"
+               bmaptool create -o "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-frmw.bmap" "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-frmw.img"
+               bmaptool create -o "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-root.bmap" "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-root.img"
                # Image was successfully created
-               echo "$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img ($(expr \( ${TABLE_SECTORS} + ${FRMW_SECTORS} \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
-               echo "$BASEDIR/${DATE}-debian-${RELEASE}-root.img ($(expr \( ${TABLE_SECTORS} + ${ROOT_SECTORS} \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
+               echo "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-frmw.img ($(expr \( ${TABLE_SECTORS} + ${FRMW_SECTORS} \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
+               echo "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-root.img ($(expr \( ${TABLE_SECTORS} + ${ROOT_SECTORS} \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
              else
                # Create block map file for "bmaptool"
-               bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
+               bmaptool create -o "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.bmap" "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.img"
                # Image was successfully created
-               echo "$BASEDIR/${DATE}-debian-${RELEASE}.img ($(expr \( ${TABLE_SECTORS} + ${FRMW_SECTORS} + ${ROOT_SECTORS} \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
+               echo "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.img ($(expr \( ${TABLE_SECTORS} + ${FRMW_SECTORS} + ${ROOT_SECTORS} \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
              fi

General Comments 0

Écrire
Preview

Vous devez vous connecter pour laisser un commentaire. Se connecter maintenant

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Dépôts
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages