Added: SSH public key auth, other fixes
drtyhlpr -
r120:15fff1eef3a5
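--- /dev/null
+++ b/32-sshd.sh
@@ -0,0 +1,90 @@
+#
+# Setup SSH settings and public keys
+#
+
+# Load utility functions
+. ./functions.sh
+
+if [ "$ENABLE_SSHD" = true ] ; then
+if [ "$SSH_ENABLE_ROOT" = false ] ; then
+# User root is not allowed to log in
+sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin no|g" "${ETC_DIR}/ssh/sshd_config"
+fi
+
+if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then
+# Permit SSH root login
+sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin yes|g" "${ETC_DIR}/ssh/sshd_config"
+
+# Create root SSH config directory
+mkdir -p "${R}/root/.ssh"
+
+# Set permissions of root SSH config directory
+chroot_exec chmod 700 "/root/.ssh"
+chroot_exec chown root:root "/root/.ssh"
+
+# Install SSH (v2) authorized keys file for user root
+if [ ! -z "$SSH_ROOT_AUTHORIZED_KEYS" ] ; then
+install_readonly "$SSH_ROOT_AUTHORIZED_KEYS" "${R}/root/.ssh/authorized_keys2"
+fi
+
+# Add SSH (v2) public key for user root
+if [ ! -z "$SSH_ROOT_PUB_KEY" ] ; then
+cat "$SSH_ROOT_PUB_KEY" >> "${R}/root/.ssh/authorized_keys2"
+fi
+
+# Set permissions of root SSH authorized keys file
+if [ -f "${R}/root/.ssh/authorized_keys2" ] ; then
+chroot_exec chmod 600 "/root/.ssh/authorized_keys2"
+chroot_exec chown root:root "/root/.ssh/authorized_keys2"
+
+# Allow SSH public key authentication
+sed -i "s|[#]*PubkeyAuthentication.*|PubkeyAuthentication yes|g" "${ETC_DIR}/ssh/sshd_config"
+fi
+fi
+
+# Create $USER_NAME SSH config directory
+mkdir -p "${R}/home/${USER_NAME}/.ssh"
+
+# Set permissions of $USER_NAME SSH config directory
+chroot_exec chmod 700 "/home/${USER_NAME}/.ssh"
+chroot_exec chown ${USER_NAME}:${USER_NAME} "/home/${USER_NAME}/.ssh"
+
+# Install SSH (v2) authorized keys file for user $USER_NAME
+if [ ! -z "$SSH_USER_AUTHORIZED_KEYS" ] ; then
+install_readonly "$SSH_USER_AUTHORIZED_KEYS" "${R}/home/${USER_NAME}/.ssh/authorized_keys2"
+fi
+
+# Add SSH (v2) public key for user $USER_NAME
+if [ ! -z "$SSH_USER_PUB_KEY" ] ; then
+cat "$SSH_USER_PUB_KEY" >> "${R}/home/${USER_NAME}/.ssh/authorized_keys2"
+fi
+
+# Set permissions of $USER_NAME SSH authorized keys file
+if [ -f "${R}/home/${USER_NAME}/.ssh/authorized_keys2" ] ; then
+chroot_exec chmod 600 "/home/${USER_NAME}/.ssh/authorized_keys2"
+chroot_exec chown ${USER_NAME}:${USER_NAME} "/home/${USER_NAME}/.ssh/authorized_keys2"
+
+# Allow SSH public key authentication
+sed -i "s|[#]*PubkeyAuthentication.*|PubkeyAuthentication yes|g" "${ETC_DIR}/ssh/sshd_config"
+fi
+
+# Limit the users that are allowed to login via SSH
+if [ "$SSH_LIMIT_USERS" = true ] ; then
+if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then
+echo "AllowUsers root ${USER_NAME}" >> "${ETC_DIR}/ssh/sshd_config"
+else
+echo "AllowUsers ${USER_NAME}" >> "${ETC_DIR}/ssh/sshd_config"
+fi
+fi
+
+# Disable password-based authentication
+if [ "$SSH_DISABLE_PASSWORD_AUTH" = true ] ; then
+if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then
+sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin without-password|g" "${ETC_DIR}/ssh/sshd_config"
+fi
+
+sed -i "s|[#]*PasswordAuthentication.*|PasswordAuthentication no|g" "${ETC_DIR}/ssh/sshd_config"
+sed -i "s|[#]*ChallengeResponseAuthentication no.*|ChallengeResponseAuthentication no|g" "${ETC_DIR}/ssh/sshd_config"
+sed -i "s|[#]*UsePAM.*|UsePAM no|g" "${ETC_DIR}/ssh/sshd_config"
+fi
+fi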
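Review bot: The `ChallengeResponseAuthentication` substitution on new line 87 embeds the literal ` no` in its search pattern, so it only rewrites a line that already says `ChallengeResponseAuthentication no` and leaves a `yes` setting untouched, unlike the neighbouring `PasswordAuthentication` and `UsePAM` edits that use the open-ended `.*` form; use `sed -i "s|[#]*ChallengeResponseAuthentication.*|ChallengeResponseAuthentication no|g" "${ETC_DIR}/ssh/sshd_config"` so the hardening step actually applies. Separately, the `cat ... >>` appends on new lines 32 and 59 glue a user-supplied public key file onto whatever `install_readonly` placed in `authorized_keys2` on lines 27 and 54; if the installed file lacks a trailing newline, the two keys presumably end up on one line and neither parses, so it is worth emitting a newline before the append or checking for one (the contents of those files are not visible here). The `chown ${USER_NAME}:${USER_NAME}` operands on lines 50 and 65 are the only unquoted expansions in the file and would read more consistently as `"${USER_NAME}:${USER_NAME}"`.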
@@ -193,10 +193,6 Non-root user to create. Ignored if `ENABLE_USER`=false
193 193 ##### `ENABLE_ROOT`=false
194 194 Set root user password so root login will be enabled
195 195
196 ##### `ENABLE_ROOT_SSH`=true
197 Enable password root login via SSH. May be a security risk with default
198 password, use only in trusted environments.
199
200 196 ##### `ENABLE_HARDNET`=false
201 197 Enable IPv4/IPv6 network stack hardening settings.
202 198
@@ -212,6 +208,28 Create an initramfs that that will be loaded during the Linux startup process. `
212 208 ##### `ENABLE_IFNAMES`=true
213 209 Enable automatic assignment of predictable, stable network interface names for all local Ethernet, WLAN interfaces. This might create complex and long interface names. This parameter is only supported if the Debian release `stretch` is used.
214 210
211 #### SSH settings
212 ##### `SSH_ENABLE_ROOT`=false
213 Enable password root login via SSH. This may be a security risk with default password, use only in trusted environments. `ENABLE_ROOT` must be set to `true`.
214
215 ##### `SSH_DISABLE_PASSWORD_AUTH`=false
216 Disable password based SSH authentication. Only public key based SSH (v2) authentication will be supported.
217
218 ##### `SSH_LIMIT_USERS`=false
219 Limit the users that are allowed to login via SSH. Only allow user `USER_NAME`=pi and root if `SSH_ENABLE_ROOT`=true to login.
220
221 ##### `SSH_ROOT_AUTHORIZED_KEYS`=""
222 Add specified SSH `authorized_keys2` file that contains keys for public key based SSH (v2) authentication of user `root`. SSH protocol version 1 is not supported. `ENABLE_ROOT` **and** `SSH_ENABLE_ROOT` must be set to `true`.
223
224 ##### `SSH_ROOT_PUB_KEY`=""
225 Add specified SSH (v2) public key file to `authorized_keys2` file to enable public key based SSH (v2) authentication of user `root`. SSH protocol version 1 is not supported. `ENABLE_ROOT` **and** `SSH_ENABLE_ROOT` must be set to `true`.
226
227 ##### `SSH_USER_AUTHORIZED_KEYS`=""
228 Add specified SSH `authorized_keys2` file that contains keys for public key based SSH (v2) authentication of user `USER_NAME`=pi. SSH protocol version 1 is not supported.
229
230 ##### `SSH_USER_PUB_KEY`=""
231 Add specified SSH (v2) public key file to `authorized_keys2` file to enable public key based SSH (v2) authentication of user `USER_NAME`=pi. SSH protocol version 1 is not supported.
232
215 233 #### Kernel compilation:
216 234 ##### `BUILD_KERNEL`=false
217 235 Build and install the latest RPi2/3 Linux kernel. Currently only the default RPi2/3 kernel configuration is used. `BUILD_KERNEL`=true will automatically be set if the Raspberry Pi model `3` is used.
@@ -306,6 +324,7 The functions of this script that are required for the different stages of the b
306 324 | `21-firewall.sh` | Setup Firewall |
307 325 | `30-security.sh` | Setup Users and Security settings |
308 326 | `31-logging.sh` | Setup Logging |
327 | `32-sshd.sh` | Setup SSH and public keys |
309 328 | `41-uboot.sh` | Build and Setup U-Boot |
310 329 | `42-fbturbo.sh` | Build and Setup fbturbo Xorg driver |
311 330 | `50-firstboot.sh` | First boot actions |
@@ -233,7 +233,7 fi
233 233
234 234 # Disable RPi3 Bluetooth and restore ttyAMA0 serial device
235 235 if [ "$RPI_MODEL" = 3 ] ; then
236 if [ "$ENABLE_CONSOLE" = true ] && [ "$ENABLE_UBOOT" = false ]; then
236 if [ "$ENABLE_CONSOLE" = true ] && [ "$ENABLE_UBOOT" = false ] ; then
237 237 echo "dtoverlay=pi3-disable-bt" >> "${BOOT_DIR}/config.txt"
238 238 echo "enable_uart=1" >> "${BOOT_DIR}/config.txt"
239 239 fi
@@ -11,18 +11,13 ENCRYPTED_USER_PASSWORD=`mkpasswd -m sha-512 "${USER_PASSWORD}"`
11 11
12 12 # Setup default user
13 13 if [ "$ENABLE_USER" = true ] ; then
14 chroot_exec adduser --gecos $USER_NAME --add_extra_groups \
15 --disabled-password $USER_NAME
14 chroot_exec adduser --gecos $USER_NAME --add_extra_groups --disabled-password $USER_NAME
16 15 chroot_exec usermod -a -G sudo -p "${ENCRYPTED_USER_PASSWORD}" $USER_NAME
17 16 fi
18 17
19 18 # Setup root password or not
20 19 if [ "$ENABLE_ROOT" = true ] ; then
21 20 chroot_exec usermod -p "${ENCRYPTED_PASSWORD}" root
22
23 if [ "$ENABLE_ROOT_SSH" = true ] ; then
24 sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin yes|g" "${ETC_DIR}/ssh/sshd_config"
25 fi
26 21 else
27 22 # Set no root password to disable root login
28 23 chroot_exec usermod -p \'!\' root
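Review bot: The re-joined adduser line (new line 14) leaves both `$USER_NAME` expansions unquoted while the usermod line right below quotes its password argument; `chroot_exec adduser --gecos "$USER_NAME" --add_extra_groups --disabled-password "$USER_NAME"` keeps the call intact if the configured name ever carries whitespace or glob characters. The enclosing `if [ "$ENABLE_ROOT" = true ]` block continues past the end of the hunk.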
@@ -1,7 +1,7
1 1 #!/bin/sh
2 2
3 3 ########################################################################
4 # rpi23-gen-image.sh 2015-2016
4 # rpi23-gen-image.sh 2015-2017
5 5 #
6 6 # Advanced Debian "jessie" and "stretch" bootstrap script for RPi2/3
7 7 #
@@ -126,7 +126,15 ENABLE_RSYSLOG=${ENABLE_RSYSLOG:=true}
126 126 ENABLE_USER=${ENABLE_USER:=true}
127 127 USER_NAME=${USER_NAME:="pi"}
128 128 ENABLE_ROOT=${ENABLE_ROOT:=false}
129 ENABLE_ROOT_SSH=${ENABLE_ROOT_SSH:=false}
129
130 # SSH settings
131 SSH_ENABLE_ROOT=${SSH_ENABLE_ROOT:=false}
132 SSH_DISABLE_PASSWORD_AUTH=${SSH_DISABLE_PASSWORD_AUTH:=false}
133 SSH_LIMIT_USERS=${SSH_LIMIT_USERS:=false}
134 SSH_ROOT_AUTHORIZED_KEYS=${SSH_ROOT_AUTHORIZED_KEYS:=""}
135 SSH_USER_AUTHORIZED_KEYS=${SSH_USER_AUTHORIZED_KEYS:=""}
136 SSH_ROOT_PUB_KEY=${SSH_ROOT_PUB_KEY:=""}
137 SSH_USER_PUB_KEY=${SSH_USER_PUB_KEY:=""}
130 138
131 139 # Advanced settings
132 140 ENABLE_MINBASE=${ENABLE_MINBASE:=false}
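Review bot: `ENABLE_ROOT_SSH` is dropped on old line 129 and replaced by `SSH_ENABLE_ROOT` on new line 131 with no fallback, so an existing invocation that still exports `ENABLE_ROOT_SSH=true` silently loses root SSH access instead of failing or warning. Failing closed is the right default, but a migration hint would save users a debugging session: either `SSH_ENABLE_ROOT=${SSH_ENABLE_ROOT:=${ENABLE_ROOT_SSH:-false}}` or a check that prints `warning: ENABLE_ROOT_SSH is obsolete, use SSH_ENABLE_ROOT` when the old variable is set. The README hunk above documents only the new name, so the rename is otherwise undiscoverable.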
@@ -253,6 +261,38 if [ "$ENABLE_UBOOT" = true ] ; then
253 261 APT_INCLUDES="${APT_INCLUDES},device-tree-compiler"
254 262 fi
255 263
264 # Check if root SSH (v2) authorized keys file exists
265 if [ ! -z "$SSH_ROOT_AUTHORIZED_KEYS" ] ; then
266 if [ ! -f "$SSH_ROOT_AUTHORIZED_KEYS" ] ; then
267 echo "error: '$SSH_ROOT_AUTHORIZED_KEYS' specified SSH authorized keys file not found (SSH_ROOT_AUTHORIZED_KEYS)!"
268 exit 1
269 fi
270 fi
271
272 # Check if $USER_NAME SSH (v2) authorized keys file exists
273 if [ ! -z "$SSH_USER_AUTHORIZED_KEYS" ] ; then
274 if [ ! -f "$SSH_USER_AUTHORIZED_KEYS" ] ; then
275 echo "error: '$SSH_USER_AUTHORIZED_KEYS' specified SSH authorized keys file not found (SSH_USER_AUTHORIZED_KEYS)!"
276 exit 1
277 fi
278 fi
279
280 # Check if root SSH (v2) public key file exists
281 if [ ! -z "$SSH_ROOT_PUB_KEY" ] ; then
282 if [ ! -f "$SSH_ROOT_PUB_KEY" ] ; then
283 echo "error: '$SSH_ROOT_PUB_KEY' specified SSH public key file not found (SSH_ROOT_PUB_KEY)!"
284 exit 1
285 fi
286 fi
287
288 # Check if $USER_NAME SSH (v2) public key file exists
289 if [ ! -z "$SSH_USER_PUB_KEY" ] ; then
290 if [ ! -f "$SSH_USER_PUB_KEY" ] ; then
291 echo "error: '$SSH_USER_PUB_KEY' specified SSH public key file not found (SSH_USER_PUB_KEY)!"
292 exit 1
293 fi
294 fi
295
256 296 # Check if all required packages are installed on the build system
257 297 for package in $REQUIRED_PACKAGES ; do
258 298 if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
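Review bot: The four existence checks on new lines 264–294 are the same six-line block repeated with a different variable and noun, which invites the patterns to drift the next time one is edited, and their error messages go to stdout rather than stderr. A small POSIX-sh helper called once per variable keeps them in lockstep; whether the surrounding checks in this file write errors to stdout is not visible here, so match whatever stream they use. The `for package` loop after the added lines continues past the end of the hunk.
```sh
# Abort when an optional SSH key file was specified but does not exist
# $1 = path, $2 = variable name for the message, $3 = file description
check_ssh_file() {
  if [ -n "$1" ] && [ ! -f "$1" ] ; then
    echo "error: '$1' specified SSH $3 file not found ($2)!" >&2
    exit 1
  fi
}

check_ssh_file "$SSH_ROOT_AUTHORIZED_KEYS" SSH_ROOT_AUTHORIZED_KEYS "authorized keys"
check_ssh_file "$SSH_USER_AUTHORIZED_KEYS" SSH_USER_AUTHORIZED_KEYS "authorized keys"
check_ssh_file "$SSH_ROOT_PUB_KEY" SSH_ROOT_PUB_KEY "public key"
check_ssh_file "$SSH_USER_PUB_KEY" SSH_USER_PUB_KEY "public key"
# … unchanged: required-packages check …
```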
@@ -489,37 +529,37 DATE="$(date +%Y-%m-%d)"
489 529
490 530 # Prepare image file
491 531 if [ "$ENABLE_SPLITFS" = true ] ; then
492 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" bs=512 count=${TABLE_SECTORS}
493 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" bs=512 count=0 seek=${FRMW_SECTORS}
494 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-root.img" bs=512 count=${TABLE_SECTORS}
495 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-root.img" bs=512 count=0 seek=${ROOT_SECTORS}
532 dd if=/dev/zero of="$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-frmw.img" bs=512 count=${TABLE_SECTORS}
533 dd if=/dev/zero of="$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-frmw.img" bs=512 count=0 seek=${FRMW_SECTORS}
534 dd if=/dev/zero of="$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-root.img" bs=512 count=${TABLE_SECTORS}
535 dd if=/dev/zero of="$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-root.img" bs=512 count=0 seek=${ROOT_SECTORS}
496 536
497 537 # Write firmware/boot partition tables
498 sfdisk -q -L -uS -f "$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" 2> /dev/null <<EOM
538 sfdisk -q -L -uS -f "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-frmw.img" 2> /dev/null <<EOM
499 539 ${TABLE_SECTORS},${FRMW_SECTORS},c,*
500 540 EOM
501 541
502 542 # Write root partition table
503 sfdisk -q -L -uS -f "$BASEDIR/${DATE}-debian-${RELEASE}-root.img" 2> /dev/null <<EOM
543 sfdisk -q -L -uS -f "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-root.img" 2> /dev/null <<EOM
504 544 ${TABLE_SECTORS},${ROOT_SECTORS},83
505 545 EOM
506 546
507 547 # Setup temporary loop devices
508 FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}-frmw.img)"
509 ROOT_LOOP="$(losetup -o 1M -f --show $BASEDIR/${DATE}-debian-${RELEASE}-root.img)"
548 FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-frmw.img)"
549 ROOT_LOOP="$(losetup -o 1M -f --show $BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-root.img)"
510 550 else # ENABLE_SPLITFS=false
511 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=${TABLE_SECTORS}
512 dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=0 seek=${IMAGE_SECTORS}
551 dd if=/dev/zero of="$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.img" bs=512 count=${TABLE_SECTORS}
552 dd if=/dev/zero of="$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.img" bs=512 count=0 seek=${IMAGE_SECTORS}
513 553
514 554 # Write partition table
515 sfdisk -q -L -uS -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" 2> /dev/null <<EOM
555 sfdisk -q -L -uS -f "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.img" 2> /dev/null <<EOM
516 556 ${TABLE_SECTORS},${FRMW_SECTORS},c,*
517 557 ${ROOT_OFFSET},${ROOT_SECTORS},83
518 558 EOM
519 559
520 560 # Setup temporary loop devices
521 FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
522 ROOT_LOOP="$(losetup -o 65M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
561 FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.img)"
562 ROOT_LOOP="$(losetup -o 65M -f --show $BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.img)"
523 563 fi
524 564
525 565 if [ "$ENABLE_CRYPTFS" = true ] ; then
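Review bot: The rewritten `losetup` lines (new lines 548–549 and 561–562) still pass the image path unquoted, while every `dd`, `sfdisk` and `bmaptool` line in the same change quotes the identical `"$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}…"` expression; since the lines were being retouched anyway, `FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-frmw.img")"` (and the same quoting on the other three) removes the only place a `BASEDIR` containing spaces would split. The `--sizelimit 64M` and `-o 65M` offsets are hard-coded independently of `FRMW_SECTORS`, which predates this commit but is worth a comment tying them together.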
@@ -566,16 +606,16 cleanup
566 606 # Create block map file(s) of image(s)
567 607 if [ "$ENABLE_SPLITFS" = true ] ; then
568 608 # Create block map files for "bmaptool"
569 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}-frmw.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img"
570 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}-root.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}-root.img"
609 bmaptool create -o "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-frmw.bmap" "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-frmw.img"
610 bmaptool create -o "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-root.bmap" "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-root.img"
571 611
572 612 # Image was successfully created
573 echo "$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img ($(expr \( ${TABLE_SECTORS} + ${FRMW_SECTORS} \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
574 echo "$BASEDIR/${DATE}-debian-${RELEASE}-root.img ($(expr \( ${TABLE_SECTORS} + ${ROOT_SECTORS} \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
613 echo "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-frmw.img ($(expr \( ${TABLE_SECTORS} + ${FRMW_SECTORS} \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
614 echo "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-root.img ($(expr \( ${TABLE_SECTORS} + ${ROOT_SECTORS} \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
575 615 else
576 616 # Create block map file for "bmaptool"
577 bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
617 bmaptool create -o "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.bmap" "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.img"
578 618
579 619 # Image was successfully created
580 echo "$BASEDIR/${DATE}-debian-${RELEASE}.img ($(expr \( ${TABLE_SECTORS} + ${FRMW_SECTORS} + ${ROOT_SECTORS} \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
620 echo "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.img ($(expr \( ${TABLE_SECTORS} + ${FRMW_SECTORS} + ${ROOT_SECTORS} \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
581 621 fi