Raspi2-3_GenImage Commit - r120:15fff1eef3a5 · Collaboration Tremplin des Sciences

Added: SSH public key auth, other fixes

drtyhlpr -

r120:15fff1eef3a5

parent child

Context file:

r120:15fff1eef3a5

Collapse all files

bootstrap.d/32-sshd.sh created 644 +90 0

@@ -0,0 +1,90
	1	#
	2	# Setup SSH settings and public keys
	3	#
	4
	5	# Load utility functions
	6	. ./functions.sh
	7
	8	if [ "$ENABLE_SSHD" = true ] ; then
	9	if [ "$SSH_ENABLE_ROOT" = false ] ; then
	10	# User root is not allowed to log in
	11	sed -i "s\|[#]PermitRootLogin.\|PermitRootLogin no\|g" "${ETC_DIR}/ssh/sshd_config"
	12	fi
	13
	14	if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then
	15	# Permit SSH root login
	16	sed -i "s\|[#]PermitRootLogin.\|PermitRootLogin yes\|g" "${ETC_DIR}/ssh/sshd_config"
	17
	18	# Create root SSH config directory
	19	mkdir -p "${R}/root/.ssh"
	20
	21	# Set permissions of root SSH config directory
	22	chroot_exec chmod 700 "/root/.ssh"
	23	chroot_exec chown root:root "/root/.ssh"
	24
	25	# Install SSH (v2) authorized keys file for user root
	26	if [ ! -z "$SSH_ROOT_AUTHORIZED_KEYS" ] ; then
	27	install_readonly "$SSH_ROOT_AUTHORIZED_KEYS" "${R}/root/.ssh/authorized_keys2"
	28	fi
	29
	30	# Add SSH (v2) public key for user root
	31	if [ ! -z "$SSH_ROOT_PUB_KEY" ] ; then
	32	cat "$SSH_ROOT_PUB_KEY" >> "${R}/root/.ssh/authorized_keys2"
	33	fi
	34
	35	# Set permissions of root SSH authorized keys file
	36	if [ -f "${R}/root/.ssh/authorized_keys2" ] ; then
	37	chroot_exec chmod 600 "/root/.ssh/authorized_keys2"
	38	chroot_exec chown root:root "/root/.ssh/authorized_keys2"
	39
	40	# Allow SSH public key authentication
	41	sed -i "s\|[#]PubkeyAuthentication.\|PubkeyAuthentication yes\|g" "${ETC_DIR}/ssh/sshd_config"
	42	fi
	43	fi
	44
	45	# Create $USER_NAME SSH config directory
	46	mkdir -p "${R}/home/${USER_NAME}/.ssh"
	47
	48	# Set permissions of $USER_NAME SSH config directory
	49	chroot_exec chmod 700 "/home/${USER_NAME}/.ssh"
	50	chroot_exec chown ${USER_NAME}:${USER_NAME} "/home/${USER_NAME}/.ssh"
	51
	52	# Install SSH (v2) authorized keys file for user $USER_NAME
	53	if [ ! -z "$SSH_USER_AUTHORIZED_KEYS" ] ; then
	54	install_readonly "$SSH_USER_AUTHORIZED_KEYS" "${R}/home/${USER_NAME}/.ssh/authorized_keys2"
	55	fi
	56
	57	# Add SSH (v2) public key for user $USER_NAME
	58	if [ ! -z "$SSH_USER_PUB_KEY" ] ; then
	59	cat "$SSH_USER_PUB_KEY" >> "${R}/home/${USER_NAME}/.ssh/authorized_keys2"
	60	fi
	61
	62	# Set permissions of $USER_NAME SSH authorized keys file
	63	if [ -f "${R}/home/${USER_NAME}/.ssh/authorized_keys2" ] ; then
	64	chroot_exec chmod 600 "/home/${USER_NAME}/.ssh/authorized_keys2"
	65	chroot_exec chown ${USER_NAME}:${USER_NAME} "/home/${USER_NAME}/.ssh/authorized_keys2"
	66
	67	# Allow SSH public key authentication
	68	sed -i "s\|[#]PubkeyAuthentication.\|PubkeyAuthentication yes\|g" "${ETC_DIR}/ssh/sshd_config"
	69	fi
	70
	71	# Limit the users that are allowed to login via SSH
	72	if [ "$SSH_LIMIT_USERS" = true ] ; then
	73	if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then
	74	echo "AllowUsers root ${USER_NAME}" >> "${ETC_DIR}/ssh/sshd_config"
	75	else
	76	echo "AllowUsers ${USER_NAME}" >> "${ETC_DIR}/ssh/sshd_config"
	77	fi
	78	fi
	79
	80	# Disable password-based authentication
	81	if [ "$SSH_DISABLE_PASSWORD_AUTH" = true ] ; then
	82	if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then
	83	sed -i "s\|[#]PermitRootLogin.\|PermitRootLogin without-password\|g" "${ETC_DIR}/ssh/sshd_config"
	84	fi
	85
	86	sed -i "s\|[#]PasswordAuthentication.\|PasswordAuthentication no\|g" "${ETC_DIR}/ssh/sshd_config"
	87	sed -i "s\|[#]ChallengeResponseAuthentication no.\|ChallengeResponseAuthentication no\|g" "${ETC_DIR}/ssh/sshd_config"
	88	sed -i "s\|[#]UsePAM.\|UsePAM no\|g" "${ETC_DIR}/ssh/sshd_config"
	89	fi
	90	fi

README.md +23 -4

@@ -193,10 +193,6 Non-root user to create. Ignored if `ENABLE_USER`=false
193	##### `ENABLE_ROOT`=false	193	##### `ENABLE_ROOT`=false
194	Set root user password so root login will be enabled	194	Set root user password so root login will be enabled
195		195
196	##### `ENABLE_ROOT_SSH`=true
197	Enable password root login via SSH. May be a security risk with default
198	password, use only in trusted environments.
199
200	##### `ENABLE_HARDNET`=false	196	##### `ENABLE_HARDNET`=false
201	Enable IPv4/IPv6 network stack hardening settings.	197	Enable IPv4/IPv6 network stack hardening settings.
202		198
@@ -212,6 +208,28 Create an initramfs that that will be loaded during the Linux startup process. `
212	##### `ENABLE_IFNAMES`=true	208	##### `ENABLE_IFNAMES`=true
213	Enable automatic assignment of predictable, stable network interface names for all local Ethernet, WLAN interfaces. This might create complex and long interface names. This parameter is only supported if the Debian release `stretch` is used.	209	Enable automatic assignment of predictable, stable network interface names for all local Ethernet, WLAN interfaces. This might create complex and long interface names. This parameter is only supported if the Debian release `stretch` is used.
214		210
		211	#### SSH settings
		212	##### `SSH_ENABLE_ROOT`=false
		213	Enable password root login via SSH. This may be a security risk with default password, use only in trusted environments. `ENABLE_ROOT` must be set to `true`.
		214
		215	##### `SSH_DISABLE_PASSWORD_AUTH`=false
		216	Disable password based SSH authentication. Only public key based SSH (v2) authentication will be supported.
		217
		218	##### `SSH_LIMIT_USERS`=false
		219	Limit the users that are allowed to login via SSH. Only allow user `USER_NAME`=pi and root if `SSH_ENABLE_ROOT`=true to login.
		220
		221	##### `SSH_ROOT_AUTHORIZED_KEYS`=""
		222	Add specified SSH `authorized_keys2` file that contains keys for public key based SSH (v2) authentication of user `root`. SSH protocol version 1 is not supported. `ENABLE_ROOT` and `SSH_ENABLE_ROOT` must be set to `true`.
		223
		224	##### `SSH_ROOT_PUB_KEY`=""
		225	Add specified SSH (v2) public key file to `authorized_keys2` file to enable public key based SSH (v2) authentication of user `root`. SSH protocol version 1 is not supported. `ENABLE_ROOT` and `SSH_ENABLE_ROOT` must be set to `true`.
		226
		227	##### `SSH_USER_AUTHORIZED_KEYS`=""
		228	Add specified SSH `authorized_keys2` file that contains keys for public key based SSH (v2) authentication of user `USER_NAME`=pi. SSH protocol version 1 is not supported.
		229
		230	##### `SSH_USER_PUB_KEY`=""
		231	Add specified SSH (v2) public key file to `authorized_keys2` file to enable public key based SSH (v2) authentication of user `USER_NAME`=pi. SSH protocol version 1 is not supported.
		232
215	#### Kernel compilation:	233	#### Kernel compilation:
216	##### `BUILD_KERNEL`=false	234	##### `BUILD_KERNEL`=false
217	Build and install the latest RPi2/3 Linux kernel. Currently only the default RPi2/3 kernel configuration is used. `BUILD_KERNEL`=true will automatically be set if the Raspberry Pi model `3` is used.	235	Build and install the latest RPi2/3 Linux kernel. Currently only the default RPi2/3 kernel configuration is used. `BUILD_KERNEL`=true will automatically be set if the Raspberry Pi model `3` is used.
@@ -306,6 +324,7 The functions of this script that are required for the different stages of the b
306	\| `21-firewall.sh` \| Setup Firewall \|	324	\| `21-firewall.sh` \| Setup Firewall \|
307	\| `30-security.sh` \| Setup Users and Security settings \|	325	\| `30-security.sh` \| Setup Users and Security settings \|
308	\| `31-logging.sh` \| Setup Logging \|	326	\| `31-logging.sh` \| Setup Logging \|
		327	\| `32-sshd.sh` \| Setup SSH and public keys \|
309	\| `41-uboot.sh` \| Build and Setup U-Boot \|	328	\| `41-uboot.sh` \| Build and Setup U-Boot \|
310	\| `42-fbturbo.sh` \| Build and Setup fbturbo Xorg driver \|	329	\| `42-fbturbo.sh` \| Build and Setup fbturbo Xorg driver \|
311	\| `50-firstboot.sh` \| First boot actions \|	330	\| `50-firstboot.sh` \| First boot actions \|

bootstrap.d/13-kernel.sh +1 -1

             # Disable RPi3 Bluetooth and restore ttyAMA0 serial device
             if [ "$RPI_MODEL" = 3 ] ; then
-              if [ "$ENABLE_CONSOLE" = true ] && [ "$ENABLE_UBOOT" = false ]; then
+              if [ "$ENABLE_CONSOLE" = true ] && [ "$ENABLE_UBOOT" = false ] ; then
                 echo "dtoverlay=pi3-disable-bt" >> "${BOOT_DIR}/config.txt"
                 echo "enable_uart=1" >> "${BOOT_DIR}/config.txt"
               fi

bootstrap.d/30-security.sh +1 -6

             # Setup default user
             if [ "$ENABLE_USER" = true ] ; then
-              chroot_exec adduser --gecos $USER_NAME --add_extra_groups \
+              chroot_exec adduser --gecos $USER_NAME --add_extra_groups --disabled-password $USER_NAME
-            	--disabled-password $USER_NAME
               chroot_exec usermod -a -G sudo -p "${ENCRYPTED_USER_PASSWORD}" $USER_NAME
             fi
             # Setup root password or not
             if [ "$ENABLE_ROOT" = true ] ; then
               chroot_exec usermod -p "${ENCRYPTED_PASSWORD}" root
-              if [ "$ENABLE_ROOT_SSH" = true ] ; then
-                sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin yes|g" "${ETC_DIR}/ssh/sshd_config"
-              fi
             else
               # Set no root password to disable root login
               chroot_exec usermod -p \'!\' root

rpi23-gen-image.sh +61 -21

             #!/bin/sh
             ########################################################################
-            # rpi23-gen-image.sh					       2015-2016
+            # rpi23-gen-image.sh					       2015-2017
             #
             # Advanced Debian "jessie" and "stretch"  bootstrap script for RPi2/3
             #
             ENABLE_USER=${ENABLE_USER:=true}
             USER_NAME=${USER_NAME:="pi"}
             ENABLE_ROOT=${ENABLE_ROOT:=false}
-            ENABLE_ROOT_SSH=${ENABLE_ROOT_SSH:=false}
+            # SSH settings
+            SSH_ENABLE_ROOT=${SSH_ENABLE_ROOT:=false}
+            SSH_DISABLE_PASSWORD_AUTH=${SSH_DISABLE_PASSWORD_AUTH:=false}
+            SSH_LIMIT_USERS=${SSH_LIMIT_USERS:=false}
+            SSH_ROOT_AUTHORIZED_KEYS=${SSH_ROOT_AUTHORIZED_KEYS:=""}
+            SSH_USER_AUTHORIZED_KEYS=${SSH_USER_AUTHORIZED_KEYS:=""}
+            SSH_ROOT_PUB_KEY=${SSH_ROOT_PUB_KEY:=""}
+            SSH_USER_PUB_KEY=${SSH_USER_PUB_KEY:=""}
             # Advanced settings
             ENABLE_MINBASE=${ENABLE_MINBASE:=false}
               APT_INCLUDES="${APT_INCLUDES},device-tree-compiler"
             fi
+            # Check if root SSH (v2) authorized keys file exists
+            if [ ! -z "$SSH_ROOT_AUTHORIZED_KEYS" ] ; then
+              if [ ! -f "$SSH_ROOT_AUTHORIZED_KEYS" ] ; then
+                echo "error: '$SSH_ROOT_AUTHORIZED_KEYS' specified SSH authorized keys file not found (SSH_ROOT_AUTHORIZED_KEYS)!"
+                exit 1
+              fi
+            fi
+            # Check if $USER_NAME SSH (v2) authorized keys file exists
+            if [ ! -z "$SSH_USER_AUTHORIZED_KEYS" ] ; then
+              if [ ! -f "$SSH_USER_AUTHORIZED_KEYS" ] ; then
+                echo "error: '$SSH_USER_AUTHORIZED_KEYS' specified SSH authorized keys file not found (SSH_USER_AUTHORIZED_KEYS)!"
+                exit 1
+              fi
+            fi
+            # Check if root SSH (v2) public key file exists
+            if [ ! -z "$SSH_ROOT_PUB_KEY" ] ; then
+              if [ ! -f "$SSH_ROOT_PUB_KEY" ] ; then
+                echo "error: '$SSH_ROOT_PUB_KEY' specified SSH public key file not found (SSH_ROOT_PUB_KEY)!"
+                exit 1
+              fi
+            fi
+            # Check if $USER_NAME SSH (v2) public key file exists
+            if [ ! -z "$SSH_USER_PUB_KEY" ] ; then
+              if [ ! -f "$SSH_USER_PUB_KEY" ] ; then
+                echo "error: '$SSH_USER_PUB_KEY' specified SSH public key file not found (SSH_USER_PUB_KEY)!"
+                exit 1
+              fi
+            fi
             # Check if all required packages are installed on the build system
             for package in $REQUIRED_PACKAGES ; do
               if [ "`dpkg-query -W -f='${Status}' $package`" != "install ok installed" ] ; then
             # Prepare image file
             if [ "$ENABLE_SPLITFS" = true ] ; then
-              dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" bs=512 count=${TABLE_SECTORS}
+              dd if=/dev/zero of="$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-frmw.img" bs=512 count=${TABLE_SECTORS}
-              dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" bs=512 count=0 seek=${FRMW_SECTORS}
+              dd if=/dev/zero of="$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-frmw.img" bs=512 count=0 seek=${FRMW_SECTORS}
-              dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-root.img" bs=512 count=${TABLE_SECTORS}
+              dd if=/dev/zero of="$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-root.img" bs=512 count=${TABLE_SECTORS}
-              dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}-root.img" bs=512 count=0 seek=${ROOT_SECTORS}
+              dd if=/dev/zero of="$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-root.img" bs=512 count=0 seek=${ROOT_SECTORS}
               # Write firmware/boot partition tables
-              sfdisk -q -L -uS -f "$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img" 2> /dev/null <<EOM
+              sfdisk -q -L -uS -f "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-frmw.img" 2> /dev/null <<EOM
             ${TABLE_SECTORS},${FRMW_SECTORS},c,*
             EOM
               # Write root partition table
-              sfdisk -q -L -uS -f "$BASEDIR/${DATE}-debian-${RELEASE}-root.img" 2> /dev/null <<EOM
+              sfdisk -q -L -uS -f "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-root.img" 2> /dev/null <<EOM
             ${TABLE_SECTORS},${ROOT_SECTORS},83
             EOM
               # Setup temporary loop devices
-              FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}-frmw.img)"
+              FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-frmw.img)"
-              ROOT_LOOP="$(losetup -o 1M -f --show $BASEDIR/${DATE}-debian-${RELEASE}-root.img)"
+              ROOT_LOOP="$(losetup -o 1M -f --show $BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-root.img)"
             else # ENABLE_SPLITFS=false
-              dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=${TABLE_SECTORS}
+              dd if=/dev/zero of="$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.img" bs=512 count=${TABLE_SECTORS}
-              dd if=/dev/zero of="$BASEDIR/${DATE}-debian-${RELEASE}.img" bs=512 count=0 seek=${IMAGE_SECTORS}
+              dd if=/dev/zero of="$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.img" bs=512 count=0 seek=${IMAGE_SECTORS}
               # Write partition table
-              sfdisk -q -L -uS -f "$BASEDIR/${DATE}-debian-${RELEASE}.img" 2> /dev/null <<EOM
+              sfdisk -q -L -uS -f "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.img" 2> /dev/null <<EOM
             ${TABLE_SECTORS},${FRMW_SECTORS},c,*
             ${ROOT_OFFSET},${ROOT_SECTORS},83
             EOM
               # Setup temporary loop devices
-              FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
+              FRMW_LOOP="$(losetup -o 1M --sizelimit 64M -f --show $BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.img)"
-              ROOT_LOOP="$(losetup -o 65M -f --show $BASEDIR/${DATE}-debian-${RELEASE}.img)"
+              ROOT_LOOP="$(losetup -o 65M -f --show $BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.img)"
             fi
             if [ "$ENABLE_CRYPTFS" = true ] ; then
             # Create block map file(s) of image(s)
             if [ "$ENABLE_SPLITFS" = true ] ; then
               # Create block map files for "bmaptool"
-              bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}-frmw.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img"
+              bmaptool create -o "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-frmw.bmap" "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-frmw.img"
-              bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}-root.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}-root.img"
+              bmaptool create -o "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-root.bmap" "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-root.img"
               # Image was successfully created
-              echo "$BASEDIR/${DATE}-debian-${RELEASE}-frmw.img ($(expr \( ${TABLE_SECTORS} + ${FRMW_SECTORS} \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
+              echo "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-frmw.img ($(expr \( ${TABLE_SECTORS} + ${FRMW_SECTORS} \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
-              echo "$BASEDIR/${DATE}-debian-${RELEASE}-root.img ($(expr \( ${TABLE_SECTORS} + ${ROOT_SECTORS} \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
+              echo "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}-root.img ($(expr \( ${TABLE_SECTORS} + ${ROOT_SECTORS} \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
             else
               # Create block map file for "bmaptool"
-              bmaptool create -o "$BASEDIR/${DATE}-debian-${RELEASE}.bmap" "$BASEDIR/${DATE}-debian-${RELEASE}.img"
+              bmaptool create -o "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.bmap" "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.img"
               # Image was successfully created
-              echo "$BASEDIR/${DATE}-debian-${RELEASE}.img ($(expr \( ${TABLE_SECTORS} + ${FRMW_SECTORS} + ${ROOT_SECTORS} \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
+              echo "$BASEDIR/${DATE}-rpi${RPI_MODEL}-${RELEASE}.img ($(expr \( ${TABLE_SECTORS} + ${FRMW_SECTORS} + ${ROOT_SECTORS} \) \* 512 \/ 1024 \/ 1024)M)" ": successfully created"
             fi

General Comments 0

Écrire
Preview

Vous devez vous connecter pour laisser un commentaire. Se connecter maintenant

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Dépôts
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages