Fixed: Remove SSH_*_AUTHORIZED_KEYS, works with SSH_*_PUB_KEY only
drtyhlpr -
r126:1dfbb1fcf201
@@ -224,17 +224,11 Disable password based SSH authentication. Only public key based SSH (v2) authen
224 ##### `SSH_LIMIT_USERS`=false
224 ##### `SSH_LIMIT_USERS`=false
225 Limit the users that are allowed to login via SSH. Only allow user `USER_NAME`=pi and root if `SSH_ENABLE_ROOT`=true to login.
225 Limit the users that are allowed to login via SSH. Only allow user `USER_NAME`=pi and root if `SSH_ENABLE_ROOT`=true to login.
226
226
227 ##### `SSH_ROOT_AUTHORIZED_KEYS`=""
228 Add specified SSH `authorized_keys` file that contains keys for public key based SSH (v2) authentication of user `root`. SSH protocol version 1 is not supported. `ENABLE_ROOT` **and** `SSH_ENABLE_ROOT` must be set to `true`.
229
230 ##### `SSH_ROOT_PUB_KEY`=""
227 ##### `SSH_ROOT_PUB_KEY`=""
231 Add specified SSH (v2) public key file to `authorized_keys` file to enable public key based SSH (v2) authentication of user `root`. SSH protocol version 1 is not supported. `ENABLE_ROOT` **and** `SSH_ENABLE_ROOT` must be set to `true`.
228 Add specified SSH (v2) public key from file to `authorized_keys` file to enable public key based SSH (v2) authentication of user `root`. The specified file can also contain multiple SSH (v2) public keys. SSH protocol version 1 is not supported. `ENABLE_ROOT` **and** `SSH_ENABLE_ROOT` must be set to `true`.
232
233 ##### `SSH_USER_AUTHORIZED_KEYS`=""
234 Add specified SSH `authorized_keys` file that contains keys for public key based SSH (v2) authentication of user `USER_NAME`=pi. SSH protocol version 1 is not supported.
235
229
236 ##### `SSH_USER_PUB_KEY`=""
230 ##### `SSH_USER_PUB_KEY`=""
237 Add specified SSH (v2) public key file to `authorized_keys` file to enable public key based SSH (v2) authentication of user `USER_NAME`=pi. SSH protocol version 1 is not supported.
231 Add specified SSH (v2) public key from file to `authorized_keys` file to enable public key based SSH (v2) authentication of user `USER_NAME`=pi. The specified file can also contain multiple SSH (v2) public keys. SSH protocol version 1 is not supported.
238
232
239 #### Kernel compilation:
233 #### Kernel compilation:
240 ##### `BUILD_KERNEL`=false
234 ##### `BUILD_KERNEL`=false
@@ -15,6 +15,8 if [ "$ENABLE_SSHD" = true ] ; then
15 # Permit SSH root login
15 # Permit SSH root login
16 sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin yes|g" "${ETC_DIR}/ssh/sshd_config"
16 sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin yes|g" "${ETC_DIR}/ssh/sshd_config"
17
17
18 # Add SSH (v2) public key for user root
19 if [ ! -z "$SSH_ROOT_PUB_KEY" ] ; then
18 # Create root SSH config directory
20 # Create root SSH config directory
19 mkdir -p "${R}/root/.ssh"
21 mkdir -p "${R}/root/.ssh"
20
22
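Review bot: The new guard on new line 19, `if [ ! -z "$SSH_ROOT_PUB_KEY" ] ; then`, reads more clearly as `if [ -n "$SSH_ROOT_PUB_KEY" ] ; then` (ShellCheck flags the `! -z` form), and the same applies to the `SSH_USER_PUB_KEY` guard added in the later `@@ -43,6 +37,8` hunk. The rest of the script already uses `! -z` in its preflight checks, so if the existing style is deliberately kept, this is only a nit. The `if` opened here closes outside this hunk, so the closing `fi` could not be checked from this view.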
@@ -22,18 +24,10 if [ "$ENABLE_SSHD" = true ] ; then
22 chroot_exec chmod 700 "/root/.ssh"
24 chroot_exec chmod 700 "/root/.ssh"
23 chroot_exec chown root:root "/root/.ssh"
25 chroot_exec chown root:root "/root/.ssh"
24
26
25 # Install SSH (v2) authorized keys file for user root
27 # Add SSH (v2) public key(s) to authorized_keys file
26 if [ ! -z "$SSH_ROOT_AUTHORIZED_KEYS" ] ; then
27 install_readonly "$SSH_ROOT_AUTHORIZED_KEYS" "${R}/root/.ssh/authorized_keys"
28 fi
29
30 # Add SSH (v2) public key for user root
31 if [ ! -z "$SSH_ROOT_PUB_KEY" ] ; then
32 cat "$SSH_ROOT_PUB_KEY" >> "${R}/root/.ssh/authorized_keys"
28 cat "$SSH_ROOT_PUB_KEY" >> "${R}/root/.ssh/authorized_keys"
33 fi
34
29
35 # Set permissions of root SSH authorized keys file
30 # Set permissions of root SSH authorized_keys file
36 if [ -f "${R}/root/.ssh/authorized_keys" ] ; then
37 chroot_exec chmod 600 "/root/.ssh/authorized_keys"
31 chroot_exec chmod 600 "/root/.ssh/authorized_keys"
38 chroot_exec chown root:root "/root/.ssh/authorized_keys"
32 chroot_exec chown root:root "/root/.ssh/authorized_keys"
39
33
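Review bot: The file named by `SSH_ROOT_PUB_KEY` is appended verbatim on new line 28 with no check that its contents are actually SSH public keys; the only validation left after this commit is the `-f` existence test in the preflight block, so a wrong file (for example a private key picked by mistake) would be written into `/root/.ssh/authorized_keys` unnoticed. A cheap sanity check in that preflight block would be `ssh-keygen -l -f "$SSH_ROOT_PUB_KEY" >/dev/null || { echo "error: '$SSH_ROOT_PUB_KEY' is not a valid SSH public key file (SSH_ROOT_PUB_KEY)!"; exit 1; }`, which presumably requires ssh-keygen on the build host; the same applies to `SSH_USER_PUB_KEY` in the `@@ -50,18 +46,10` hunk. Dropping the `[ -f ... ]` guard before the `chmod 600` on new line 31 looks safe because the `cat >>` just above creates the file, but it relies on the enclosing `if [ ! -z "$SSH_ROOT_PUB_KEY" ]` that opens in the previous hunk and closes outside this one; a short comment such as `# file is guaranteed to exist here: created by the cat >> above` would make that dependency explicit.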
@@ -43,6 +37,8 if [ "$ENABLE_SSHD" = true ] ; then
43 fi
37 fi
44
38
45 if [ "$ENABLE_USER" = true ] ; then
39 if [ "$ENABLE_USER" = true ] ; then
40 # Add SSH (v2) public key for user $USER_NAME
41 if [ ! -z "$SSH_USER_PUB_KEY" ] ; then
46 # Create $USER_NAME SSH config directory
42 # Create $USER_NAME SSH config directory
47 mkdir -p "${R}/home/${USER_NAME}/.ssh"
43 mkdir -p "${R}/home/${USER_NAME}/.ssh"
48
44
@@ -50,18 +46,10 if [ "$ENABLE_SSHD" = true ] ; then
50 chroot_exec chmod 700 "/home/${USER_NAME}/.ssh"
46 chroot_exec chmod 700 "/home/${USER_NAME}/.ssh"
51 chroot_exec chown ${USER_NAME}:${USER_NAME} "/home/${USER_NAME}/.ssh"
47 chroot_exec chown ${USER_NAME}:${USER_NAME} "/home/${USER_NAME}/.ssh"
52
48
53 # Install SSH (v2) authorized keys file for user $USER_NAME
49 # Add SSH (v2) public key(s) to authorized_keys file
54 if [ ! -z "$SSH_USER_AUTHORIZED_KEYS" ] ; then
55 install_readonly "$SSH_USER_AUTHORIZED_KEYS" "${R}/home/${USER_NAME}/.ssh/authorized_keys"
56 fi
57
58 # Add SSH (v2) public key for user $USER_NAME
59 if [ ! -z "$SSH_USER_PUB_KEY" ] ; then
60 cat "$SSH_USER_PUB_KEY" >> "${R}/home/${USER_NAME}/.ssh/authorized_keys"
50 cat "$SSH_USER_PUB_KEY" >> "${R}/home/${USER_NAME}/.ssh/authorized_keys"
61 fi
62
51
63 # Set permissions of $USER_NAME SSH authorized keys file
52 # Set permissions of $USER_NAME SSH config directory
64 if [ -f "${R}/home/${USER_NAME}/.ssh/authorized_keys" ] ; then
65 chroot_exec chmod 600 "/home/${USER_NAME}/.ssh/authorized_keys"
53 chroot_exec chmod 600 "/home/${USER_NAME}/.ssh/authorized_keys"
66 chroot_exec chown ${USER_NAME}:${USER_NAME} "/home/${USER_NAME}/.ssh/authorized_keys"
54 chroot_exec chown ${USER_NAME}:${USER_NAME} "/home/${USER_NAME}/.ssh/authorized_keys"
67
55
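Review bot: The new comment on new line 52, `# Set permissions of $USER_NAME SSH config directory`, mislabels the code below it, which sets mode 600 and ownership on the `authorized_keys` file, not on the `.ssh` directory (that is done on new lines 46-47). The root-side counterpart in this same commit says `# Set permissions of root SSH authorized_keys file`, so for consistency this should read `# Set permissions of $USER_NAME SSH authorized_keys file`. As with the root block, the `chmod 600` now runs unguarded and depends on the `cat >>` on new line 50 having created the file inside an `if` that opens in the previous hunk and closes outside this one.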
@@ -133,8 +133,6 ENABLE_ROOT=${ENABLE_ROOT:=false}
133 SSH_ENABLE_ROOT=${SSH_ENABLE_ROOT:=false}
133 SSH_ENABLE_ROOT=${SSH_ENABLE_ROOT:=false}
134 SSH_DISABLE_PASSWORD_AUTH=${SSH_DISABLE_PASSWORD_AUTH:=false}
134 SSH_DISABLE_PASSWORD_AUTH=${SSH_DISABLE_PASSWORD_AUTH:=false}
135 SSH_LIMIT_USERS=${SSH_LIMIT_USERS:=false}
135 SSH_LIMIT_USERS=${SSH_LIMIT_USERS:=false}
136 SSH_ROOT_AUTHORIZED_KEYS=${SSH_ROOT_AUTHORIZED_KEYS:=""}
137 SSH_USER_AUTHORIZED_KEYS=${SSH_USER_AUTHORIZED_KEYS:=""}
138 SSH_ROOT_PUB_KEY=${SSH_ROOT_PUB_KEY:=""}
136 SSH_ROOT_PUB_KEY=${SSH_ROOT_PUB_KEY:=""}
139 SSH_USER_PUB_KEY=${SSH_USER_PUB_KEY:=""}
137 SSH_USER_PUB_KEY=${SSH_USER_PUB_KEY:=""}
140
138
@@ -263,22 +261,6 if [ "$ENABLE_UBOOT" = true ] ; then
263 APT_INCLUDES="${APT_INCLUDES},device-tree-compiler"
261 APT_INCLUDES="${APT_INCLUDES},device-tree-compiler"
264 fi
262 fi
265
263
266 # Check if root SSH authorized keys file exists
267 if [ ! -z "$SSH_ROOT_AUTHORIZED_KEYS" ] ; then
268 if [ ! -f "$SSH_ROOT_AUTHORIZED_KEYS" ] ; then
269 echo "error: '$SSH_ROOT_AUTHORIZED_KEYS' specified SSH authorized keys file not found (SSH_ROOT_AUTHORIZED_KEYS)!"
270 exit 1
271 fi
272 fi
273
274 # Check if $USER_NAME SSH authorized keys file exists
275 if [ ! -z "$SSH_USER_AUTHORIZED_KEYS" ] ; then
276 if [ ! -f "$SSH_USER_AUTHORIZED_KEYS" ] ; then
277 echo "error: '$SSH_USER_AUTHORIZED_KEYS' specified SSH authorized keys file not found (SSH_USER_AUTHORIZED_KEYS)!"
278 exit 1
279 fi
280 fi
281
282 # Check if root SSH (v2) public key file exists
264 # Check if root SSH (v2) public key file exists
283 if [ ! -z "$SSH_ROOT_PUB_KEY" ] ; then
265 if [ ! -z "$SSH_ROOT_PUB_KEY" ] ; then
284 if [ ! -f "$SSH_ROOT_PUB_KEY" ] ; then
266 if [ ! -f "$SSH_ROOT_PUB_KEY" ] ; then
@@ -510,16 +492,6 rm -f "${R}/initrd.img"
510 rm -f "${R}/vmlinuz"
492 rm -f "${R}/vmlinuz"
511 rm -f "${R}${QEMU_BINARY}"
493 rm -f "${R}${QEMU_BINARY}"
512
494
513 # Remove root .ssh directory if it's empty
514 if [ -d "${R}/root/.ssh" ] ; then
515 rmdir --ignore-fail-on-non-empty "${R}/root/.ssh"
516 fi
517
518 # Remove $USER_NAME .ssh directory if it's empty
519 if [ -d "${R}/home/${USER_NAME}/.ssh" ] ; then
520 rmdir --ignore-fail-on-non-empty "${R}/home/${USER_NAME}/.ssh"
521 fi
522
523 # Calculate size of the chroot directory in KB
495 # Calculate size of the chroot directory in KB
524 CHROOT_SIZE=$(expr `du -s "${R}" | awk '{ print $1 }'`)
496 CHROOT_SIZE=$(expr `du -s "${R}" | awk '{ print $1 }'`)
525
497