@@ -1,90 +1,99 | |||||
1 | # |
|
1 | # | |
2 | # Setup SSH settings and public keys |
|
2 | # Setup SSH settings and public keys | |
3 | # |
|
3 | # | |
4 |
|
4 | |||
5 | # Load utility functions |
|
5 | # Load utility functions | |
6 | . ./functions.sh |
|
6 | . ./functions.sh | |
7 |
|
7 | |||
8 | if [ "$ENABLE_SSHD" = true ] ; then |
|
8 | if [ "$ENABLE_SSHD" = true ] ; then | |
9 | if [ "$SSH_ENABLE_ROOT" = false ] ; then |
|
9 | if [ "$SSH_ENABLE_ROOT" = false ] ; then | |
10 | # User root is not allowed to log in |
|
10 | # User root is not allowed to log in | |
11 | sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin no|g" "${ETC_DIR}/ssh/sshd_config" |
|
11 | sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin no|g" "${ETC_DIR}/ssh/sshd_config" | |
12 | fi |
|
12 | fi | |
13 |
|
13 | |||
14 | if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then |
|
14 | if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then | |
15 | # Permit SSH root login |
|
15 | # Permit SSH root login | |
16 | sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin yes|g" "${ETC_DIR}/ssh/sshd_config" |
|
16 | sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin yes|g" "${ETC_DIR}/ssh/sshd_config" | |
17 |
|
17 | |||
18 | # Create root SSH config directory |
|
18 | # Create root SSH config directory | |
19 | mkdir -p "${R}/root/.ssh" |
|
19 | mkdir -p "${R}/root/.ssh" | |
20 |
|
20 | |||
21 | # Set permissions of root SSH config directory |
|
21 | # Set permissions of root SSH config directory | |
22 | chroot_exec chmod 700 "/root/.ssh" |
|
22 | chroot_exec chmod 700 "/root/.ssh" | |
23 | chroot_exec chown root:root "/root/.ssh" |
|
23 | chroot_exec chown root:root "/root/.ssh" | |
24 |
|
24 | |||
25 | # Install SSH (v2) authorized keys file for user root |
|
25 | # Install SSH (v2) authorized keys file for user root | |
26 | if [ ! -z "$SSH_ROOT_AUTHORIZED_KEYS" ] ; then |
|
26 | if [ ! -z "$SSH_ROOT_AUTHORIZED_KEYS" ] ; then | |
27 | install_readonly "$SSH_ROOT_AUTHORIZED_KEYS" "${R}/root/.ssh/authorized_keys2" |
|
27 | install_readonly "$SSH_ROOT_AUTHORIZED_KEYS" "${R}/root/.ssh/authorized_keys2" | |
28 | fi |
|
28 | fi | |
29 |
|
29 | |||
30 | # Add SSH (v2) public key for user root |
|
30 | # Add SSH (v2) public key for user root | |
31 | if [ ! -z "$SSH_ROOT_PUB_KEY" ] ; then |
|
31 | if [ ! -z "$SSH_ROOT_PUB_KEY" ] ; then | |
32 | cat "$SSH_ROOT_PUB_KEY" >> "${R}/root/.ssh/authorized_keys2" |
|
32 | cat "$SSH_ROOT_PUB_KEY" >> "${R}/root/.ssh/authorized_keys2" | |
33 | fi |
|
33 | fi | |
34 |
|
34 | |||
35 | # Set permissions of root SSH authorized keys file |
|
35 | # Set permissions of root SSH authorized keys file | |
36 | if [ -f "${R}/root/.ssh/authorized_keys2" ] ; then |
|
36 | if [ -f "${R}/root/.ssh/authorized_keys2" ] ; then | |
37 | chroot_exec chmod 600 "/root/.ssh/authorized_keys2" |
|
37 | chroot_exec chmod 600 "/root/.ssh/authorized_keys2" | |
38 | chroot_exec chown root:root "/root/.ssh/authorized_keys2" |
|
38 | chroot_exec chown root:root "/root/.ssh/authorized_keys2" | |
39 |
|
39 | |||
40 | # Allow SSH public key authentication |
|
40 | # Allow SSH public key authentication | |
41 | sed -i "s|[#]*PubkeyAuthentication.*|PubkeyAuthentication yes|g" "${ETC_DIR}/ssh/sshd_config" |
|
41 | sed -i "s|[#]*PubkeyAuthentication.*|PubkeyAuthentication yes|g" "${ETC_DIR}/ssh/sshd_config" | |
42 | fi |
|
42 | fi | |
43 | fi |
|
43 | fi | |
44 |
|
44 | |||
45 | # Create $USER_NAME SSH config directory |
|
45 | if [ "$ENABLE_USER" = true ] ; then | |
46 | mkdir -p "${R}/home/${USER_NAME}/.ssh" |
|
46 | # Create $USER_NAME SSH config directory | |
|
47 | mkdir -p "${R}/home/${USER_NAME}/.ssh" | |||
47 |
|
48 | |||
48 | # Set permissions of $USER_NAME SSH config directory |
|
49 | # Set permissions of $USER_NAME SSH config directory | |
49 | chroot_exec chmod 700 "/home/${USER_NAME}/.ssh" |
|
50 | chroot_exec chmod 700 "/home/${USER_NAME}/.ssh" | |
50 | chroot_exec chown ${USER_NAME}:${USER_NAME} "/home/${USER_NAME}/.ssh" |
|
51 | chroot_exec chown ${USER_NAME}:${USER_NAME} "/home/${USER_NAME}/.ssh" | |
51 |
|
52 | |||
52 | # Install SSH (v2) authorized keys file for user $USER_NAME |
|
53 | # Install SSH (v2) authorized keys file for user $USER_NAME | |
53 | if [ ! -z "$SSH_USER_AUTHORIZED_KEYS" ] ; then |
|
54 | if [ ! -z "$SSH_USER_AUTHORIZED_KEYS" ] ; then | |
54 | install_readonly "$SSH_USER_AUTHORIZED_KEYS" "${R}/home/${USER_NAME}/.ssh/authorized_keys2" |
|
55 | install_readonly "$SSH_USER_AUTHORIZED_KEYS" "${R}/home/${USER_NAME}/.ssh/authorized_keys2" | |
55 | fi |
|
56 | fi | |
56 |
|
57 | |||
57 | # Add SSH (v2) public key for user $USER_NAME |
|
58 | # Add SSH (v2) public key for user $USER_NAME | |
58 | if [ ! -z "$SSH_USER_PUB_KEY" ] ; then |
|
59 | if [ ! -z "$SSH_USER_PUB_KEY" ] ; then | |
59 | cat "$SSH_USER_PUB_KEY" >> "${R}/home/${USER_NAME}/.ssh/authorized_keys2" |
|
60 | cat "$SSH_USER_PUB_KEY" >> "${R}/home/${USER_NAME}/.ssh/authorized_keys2" | |
60 | fi |
|
61 | fi | |
61 |
|
62 | |||
62 | # Set permissions of $USER_NAME SSH authorized keys file |
|
63 | # Set permissions of $USER_NAME SSH authorized keys file | |
63 | if [ -f "${R}/home/${USER_NAME}/.ssh/authorized_keys2" ] ; then |
|
64 | if [ -f "${R}/home/${USER_NAME}/.ssh/authorized_keys2" ] ; then | |
64 | chroot_exec chmod 600 "/home/${USER_NAME}/.ssh/authorized_keys2" |
|
65 | chroot_exec chmod 600 "/home/${USER_NAME}/.ssh/authorized_keys2" | |
65 | chroot_exec chown ${USER_NAME}:${USER_NAME} "/home/${USER_NAME}/.ssh/authorized_keys2" |
|
66 | chroot_exec chown ${USER_NAME}:${USER_NAME} "/home/${USER_NAME}/.ssh/authorized_keys2" | |
66 |
|
67 | |||
67 | # Allow SSH public key authentication |
|
68 | # Allow SSH public key authentication | |
68 | sed -i "s|[#]*PubkeyAuthentication.*|PubkeyAuthentication yes|g" "${ETC_DIR}/ssh/sshd_config" |
|
69 | sed -i "s|[#]*PubkeyAuthentication.*|PubkeyAuthentication yes|g" "${ETC_DIR}/ssh/sshd_config" | |
|
70 | fi | |||
69 | fi |
|
71 | fi | |
70 |
|
72 | |||
71 | # Limit the users that are allowed to login via SSH |
|
73 | # Limit the users that are allowed to login via SSH | |
72 | if [ "$SSH_LIMIT_USERS" = true ] ; then |
|
74 | if [ "$SSH_LIMIT_USERS" = true ] ; then | |
|
75 | allowed_users="" | |||
73 | if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then |
|
76 | if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then | |
74 | echo "AllowUsers root ${USER_NAME}" >> "${ETC_DIR}/ssh/sshd_config" |
|
77 | allowed_users="root" | |
75 | else |
|
78 | fi | |
76 | echo "AllowUsers ${USER_NAME}" >> "${ETC_DIR}/ssh/sshd_config" |
|
79 | ||
|
80 | if [ "$ENABLE_USER" = true ] ; then | |||
|
81 | allowed_users="${allowed_users} ${USER_NAME}" | |||
|
82 | fi | |||
|
83 | ||||
|
84 | if [ ! -z "$allowed_users" ] ; then | |||
|
85 | echo "AllowUsers ${allowed_users}" >> "${ETC_DIR}/ssh/sshd_config" | |||
77 | fi |
|
86 | fi | |
78 | fi |
|
87 | fi | |
79 |
|
88 | |||
80 | # Disable password-based authentication |
|
89 | # Disable password-based authentication | |
81 | if [ "$SSH_DISABLE_PASSWORD_AUTH" = true ] ; then |
|
90 | if [ "$SSH_DISABLE_PASSWORD_AUTH" = true ] ; then | |
82 | if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then |
|
91 | if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then | |
83 | sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin without-password|g" "${ETC_DIR}/ssh/sshd_config" |
|
92 | sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin without-password|g" "${ETC_DIR}/ssh/sshd_config" | |
84 | fi |
|
93 | fi | |
85 |
|
94 | |||
86 | sed -i "s|[#]*PasswordAuthentication.*|PasswordAuthentication no|g" "${ETC_DIR}/ssh/sshd_config" |
|
95 | sed -i "s|[#]*PasswordAuthentication.*|PasswordAuthentication no|g" "${ETC_DIR}/ssh/sshd_config" | |
87 | sed -i "s|[#]*ChallengeResponseAuthentication no.*|ChallengeResponseAuthentication no|g" "${ETC_DIR}/ssh/sshd_config" |
|
96 | sed -i "s|[#]*ChallengeResponseAuthentication no.*|ChallengeResponseAuthentication no|g" "${ETC_DIR}/ssh/sshd_config" | |
88 | sed -i "s|[#]*UsePAM.*|UsePAM no|g" "${ETC_DIR}/ssh/sshd_config" |
|
97 | sed -i "s|[#]*UsePAM.*|UsePAM no|g" "${ETC_DIR}/ssh/sshd_config" | |
89 | fi |
|
98 | fi | |
90 | fi |
|
99 | fi |
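Review bot: When SSH_LIMIT_USERS is true but neither root SSH login nor ENABLE_USER is on, the new guard at line 84 silently skips the AllowUsers directive, so the requested restriction is not applied and the produced sshd_config still accepts any other account present in the image; that fall-through should at least be reported, e.g. an `else` arm with `printf 'SSH_LIMIT_USERS=true but no SSH user is enabled; AllowUsers not written\n' >&2`, or treated as a build error. The concatenation at line 81 also yields a leading space while allowed_users is still empty (`AllowUsers  name`), which sshd tolerates but reads cleaner as `allowed_users="${allowed_users:+${allowed_users} }${USER_NAME}"`. Line 85 appends to the end of the file, so if the distribution's sshd_config ever ends with an active `Match` block the directive would fall inside that block's scope instead of applying globally; a short comment noting that assumption, or inserting before the first Match line, would make the intent explicit.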