Raspi2-3_GenImage Commit - r122:1e776801295f · Collaboration Tremplin des Sciences

1

#

1

#

2

# Setup SSH settings and public keys

2

# Setup SSH settings and public keys

3

#

3

#

4

5

# Load utility functions

5

# Load utility functions

6

. ./functions.sh

6

. ./functions.sh

7

8

if [ "$ENABLE_SSHD" = true ] ; then

8

if [ "$ENABLE_SSHD" = true ] ; then

9

if [ "$SSH_ENABLE_ROOT" = false ] ; then

9

if [ "$SSH_ENABLE_ROOT" = false ] ; then

10

# User root is not allowed to log in

10

# User root is not allowed to log in

11

sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin no|g" "${ETC_DIR}/ssh/sshd_config"

11

sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin no|g" "${ETC_DIR}/ssh/sshd_config"

12

fi

12

fi

13

14

if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then

14

if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then

15

# Permit SSH root login

15

# Permit SSH root login

16

sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin yes|g" "${ETC_DIR}/ssh/sshd_config"

16

sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin yes|g" "${ETC_DIR}/ssh/sshd_config"

17

18

# Create root SSH config directory

18

# Create root SSH config directory

19

mkdir -p "${R}/root/.ssh"

19

mkdir -p "${R}/root/.ssh"

20

21

# Set permissions of root SSH config directory

21

# Set permissions of root SSH config directory

22

chroot_exec chmod 700 "/root/.ssh"

22

chroot_exec chmod 700 "/root/.ssh"

23

chroot_exec chown root:root "/root/.ssh"

23

chroot_exec chown root:root "/root/.ssh"

24

25

# Install SSH (v2) authorized keys file for user root

25

# Install SSH (v2) authorized keys file for user root

26

if [ ! -z "$SSH_ROOT_AUTHORIZED_KEYS" ] ; then

26

if [ ! -z "$SSH_ROOT_AUTHORIZED_KEYS" ] ; then

27

install_readonly "$SSH_ROOT_AUTHORIZED_KEYS" "${R}/root/.ssh/authorized_keys2"

27

install_readonly "$SSH_ROOT_AUTHORIZED_KEYS" "${R}/root/.ssh/authorized_keys2"

28

fi

28

fi

29

30

# Add SSH (v2) public key for user root

30

# Add SSH (v2) public key for user root

31

if [ ! -z "$SSH_ROOT_PUB_KEY" ] ; then

31

if [ ! -z "$SSH_ROOT_PUB_KEY" ] ; then

32

cat "$SSH_ROOT_PUB_KEY" >> "${R}/root/.ssh/authorized_keys2"

32

cat "$SSH_ROOT_PUB_KEY" >> "${R}/root/.ssh/authorized_keys2"

33

fi

33

fi

34

35

# Set permissions of root SSH authorized keys file

35

# Set permissions of root SSH authorized keys file

36

if [ -f "${R}/root/.ssh/authorized_keys2" ] ; then

36

if [ -f "${R}/root/.ssh/authorized_keys2" ] ; then

37

chroot_exec chmod 600 "/root/.ssh/authorized_keys2"

37

chroot_exec chmod 600 "/root/.ssh/authorized_keys2"

38

chroot_exec chown root:root "/root/.ssh/authorized_keys2"

38

chroot_exec chown root:root "/root/.ssh/authorized_keys2"

39

40

# Allow SSH public key authentication

40

# Allow SSH public key authentication

41

sed -i "s|[#]*PubkeyAuthentication.*|PubkeyAuthentication yes|g" "${ETC_DIR}/ssh/sshd_config"

41

sed -i "s|[#]*PubkeyAuthentication.*|PubkeyAuthentication yes|g" "${ETC_DIR}/ssh/sshd_config"

42

fi

42

fi

43

fi

43

fi

44

45

# Create $USER_NAME SSH config directory

45

if [ "$ENABLE_USER" = true ] ; then

46

mkdir -p "${R}/home/${USER_NAME}/.ssh"

46

# Create $USER_NAME SSH config directory

47

mkdir -p "${R}/home/${USER_NAME}/.ssh"

47

48

# Set permissions of $USER_NAME SSH config directory

49

# Set permissions of $USER_NAME SSH config directory

49

chroot_exec chmod 700 "/home/${USER_NAME}/.ssh"

50

chroot_exec chmod 700 "/home/${USER_NAME}/.ssh"

50

chroot_exec chown ${USER_NAME}:${USER_NAME} "/home/${USER_NAME}/.ssh"

51

chroot_exec chown ${USER_NAME}:${USER_NAME} "/home/${USER_NAME}/.ssh"

51

52

# Install SSH (v2) authorized keys file for user $USER_NAME

53

# Install SSH (v2) authorized keys file for user $USER_NAME

53

if [ ! -z "$SSH_USER_AUTHORIZED_KEYS" ] ; then

54

if [ ! -z "$SSH_USER_AUTHORIZED_KEYS" ] ; then

54

install_readonly "$SSH_USER_AUTHORIZED_KEYS" "${R}/home/${USER_NAME}/.ssh/authorized_keys2"

55

install_readonly "$SSH_USER_AUTHORIZED_KEYS" "${R}/home/${USER_NAME}/.ssh/authorized_keys2"

55

fi

56

fi

56

57

# Add SSH (v2) public key for user $USER_NAME

58

# Add SSH (v2) public key for user $USER_NAME

58

if [ ! -z "$SSH_USER_PUB_KEY" ] ; then

59

if [ ! -z "$SSH_USER_PUB_KEY" ] ; then

59

cat "$SSH_USER_PUB_KEY" >> "${R}/home/${USER_NAME}/.ssh/authorized_keys2"

60

cat "$SSH_USER_PUB_KEY" >> "${R}/home/${USER_NAME}/.ssh/authorized_keys2"

60

fi

61

fi

61

62

# Set permissions of $USER_NAME SSH authorized keys file

63

# Set permissions of $USER_NAME SSH authorized keys file

63

if [ -f "${R}/home/${USER_NAME}/.ssh/authorized_keys2" ] ; then

64

if [ -f "${R}/home/${USER_NAME}/.ssh/authorized_keys2" ] ; then

64

chroot_exec chmod 600 "/home/${USER_NAME}/.ssh/authorized_keys2"

65

chroot_exec chmod 600 "/home/${USER_NAME}/.ssh/authorized_keys2"

65

chroot_exec chown ${USER_NAME}:${USER_NAME} "/home/${USER_NAME}/.ssh/authorized_keys2"

66

chroot_exec chown ${USER_NAME}:${USER_NAME} "/home/${USER_NAME}/.ssh/authorized_keys2"

66

67

# Allow SSH public key authentication

68

# Allow SSH public key authentication

68

sed -i "s|[#]*PubkeyAuthentication.*|PubkeyAuthentication yes|g" "${ETC_DIR}/ssh/sshd_config"

69

sed -i "s|[#]*PubkeyAuthentication.*|PubkeyAuthentication yes|g" "${ETC_DIR}/ssh/sshd_config"

70

fi

69

fi

71

fi

70

72

71

# Limit the users that are allowed to login via SSH

73

# Limit the users that are allowed to login via SSH

72

if [ "$SSH_LIMIT_USERS" = true ] ; then

74

if [ "$SSH_LIMIT_USERS" = true ] ; then

75

allowed_users=""

73

if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then

76

if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then

74

echo "AllowUsers root ${USER_NAME}" >> "${ETC_DIR}/ssh/sshd_config"

77

allowed_users="root"

75

else

78

fi

76

echo "AllowUsers ${USER_NAME}" >> "${ETC_DIR}/ssh/sshd_config"

79

80

if [ "$ENABLE_USER" = true ] ; then

81

allowed_users="${allowed_users} ${USER_NAME}"

82

fi

83

84

if [ ! -z "$allowed_users" ] ; then

85

echo "AllowUsers ${allowed_users}" >> "${ETC_DIR}/ssh/sshd_config"

77

fi

86

fi

78

fi

87

fi

79

88

80

# Disable password-based authentication

89

# Disable password-based authentication

81

if [ "$SSH_DISABLE_PASSWORD_AUTH" = true ] ; then

90

if [ "$SSH_DISABLE_PASSWORD_AUTH" = true ] ; then

82

if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then

91

if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then

83

sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin without-password|g" "${ETC_DIR}/ssh/sshd_config"

92

sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin without-password|g" "${ETC_DIR}/ssh/sshd_config"

84

fi

93

fi

85

94

86

sed -i "s|[#]*PasswordAuthentication.*|PasswordAuthentication no|g" "${ETC_DIR}/ssh/sshd_config"

95

sed -i "s|[#]*PasswordAuthentication.*|PasswordAuthentication no|g" "${ETC_DIR}/ssh/sshd_config"

87

sed -i "s|[#]*ChallengeResponseAuthentication no.*|ChallengeResponseAuthentication no|g" "${ETC_DIR}/ssh/sshd_config"

96

sed -i "s|[#]*ChallengeResponseAuthentication no.*|ChallengeResponseAuthentication no|g" "${ETC_DIR}/ssh/sshd_config"

88

sed -i "s|[#]*UsePAM.*|UsePAM no|g" "${ETC_DIR}/ssh/sshd_config"

97

sed -i "s|[#]*UsePAM.*|UsePAM no|g" "${ETC_DIR}/ssh/sshd_config"

89

fi

98

fi

90

fi

99

fi

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Dépôts
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

             #
             # Setup SSH settings and public keys
             #
             # Load utility functions
             . ./functions.sh
             if [ "$ENABLE_SSHD" = true ] ; then
               if [ "$SSH_ENABLE_ROOT" = false ] ; then
                 # User root is not allowed to log in
                 sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin no|g" "${ETC_DIR}/ssh/sshd_config"
               fi
               if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then
                 # Permit SSH root login
                 sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin yes|g" "${ETC_DIR}/ssh/sshd_config"
                 # Create root SSH config directory
                 mkdir -p "${R}/root/.ssh"
                 # Set permissions of root SSH config directory
                 chroot_exec chmod 700 "/root/.ssh"
                 chroot_exec chown root:root "/root/.ssh"
                 # Install SSH (v2) authorized keys file for user root
                 if [ ! -z "$SSH_ROOT_AUTHORIZED_KEYS" ] ; then
                   install_readonly "$SSH_ROOT_AUTHORIZED_KEYS" "${R}/root/.ssh/authorized_keys2"
                 fi
                 # Add SSH (v2) public key for user root
                 if [ ! -z "$SSH_ROOT_PUB_KEY" ] ; then
                   cat "$SSH_ROOT_PUB_KEY" >> "${R}/root/.ssh/authorized_keys2"
                 fi
                 # Set permissions of root SSH authorized keys file
                 if [ -f "${R}/root/.ssh/authorized_keys2" ] ; then
                   chroot_exec chmod 600 "/root/.ssh/authorized_keys2"
                   chroot_exec chown root:root "/root/.ssh/authorized_keys2"
                   # Allow SSH public key authentication
                   sed -i "s|[#]*PubkeyAuthentication.*|PubkeyAuthentication yes|g" "${ETC_DIR}/ssh/sshd_config"
                 fi
               fi
-              # Create $USER_NAME SSH config directory
+              if [ "$ENABLE_USER" = true ] ; then
-              mkdir -p "${R}/home/${USER_NAME}/.ssh"
+                # Create $USER_NAME SSH config directory
+                mkdir -p "${R}/home/${USER_NAME}/.ssh"
-              # Set permissions of $USER_NAME SSH config directory
+                # Set permissions of $USER_NAME SSH config directory
-              chroot_exec chmod 700 "/home/${USER_NAME}/.ssh"
+                chroot_exec chmod 700 "/home/${USER_NAME}/.ssh"
-              chroot_exec chown ${USER_NAME}:${USER_NAME} "/home/${USER_NAME}/.ssh"
+                chroot_exec chown ${USER_NAME}:${USER_NAME} "/home/${USER_NAME}/.ssh"
-              # Install SSH (v2) authorized keys file for user $USER_NAME
+                # Install SSH (v2) authorized keys file for user $USER_NAME
-              if [ ! -z "$SSH_USER_AUTHORIZED_KEYS" ] ; then
+                if [ ! -z "$SSH_USER_AUTHORIZED_KEYS" ] ; then
-                install_readonly "$SSH_USER_AUTHORIZED_KEYS" "${R}/home/${USER_NAME}/.ssh/authorized_keys2"
+                  install_readonly "$SSH_USER_AUTHORIZED_KEYS" "${R}/home/${USER_NAME}/.ssh/authorized_keys2"
-              fi
+                fi
-              # Add SSH (v2) public key for user $USER_NAME
+                # Add SSH (v2) public key for user $USER_NAME
-              if [ ! -z "$SSH_USER_PUB_KEY" ] ; then
+                if [ ! -z "$SSH_USER_PUB_KEY" ] ; then
-                cat "$SSH_USER_PUB_KEY" >> "${R}/home/${USER_NAME}/.ssh/authorized_keys2"
+                  cat "$SSH_USER_PUB_KEY" >> "${R}/home/${USER_NAME}/.ssh/authorized_keys2"
-              fi
+                fi
-              # Set permissions of $USER_NAME SSH authorized keys file
+                # Set permissions of $USER_NAME SSH authorized keys file
-              if [ -f  "${R}/home/${USER_NAME}/.ssh/authorized_keys2" ] ; then
+                if [ -f  "${R}/home/${USER_NAME}/.ssh/authorized_keys2" ] ; then
-                chroot_exec chmod 600 "/home/${USER_NAME}/.ssh/authorized_keys2"
+                  chroot_exec chmod 600 "/home/${USER_NAME}/.ssh/authorized_keys2"
-                chroot_exec chown ${USER_NAME}:${USER_NAME} "/home/${USER_NAME}/.ssh/authorized_keys2"
+                  chroot_exec chown ${USER_NAME}:${USER_NAME} "/home/${USER_NAME}/.ssh/authorized_keys2"
-                # Allow SSH public key authentication
+                  # Allow SSH public key authentication
-                sed -i "s|[#]*PubkeyAuthentication.*|PubkeyAuthentication yes|g" "${ETC_DIR}/ssh/sshd_config"
+                  sed -i "s|[#]*PubkeyAuthentication.*|PubkeyAuthentication yes|g" "${ETC_DIR}/ssh/sshd_config"
+                fi
               fi
               # Limit the users that are allowed to login via SSH
               if [ "$SSH_LIMIT_USERS" = true ] ; then
+                allowed_users=""
                 if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then
-                  echo "AllowUsers root ${USER_NAME}" >> "${ETC_DIR}/ssh/sshd_config"
+                  allowed_users="root"
-                else
+                fi
-                  echo "AllowUsers ${USER_NAME}" >> "${ETC_DIR}/ssh/sshd_config"
+                if [ "$ENABLE_USER" = true ] ; then
+                  allowed_users="${allowed_users} ${USER_NAME}"
+                fi
+                if [ ! -z "$allowed_users" ] ; then
+                  echo "AllowUsers ${allowed_users}" >> "${ETC_DIR}/ssh/sshd_config"
                 fi
               fi
               # Disable password-based authentication
               if [ "$SSH_DISABLE_PASSWORD_AUTH" = true ] ; then
                 if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then
                   sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin without-password|g" "${ETC_DIR}/ssh/sshd_config"
                 fi
                 sed -i "s|[#]*PasswordAuthentication.*|PasswordAuthentication no|g" "${ETC_DIR}/ssh/sshd_config"
                 sed -i "s|[#]*ChallengeResponseAuthentication no.*|ChallengeResponseAuthentication no|g" "${ETC_DIR}/ssh/sshd_config"
                 sed -i "s|[#]*UsePAM.*|UsePAM no|g" "${ETC_DIR}/ssh/sshd_config"
               fi
             fi