##// END OF EJS Templates
Raspi2-3_GenImage
RSS

Cloner depuis https://github.com/drtyhlpr/rpi23-gen-image.git

Fixed: ssh public key and AllowUsers for ENABLE_USER=false
drtyhlpr -
r122:1e776801295f
parent child
Show More
Show file before | Show file after | Hide comments
@@ -1,90 +1,99
1 #
1 #
2 # Setup SSH settings and public keys
2 # Setup SSH settings and public keys
3 #
3 #
4
4
5 # Load utility functions
5 # Load utility functions
6 . ./functions.sh
6 . ./functions.sh
7
7
8 if [ "$ENABLE_SSHD" = true ] ; then
8 if [ "$ENABLE_SSHD" = true ] ; then
9 if [ "$SSH_ENABLE_ROOT" = false ] ; then
9 if [ "$SSH_ENABLE_ROOT" = false ] ; then
10 # User root is not allowed to log in
10 # User root is not allowed to log in
11 sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin no|g" "${ETC_DIR}/ssh/sshd_config"
11 sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin no|g" "${ETC_DIR}/ssh/sshd_config"
12 fi
12 fi
13
13
14 if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then
14 if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then
15 # Permit SSH root login
15 # Permit SSH root login
16 sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin yes|g" "${ETC_DIR}/ssh/sshd_config"
16 sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin yes|g" "${ETC_DIR}/ssh/sshd_config"
17
17
18 # Create root SSH config directory
18 # Create root SSH config directory
19 mkdir -p "${R}/root/.ssh"
19 mkdir -p "${R}/root/.ssh"
20
20
21 # Set permissions of root SSH config directory
21 # Set permissions of root SSH config directory
22 chroot_exec chmod 700 "/root/.ssh"
22 chroot_exec chmod 700 "/root/.ssh"
23 chroot_exec chown root:root "/root/.ssh"
23 chroot_exec chown root:root "/root/.ssh"
24
24
25 # Install SSH (v2) authorized keys file for user root
25 # Install SSH (v2) authorized keys file for user root
26 if [ ! -z "$SSH_ROOT_AUTHORIZED_KEYS" ] ; then
26 if [ ! -z "$SSH_ROOT_AUTHORIZED_KEYS" ] ; then
27 install_readonly "$SSH_ROOT_AUTHORIZED_KEYS" "${R}/root/.ssh/authorized_keys2"
27 install_readonly "$SSH_ROOT_AUTHORIZED_KEYS" "${R}/root/.ssh/authorized_keys2"
28 fi
28 fi
29
29
30 # Add SSH (v2) public key for user root
30 # Add SSH (v2) public key for user root
31 if [ ! -z "$SSH_ROOT_PUB_KEY" ] ; then
31 if [ ! -z "$SSH_ROOT_PUB_KEY" ] ; then
32 cat "$SSH_ROOT_PUB_KEY" >> "${R}/root/.ssh/authorized_keys2"
32 cat "$SSH_ROOT_PUB_KEY" >> "${R}/root/.ssh/authorized_keys2"
33 fi
33 fi
34
34
35 # Set permissions of root SSH authorized keys file
35 # Set permissions of root SSH authorized keys file
36 if [ -f "${R}/root/.ssh/authorized_keys2" ] ; then
36 if [ -f "${R}/root/.ssh/authorized_keys2" ] ; then
37 chroot_exec chmod 600 "/root/.ssh/authorized_keys2"
37 chroot_exec chmod 600 "/root/.ssh/authorized_keys2"
38 chroot_exec chown root:root "/root/.ssh/authorized_keys2"
38 chroot_exec chown root:root "/root/.ssh/authorized_keys2"
39
39
40 # Allow SSH public key authentication
40 # Allow SSH public key authentication
41 sed -i "s|[#]*PubkeyAuthentication.*|PubkeyAuthentication yes|g" "${ETC_DIR}/ssh/sshd_config"
41 sed -i "s|[#]*PubkeyAuthentication.*|PubkeyAuthentication yes|g" "${ETC_DIR}/ssh/sshd_config"
42 fi
42 fi
43 fi
43 fi
44
44
45 if [ "$ENABLE_USER" = true ] ; then
45 # Create $USER_NAME SSH config directory
46 # Create $USER_NAME SSH config directory
46 mkdir -p "${R}/home/${USER_NAME}/.ssh"
47 mkdir -p "${R}/home/${USER_NAME}/.ssh"
47
48
48 # Set permissions of $USER_NAME SSH config directory
49 # Set permissions of $USER_NAME SSH config directory
49 chroot_exec chmod 700 "/home/${USER_NAME}/.ssh"
50 chroot_exec chmod 700 "/home/${USER_NAME}/.ssh"
50 chroot_exec chown ${USER_NAME}:${USER_NAME} "/home/${USER_NAME}/.ssh"
51 chroot_exec chown ${USER_NAME}:${USER_NAME} "/home/${USER_NAME}/.ssh"
51
52
52 # Install SSH (v2) authorized keys file for user $USER_NAME
53 # Install SSH (v2) authorized keys file for user $USER_NAME
53 if [ ! -z "$SSH_USER_AUTHORIZED_KEYS" ] ; then
54 if [ ! -z "$SSH_USER_AUTHORIZED_KEYS" ] ; then
54 install_readonly "$SSH_USER_AUTHORIZED_KEYS" "${R}/home/${USER_NAME}/.ssh/authorized_keys2"
55 install_readonly "$SSH_USER_AUTHORIZED_KEYS" "${R}/home/${USER_NAME}/.ssh/authorized_keys2"
55 fi
56 fi
56
57
57 # Add SSH (v2) public key for user $USER_NAME
58 # Add SSH (v2) public key for user $USER_NAME
58 if [ ! -z "$SSH_USER_PUB_KEY" ] ; then
59 if [ ! -z "$SSH_USER_PUB_KEY" ] ; then
59 cat "$SSH_USER_PUB_KEY" >> "${R}/home/${USER_NAME}/.ssh/authorized_keys2"
60 cat "$SSH_USER_PUB_KEY" >> "${R}/home/${USER_NAME}/.ssh/authorized_keys2"
60 fi
61 fi
61
62
62 # Set permissions of $USER_NAME SSH authorized keys file
63 # Set permissions of $USER_NAME SSH authorized keys file
63 if [ -f "${R}/home/${USER_NAME}/.ssh/authorized_keys2" ] ; then
64 if [ -f "${R}/home/${USER_NAME}/.ssh/authorized_keys2" ] ; then
64 chroot_exec chmod 600 "/home/${USER_NAME}/.ssh/authorized_keys2"
65 chroot_exec chmod 600 "/home/${USER_NAME}/.ssh/authorized_keys2"
65 chroot_exec chown ${USER_NAME}:${USER_NAME} "/home/${USER_NAME}/.ssh/authorized_keys2"
66 chroot_exec chown ${USER_NAME}:${USER_NAME} "/home/${USER_NAME}/.ssh/authorized_keys2"
66
67
67 # Allow SSH public key authentication
68 # Allow SSH public key authentication
68 sed -i "s|[#]*PubkeyAuthentication.*|PubkeyAuthentication yes|g" "${ETC_DIR}/ssh/sshd_config"
69 sed -i "s|[#]*PubkeyAuthentication.*|PubkeyAuthentication yes|g" "${ETC_DIR}/ssh/sshd_config"
69 fi
70 fi
71 fi
70
72
71 # Limit the users that are allowed to login via SSH
73 # Limit the users that are allowed to login via SSH
72 if [ "$SSH_LIMIT_USERS" = true ] ; then
74 if [ "$SSH_LIMIT_USERS" = true ] ; then
75 allowed_users=""
73 if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then
76 if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then
74 echo "AllowUsers root ${USER_NAME}" >> "${ETC_DIR}/ssh/sshd_config"
77 allowed_users="root"
75 else
78 fi
76 echo "AllowUsers ${USER_NAME}" >> "${ETC_DIR}/ssh/sshd_config"
79
80 if [ "$ENABLE_USER" = true ] ; then
81 allowed_users="${allowed_users} ${USER_NAME}"
82 fi
83
84 if [ ! -z "$allowed_users" ] ; then
85 echo "AllowUsers ${allowed_users}" >> "${ETC_DIR}/ssh/sshd_config"
77 fi
86 fi
78 fi
87 fi
79
88
80 # Disable password-based authentication
89 # Disable password-based authentication
81 if [ "$SSH_DISABLE_PASSWORD_AUTH" = true ] ; then
90 if [ "$SSH_DISABLE_PASSWORD_AUTH" = true ] ; then
82 if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then
91 if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then
83 sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin without-password|g" "${ETC_DIR}/ssh/sshd_config"
92 sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin without-password|g" "${ETC_DIR}/ssh/sshd_config"
84 fi
93 fi
85
94
86 sed -i "s|[#]*PasswordAuthentication.*|PasswordAuthentication no|g" "${ETC_DIR}/ssh/sshd_config"
95 sed -i "s|[#]*PasswordAuthentication.*|PasswordAuthentication no|g" "${ETC_DIR}/ssh/sshd_config"
87 sed -i "s|[#]*ChallengeResponseAuthentication no.*|ChallengeResponseAuthentication no|g" "${ETC_DIR}/ssh/sshd_config"
96 sed -i "s|[#]*ChallengeResponseAuthentication no.*|ChallengeResponseAuthentication no|g" "${ETC_DIR}/ssh/sshd_config"
88 sed -i "s|[#]*UsePAM.*|UsePAM no|g" "${ETC_DIR}/ssh/sshd_config"
97 sed -i "s|[#]*UsePAM.*|UsePAM no|g" "${ETC_DIR}/ssh/sshd_config"
89 fi
98 fi
90 fi
99 fi
General Comments 0
Vous devez vous connecter pour laisser un commentaire. Se connecter maintenant