Raspi2-3_GenImage Files · bootstrap.d/32-sshd.sh · Collaboration Tremplin des Sciences

PATCHES for:...

PATCHES for: RPI4 Debian Bullseye Added and removed kernel options QEMU with 64bit kernel doenst fail anymore (untested) No more compile error on bluetooth firmware download Kernel bump from 4.14 to 4.19 flex,bison and libssl-dev required to build kernel

Unknown - - Load All Authors

Fichier de la dernière révision:

r338:5dd9ea36ae5f


                r665:c4237fcbc4c6

Download file

             32-sshd.sh
        
                    115 lines
            
             | 4.1 KiB
            
                | application/x-sh
            
             |
                BashLexer
            
             / bootstrap.d / 32-sshd.sh
          
                    Historique
                
                 |
                  Annotation
                 | Brut
                 |Copy content
                 |Copy permalink

      #

      # Setup SSH settings and public keys

      #

      # Load utility functions

      . ./functions.sh

      if [ "$ENABLE_SSHD" = true ] ; then

        DROPBEAR_ARGS=""

        if [ "$SSH_ENABLE_ROOT" = false ] ; then

          if [ "$ENABLE_REDUCE" = false ] || [ "$REDUCE_SSHD" = false ] ; then

            # User root is not allowed to log in

            sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin no|g" "${ETC_DIR}/ssh/sshd_config"

          else

            # User root is not allowed to log in

            DROPBEAR_ARGS="-w"

          fi

        fi

        if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then

          if [ "$ENABLE_REDUCE" = false ] || [ "$REDUCE_SSHD" = false ] ; then

            # Permit SSH root login

            sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin yes|g" "${ETC_DIR}/ssh/sshd_config"

          else

            # Permit SSH root login

            DROPBEAR_ARGS=""

          fi

          # Add SSH (v2) public key for user root

          if [ -n "$SSH_ROOT_PUB_KEY" ] ; then

            # Create root SSH config directory

            mkdir -p "${R}/root/.ssh"

            # Set permissions of root SSH config directory

            chroot_exec chmod 700 "/root/.ssh"

            chroot_exec chown root:root "/root/.ssh"

            # Add SSH (v2) public key(s) to authorized_keys file

            cat "$SSH_ROOT_PUB_KEY" >> "${R}/root/.ssh/authorized_keys"

            # Set permissions of root SSH authorized_keys file

            chroot_exec chmod 600 "/root/.ssh/authorized_keys"

            chroot_exec chown root:root "/root/.ssh/authorized_keys"

            if [ "$ENABLE_REDUCE" = false ] || [ "$REDUCE_SSHD" = false ] ; then

              # Allow SSH public key authentication

              sed -i "s|[#]*PubkeyAuthentication.*|PubkeyAuthentication yes|g" "${ETC_DIR}/ssh/sshd_config"

            fi

          fi

        fi

        if [ "$ENABLE_USER" = true ] ; then

          # Add SSH (v2) public key for user $USER_NAME

          if [ -n "$SSH_USER_PUB_KEY" ] ; then

            # Create $USER_NAME SSH config directory

            mkdir -p "${R}/home/${USER_NAME}/.ssh"

            # Set permissions of $USER_NAME SSH config directory

            chroot_exec chmod 700 "/home/${USER_NAME}/.ssh"

            chroot_exec chown "${USER_NAME}":"${USER_NAME}" "/home/${USER_NAME}/.ssh"

            # Add SSH (v2) public key(s) to authorized_keys file

            cat "$SSH_USER_PUB_KEY" >> "${R}/home/${USER_NAME}/.ssh/authorized_keys"

            # Set permissions of $USER_NAME SSH config directory

            chroot_exec chmod 600 "/home/${USER_NAME}/.ssh/authorized_keys"

            chroot_exec chown "${USER_NAME}":"${USER_NAME}" "/home/${USER_NAME}/.ssh/authorized_keys"

            if [ "$ENABLE_REDUCE" = false ] || [ "$REDUCE_SSHD" = false ] ; then

              # Allow SSH public key authentication

              sed -i "s|[#]*PubkeyAuthentication.*|PubkeyAuthentication yes|g" "${ETC_DIR}/ssh/sshd_config"

            fi

          fi

        fi

        # Limit the users that are allowed to login via SSH

        if [ "$SSH_LIMIT_USERS" = true ] && [ "$ENABLE_REDUCE" = false ] ; then

          allowed_users=""

          if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then

            allowed_users="root"

          fi

          if [ "$ENABLE_USER" = true ] ; then

            allowed_users="${allowed_users} ${USER_NAME}"

          fi

          if [ -n "$allowed_users" ] ; then

            echo "AllowUsers ${allowed_users}" >> "${ETC_DIR}/ssh/sshd_config"

          fi

        fi

        # Disable password-based authentication

        if [ "$SSH_DISABLE_PASSWORD_AUTH" = true ] ; then

          if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then

            if [ "$ENABLE_REDUCE" = false ] || [ "$REDUCE_SSHD" = false ] ; then

              sed -i "s|[#]*PermitRootLogin.*|PermitRootLogin without-password|g" "${ETC_DIR}/ssh/sshd_config"

            else

              DROPBEAR_ARGS="-g"

            fi

          fi

          if [ "$ENABLE_REDUCE" = false ] || [ "$REDUCE_SSHD" = false ] ; then

            sed -i "s|[#]*PasswordAuthentication.*|PasswordAuthentication no|g" "${ETC_DIR}/ssh/sshd_config"

            sed -i "s|[#]*ChallengeResponseAuthentication no.*|ChallengeResponseAuthentication no|g" "${ETC_DIR}/ssh/sshd_config"

            sed -i "s|[#]*UsePAM.*|UsePAM no|g" "${ETC_DIR}/ssh/sshd_config"

          else

            DROPBEAR_ARGS="${DROPBEAR_ARGS} -s"

          fi

        fi

        # Update dropbear SSH configuration

        if [ "$ENABLE_REDUCE" = true ] && [ "$REDUCE_SSHD" = true ] ; then

          sed "s|^DROPBEAR_EXTRA_ARGS=.*|DROPBEAR_EXTRA_ARGS=\"${DROPBEAR_ARGS}\"|g" "${ETC_DIR}/default/dropbear"

        fi

      fi

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Dépôts
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

				#
				# Setup SSH settings and public keys
				#

				# Load utility functions
				. ./functions.sh

				if [ "$ENABLE_SSHD" = true ] ; then
				DROPBEAR_ARGS=""

				if [ "$SSH_ENABLE_ROOT" = false ] ; then
				if [ "$ENABLE_REDUCE" = false ] \|\| [ "$REDUCE_SSHD" = false ] ; then
				# User root is not allowed to log in
				sed -i "s\|[#]PermitRootLogin.\|PermitRootLogin no\|g" "${ETC_DIR}/ssh/sshd_config"
				else
				# User root is not allowed to log in
				DROPBEAR_ARGS="-w"
				fi
				fi

				if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then
				if [ "$ENABLE_REDUCE" = false ] \|\| [ "$REDUCE_SSHD" = false ] ; then
				# Permit SSH root login
				sed -i "s\|[#]PermitRootLogin.\|PermitRootLogin yes\|g" "${ETC_DIR}/ssh/sshd_config"
				else
				# Permit SSH root login
				DROPBEAR_ARGS=""
				fi

				# Add SSH (v2) public key for user root
				if [ -n "$SSH_ROOT_PUB_KEY" ] ; then
				# Create root SSH config directory
				mkdir -p "${R}/root/.ssh"

				# Set permissions of root SSH config directory
				chroot_exec chmod 700 "/root/.ssh"
				chroot_exec chown root:root "/root/.ssh"

				# Add SSH (v2) public key(s) to authorized_keys file
				cat "$SSH_ROOT_PUB_KEY" >> "${R}/root/.ssh/authorized_keys"

				# Set permissions of root SSH authorized_keys file
				chroot_exec chmod 600 "/root/.ssh/authorized_keys"
				chroot_exec chown root:root "/root/.ssh/authorized_keys"

				if [ "$ENABLE_REDUCE" = false ] \|\| [ "$REDUCE_SSHD" = false ] ; then
				# Allow SSH public key authentication
				sed -i "s\|[#]PubkeyAuthentication.\|PubkeyAuthentication yes\|g" "${ETC_DIR}/ssh/sshd_config"
				fi
				fi
				fi

				if [ "$ENABLE_USER" = true ] ; then
				# Add SSH (v2) public key for user $USER_NAME
				if [ -n "$SSH_USER_PUB_KEY" ] ; then
				# Create $USER_NAME SSH config directory
				mkdir -p "${R}/home/${USER_NAME}/.ssh"

				# Set permissions of $USER_NAME SSH config directory
				chroot_exec chmod 700 "/home/${USER_NAME}/.ssh"
				chroot_exec chown "${USER_NAME}":"${USER_NAME}" "/home/${USER_NAME}/.ssh"

				# Add SSH (v2) public key(s) to authorized_keys file
				cat "$SSH_USER_PUB_KEY" >> "${R}/home/${USER_NAME}/.ssh/authorized_keys"

				# Set permissions of $USER_NAME SSH config directory
				chroot_exec chmod 600 "/home/${USER_NAME}/.ssh/authorized_keys"
				chroot_exec chown "${USER_NAME}":"${USER_NAME}" "/home/${USER_NAME}/.ssh/authorized_keys"

				if [ "$ENABLE_REDUCE" = false ] \|\| [ "$REDUCE_SSHD" = false ] ; then
				# Allow SSH public key authentication
				sed -i "s\|[#]PubkeyAuthentication.\|PubkeyAuthentication yes\|g" "${ETC_DIR}/ssh/sshd_config"
				fi
				fi
				fi

				# Limit the users that are allowed to login via SSH
				if [ "$SSH_LIMIT_USERS" = true ] && [ "$ENABLE_REDUCE" = false ] ; then
				allowed_users=""
				if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then
				allowed_users="root"
				fi

				if [ "$ENABLE_USER" = true ] ; then
				allowed_users="${allowed_users} ${USER_NAME}"
				fi

				if [ -n "$allowed_users" ] ; then
				echo "AllowUsers ${allowed_users}" >> "${ETC_DIR}/ssh/sshd_config"
				fi
				fi

				# Disable password-based authentication
				if [ "$SSH_DISABLE_PASSWORD_AUTH" = true ] ; then
				if [ "$ENABLE_ROOT" = true ] && [ "$SSH_ENABLE_ROOT" = true ] ; then
				if [ "$ENABLE_REDUCE" = false ] \|\| [ "$REDUCE_SSHD" = false ] ; then
				sed -i "s\|[#]PermitRootLogin.\|PermitRootLogin without-password\|g" "${ETC_DIR}/ssh/sshd_config"
				else
				DROPBEAR_ARGS="-g"
				fi
				fi

				if [ "$ENABLE_REDUCE" = false ] \|\| [ "$REDUCE_SSHD" = false ] ; then
				sed -i "s\|[#]PasswordAuthentication.\|PasswordAuthentication no\|g" "${ETC_DIR}/ssh/sshd_config"
				sed -i "s\|[#]ChallengeResponseAuthentication no.\|ChallengeResponseAuthentication no\|g" "${ETC_DIR}/ssh/sshd_config"
				sed -i "s\|[#]UsePAM.\|UsePAM no\|g" "${ETC_DIR}/ssh/sshd_config"
				else
				DROPBEAR_ARGS="${DROPBEAR_ARGS} -s"
				fi
				fi

				# Update dropbear SSH configuration
				if [ "$ENABLE_REDUCE" = true ] && [ "$REDUCE_SSHD" = true ] ; then
				sed "s\|^DROPBEAR_EXTRA_ARGS=.*\|DROPBEAR_EXTRA_ARGS=\"${DROPBEAR_ARGS}\"\|g" "${ETC_DIR}/default/dropbear"
				fi
				fi