From 103f3670597d33a69f9b5553c7885bfeb6549403 Mon Sep 17 00:00:00 2001 From: xdrm-brackets Date: Sat, 21 Jan 2017 16:21:57 +0100 Subject: [PATCH] managing ssh-keys and maintenance keys --- .gitignore | 3 +++ clone/authorized_keys | 1 - clone/clone | 56 +++++++++++++++++++++++++++---------------- 3 files changed, 38 insertions(+), 22 deletions(-) delete mode 100644 clone/authorized_keys diff --git a/.gitignore b/.gitignore index a89285e..b28efb9 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,4 @@ *.img +*.zip + +clone/server/** diff --git a/clone/authorized_keys b/clone/authorized_keys deleted file mode 100644 index 6e2fe29..0000000 --- a/clone/authorized_keys +++ /dev/null @@ -1 +0,0 @@ -ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAF91ZI1TROEV5nYmqPv0qW6b4U7BrSD6fK91XxPE2r+Okf756gGJQfg3iRKtyI5noWVU4e7ib3vsOTMSvMDafSDCgFULLasr5OApCrv6/cI/SV5MIerPkZO9eMMD/cZxTuT9aTpsSOtCiv0ewkLkbWHFHvIM0q6uaPQpAYVmpV6wUzoZg== [ECDSA:521] SATS diff --git a/clone/clone b/clone/clone index f53074d..ce80edd 100755 --- a/clone/clone +++ b/clone/clone @@ -34,7 +34,7 @@ step1(){ read -p " (!) umount $mounted (y/n) [n]" unmount; - test -n "$unmount" && test $unmount = "y" && sudo umount $mounted && echo "> unmounted"; + test -n "$unmount" && test $unmount = "y" && sudo umount $mounted 2>> /dev/null >> /dev/null && echo " > unmounted"; done; echo "<<< done"; @@ -57,7 +57,9 @@ step2(){ # (2) Init gpt entry # # echo " ))) replace by real code ((("; - echo -e "g\nw" | sudo fdisk $DEV; + echo -e "g\nw" | sudo fdisk $DEV 2>> /dev/null >> /dev/null; + + echo "<<< done"; step3; } @@ -77,8 +79,7 @@ step3(){ test $confirm_burn != "y" && echo "<<< aborting" && exit; # (2) Burning image into disk # - sudo dd if=./original.img of=$DEV bs=4M \ - || echo "<<< ERROR: dd command failed" && exit; + sudo dd if=./original.img of=$DEV bs=4M || $( echo "<<< error: dd command failed" && exit ); echo "<<< done"; 
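Review bot: Redirecting umount's stderr to /dev/null in the changed `test -n "$unmount" && ... sudo umount $mounted 2>> /dev/null >> /dev/null && echo " > unmounted";` line hides why a partition stayed mounted, and since the chain only drops the ` > unmounted` message on failure the loop moves on as if it had succeeded; the later hunks then run fdisk and dd against `$DEV`, which presumably still holds that partition. I would keep stderr and make the failure fatal: `sudo umount "$mounted" || { echo "<<< error: umount $mounted failed" >&2; exit 1; }`. `$mounted` and `$unmount` should be quoted in any case. step1's body starts outside the hunk.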
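Review bot: `echo -e "g\nw" | sudo fdisk $DEV 2>> /dev/null >> /dev/null;` rewrites the partition table of `$DEV` with every byte of fdisk's output discarded and its exit status never examined, so a wrong device name, a busy disk or a refused write goes unnoticed and the script prints `<<< done` and continues into the dd step. Check the pipeline's status (which is fdisk's, the last stage) and use the conventional redirection form: `echo -e "g\nw" | sudo fdisk "$DEV" >/dev/null 2>&1 || { echo "<<< error: fdisk $DEV failed" >&2; exit 1; }`. The `2>> /dev/null` append form works but reads as if a log file were intended. step2's body starts outside the hunk.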
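Review bot: `sudo dd if=./original.img of=$DEV bs=4M || $( echo "<<< error: dd command failed" && exit );` does not stop the script when dd fails: the `$( … )` runs in a subshell, so `exit` only leaves that subshell, and the echoed text is then word-split and executed as a command named `<<<`, which fails with "command not found" while the script prints `<<< done` and presumably goes on to mount and edit whatever `${DEV}2` holds. A brace group runs in the current shell and gives the intended abort: `sudo dd if=./original.img of="$DEV" bs=4M || { echo "<<< error: dd command failed" >&2; exit 1; }`. The removed `|| echo … && exit` form exited even when dd succeeded, which is likely what this change set out to fix; the brace group fixes both problems. step3's body starts outside the hunk.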
@@ -96,7 +97,7 @@ step4(){ echo "\n>>> [4] Mounting partition ${DEV}2"; # [1] Mount device partition - sudo mount ${DEV}2 /mnt || echo "<<< error: can't mount" && exit; + sudo mount ${DEV}2 /mnt || $( echo "<<< error: can't mount" && exit ); echo "<<< done"; @@ -124,12 +125,14 @@ step5(){ echo " (.) Removing pi's login password"; # create temp file without pi's password - sudo cat /mnt/etc/shadow | sed 's/pi:[^:]\+:/pi:*:/' | sudo tee /mnt/etc/shadow.tmp > /dev/null; + #sudo cat /mnt/etc/shadow | sed 's/pi:[^:]\+:/pi:*:/' | sudo tee /mnt/etc/shadow.tmp > /dev/null; # write original files - sudo cat /mnt/etc/shadow.tmp | sudo tee /mnt/etc/shadow > /dev/null; - sudo cat /mnt/etc/shadow.tmp | sudo tee /mnt/etc/shadow- > /dev/null; + #sudo cat /mnt/etc/shadow.tmp | sudo tee /mnt/etc/shadow > /dev/null; + #sudo cat /mnt/etc/shadow.tmp | sudo tee /mnt/etc/shadow- > /dev/null; # remove temporary file - sudo rm /mnt/etc/shadow.tmp; + #sudo rm /mnt/etc/shadow.tmp; + + echo "<<< done"; step6; } @@ -152,6 +155,8 @@ step6(){ echo "sats-user:x:666:sats-user" | sudo tee -a /mnt/etc/group > /dev/null; echo "sats-user:x:666:sats-user" | sudo tee -a /mnt/etc/group- > /dev/null; + echo "<<< done": + step7; } @@ -165,11 +170,11 @@ step7(){ # (1) Create ssh key pair # echo " (.) Create ssh key [ecdsa:521]"; - ssh-keygen -t ecdsa -b 521 -C "[ECDSA:521] SATS" -f ./id_ecdsa; + echo -e "\n\n" | ssh-keygen -t ecdsa -b 521 -C "[ECDSA:521] SATS" -f tmp/id_ecdsa; # (2) Add public key to server's `authorized_keys` file # echo " (.) Add public key to server's list"; - cat ./id_ecdsa.pub >> ./authorized_keys; + cat tmp/id_ecdsa.pub >> server/authorized_keys; # (3) Create ssh file system # echo " (.) init ssh folder (/home/sats-user/.ssh)"; 
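Review bot: `sudo mount ${DEV}2 /mnt || $( echo "<<< error: can't mount" && exit );` has the same flaw as the dd line: `exit` inside `$( … )` exits only the subshell, the substituted text is run as a bogus command, and the script continues. After a failed mount every later `sudo tee … /mnt/etc/group`, `sudo tee /mnt/home/sats-user/.ssh/authorized_keys` and `sudo chown -R 666:666 /mnt/home/sats-user/.ssh/` in this patch operates on the host's own /mnt tree rather than the image. Replace it with `sudo mount "${DEV}2" /mnt || { echo "<<< error: can't mount ${DEV}2" >&2; exit 1; }`. step4's body starts outside the hunk.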
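Review bot: Commenting out the four `/mnt/etc/shadow` lines removes the step that replaced pi's password hash with `*`, yet the step still prints ` (.) Removing pi's login password` and now also `<<< done`, so the operator is told the password was removed while the image ships with whatever `pi` hash the base image carries. If that base image still has a known default password for `pi`, every cloned device stays reachable with it regardless of the key-only `sats-user` being set up in step7. Either restore the lock or drop the misleading echos and record the decision in place of the dead code: `# NOTE: pi password lock intentionally disabled (<reason>) — re-enable before shipping images`. step5's body starts outside the hunk.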
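Review bot: The added `echo "<<< done":` ends with a colon instead of a semicolon, so it prints `<<< done:` and only parses because the newline terminates the command; write `echo "<<< done";` as in the other steps. The surrounding `sudo tee -a /mnt/etc/group` lines are unchanged context and append a fixed GID 666 without checking whether the image already has a group with that id — a `grep -q ':666:' /mnt/etc/group && { echo "<<< error: gid 666 already in use" >&2; exit 1; }` guard would be cheap, but that is outside this change. step6's body starts outside the hunk.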
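Review bot: `echo -e "\n\n" | ssh-keygen -t ecdsa -b 521 -C "[ECDSA:521] SATS" -f tmp/id_ecdsa;` uses stdin to supply an empty passphrase, but ssh-keygen normally reads the passphrase from the controlling terminal, so run interactively it still prompts; what the piped newlines do answer is the `Overwrite (y/n)?` prompt when `tmp/id_ecdsa` already exists, and a non-`y` answer makes ssh-keygen exit without writing, after which the new `cat tmp/id_ecdsa.pub >> server/authorized_keys` appends the stale key from the previous run. Pass the passphrase explicitly and check the status: `rm -f tmp/id_ecdsa tmp/id_ecdsa.pub; ssh-keygen -q -t ecdsa -b 521 -N "" -C "[ECDSA:521] SATS" -f tmp/id_ecdsa || { echo "<<< error: ssh-keygen failed" >&2; exit 1; }`. Nothing in this hunk creates `tmp/` or `server/`; if they are not created earlier in the script, a `mkdir -p tmp server` is needed before these lines. step7's body starts before and continues after the hunk.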
@@ -178,13 +183,21 @@ step7(){ # (4) Add both keys to sats-user files # echo " (.) add keys to ssh folder"; - sudo mv ./id_ecdsa /mnt/home/sats-user/.ssh/id_ecdsa; - sudo mv ./id_ecdsa.pub /mnt/home/sats-user/.ssh/id_ecdsa.pub; + sudo mv tmp/id_ecdsa /mnt/home/sats-user/.ssh/id_ecdsa; + sudo mv tmp/id_ecdsa.pub /mnt/home/sats-user/.ssh/id_ecdsa.pub; - # (5) Set up permissions # + + # (5) Add maintenance keys # + echo " (.) Add maintenance keys'"; + cat server/maintenance/*.pub | sudo tee /mnt/home/sats-user/.ssh/authorized_keys; + + # (6) Set up permissions # echo " (.) Set up permissions"; sudo chown -R 666:666 /mnt/home/sats-user/.ssh/; - sudo chmod 400 /mnt/home/sats-user/.ssh/id_ecdsa*; + sudo chmod 400 /mnt/home/sats-user/.ssh/*; + + + echo "<<< done"; step8; } @@ -199,9 +212,11 @@ step8(){ # (1) Copy default login systemd script # echo " (.) Copy default getty systemd script"; sudo cp /mnt/lib/systemd/system/getty@.service /mnt/etc/systemd/system/autologin@.service; + sudo chmod 755 /mnt/etc/systemd/system/autologin@.service; # (2) Create link in order to be handled # echo " (.) Create script link to be handled"; + test -e /mnt/etc/systemd/system/getty.target.wants/getty@tty1.service && sudo rm /mnt/etc/systemd/system/getty.target.wants/getty@tty1.service; sudo ln -s /mnt/etc/systemd/system/autologin@.service /mnt/etc/systemd/system/getty.target.wants/getty@tty1.service; # (3) Update autologin script # 
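Review bot: `cat server/maintenance/*.pub | sudo tee /mnt/home/sats-user/.ssh/authorized_keys;` is unchecked: with an empty or missing `server/maintenance/` the glob stays literal, cat fails, tee still writes an empty `authorized_keys`, and the device leaves the line with no maintenance access while the script reports `<<< done`. Guard it before writing: `ls server/maintenance/*.pub >/dev/null 2>&1 || { echo "<<< error: no maintenance keys in server/maintenance/" >&2; exit 1; }`. The broadened `chmod 400 /mnt/home/sats-user/.ssh/*` is acceptable for sshd, which only requires that `authorized_keys` not be writable by others, but the `.ssh` directory itself gets no mode here and sshd's StrictModes also rejects a group- or world-writable directory, so add `sudo chmod 700 /mnt/home/sats-user/.ssh` unless the mkdir earlier in step7 already sets it. The echo text `Add maintenance keys'` has a stray quote, and step7's body starts before the hunk.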
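Review bot: The new `test -e /mnt/etc/systemd/system/getty.target.wants/getty@tty1.service && sudo rm …` guard uses `-e`, which follows the symlink and is false for a dangling one, so such a link is left in place and the following `sudo ln -s` fails with "File exists"; that is precisely what a previous run of this script leaves behind, because the unchanged `ln -s` line points the link at `/mnt/etc/systemd/system/autologin@.service`, a path that resolves only while the image is mounted here and is dangling on the booted device, where the unit will not be found at all. Replace the test/rm pair and the ln with one idempotent, image-relative link: `sudo ln -sfn ../autologin@.service /mnt/etc/systemd/system/getty.target.wants/getty@tty1.service`. The added `sudo chmod 755` on the copied unit file is unnecessary — unit files are data and 644 is the convention — and step8's body continues outside the hunk.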
@@ -210,15 +225,14 @@ step8(){ sed 's/^ExecStart=-\/sbin\/agetty --noclear/ExecStart=-\/sbin\/agetty --autologin sats-user/' | \ sed 's/^Restart=.\+$/Restart=no/' | \ sed 's/^Restart=.\+$/Restart=no/' | \ - tee ./autologin.tmp > /dev/null; - - # Add 'Alias` instruction # - echo "Alias=getty.target.wants/getty@tty1.service" > ./autologin.tmp; + sed 's/^[Service]$/bla/' | \ + sed 's/^\[Service\]$/\[Service\]\nAlias=getty.target.wants\/getty@tty1.service/' | \ + tee tmp/autologin > /dev/null; # (4) Updating file from tmp update # echo " (.) Copying temporary update to real file"; - cat ./autologin.tmp | sudo tee /mnt/etc/systemd/system/autologin@.service > /dev/null; - rm ./autologin.tmp; + cat tmp/autologin | sudo tee /mnt/etc/systemd/system/autologin@.service > /dev/null; + rm tmp/autologin; echo "<<< done";