logauth
/
setup
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

managing ssh-keys and maintenance keys

This commit is contained in:
xdrm-brackets 2017-01-21 16:21:57 +01:00
parent 57442f6464
commit 103f367059
3 changed files with 38 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.gitignore vendored
View File

@ -1 +1,4 @@
*.img
*.zip
clone/server/**

1
clone/authorized_keys
View File

@ -1 +0,0 @@
ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAF91ZI1TROEV5nYmqPv0qW6b4U7BrSD6fK91XxPE2r+Okf756gGJQfg3iRKtyI5noWVU4e7ib3vsOTMSvMDafSDCgFULLasr5OApCrv6/cI/SV5MIerPkZO9eMMD/cZxTuT9aTpsSOtCiv0ewkLkbWHFHvIM0q6uaPQpAYVmpV6wUzoZg== [ECDSA:521] SATS

56
clone/clone
View File

@ -34,7 +34,7 @@ step1(){
read -p " (!) umount $mounted (y/n) [n]" unmount;
test -n "$unmount" && test $unmount = "y" && sudo umount $mounted && echo "> unmounted";
test -n "$unmount" && test $unmount = "y" && sudo umount $mounted 2>> /dev/null >> /dev/null && echo " > unmounted";
done;
echo "<<< done";
@ -57,7 +57,9 @@ step2(){
# (2) Init gpt entry #
# echo " ))) replace by real code (((";
echo -e "g\nw" | sudo fdisk $DEV;
echo -e "g\nw" | sudo fdisk $DEV 2>> /dev/null >> /dev/null;
echo "<<< done";
step3;
}
@ -77,8 +79,7 @@ step3(){
test $confirm_burn != "y" && echo "<<< aborting" && exit;
# (2) Burning image into disk #
sudo dd if=./original.img of=$DEV bs=4M \
|| echo "<<< ERROR: dd command failed" && exit;
sudo dd if=./original.img of=$DEV bs=4M || $( echo "<<< error: dd command failed" && exit );
echo "<<< done";
@ -96,7 +97,7 @@ step4(){
echo "\n>>> [4] Mounting partition ${DEV}2";
# [1] Mount device partition
sudo mount ${DEV}2 /mnt || echo "<<< error: can't mount" && exit;
sudo mount ${DEV}2 /mnt || $( echo "<<< error: can't mount" && exit );
echo "<<< done";
@ -124,12 +125,14 @@ step5(){
echo " (.) Removing pi's login password";
# create temp file without pi's password
sudo cat /mnt/etc/shadow | sed 's/pi:[^:]\+:/pi:*:/' | sudo tee /mnt/etc/shadow.tmp > /dev/null;
#sudo cat /mnt/etc/shadow | sed 's/pi:[^:]\+:/pi:*:/' | sudo tee /mnt/etc/shadow.tmp > /dev/null;
# write original files
sudo cat /mnt/etc/shadow.tmp | sudo tee /mnt/etc/shadow > /dev/null;
sudo cat /mnt/etc/shadow.tmp | sudo tee /mnt/etc/shadow- > /dev/null;
#sudo cat /mnt/etc/shadow.tmp | sudo tee /mnt/etc/shadow > /dev/null;
#sudo cat /mnt/etc/shadow.tmp | sudo tee /mnt/etc/shadow- > /dev/null;
# remove temporary file
sudo rm /mnt/etc/shadow.tmp;
#sudo rm /mnt/etc/shadow.tmp;
echo "<<< done";
step6;
}
@ -152,6 +155,8 @@ step6(){
echo "sats-user:x:666:sats-user" | sudo tee -a /mnt/etc/group > /dev/null;
echo "sats-user:x:666:sats-user" | sudo tee -a /mnt/etc/group- > /dev/null;
echo "<<< done":
step7;
}
@ -165,11 +170,11 @@ step7(){
# (1) Create ssh key pair #
echo " (.) Create ssh key [ecdsa:521]";
ssh-keygen -t ecdsa -b 521 -C "[ECDSA:521] SATS" -f ./id_ecdsa;
echo -e "\n\n" | ssh-keygen -t ecdsa -b 521 -C "[ECDSA:521] SATS" -f tmp/id_ecdsa;
# (2) Add public key to server's `authorized_keys` file #
echo " (.) Add public key to server's list";
cat ./id_ecdsa.pub >> ./authorized_keys;
cat tmp/id_ecdsa.pub >> server/authorized_keys;
# (3) Create ssh file system #
echo " (.) init ssh folder (/home/sats-user/.ssh)";
@ -178,13 +183,21 @@ step7(){
# (4) Add both keys to sats-user files #
echo " (.) add keys to ssh folder";
sudo mv ./id_ecdsa /mnt/home/sats-user/.ssh/id_ecdsa;
sudo mv ./id_ecdsa.pub /mnt/home/sats-user/.ssh/id_ecdsa.pub;
sudo mv tmp/id_ecdsa /mnt/home/sats-user/.ssh/id_ecdsa;
sudo mv tmp/id_ecdsa.pub /mnt/home/sats-user/.ssh/id_ecdsa.pub;
# (5) Set up permissions #
# (5) Add maintenance keys #
echo " (.) Add maintenance keys'";
cat server/maintenance/*.pub | sudo tee /mnt/home/sats-user/.ssh/authorized_keys;
# (6) Set up permissions #
echo " (.) Set up permissions";
sudo chown -R 666:666 /mnt/home/sats-user/.ssh/;
sudo chmod 400 /mnt/home/sats-user/.ssh/id_ecdsa*;
sudo chmod 400 /mnt/home/sats-user/.ssh/*;
echo "<<< done";
step8;
}
@ -199,9 +212,11 @@ step8(){
# (1) Copy default login systemd script #
echo " (.) Copy default getty systemd script";
sudo cp /mnt/lib/systemd/system/getty@.service /mnt/etc/systemd/system/autologin@.service;
sudo chmod 755 /mnt/etc/systemd/system/autologin@.service;
# (2) Create link in order to be handled #
echo " (.) Create script link to be handled";
test -e /mnt/etc/systemd/system/getty.target.wants/getty@tty1.service && sudo rm /mnt/etc/systemd/system/getty.target.wants/getty@tty1.service;
sudo ln -s /mnt/etc/systemd/system/autologin@.service /mnt/etc/systemd/system/getty.target.wants/getty@tty1.service;
# (3) Update autologin script #
@ -210,15 +225,14 @@ step8(){
sed 's/^ExecStart=-\/sbin\/agetty --noclear/ExecStart=-\/sbin\/agetty --autologin sats-user/' | \
sed 's/^Restart=.\+$/Restart=no/' | \
sed 's/^Restart=.\+$/Restart=no/' | \
tee ./autologin.tmp > /dev/null;
# Add 'Alias` instruction #
echo "Alias=getty.target.wants/getty@tty1.service" > ./autologin.tmp;
sed 's/^[Service]$/bla/' | \
sed 's/^\[Service\]$/\[Service\]\nAlias=getty.target.wants\/getty@tty1.service/' | \
tee tmp/autologin > /dev/null;
# (4) Updating file from tmp update #
echo " (.) Copying temporary update to real file";
cat ./autologin.tmp | sudo tee /mnt/etc/systemd/system/autologin@.service > /dev/null;
rm ./autologin.tmp;
cat tmp/autologin | sudo tee /mnt/etc/systemd/system/autologin@.service > /dev/null;
rm tmp/autologin;
echo "<<< done";