#!/bin/sh set -e . /usr/share/debconf/confmodule || true in-target modprobe 9pnet_virtio || true in-target modprobe 9p || true virtfs="$(mktemp -d)" mount -t 9p -o trans=virtio,version=9p2000.L virtfs "$virtfs" || true trap 'umount "$virtfs"; rmdir "$virtfs"' EXIT TERM INT ####################################################################### # Configuration SSHd if [ -d /target/etc/ssh ]; then in-target find /etc/ssh -maxdepth 1 -type f -a \ \( -name "ssh_host_*_key" -o -name "ssh_host_*_key.pub" \) \ -delete in-target ssh-keygen -b 4096 -t rsa -N '' -C /etc/ssh/ssh_host_rsa_key -f /etc/ssh/ssh_host_rsa_key in-target ssh-keygen -t ed25519 -N '' -C /etc/ssh/ssh_host_ed25519_key -f /etc/ssh/ssh_host_ed25519_key for pk in $(find /target/etc/ssh -maxdepth 1 -type f -name "ssh_host_*_key.pub"); do cp -f "$pk" "$virtfs" done cat >/target/etc/ssh/sshd_config <<- EOF # What ports, IPs and protocols we listen for Port 22 # Use these options to restrict which interfaces/protocols sshd will # bind to #ListenAddress :: #ListenAddress 0.0.0.0 Protocol 2 # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_ed25519_key #Privilege Separation is turned on for security UsePrivilegeSeparation yes # Logging SyslogFacility AUTH LogLevel INFO # Authentication: LoginGraceTime 120 PermitRootLogin without-password StrictModes yes PubkeyAuthentication yes #AuthorizedKeysFile %h/.ssh/authorized_keys # Change to yes to enable challenge-response passwords (beware issues # with # some PAM modules and threads) ChallengeResponseAuthentication no # Change to no to disable tunnelled clear text passwords PasswordAuthentication no X11Forwarding no PrintMotd no PrintLastLog yes TCPKeepAlive yes # Allow client to pass locale environment variables AcceptEnv LANG LC_* Subsystem sftp /usr/lib/openssh/sftp-server EOF if [ -f "/cdrom/authorized_keys" ]; then authorized_keys="$(mktemp -p "/target/tmp")" cat /cdrom/authorized_keys >"$authorized_keys" authorized_keys="${authorized_keys#/target}" if db_get passwd/username && [ "$RET" ]; then username="$RET" else username="root" fi in-target sh -c " install -m0700 -o $username -g $username --directory ~$username/.ssh install -m0600 -o $username -g $username $authorized_keys ~$username/.ssh/authorized_keys " fi fi ####################################################################### # Configure salt-minion if [ -d /target/etc/salt ]; then in-target sh -c ' HOME="$(echo ~root)" pkidir="/etc/salt/pki/minion" mkdir -p -m0700 "$pkidir" install -m0400 /dev/null "$pkidir/minion.pem" openssl genrsa -rand /dev/urandom -f4 4096 >"$pkidir/minion.pem" install -m0644 /dev/null "$pkidir/minion.pub" openssl pkey -pubout <"$pkidir/minion.pem" >"$pkidir/minion.pub" mkdir -p /etc/salt/minion.d install -m0644 /dev/null /etc/salt/minion.d/9999user.conf ' if db_get tdf-postinst/salt_master && [ "$RET" ]; then echo "master: $RET" >>/target/etc/salt/minion.d/9999user.conf fi if db_get tdf-postinst/salt_master_fingerprint && [ "$RET" ]; then echo "master_finger: '$RET'" >>/target/etc/salt/minion.d/9999user.conf fi echo "id: $(hostname).documentfoundation.org" >>/target/etc/salt/minion.d/9999user.conf cp /target/etc/salt/pki/minion/minion.pub "$virtfs" fi