blob: dad9219489ce3a9f995e5d5fdced886d5b9688bc (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
|
#!/bin/sh
set -e
. /usr/share/debconf/confmodule || true
in-target modprobe 9pnet_virtio || true
in-target modprobe 9p || true
virtfs="$(mktemp -d)"
mount -t 9p -o trans=virtio,version=9p2000.L virtfs "$virtfs" || true
trap 'umount "$virtfs"; rmdir "$virtfs"' EXIT TERM INT
#######################################################################
# Configuration SSHd
if [ -d /target/etc/ssh ]; then
in-target find /etc/ssh -maxdepth 1 -type f -a \
\( -name "ssh_host_*_key" -o -name "ssh_host_*_key.pub" \) \
-delete
in-target ssh-keygen -b 4096 -t rsa -N '' -C /etc/ssh/ssh_host_rsa_key -f /etc/ssh/ssh_host_rsa_key
in-target ssh-keygen -t ed25519 -N '' -C /etc/ssh/ssh_host_ed25519_key -f /etc/ssh/ssh_host_ed25519_key
for pk in $(find /target/etc/ssh -maxdepth 1 -type f -name "ssh_host_*_key.pub"); do
cp -f "$pk" "$virtfs"
done
cat >/target/etc/ssh/sshd_config <<- EOF
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will
# bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Change to yes to enable challenge-response passwords (beware issues
# with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
X11Forwarding no
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
if [ -f "/cdrom/authorized_keys" ]; then
authorized_keys="$(mktemp -p "/target/tmp")"
cat /cdrom/authorized_keys >"$authorized_keys"
authorized_keys="${authorized_keys#/target}"
if db_get passwd/username && [ "$RET" ]; then
username="$RET"
else
username="root"
fi
in-target sh -c "
install -m0700 -o $username -g $username --directory ~$username/.ssh
install -m0600 -o $username -g $username $authorized_keys ~$username/.ssh/authorized_keys
"
fi
fi
#######################################################################
# Configure salt-minion
if [ -d /target/etc/salt ]; then
in-target sh -c '
pkidir="/etc/salt/pki/minion"
mkdir -p -m0700 "$pkidir"
install -m0400 /dev/null "$pkidir/minion.pem"
openssl genrsa -rand /dev/urandom -f4 4096 >"$pkidir/minion.pem"
install -m0644 /dev/null "$pkidir/minion.pub"
openssl pkey -pubout <"$pkidir/minion.pem" >"$pkidir/minion.pub"
mkdir -p /etc/salt/minion.d
install -m0644 /dev/null /etc/salt/minion.d/9999user.conf
'
if db_get tdf-postinst/salt_master && [ "$RET" ]; then
echo "master: $RET" >>/target/etc/salt/minion.d/9999user.conf
fi
if db_get tdf-postinst/salt_master_fingerprint && [ "$RET" ]; then
echo "master_finger: '$RET'" >>/target/etc/salt/minion.d/9999user.conf
fi
echo "id: $(hostname).documentfoundation.org" >>/target/etc/salt/minion.d/9999user.conf
cp /target/etc/salt/pki/minion/minion.pub "$virtfs"
fi
|