Enable adding SSH pubkey and setting pubkey only

This commit adds the ability to specify an SSH public key, as well as the
option to disable password authentication and allow only public key
authentication for SSH.

Signed-off-by: Daniel F. Dickinson <cshored@thecshore.com>
This commit is contained in:
Daniel F. Dickinson 2020-01-17 22:45:03 -05:00
parent f8f3d6fe93
commit bfbd76f612
3 changed files with 32 additions and 0 deletions


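--- a/PATH_NOT_SHOWN_1
+++ b/PATH_NOT_SHOWN_1
@@ -125,6 +125,18 @@ The following environment variables are supported:
 Setting to `1` will enable ssh server for remote log in. Note that if you are using a common password such as the defaults there is a high risk of attackers taking over you Raspberry Pi.
+* `PUBKEY_SSH_FIRST_USER` (Default: unset)
+Setting this to a value will make that value the contents of the FIRST_USER_NAME's ~/.ssh/authorized_keys. Obviously the value should
+therefore be a valid authorized_keys file. Note that this does not
+automatically enable SSH.
+* `PUBKEY_ONLY_SSH` (Default: `0`)
+* Setting to `1` will disable password authentication for SSH and enable
+public key authentication. Note that if SSH is not enabled this will take
+effect when SSH becomes enabled.
 * `STAGE_LIST` (Default: `stage*`)
 If set, then instead of working through the numeric stages in order, this list will be followed. For example setting to `"stage0 stage1 mystage stage2"` will run the contents of `mystage` before stage2. Note that quotes are needed around the list. An absolute or relative path can be given for stages outside the pi-gen directory.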


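--- a/PATH_NOT_SHOWN_2
+++ b/PATH_NOT_SHOWN_2
@@ -170,6 +170,7 @@ export WPA_ESSID
 export WPA_PASSWORD
 export WPA_COUNTRY
 export ENABLE_SSH="${ENABLE_SSH:-0}"
+export PUBKEY_ONLY_SSH="${PUBKEY_ONLY_SSH:-0}"
 export LOCALE_DEFAULT="${LOCALE_DEFAULT:-en_GB.UTF-8}"
@@ -180,6 +181,8 @@ export TIMEZONE_DEFAULT="${TIMEZONE_DEFAULT:-Europe/London}"
 export GIT_HASH=${GIT_HASH:-"$(git rev-parse HEAD)"}
+export PUBKEY_SSH_FIRST_USER
 export CLEAN
 export IMG_NAME
 export APT_PROXY
@@ -225,6 +228,11 @@ if [[ -n "${WPA_PASSWORD}" && ${#WPA_PASSWORD} -lt 8 || ${#WPA_PASSWORD} -gt 63
 exit 1
 fi
+if [[ "${PUBKEY_ONLY_SSH}" = "1" && -z "${PUBKEY_SSH_FIRST_USER}" ]]; then
+echo "Must set 'PUBKEY_SSH_FIRST_USER' to a valid SSH public key if using PUBKEY_ONLY_SSH"
+exit 1
+fi
 mkdir -p "${WORK_DIR}"
 log "Begin ${BASE_DIR}"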
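Review bot: The new check in the third hunk only rejects an empty PUBKEY_SSH_FIRST_USER, so a value that is not an authorized_keys entry (a path to a .pub file instead of its contents is a likely mistake) passes and, combined with PUBKEY_ONLY_SSH=1, yields an image nobody can log into. A cheap sanity check in the same block, e.g. `if [[ -n "${PUBKEY_SSH_FIRST_USER}" ]] && ! grep -Eq '^(ssh-|ecdsa-|sk-)' <<<"${PUBKEY_SSH_FIRST_USER}"; then` followed by the same message and `exit 1`, catches that class of error before the build starts; entries carrying an options prefix would need a looser pattern, and `ssh-keygen -l` on the value is stricter if the build host has it. The error message goes to stdout like the WPA_PASSWORD one above it; adding `>&2` to the echo keeps it visible when stdout is redirected to a log.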


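--- a/PATH_NOT_SHOWN_3
+++ b/PATH_NOT_SHOWN_3
@@ -11,6 +11,18 @@ install -m 644 files/console-setup "${ROOTFS_DIR}/etc/default/"
 install -m 755 files/rc.local "${ROOTFS_DIR}/etc/"
+if [ -n "${PUBKEY_SSH_FIRST_USER}" ]; then
+install -v -m 0700 -o 1000 -g 1000 -d "${ROOTFS_DIR}"/home/"${FIRST_USER_NAME}"/.ssh
+echo "${PUBKEY_SSH_FIRST_USER}" >"${ROOTFS_DIR}"/home/"${FIRST_USER_NAME}"/.ssh/authorized_keys
+chown 1000:1000 "${ROOTFS_DIR}"/home/"${FIRST_USER_NAME}"/.ssh/authorized_keys
+chmod 0600 "${ROOTFS_DIR}"/home/"${FIRST_USER_NAME}"/.ssh/authorized_keys
+fi
+if [ "${PUBKEY_ONLY_SSH}" = "1" ]; then
+sed -i -Ee 's/^#?[[:blank:]]*PubkeyAuthentication[[:blank:]]*no[[:blank:]]*$/PubkeyAuthentication yes/
+s/^#?[[:blank:]]*PasswordAuthentication[[:blank:]]*yes[[:blank:]]*$/PasswordAuthentication no/' "${ROOTFS_DIR}"/etc/ssh/sshd_config
+fi
 on_chroot << EOF
 systemctl disable hwclock.sh
 systemctl disable nfs-common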
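Review bot: The PUBKEY_ONLY_SSH branch never verifies that the sed substitution matched, so an sshd_config whose PasswordAuthentication line is laid out differently from the pattern leaves password logins enabled while the build still succeeds; a `grep -Eq '^PasswordAuthentication[[:blank:]]+no' … || exit 1` after the sed makes this fail closed. The rewrite also leaves ChallengeResponseAuthentication untouched, and with UsePAM a `yes` there would still accept passwords through keyboard-interactive, so the same substitution should cover that directive (Debian's stock file presumably already says no, but the image should not depend on that). In the authorized_keys block, `echo "${PUBKEY_SSH_FIRST_USER}"` is safer as `printf '%s\n' "${PUBKEY_SSH_FIRST_USER}"`, and the file briefly exists with umask permissions before the chmod; running the write under `umask 077` closes that gap. The hard-coded `1000:1000` presumably mirrors the uid/gid given to FIRST_USER_NAME elsewhere in the stage; a one-line comment stating that assumption would help the next person who changes the user setup.
```shell
if [ "${PUBKEY_ONLY_SSH}" = "1" ]; then
	sed -i -Ee 's/^#?[[:blank:]]*PubkeyAuthentication[[:blank:]]*no[[:blank:]]*$/PubkeyAuthentication yes/
	s/^#?[[:blank:]]*PasswordAuthentication[[:blank:]]*yes[[:blank:]]*$/PasswordAuthentication no/
	s/^#?[[:blank:]]*ChallengeResponseAuthentication[[:blank:]]*yes[[:blank:]]*$/ChallengeResponseAuthentication no/' "${ROOTFS_DIR}"/etc/ssh/sshd_config
	# Fail the build rather than ship an image that still accepts passwords:
	# a config layout the patterns above do not match would otherwise go unnoticed.
	grep -Eq '^PasswordAuthentication[[:blank:]]+no[[:blank:]]*$' "${ROOTFS_DIR}"/etc/ssh/sshd_config || exit 1
fi
```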