Enable adding SSH pubkey and setting pubkey only
This commit adds the ability to specify an SSH public key as well as the option to disable password authentication and only allow public key authentication for SSH. Signed-off-by: Daniel F. Dickinson <cshored@thecshore.com>
parent
f8f3d6fe93
commit
bfbd76f612
12
README.md
12
README.md
|
@ -125,6 +125,18 @@ The following environment variables are supported:
|
||||||
|
|
||||||
Setting to `1` will enable ssh server for remote log in. Note that if you are using a common password such as the defaults there is a high risk of attackers taking over you Raspberry Pi.
|
Setting to `1` will enable ssh server for remote log in. Note that if you are using a common password such as the defaults there is a high risk of attackers taking over you Raspberry Pi.
|
||||||
|
|
||||||
|
* `PUBKEY_SSH_FIRST_USER` (Default: unset)
|
||||||
|
|
||||||
|
Setting this to a value will make that value the contents of the FIRST_USER_NAME's ~/.ssh/authorized_keys. Obviously the value should
|
||||||
|
therefore be a valid authorized_keys file. Note that this does not
|
||||||
|
automatically enable SSH.
|
||||||
|
|
||||||
|
* `PUBKEY_ONLY_SSH` (Default: `0`)
|
||||||
|
|
||||||
|
* Setting to `1` will disable password authentication for SSH and enable
|
||||||
|
public key authentication. Note that if SSH is not enabled this will take
|
||||||
|
effect when SSH becomes enabled.
|
||||||
|
|
||||||
* `STAGE_LIST` (Default: `stage*`)
|
* `STAGE_LIST` (Default: `stage*`)
|
||||||
|
|
||||||
If set, then instead of working through the numeric stages in order, this list will be followed. For example setting to `"stage0 stage1 mystage stage2"` will run the contents of `mystage` before stage2. Note that quotes are needed around the list. An absolute or relative path can be given for stages outside the pi-gen directory.
|
If set, then instead of working through the numeric stages in order, this list will be followed. For example setting to `"stage0 stage1 mystage stage2"` will run the contents of `mystage` before stage2. Note that quotes are needed around the list. An absolute or relative path can be given for stages outside the pi-gen directory.
|
||||||
|
|
8
build.sh
8
build.sh
|
@ -170,6 +170,7 @@ export WPA_ESSID
|
||||||
export WPA_PASSWORD
|
export WPA_PASSWORD
|
||||||
export WPA_COUNTRY
|
export WPA_COUNTRY
|
||||||
export ENABLE_SSH="${ENABLE_SSH:-0}"
|
export ENABLE_SSH="${ENABLE_SSH:-0}"
|
||||||
|
export PUBKEY_ONLY_SSH="${PUBKEY_ONLY_SSH:-0}"
|
||||||
|
|
||||||
export LOCALE_DEFAULT="${LOCALE_DEFAULT:-en_GB.UTF-8}"
|
export LOCALE_DEFAULT="${LOCALE_DEFAULT:-en_GB.UTF-8}"
|
||||||
|
|
||||||
|
@ -180,6 +181,8 @@ export TIMEZONE_DEFAULT="${TIMEZONE_DEFAULT:-Europe/London}"
|
||||||
|
|
||||||
export GIT_HASH=${GIT_HASH:-"$(git rev-parse HEAD)"}
|
export GIT_HASH=${GIT_HASH:-"$(git rev-parse HEAD)"}
|
||||||
|
|
||||||
|
export PUBKEY_SSH_FIRST_USER
|
||||||
|
|
||||||
export CLEAN
|
export CLEAN
|
||||||
export IMG_NAME
|
export IMG_NAME
|
||||||
export APT_PROXY
|
export APT_PROXY
|
||||||
|
@ -225,6 +228,11 @@ if [[ -n "${WPA_PASSWORD}" && ${#WPA_PASSWORD} -lt 8 || ${#WPA_PASSWORD} -gt 63
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [[ "${PUBKEY_ONLY_SSH}" = "1" && -z "${PUBKEY_SSH_FIRST_USER}" ]]; then
|
||||||
|
echo "Must set 'PUBKEY_SSH_FIRST_USER' to a valid SSH public key if using PUBKEY_ONLY_SSH"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
mkdir -p "${WORK_DIR}"
|
mkdir -p "${WORK_DIR}"
|
||||||
log "Begin ${BASE_DIR}"
|
log "Begin ${BASE_DIR}"
|
||||||
|
|
||||||
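Review bot: The guard `if [[ "${PUBKEY_ONLY_SSH}" = "1" && -z "${PUBKEY_SSH_FIRST_USER}" ]]; then` in the third hunk only rejects an empty value while its message promises "a valid SSH public key"; a mistyped value passes here, is written verbatim into authorized_keys by a later stage, and with PUBKEY_ONLY_SSH=1 the resulting image has no working SSH login, which is only discovered on first boot. The value is documented as authorized_keys content (which may carry leading options), so a key-type prefix regex would be too strict; parsing it with ssh-keygen, when present on the build host, catches typos before a whole image is built around them, as in the excerpt below. Separately, the second hunk's bare `export PUBKEY_SSH_FIRST_USER` leaves the variable unset when the user supplies nothing; if build.sh runs under `set -u` (not visible in this hunk) the later `-z` test aborts with an unbound-variable error, so `export PUBKEY_SSH_FIRST_USER="${PUBKEY_SSH_FIRST_USER:-}"` is the safer form either way.
```shell
fi
# Reject a malformed key up front; skipped when ssh-keygen is absent on the build host.
if [[ -n "${PUBKEY_SSH_FIRST_USER}" ]] && command -v ssh-keygen >/dev/null \
	&& ! ssh-keygen -l -f <(printf '%s\n' "${PUBKEY_SSH_FIRST_USER}") >/dev/null 2>&1; then
	echo "PUBKEY_SSH_FIRST_USER does not parse as an authorized_keys entry"
	exit 1
fi
```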
|
|
|
@ -11,6 +11,18 @@ install -m 644 files/console-setup "${ROOTFS_DIR}/etc/default/"
|
||||||
|
|
||||||
install -m 755 files/rc.local "${ROOTFS_DIR}/etc/"
|
install -m 755 files/rc.local "${ROOTFS_DIR}/etc/"
|
||||||
|
|
||||||
|
if [ -n "${PUBKEY_SSH_FIRST_USER}" ]; then
|
||||||
|
install -v -m 0700 -o 1000 -g 1000 -d "${ROOTFS_DIR}"/home/"${FIRST_USER_NAME}"/.ssh
|
||||||
|
echo "${PUBKEY_SSH_FIRST_USER}" >"${ROOTFS_DIR}"/home/"${FIRST_USER_NAME}"/.ssh/authorized_keys
|
||||||
|
chown 1000:1000 "${ROOTFS_DIR}"/home/"${FIRST_USER_NAME}"/.ssh/authorized_keys
|
||||||
|
chmod 0600 "${ROOTFS_DIR}"/home/"${FIRST_USER_NAME}"/.ssh/authorized_keys
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "${PUBKEY_ONLY_SSH}" = "1" ]; then
|
||||||
|
sed -i -Ee 's/^#?[[:blank:]]*PubkeyAuthentication[[:blank:]]*no[[:blank:]]*$/PubkeyAuthentication yes/
|
||||||
|
s/^#?[[:blank:]]*PasswordAuthentication[[:blank:]]*yes[[:blank:]]*$/PasswordAuthentication no/' "${ROOTFS_DIR}"/etc/ssh/sshd_config
|
||||||
|
fi
|
||||||
|
|
||||||
on_chroot << EOF
|
on_chroot << EOF
|
||||||
systemctl disable hwclock.sh
|
systemctl disable hwclock.sh
|
||||||
systemctl disable nfs-common
|
systemctl disable nfs-common
|
||||||
|
|
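Review bot: The two `sed` substitutions in the second added block only rewrite an existing `PubkeyAuthentication no` or `PasswordAuthentication yes` line (commented or not, with nothing else on the line); when the image's sshd_config carries neither keyword, or carries it with a trailing comment, the command silently changes nothing and sshd's built-in default of password authentication enabled stays in force, so PUBKEY_ONLY_SSH=1 does not deliver what the README now promises. A guard after the sed such as `grep -qE '^[[:blank:]]*PasswordAuthentication[[:blank:]]+no' "${ROOTFS_DIR}"/etc/ssh/sshd_config || echo 'PasswordAuthentication no' >> "${ROOTFS_DIR}"/etc/ssh/sshd_config` makes the setting explicit (sshd takes the first value of a keyword, and an appended line must not land inside a `Match` block). Disabling `PasswordAuthentication` alone also still permits PAM keyboard-interactive password logins unless `ChallengeResponseAuthentication` (`KbdInteractiveAuthentication` in newer releases) is `no` in that sshd_config, which this hunk does not check. In the first block, `echo "${PUBKEY_SSH_FIRST_USER}" >…/authorized_keys` should be `printf '%s\n' "${PUBKEY_SSH_FIRST_USER}" >…/authorized_keys` so a value beginning with `-n`/`-e` or containing backslashes is written verbatim regardless of echo's option and escape handling. The file header for this section is not shown on the page, so the enclosing script cannot be named here.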