From 271177a0f781a116ddaeb485ac62d28bc18fe74c Mon Sep 17 00:00:00 2001 From: Sam Tygier Date: Mon, 23 Dec 2019 14:21:08 +0000 Subject: [PATCH 1/5] Use tee with wpa_passphrase so errors are visable wpa_passphrase writes its error messages to stdout, so this needs to tee so that errors are visable to user. Also need to enable pipefail so that the error code still gets caught. --- stage2/02-net-tweaks/01-run.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/stage2/02-net-tweaks/01-run.sh b/stage2/02-net-tweaks/01-run.sh index 154e515..63fbff7 100755 --- a/stage2/02-net-tweaks/01-run.sh +++ b/stage2/02-net-tweaks/01-run.sh @@ -12,7 +12,8 @@ fi if [ -v WPA_ESSID ] && [ -v WPA_PASSWORD ]; then on_chroot <> "/etc/wpa_supplicant/wpa_supplicant.conf" +set -o pipefail +wpa_passphrase "${WPA_ESSID}" "${WPA_PASSWORD}" | tee -a "/etc/wpa_supplicant/wpa_supplicant.conf" EOF elif [ -v WPA_ESSID ]; then cat >> "${ROOTFS_DIR}/etc/wpa_supplicant/wpa_supplicant.conf" << EOL From 024840034e2fab7efe170a303ef726fed1314f82 Mon Sep 17 00:00:00 2001 From: Sam Tygier Date: Mon, 23 Dec 2019 14:29:09 +0000 Subject: [PATCH 2/5] Check WPA_PASSWORD length early WPA_PASSWORD needs to be between 8 adn 63 characters. Check early to avoid hitting error in stage2. --- build.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/build.sh b/build.sh index a396b06..4ef6296 100755 --- a/build.sh +++ b/build.sh @@ -220,6 +220,11 @@ if [[ -n "${APT_PROXY}" ]] && ! curl --silent "${APT_PROXY}" >/dev/null ; then exit 1 fi +if [[ ${#WPA_PASSWORD} -lt 8 || ${#WPA_PASSWORD} -gt 63 ]] ; then + echo "WPA_PASSWORD" must be between 8 and 63 characters + exit 1 +fi + mkdir -p "${WORK_DIR}" log "Begin ${BASE_DIR}" From 9d334bee66a75bd334b8f241f1c31ce6cc0f5f17 Mon Sep 17 00:00:00 2001 
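Review bot: Piping through `tee -a` sends wpa_passphrase's successful output to the build's stdout as well as to the file, and that output carries the passphrase in clear as a `#psk="..."` comment next to the derived PSK, so the Wi-Fi secret ends up in the build log and in any CI system that stores it. Capturing the output in a variable, printing it to stderr only when the command fails, and appending it to the file otherwise keeps errors visible without the leak and makes `set -o pipefail` unnecessary. With `tee`, a failing run also appends the error text to wpa_supplicant.conf before the build stops. The here-document is unquoted, so both values are expanded by the outer shell and parsed again inside the chroot; that predates this patch and deserves a separate fix. The surrounding if/elif block continues outside the hunk.

```shell
on_chroot << EOF
# Capture the output so the passphrase and PSK are never echoed to the build log.
if ! wpa_conf=\$(wpa_passphrase "${WPA_ESSID}" "${WPA_PASSWORD}"); then
  printf '%s\n' "\${wpa_conf}" >&2
  exit 1
fi
printf '%s\n' "\${wpa_conf}" >> "/etc/wpa_supplicant/wpa_supplicant.conf"
EOF
```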
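Review bot: The failure message in the added block is written to stdout and quotes only the variable name, so it is easy to miss in build output; `echo "WPA_PASSWORD must be between 8 and 63 characters" >&2` would send it to stderr as a single string. `${#WPA_PASSWORD}` counts characters in the current locale, while wpa_passphrase presumably checks bytes and printable ASCII, so a passphrase with multibyte characters could pass here and still fail in stage2. A short comment above the check, such as `# wpa_passphrase rejects passphrases outside 8..63 characters; fail before stage2`, would record why build.sh validates this.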
From: Sam Tygier Date: Tue, 7 Jan 2020 21:48:09 +0000 Subject: [PATCH 3/5] WPA_PASSWORD length check should only occur if set Test if WPA_PASSWORD is set before check that it has a valid length. --- build.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.sh b/build.sh index 4ef6296..9e78728 100755 --- a/build.sh +++ b/build.sh @@ -220,7 +220,7 @@ if [[ -n "${APT_PROXY}" ]] && ! curl --silent "${APT_PROXY}" >/dev/null ; then exit 1 fi -if [[ ${#WPA_PASSWORD} -lt 8 || ${#WPA_PASSWORD} -gt 63 ]] ; then +if [[ -n "${WPA_PASSWORD}" && ${#WPA_PASSWORD} -lt 8 || ${#WPA_PASSWORD} -gt 63 ]] ; then echo "WPA_PASSWORD" must be between 8 and 63 characters exit 1 fi From f9375cdcec9421a0b5290a1c34c899d976f60f31 Mon Sep 17 00:00:00 2001 From: Andrew Pattison <58046090+andrum99@users.noreply.github.com> Date: Wed, 8 Jan 2020 11:54:06 +0000 Subject: [PATCH 4/5] README.md - mention WPA_PASSWORD length requirement --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1f8524b..04e1caa 100644 --- a/README.md +++ b/README.md @@ -119,7 +119,7 @@ The following environment variables are supported: * `WPA_ESSID`, `WPA_PASSWORD` and `WPA_COUNTRY` (Default: unset) - If these are set, they are use to configure `wpa_supplicant.conf`, so that the raspberry pi can automatically connect to a wifi network on first boot. If `WPA_ESSID` is set and `WPA_PASSWORD` is unset an unprotected wifi network will be configured. + If these are set, they are use to configure `wpa_supplicant.conf`, so that the raspberry pi can automatically connect to a wifi network on first boot. If `WPA_ESSID` is set and `WPA_PASSWORD` is unset an unprotected wifi network will be configured. If set, `WPA_PASSWORD` must be between 8 and 63 characters. * `ENABLE_SSH` (Default: `0`) From f8f3d6fe93a6709f02f63f3a203a38bcd33a0c0d Mon Sep 17 00:00:00 2001 
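Review bot: The new `-n` test treats a set-but-empty WPA_PASSWORD the same as an unset one, while the stage2 script shown in patch 1/5 branches on `[ -v WPA_PASSWORD ]`. If the variable can reach the build set but empty, it passes this check and still gets to wpa_passphrase with an empty passphrase, which is the late failure the check was meant to prevent. The condition also relies on `&&` binding tighter than `||` inside `[[ ]]`; it evaluates as intended, but explicit grouping makes that visible. Both points are covered by `if [[ -v WPA_PASSWORD ]] && (( ${#WPA_PASSWORD} < 8 || ${#WPA_PASSWORD} > 63 )); then`.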
From: Andrew Pattison <58046090+andrum99@users.noreply.github.com> Date: Wed, 8 Jan 2020 11:55:34 +0000 Subject: [PATCH 5/5] capitalise Raspberry Pi --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 04e1caa..73d4961 100644 --- a/README.md +++ b/README.md @@ -119,11 +119,11 @@ The following environment variables are supported: * `WPA_ESSID`, `WPA_PASSWORD` and `WPA_COUNTRY` (Default: unset) - If these are set, they are use to configure `wpa_supplicant.conf`, so that the raspberry pi can automatically connect to a wifi network on first boot. If `WPA_ESSID` is set and `WPA_PASSWORD` is unset an unprotected wifi network will be configured. If set, `WPA_PASSWORD` must be between 8 and 63 characters. + If these are set, they are use to configure `wpa_supplicant.conf`, so that the Raspberry Pi can automatically connect to a wifi network on first boot. If `WPA_ESSID` is set and `WPA_PASSWORD` is unset an unprotected wifi network will be configured. If set, `WPA_PASSWORD` must be between 8 and 63 characters. * `ENABLE_SSH` (Default: `0`) - Setting to `1` will enable ssh server for remote log in. Note that if you are using a common password such as the defaults there is a high risk of attackers taking over you RaspberryPi. + Setting to `1` will enable ssh server for remote log in. Note that if you are using a common password such as the defaults there is a high risk of attackers taking over you Raspberry Pi. * `STAGE_LIST` (Default: `stage*`)