From 3865f3eeb7510ee90c03f65b1b1ae85d731b4600 Mon Sep 17 00:00:00 2001 From: Michael Prokop Date: Wed, 3 Jun 2020 14:16:08 +0200 Subject: [PATCH] Refactor new --sshcopyid behavior into separate cmdline option --sshcopyauth Related to commit 07e835eac7 and the discussion within https://github.com/grml/grml-debootstrap/pull/153 If execution of --sshcopyid fails, then user might want to be aware of it. So instead of implementing the copying of .ssh/authorized_keys as fallback of --sshcopyid, let's provide it via cmdline option --sshcopyauth. Reviewed-by: Chris Hofstaedtler Reviewed-by: Darshaka Pathirana Closes: https://github.com/grml/grml-debootstrap/pull/153 --- grml-debootstrap | 36 ++++++++++++++++++++++++++++++++++-- grml-debootstrap.8.txt | 7 +++++++ 2 files changed, 41 insertions(+), 2 deletions(-) diff --git a/grml-debootstrap b/grml-debootstrap index 4957e8f..380bcd4 100755 --- a/grml-debootstrap +++ b/grml-debootstrap @@ -155,6 +155,7 @@ Configuration options: --hostname Hostname of Debian system. --nopassword Do not prompt for the root password. --password Use specified password as password for user root. + --sshcopyauth Use ${HOME}/.ssh/authorized_keys to authorise root login on the target system. --sshcopyid Use locally available public keys to authorise root login on the target system. --bootappend Add specified appendline to kernel whilst booting. --chroot-scripts Execute chroot scripts from specified directory. @@ -343,7 +344,7 @@ fi # }}} # cmdline handling {{{ -CMDLINE_OPTS=mirror:,iso:,release:,target:,mntpoint:,debopt:,defaultinterfaces,interactive,nodebootstrap,nointerfaces,nokernel,nopackages,filesystem:,config:,confdir:,packages:,chroot-scripts:,scripts:,post-scripts:,pre-scripts:,debconf:,vm,vmfile,vmsize:,keep_src_list,hostname:,password:,nopassword,grmlrepos,backportrepos,bootappend:,grub:,efi:,arch:,insecure,verbose,help,version,force,debug,contrib,non-free,remove-configs,sshcopyid +CMDLINE_OPTS=mirror:,iso:,release:,target:,mntpoint:,debopt:,defaultinterfaces,interactive,nodebootstrap,nointerfaces,nokernel,nopackages,filesystem:,config:,confdir:,packages:,chroot-scripts:,scripts:,post-scripts:,pre-scripts:,debconf:,vm,vmfile,vmsize:,keep_src_list,hostname:,password:,nopassword,grmlrepos,backportrepos,bootappend:,grub:,efi:,arch:,insecure,verbose,help,version,force,debug,contrib,non-free,remove-configs,sshcopyid,sshcopyauth _opt_temp=$(getopt --name grml-debootstrap -o +m:i:r:t:p:c:d:vhV --long \ $CMDLINE_OPTS -- "$@") @@ -460,6 +461,9 @@ while :; do --sshcopyid) # Use locally available public keys to authorise root login on the target system _opt_sshcopyid=T ;; + --sshcopyauth) # Use .ssh/authorized_keys to authorise root login on the target system + _opt_sshcopyauth=T + ;; --grmlrepos) # Enable Grml repository _opt_grmlrepos=T ;; @@ -561,6 +565,7 @@ done [ "$_opt_nointerfaces" ] && NOINTERFACES="true" [ "$_opt_nokernel" ] && NOKERNEL="true" [ "$_opt_sshcopyid" ] && SSHCOPYID="true" +[ "$_opt_sshcopyauth" ] && SSHCOPYAUTH="true" [ "$_opt_bootappend" ] && BOOT_APPEND=$_opt_bootappend [ "$_opt_grub" ] && GRUB=$_opt_grub [ "$_opt_efi" ] && EFI=$_opt_efi @@ -589,6 +594,12 @@ if [ "$_opt_grub" ] && [ "$_opt_vmfile" ] ; then bailout 1 fi +if [ "${_opt_sshcopyid}" ] && [ "${_opt_sshcopyauth}" ] ; then + eerror "The --sshcopyid option is incompatible with --sshcopyauth, please drop either of them from your command line." + eend 1 + bailout 1 +fi + if [ -n "$ISO" ] && [[ "$DEBOOTSTRAP" =~ mmdebstrap$ ]] ; then eerror "The ISO option is incompatible with usage of mmdebstrap for bootstrapping." eerror "Either drop the --iso ... option or use plain debootstrap instead." @@ -1810,7 +1821,28 @@ iface ${interface} inet dhcp bailout 1 fi else - eerror "Could not open a connection to your authentication agent or the agent has no identites." + eerror "Error: Could not open a connection to your authentication agent or the agent has no identities." + eend 1 + bailout 1 + fi + fi + + if [ -n "${SSHCOPYAUTH}" ] ; then + AUTHORIZED_KEYS_SOURCE=${AUTHORIZED_KEYS_SOURCE:-${HOME}/.ssh/authorized_keys} + + if ! [ -f "${AUTHORIZED_KEYS_SOURCE}" ]; then + eerror "Error: could not read '${AUTHORIZED_KEYS_SOURCE}' for setting up SSH key login." + eend 1 + bailout 1 + fi + + AUTHORIZED_KEYS_TARGET="${MNTPOINT}/root/.ssh/" + einfo "Copying '${AUTHORIZED_KEYS_SOURCE}' to '${AUTHORIZED_KEYS_TARGET}' as requested via --sshcopyauth option." + mkdir -m 0700 -p "${AUTHORIZED_KEYS_TARGET}" + if cp "${AUTHORIZED_KEYS_SOURCE}" "${AUTHORIZED_KEYS_TARGET}" ; then + eend 0 + else + eerror "Error: copying '${AUTHORIZED_KEYS_SOURCE}' to '${AUTHORIZED_KEYS_TARGET}' failed." eend 1 bailout 1 fi diff --git a/grml-debootstrap.8.txt b/grml-debootstrap.8.txt index 6bfaa52..111ca97 100644 --- a/grml-debootstrap.8.txt +++ b/grml-debootstrap.8.txt @@ -226,6 +226,13 @@ Options and environment variables Delete grml-debootstrap configuration files (/etc/debootstrap/*) from installed system. Useful for reproducible builds or if you don't want to leak information. +*--sshcopyauth*:: + + Use locally available _$HOME/.ssh/authorized_keys_ to authorise root login on the target system. + This installs _$HOME/.ssh/authorized_keys_ as _/root/.ssh/authorized_keys_ on + the target system. If a different file than _$HOME/.ssh/authorized_keys_ should + be used, the environment variable _AUTHORIZED_KEYS_SOURCE_ can be used. + *--sshcopyid*:: Use locally available public keys to authorise root login on the target system. -- 2.1.4