Karl/AnotterKiosk
1
0
Fork 0
mirror of https://github.com/karl0ss/AnotterKiosk.git synced 2025-04-28 10:33:41 +01:00
Code Issues Packages Projects Releases Wiki Activity

Proper SSH key handling (host keys, authorized keys and private keys)

Browse Source
This commit is contained in:
Manawyrm 2023-06-30 10:55:10 +02:00
parent 24d3e14bce
commit 3532537f55
8 changed files with 68 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
kiosk_skeleton/build.sh
View File

@ -26,6 +26,10 @@ chown -hR 1000:1000 /home/pi/.config/chromium/
mkdir -p /home/pi/.pki/
chown -hR 1000:1000 /home/pi/.pki/
mkdir -p /home/pi/.ssh
chown -hR 1000:1000 /home/pi/.ssh
mkdir -p /root/.ssh
# FIXME: readonly in /etc/fstab
echo "tmpfs /dev/shm tmpfs mode=0777 0 0" >> /etc/fstab
echo "tmpfs /tmp tmpfs mode=1777 0 0" >> /etc/fstab
@ -36,6 +40,8 @@ echo "tmpfs /var/lib/dhcpcd tmpfs defaults,noatime,nosuid,size=30m 0 0" >> /
echo "tmpfs /home/pi/.cache tmpfs mode=0755,nosuid,nodev,uid=1000,gid=1000 0 0" >> /etc/fstab
echo "tmpfs /home/pi/.config/chromium/ tmpfs mode=0755,nosuid,nodev,uid=1000,gid=1000 0 0" >> /etc/fstab
echo "tmpfs /home/pi/.pki/ tmpfs mode=0755,nosuid,nodev,uid=1000,gid=1000 0 0" >> /etc/fstab
echo "tmpfs /home/pi/.ssh/ tmpfs mode=0700,nosuid,nodev,uid=1000,gid=1000 0 0" >> /etc/fstab
echo "tmpfs /root/.ssh/ tmpfs mode=0700,nosuid,nodev,uid=0,gid=0 0 0" >> /etc/fstab
# Create symlinks for configuration files which will later get created at runtime (in /tmp)
rm /etc/hosts
@ -53,6 +59,7 @@ systemctl disable ModemManager
systemctl disable avahi-daemon
systemctl disable bluetooth
systemctl enable kiosk-ssh-keys
systemctl enable kiosk-wifi
systemctl enable kiosk-autossh
systemctl enable kiosk-watchdog

1
kiosk_skeleton/etc/default/crda Normal file
View File

@ -0,0 +1 @@
REGDOMAIN=00

2
kiosk_skeleton/etc/ssh/sshd_config.d/kiosk.conf
View File

@ -1,2 +1,4 @@
PermitRootLogin prohibit-password
PasswordAuthentication no
HostKey /root/.ssh/ssh_host_rsa_key
HostKey /root/.ssh/ssh_host_ed25519_key

10
kiosk_skeleton/etc/systemd/system/kiosk-ssh-keys.service Normal file
View File

@ -0,0 +1,10 @@
[Unit]
Description=Handle SSH host, private and authorized keys
Before=ssh.service
[Service]
Type=oneshot
ExecStart=/usr/bin/kiosk-ssh-keys
[Install]
WantedBy=multi-user.target

2
kiosk_skeleton/etc/systemd/system/kiosk-wifi.service
View File

@ -1,6 +1,6 @@
[Unit]
Description=Generate wpa_supplicant.conf from kioskbrowser.ini
Before=wpa_supplicant.service
Before=wpa_supplicant.service dhcpcd.service
[Service]
Type=oneshot

1
kiosk_skeleton/home/pi/.ssh/authorized_keys
View File

@ -1 +0,0 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMEtunV3AKNmKM3NeK5ZERUiQRKtpqFcmbH8ubNPy+zp7MfKiWwypltc5CStA95av76WeFHOQhRC75mjE98HOsyAgx9dgq4KvqSnqPu5j3hQI/BA0kp9a1oC+8DvoqWqrSop5+BPIQp23a0ILjlRsJ/JWfGTOp+4WAk9QEbQ4IBTDa/htMnI6/BYJHpvYB5QxT3BhjPCe00mCAvLIuO5xYwMDi1zl+VHsLjheSRjNku46Ivfgec8FFQVG9f5OTCT86TNWxO63Nvyk275JvyVRZdk8GfBS/tB9t2/JXCIPuEiE4p1VYHLcoGtNz6WLo8LNxQ8upmsMgXI6oX12Zysxnqsyt/L1YpD72rR3MLTdhLFrZO6EVFnzU9rqfx5Nr4krw+vuDx4LQ6sFc/IaCEmPwclgILFZi/zKNyypjRkuT1F3ejjoSkq3CA/WrEwWNVR/vOGbqQjkJ9eZJ6v3771bAbfY6yJOYjhRgDpaF4AUtYBDunOAaw0aEbopOqISzIZ0KydHQ/KAlNxPzWpIVVjvz8eqGTTy/xDggCddOTaj9mt6BeLK/xUyqu0gh/OD8ZqgNmyeNYfkAtV4mfrSV3MiwpJG2ItgMsPUZt8L87e0//s6K2XOZ0Dx3OeZyXdMLzwG+YR6Bj+qKG5TMPw5YKFfmVBxcwDNovthapOKkPT3fhw== Manawyrm

13
kiosk_skeleton/usr/bin/kiosk-autossh
View File

@ -3,8 +3,19 @@
AUTOSSH_ENABLED=$(get-ini /boot/kioskbrowser.ini autossh enabled)
if [ "${AUTOSSH_ENABLED}" -eq 1 ]
then
if [ -f "/boot/id_rsa" ]; then
cp /boot/id_rsa /root/.ssh/id_rsa
AUTOSSH_KEYPATH="-i /root/.ssh/id_rsa"
fi
if [ -f "/boot/id_ed25519" ]; then
cp /boot/id_ed25519 /root/.ssh/id_ed25519
AUTOSSH_KEYPATH="-i /root/.ssh/id_ed25519"
fi
chown -hR root:root /root/.ssh
chmod -R 700 /root/.ssh
AUTOSSH_ARGS=$(get-ini /boot/kioskbrowser.ini autossh args)
export AUTOSSH_GATETIME=0
/usr/bin/autossh -N -q -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" ${AUTOSSH_ARGS}
/usr/bin/autossh -N -q -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" -o "StrictHostKeyChecking=no" -o "UserKnownHostsFile=/dev/null" ${AUTOSSH_KEYPATH} ${AUTOSSH_ARGS}
fi

35
kiosk_skeleton/usr/bin/kiosk-ssh-keys Executable file
View File

@ -0,0 +1,35 @@
#!/bin/bash
# Generate host keys
if [ ! -f "/boot/ssh_host_rsa_key" ]; then
echo Generating new SSH host keys, please stand by...
echo Remounting /boot FAT32 partition as writable. Do not power off!
mount -o remount,rw /boot
ssh-keygen -q -N "" -t rsa -b 2048 -f /boot/ssh_host_rsa_key
ssh-keygen -q -N "" -t ed25519 -f /boot/ssh_host_ed25519_key
mount -o remount,ro /boot
sleep 5
mount -o remount,ro /boot
sync
echo Remounted /boot FAT32 partition as read-only.
fi
# Copy host keys into temp dir
cp /boot/ssh_host_ed25519_key /root/.ssh/ssh_host_ed25519_key
cp /boot/ssh_host_ed25519_key.pub /root/.ssh/ssh_host_ed25519_key.pub
cp /boot/ssh_host_rsa_key /root/.ssh/ssh_host_rsa_key
cp /boot/ssh_host_rsa_key.pub /root/.ssh/ssh_host_rsa_key.pub
# Copy authorized_keys file into /root and /home/pi .ssh directories
if [ -f "/boot/authorized_keys" ]; then
cp /boot/authorized_keys /root/.ssh/authorized_keys
cp /boot/authorized_keys /home/pi/.ssh/authorized_keys
chown -hR pi:pi /home/pi/.ssh
chmod -R 700 /home/pi/.ssh
fi
chown -hR root:root /root/.ssh
chmod -R 700 /root/.ssh