From 3532537f55ce129079bdc5fdd0910d50cad7462c Mon Sep 17 00:00:00 2001 From: Manawyrm Date: Fri, 30 Jun 2023 10:55:10 +0200 Subject: [PATCH] Proper SSH key handling (host keys, authorized keys and private keys) --- kiosk_skeleton/build.sh | 7 ++++ kiosk_skeleton/etc/default/crda | 1 + .../etc/ssh/sshd_config.d/kiosk.conf | 2 ++ .../etc/systemd/system/kiosk-ssh-keys.service | 10 ++++++ .../etc/systemd/system/kiosk-wifi.service | 2 +- kiosk_skeleton/home/pi/.ssh/authorized_keys | 1 - kiosk_skeleton/usr/bin/kiosk-autossh | 13 ++++++- kiosk_skeleton/usr/bin/kiosk-ssh-keys | 35 +++++++++++++++++++ 8 files changed, 68 insertions(+), 3 deletions(-) create mode 100644 kiosk_skeleton/etc/default/crda create mode 100644 kiosk_skeleton/etc/systemd/system/kiosk-ssh-keys.service delete mode 100755 kiosk_skeleton/home/pi/.ssh/authorized_keys create mode 100755 kiosk_skeleton/usr/bin/kiosk-ssh-keys diff --git a/kiosk_skeleton/build.sh b/kiosk_skeleton/build.sh index 01cdbde..9987e1e 100755 --- a/kiosk_skeleton/build.sh +++ b/kiosk_skeleton/build.sh @@ -26,6 +26,10 @@ chown -hR 1000:1000 /home/pi/.config/chromium/ mkdir -p /home/pi/.pki/ chown -hR 1000:1000 /home/pi/.pki/ +mkdir -p /home/pi/.ssh +chown -hR 1000:1000 /home/pi/.ssh +mkdir -p /root/.ssh + # FIXME: readonly in /etc/fstab echo "tmpfs /dev/shm tmpfs mode=0777 0 0" >> /etc/fstab echo "tmpfs /tmp tmpfs mode=1777 0 0" >> /etc/fstab 
@@ -36,6 +40,8 @@ echo "tmpfs /var/lib/dhcpcd tmpfs defaults,noatime,nosuid,size=30m 0 0" >> / echo "tmpfs /home/pi/.cache tmpfs mode=0755,nosuid,nodev,uid=1000,gid=1000 0 0" >> /etc/fstab echo "tmpfs /home/pi/.config/chromium/ tmpfs mode=0755,nosuid,nodev,uid=1000,gid=1000 0 0" >> /etc/fstab echo "tmpfs /home/pi/.pki/ tmpfs mode=0755,nosuid,nodev,uid=1000,gid=1000 0 0" >> /etc/fstab +echo "tmpfs /home/pi/.ssh/ tmpfs mode=0700,nosuid,nodev,uid=1000,gid=1000 0 0" >> /etc/fstab +echo "tmpfs /root/.ssh/ tmpfs mode=0700,nosuid,nodev,uid=0,gid=0 0 0" >> /etc/fstab # Create symlinks for configuration files which will later get created at runtime (in /tmp) rm /etc/hosts @@ -53,6 +59,7 @@ systemctl disable ModemManager systemctl disable avahi-daemon systemctl disable bluetooth +systemctl enable kiosk-ssh-keys systemctl enable kiosk-wifi systemctl enable kiosk-autossh systemctl enable kiosk-watchdog diff --git a/kiosk_skeleton/etc/default/crda b/kiosk_skeleton/etc/default/crda new file mode 100644 index 0000000..7a145ca --- /dev/null +++ b/kiosk_skeleton/etc/default/crda @@ -0,0 +1 @@ +REGDOMAIN=00 \ No newline at end of file diff --git a/kiosk_skeleton/etc/ssh/sshd_config.d/kiosk.conf b/kiosk_skeleton/etc/ssh/sshd_config.d/kiosk.conf index f742952..9b3cbff 100644 --- a/kiosk_skeleton/etc/ssh/sshd_config.d/kiosk.conf +++ b/kiosk_skeleton/etc/ssh/sshd_config.d/kiosk.conf @@ -1,2 +1,4 @@ PermitRootLogin prohibit-password PasswordAuthentication no +HostKey /root/.ssh/ssh_host_rsa_key +HostKey /root/.ssh/ssh_host_ed25519_key \ No newline at end of file diff --git a/kiosk_skeleton/etc/systemd/system/kiosk-ssh-keys.service b/kiosk_skeleton/etc/systemd/system/kiosk-ssh-keys.service new file mode 100644 index 0000000..d803b11 --- /dev/null +++ b/kiosk_skeleton/etc/systemd/system/kiosk-ssh-keys.service 
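Review bot: The two new tmpfs entries for `/home/pi/.ssh/` and `/root/.ssh/` set `mode=0700,nosuid,nodev` but neither `noexec` nor a `size=` cap, so each mount falls back to the default tmpfs limit of half of RAM and permits execution from a directory meant to hold only key files. The `/var/lib/dhcpcd` entry visible in the hunk header already uses a `size=` limit. Options along the lines of `mode=0700,nosuid,nodev,noexec,size=1m` (the size is an example value) would fit both lines.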
@@ -0,0 +1,10 @@ +[Unit] +Description=Handle SSH host, private and authorized keys +Before=ssh.service + +[Service] +Type=oneshot +ExecStart=/usr/bin/kiosk-ssh-keys + +[Install] +WantedBy=multi-user.target \ No newline at end of file diff --git a/kiosk_skeleton/etc/systemd/system/kiosk-wifi.service b/kiosk_skeleton/etc/systemd/system/kiosk-wifi.service index d936510..75fb1e2 100644 --- a/kiosk_skeleton/etc/systemd/system/kiosk-wifi.service +++ b/kiosk_skeleton/etc/systemd/system/kiosk-wifi.service @@ -1,6 +1,6 @@ [Unit] Description=Generate wpa_supplicant.conf from kioskbrowser.ini -Before=wpa_supplicant.service +Before=wpa_supplicant.service dhcpcd.service [Service] Type=oneshot diff --git a/kiosk_skeleton/home/pi/.ssh/authorized_keys b/kiosk_skeleton/home/pi/.ssh/authorized_keys deleted file mode 100755 index 4574257..0000000 --- a/kiosk_skeleton/home/pi/.ssh/authorized_keys +++ /dev/null @@ -1 +0,0 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMEtunV3AKNmKM3NeK5ZERUiQRKtpqFcmbH8ubNPy+zp7MfKiWwypltc5CStA95av76WeFHOQhRC75mjE98HOsyAgx9dgq4KvqSnqPu5j3hQI/BA0kp9a1oC+8DvoqWqrSop5+BPIQp23a0ILjlRsJ/JWfGTOp+4WAk9QEbQ4IBTDa/htMnI6/BYJHpvYB5QxT3BhjPCe00mCAvLIuO5xYwMDi1zl+VHsLjheSRjNku46Ivfgec8FFQVG9f5OTCT86TNWxO63Nvyk275JvyVRZdk8GfBS/tB9t2/JXCIPuEiE4p1VYHLcoGtNz6WLo8LNxQ8upmsMgXI6oX12Zysxnqsyt/L1YpD72rR3MLTdhLFrZO6EVFnzU9rqfx5Nr4krw+vuDx4LQ6sFc/IaCEmPwclgILFZi/zKNyypjRkuT1F3ejjoSkq3CA/WrEwWNVR/vOGbqQjkJ9eZJ6v3771bAbfY6yJOYjhRgDpaF4AUtYBDunOAaw0aEbopOqISzIZ0KydHQ/KAlNxPzWpIVVjvz8eqGTTy/xDggCddOTaj9mt6BeLK/xUyqu0gh/OD8ZqgNmyeNYfkAtV4mfrSV3MiwpJG2ItgMsPUZt8L87e0//s6K2XOZ0Dx3OeZyXdMLzwG+YR6Bj+qKG5TMPw5YKFfmVBxcwDNovthapOKkPT3fhw== Manawyrm \ No newline at end of file diff --git a/kiosk_skeleton/usr/bin/kiosk-autossh b/kiosk_skeleton/usr/bin/kiosk-autossh index 1ba86c9..543c9b5 100755 --- a/kiosk_skeleton/usr/bin/kiosk-autossh +++ b/kiosk_skeleton/usr/bin/kiosk-autossh 
@@ -3,8 +3,19 @@ AUTOSSH_ENABLED=$(get-ini /boot/kioskbrowser.ini autossh enabled) if [ "${AUTOSSH_ENABLED}" -eq 1 ] then + if [ -f "/boot/id_rsa" ]; then + cp /boot/id_rsa /root/.ssh/id_rsa + AUTOSSH_KEYPATH="-i /root/.ssh/id_rsa" + fi + if [ -f "/boot/id_ed25519" ]; then + cp /boot/id_ed25519 /root/.ssh/id_ed25519 + AUTOSSH_KEYPATH="-i /root/.ssh/id_ed25519" + fi + chown -hR root:root /root/.ssh + chmod -R 700 /root/.ssh + AUTOSSH_ARGS=$(get-ini /boot/kioskbrowser.ini autossh args) export AUTOSSH_GATETIME=0 - /usr/bin/autossh -N -q -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" ${AUTOSSH_ARGS} + /usr/bin/autossh -N -q -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" -o "StrictHostKeyChecking=no" -o "UserKnownHostsFile=/dev/null" ${AUTOSSH_KEYPATH} ${AUTOSSH_ARGS} fi diff --git a/kiosk_skeleton/usr/bin/kiosk-ssh-keys b/kiosk_skeleton/usr/bin/kiosk-ssh-keys new file mode 100755 index 0000000..05a334a --- /dev/null +++ b/kiosk_skeleton/usr/bin/kiosk-ssh-keys 
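Review bot: The added `-o "StrictHostKeyChecking=no" -o "UserKnownHostsFile=/dev/null"` options make the tunnel accept any server host key, so the kiosk cannot tell its real endpoint from an interposed one and will authenticate to, and set up whatever forwards `args` configures toward, whoever answers. Since this commit already provisions key material from /boot, a known_hosts file could be provisioned the same way and passed as `-o "StrictHostKeyChecking=yes" -o "UserKnownHostsFile=<provisioned known_hosts>"` (the path is a placeholder). The client keys `/boot/id_rsa` and `/boot/id_ed25519` also remain on the boot partition, which the kiosk-ssh-keys script describes as FAT32 and which therefore has no per-file modes, so `chmod -R 700 /root/.ssh` protects only the copies. The same holds for the host keys written by kiosk-ssh-keys; whether non-root users can read them depends on the /boot mount options, which this patch does not show.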
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# Generate host keys
+if [ ! -f "/boot/ssh_host_rsa_key" ]; then
+ echo Generating new SSH host keys, please stand by...
+ echo Remounting /boot FAT32 partition as writable. Do not power off!
+ mount -o remount,rw /boot
+
+ ssh-keygen -q -N "" -t rsa -b 2048 -f /boot/ssh_host_rsa_key
+ ssh-keygen -q -N "" -t ed25519 -f /boot/ssh_host_ed25519_key
+
+ mount -o remount,ro /boot
+ sleep 5
+ mount -o remount,ro /boot
+ sync
+ echo Remounted /boot FAT32 partition as read-only.
+fi
+
+# Copy host keys into temp dir
+cp /boot/ssh_host_ed25519_key /root/.ssh/ssh_host_ed25519_key
+cp /boot/ssh_host_ed25519_key.pub /root/.ssh/ssh_host_ed25519_key.pub
+cp /boot/ssh_host_rsa_key /root/.ssh/ssh_host_rsa_key
+cp /boot/ssh_host_rsa_key.pub /root/.ssh/ssh_host_rsa_key.pub
+
+# Copy authorized_keys file into /root and /home/pi .ssh directories
+if [ -f "/boot/authorized_keys" ]; then
+ cp /boot/authorized_keys /root/.ssh/authorized_keys
+
+ cp /boot/authorized_keys /home/pi/.ssh/authorized_keys
+ chown -hR pi:pi /home/pi/.ssh
+ chmod -R 700 /home/pi/.ssh
+fi
+
+chown -hR root:root /root/.ssh
+chmod -R 700 /root/.ssh
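Review bot: The generation guard tests only `/boot/ssh_host_rsa_key`, so if the first boot is interrupted after the RSA key is written but before the ed25519 one, the ed25519 key is never created. The later `cp /boot/ssh_host_ed25519_key …` then errors on every boot without failing the unit, while kiosk.conf still names that file as a `HostKey`. Guarding each key on its own, e.g. `[ -f /boot/ssh_host_ed25519_key ] || ssh-keygen -q -N "" -t ed25519 -f /boot/ssh_host_ed25519_key`, and checking the exit status of the `ssh-keygen` and `cp` calls would make this recoverable and visible. The `sync` runs after both `mount -o remount,ro /boot` calls; it belongs before the first remount, while the partition is still writable. `chmod -R 700` also sets the execute bit on the key and authorized_keys files, where `600` on files and `700` on the directories is the usual layout.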