Proper SSH key handling (host keys, authorized keys and private keys)

kiosk_skeleton/build.sh

@@ -26,6 +26,10 @@ chown -hR 1000:1000 /home/pi/.config/chromium/
 mkdir -p /home/pi/.pki/
 chown -hR 1000:1000 /home/pi/.pki/
 
+mkdir -p /home/pi/.ssh
+chown -hR 1000:1000 /home/pi/.ssh
+mkdir -p /root/.ssh
+
 # FIXME: readonly in /etc/fstab
 echo "tmpfs		/dev/shm	tmpfs	mode=0777	0	0" >> /etc/fstab
 echo "tmpfs		/tmp		tmpfs	mode=1777	0	0" >> /etc/fstab
@@ -36,6 +40,8 @@ echo "tmpfs		/var/lib/dhcpcd	tmpfs	defaults,noatime,nosuid,size=30m    0 0" >> /
 echo "tmpfs		/home/pi/.cache tmpfs mode=0755,nosuid,nodev,uid=1000,gid=1000  0       0" >> /etc/fstab
 echo "tmpfs		/home/pi/.config/chromium/ tmpfs mode=0755,nosuid,nodev,uid=1000,gid=1000  0       0" >> /etc/fstab
 echo "tmpfs		/home/pi/.pki/ tmpfs mode=0755,nosuid,nodev,uid=1000,gid=1000  0       0" >> /etc/fstab
+echo "tmpfs		/home/pi/.ssh/ tmpfs mode=0700,nosuid,nodev,uid=1000,gid=1000  0       0" >> /etc/fstab
+echo "tmpfs		/root/.ssh/ tmpfs mode=0700,nosuid,nodev,uid=0,gid=0  0       0" >> /etc/fstab
 
 # Create symlinks for configuration files which will later get created at runtime (in /tmp)
 rm /etc/hosts
@@ -53,6 +59,7 @@ systemctl disable ModemManager
 systemctl disable avahi-daemon
 systemctl disable bluetooth
 
+systemctl enable kiosk-ssh-keys
 systemctl enable kiosk-wifi
 systemctl enable kiosk-autossh
 systemctl enable kiosk-watchdog

kiosk_skeleton/etc/default/crda

@@ -0,0 +1 @@
+REGDOMAIN=00

kiosk_skeleton/etc/ssh/sshd_config.d/kiosk.conf

@@ -1,2 +1,4 @@
 PermitRootLogin prohibit-password
 PasswordAuthentication no
+HostKey /root/.ssh/ssh_host_rsa_key
+HostKey /root/.ssh/ssh_host_ed25519_key

kiosk_skeleton/etc/systemd/system/kiosk-ssh-keys.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=Handle SSH host, private and authorized keys
+Before=ssh.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/kiosk-ssh-keys
+
+[Install]
+WantedBy=multi-user.target

kiosk_skeleton/etc/systemd/system/kiosk-wifi.service

@@ -1,6 +1,6 @@
 [Unit]
 Description=Generate wpa_supplicant.conf from kioskbrowser.ini
-Before=wpa_supplicant.service
+Before=wpa_supplicant.service dhcpcd.service
 
 [Service]
 Type=oneshot

kiosk_skeleton/home/pi/.ssh/authorized_keys

@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMEtunV3AKNmKM3NeK5ZERUiQRKtpqFcmbH8ubNPy+zp7MfKiWwypltc5CStA95av76WeFHOQhRC75mjE98HOsyAgx9dgq4KvqSnqPu5j3hQI/BA0kp9a1oC+8DvoqWqrSop5+BPIQp23a0ILjlRsJ/JWfGTOp+4WAk9QEbQ4IBTDa/htMnI6/BYJHpvYB5QxT3BhjPCe00mCAvLIuO5xYwMDi1zl+VHsLjheSRjNku46Ivfgec8FFQVG9f5OTCT86TNWxO63Nvyk275JvyVRZdk8GfBS/tB9t2/JXCIPuEiE4p1VYHLcoGtNz6WLo8LNxQ8upmsMgXI6oX12Zysxnqsyt/L1YpD72rR3MLTdhLFrZO6EVFnzU9rqfx5Nr4krw+vuDx4LQ6sFc/IaCEmPwclgILFZi/zKNyypjRkuT1F3ejjoSkq3CA/WrEwWNVR/vOGbqQjkJ9eZJ6v3771bAbfY6yJOYjhRgDpaF4AUtYBDunOAaw0aEbopOqISzIZ0KydHQ/KAlNxPzWpIVVjvz8eqGTTy/xDggCddOTaj9mt6BeLK/xUyqu0gh/OD8ZqgNmyeNYfkAtV4mfrSV3MiwpJG2ItgMsPUZt8L87e0//s6K2XOZ0Dx3OeZyXdMLzwG+YR6Bj+qKG5TMPw5YKFfmVBxcwDNovthapOKkPT3fhw== Manawyrm

kiosk_skeleton/usr/bin/kiosk-autossh

@@ -3,8 +3,19 @@
 AUTOSSH_ENABLED=$(get-ini /boot/kioskbrowser.ini autossh enabled)
 if [ "${AUTOSSH_ENABLED}" -eq 1 ]
 then
+	if [ -f "/boot/id_rsa" ]; then
+		cp /boot/id_rsa /root/.ssh/id_rsa
+		AUTOSSH_KEYPATH="-i /root/.ssh/id_rsa"
+	fi
+	if [ -f "/boot/id_ed25519" ]; then
+		cp /boot/id_ed25519 /root/.ssh/id_ed25519
+		AUTOSSH_KEYPATH="-i /root/.ssh/id_ed25519"
+	fi
+	chown -hR root:root /root/.ssh
+	chmod -R 700 /root/.ssh
+
 	AUTOSSH_ARGS=$(get-ini /boot/kioskbrowser.ini autossh args)
 	export AUTOSSH_GATETIME=0
-	/usr/bin/autossh -N -q -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" ${AUTOSSH_ARGS}
+	/usr/bin/autossh -N -q -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" -o "StrictHostKeyChecking=no" -o "UserKnownHostsFile=/dev/null" ${AUTOSSH_KEYPATH} ${AUTOSSH_ARGS}
 fi
 

kiosk_skeleton/usr/bin/kiosk-ssh-keys

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# Generate host keys
+if [ ! -f "/boot/ssh_host_rsa_key" ]; then
+	echo Generating new SSH host keys, please stand by...
+	echo Remounting /boot FAT32 partition as writable. Do not power off!
+	mount -o remount,rw /boot
+
+	ssh-keygen -q -N "" -t rsa -b 2048 -f /boot/ssh_host_rsa_key
+	ssh-keygen -q -N "" -t ed25519 -f /boot/ssh_host_ed25519_key
+
+	mount -o remount,ro /boot
+	sleep 5
+	mount -o remount,ro /boot
+	sync
+	echo Remounted /boot FAT32 partition as read-only.
+fi
+
+# Copy host keys into temp dir
+cp /boot/ssh_host_ed25519_key /root/.ssh/ssh_host_ed25519_key
+cp /boot/ssh_host_ed25519_key.pub /root/.ssh/ssh_host_ed25519_key.pub
+cp /boot/ssh_host_rsa_key /root/.ssh/ssh_host_rsa_key
+cp /boot/ssh_host_rsa_key.pub /root/.ssh/ssh_host_rsa_key.pub
+
+# Copy authorized_keys file into /root and /home/pi .ssh directories
+if [ -f "/boot/authorized_keys" ]; then
+	cp /boot/authorized_keys /root/.ssh/authorized_keys
+
+	cp /boot/authorized_keys /home/pi/.ssh/authorized_keys
+	chown -hR pi:pi /home/pi/.ssh
+	chmod -R 700 /home/pi/.ssh
+fi
+
+chown -hR root:root /root/.ssh
+chmod -R 700 /root/.ssh