	Proper SSH key handling (host keys, authorized keys and private keys)
This commit is contained in:
		
							parent
							
								
									24d3e14bce
								
							
						
					
					
						commit
						3532537f55
					
				| @ -26,6 +26,10 @@ chown -hR 1000:1000 /home/pi/.config/chromium/ | ||||
| mkdir -p /home/pi/.pki/ | ||||
| chown -hR 1000:1000 /home/pi/.pki/ | ||||
| 
 | ||||
| mkdir -p /home/pi/.ssh | ||||
| chown -hR 1000:1000 /home/pi/.ssh | ||||
| mkdir -p /root/.ssh | ||||
| 
 | ||||
| # FIXME: readonly in /etc/fstab | ||||
| echo "tmpfs		/dev/shm	tmpfs	mode=0777	0	0" >> /etc/fstab | ||||
| echo "tmpfs		/tmp		tmpfs	mode=1777	0	0" >> /etc/fstab | ||||
| @ -36,6 +40,8 @@ echo "tmpfs		/var/lib/dhcpcd	tmpfs	defaults,noatime,nosuid,size=30m    0 0" >> / | ||||
| echo "tmpfs		/home/pi/.cache tmpfs mode=0755,nosuid,nodev,uid=1000,gid=1000  0       0" >> /etc/fstab | ||||
| echo "tmpfs		/home/pi/.config/chromium/ tmpfs mode=0755,nosuid,nodev,uid=1000,gid=1000  0       0" >> /etc/fstab | ||||
| echo "tmpfs		/home/pi/.pki/ tmpfs mode=0755,nosuid,nodev,uid=1000,gid=1000  0       0" >> /etc/fstab | ||||
| echo "tmpfs		/home/pi/.ssh/ tmpfs mode=0700,nosuid,nodev,uid=1000,gid=1000  0       0" >> /etc/fstab | ||||
| echo "tmpfs		/root/.ssh/ tmpfs mode=0700,nosuid,nodev,uid=0,gid=0  0       0" >> /etc/fstab | ||||
| 
 | ||||
| # Create symlinks for configuration files which will later get created at runtime (in /tmp) | ||||
| rm /etc/hosts | ||||
| @ -53,6 +59,7 @@ systemctl disable ModemManager | ||||
| systemctl disable avahi-daemon | ||||
| systemctl disable bluetooth | ||||
| 
 | ||||
| systemctl enable kiosk-ssh-keys | ||||
| systemctl enable kiosk-wifi | ||||
| systemctl enable kiosk-autossh | ||||
| systemctl enable kiosk-watchdog | ||||
|  | ||||
							
								
								
									
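--- a/kiosk_skeleton/etc/default/crda
+++ b/kiosk_skeleton/etc/default/crda
@@ -0,0 +1 @@
+REGDOMAIN=00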
| @ -1,2 +1,4 @@ | ||||
| PermitRootLogin prohibit-password | ||||
| PasswordAuthentication no | ||||
| HostKey /root/.ssh/ssh_host_rsa_key | ||||
| HostKey /root/.ssh/ssh_host_ed25519_key | ||||
							
								
								
									
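--- a/kiosk_skeleton/etc/systemd/system/kiosk-ssh-keys.service
+++ b/kiosk_skeleton/etc/systemd/system/kiosk-ssh-keys.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Handle SSH host, private and authorized keys
+Before=ssh.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/kiosk-ssh-keys
+
+[Install]
+WantedBy=multi-user.target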
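Review bot: `Before=ssh.service` only orders this unit ahead of sshd, it does not make sshd depend on it, so if `/usr/bin/kiosk-ssh-keys` fails (for example when the /boot remount fails) ssh.service still starts against an empty /root/.ssh, which is where the `HostKey` lines in the earlier hunk point. Consider a drop-in for ssh.service with `Requires=kiosk-ssh-keys.service` and `After=kiosk-ssh-keys.service`, or at minimum a comment in this unit stating that a failure here leaves sshd without its configured host keys. Because the script reads /boot and writes into the /root/.ssh tmpfs declared in fstab, adding `RequiresMountsFor=/boot /root/.ssh` to `[Unit]` would make the mount ordering explicit instead of relying on default dependencies.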
| @ -1,6 +1,6 @@ | ||||
| [Unit] | ||||
| Description=Generate wpa_supplicant.conf from kioskbrowser.ini | ||||
| Before=wpa_supplicant.service | ||||
| Before=wpa_supplicant.service dhcpcd.service | ||||
| 
 | ||||
| [Service] | ||||
| Type=oneshot | ||||
|  | ||||
| @ -1 +0,0 @@ | ||||
| ssh-rsa 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 Manawyrm | ||||
| @ -3,8 +3,19 @@ | ||||
| AUTOSSH_ENABLED=$(get-ini /boot/kioskbrowser.ini autossh enabled) | ||||
| if [ "${AUTOSSH_ENABLED}" -eq 1 ] | ||||
| then | ||||
| 	if [ -f "/boot/id_rsa" ]; then | ||||
| 		cp /boot/id_rsa /root/.ssh/id_rsa | ||||
| 		AUTOSSH_KEYPATH="-i /root/.ssh/id_rsa" | ||||
| 	fi | ||||
| 	if [ -f "/boot/id_ed25519" ]; then | ||||
| 		cp /boot/id_ed25519 /root/.ssh/id_ed25519 | ||||
| 		AUTOSSH_KEYPATH="-i /root/.ssh/id_ed25519" | ||||
| 	fi | ||||
| 	chown -hR root:root /root/.ssh | ||||
| 	chmod -R 700 /root/.ssh | ||||
| 
 | ||||
| 	AUTOSSH_ARGS=$(get-ini /boot/kioskbrowser.ini autossh args) | ||||
| 	export AUTOSSH_GATETIME=0 | ||||
| 	/usr/bin/autossh -N -q -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" ${AUTOSSH_ARGS} | ||||
| 	/usr/bin/autossh -N -q -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" -o "StrictHostKeyChecking=no" -o "UserKnownHostsFile=/dev/null" ${AUTOSSH_KEYPATH} ${AUTOSSH_ARGS} | ||||
| fi | ||||
| 
 | ||||
|  | ||||
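Review bot: The new autossh invocation adds `-o "StrictHostKeyChecking=no" -o "UserKnownHostsFile=/dev/null"`, which switches off server authentication for the tunnel entirely: whatever answers at the configured endpoint is accepted as the real server, so an on-path impersonator cannot be distinguished from it and all tunnelled traffic would pass through it. Since /boot already carries the deployment's key material, the safer pattern is to ship a `known_hosts` there too, copy it into /root/.ssh alongside the other files, and use `-o "UserKnownHostsFile=/root/.ssh/known_hosts" -o "StrictHostKeyChecking=yes"` (or `accept-new` if first-contact pinning is acceptable for this fleet). When both `/boot/id_rsa` and `/boot/id_ed25519` exist the second `AUTOSSH_KEYPATH=` assignment silently wins; a comment such as `# ed25519 is preferred when both keys are present` would make that intentional. This hunk's file header is not shown on the page and the enclosing script begins before line 3, so whether it runs under `set -e` cannot be seen here.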
							
								
								
									
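--- a/kiosk_skeleton/usr/bin/kiosk-ssh-keys
+++ b/kiosk_skeleton/usr/bin/kiosk-ssh-keys
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# Generate host keys
+if [ ! -f "/boot/ssh_host_rsa_key" ]; then
+	echo Generating new SSH host keys, please stand by...
+	echo Remounting /boot FAT32 partition as writable. Do not power off!
+	mount -o remount,rw /boot
+
+	ssh-keygen -q -N "" -t rsa -b 2048 -f /boot/ssh_host_rsa_key
+	ssh-keygen -q -N "" -t ed25519 -f /boot/ssh_host_ed25519_key
+
+	mount -o remount,ro /boot
+	sleep 5
+	mount -o remount,ro /boot
+	sync
+	echo Remounted /boot FAT32 partition as read-only.
+fi
+
+# Copy host keys into temp dir
+cp /boot/ssh_host_ed25519_key /root/.ssh/ssh_host_ed25519_key
+cp /boot/ssh_host_ed25519_key.pub /root/.ssh/ssh_host_ed25519_key.pub
+cp /boot/ssh_host_rsa_key /root/.ssh/ssh_host_rsa_key
+cp /boot/ssh_host_rsa_key.pub /root/.ssh/ssh_host_rsa_key.pub
+
+# Copy authorized_keys file into /root and /home/pi .ssh directories
+if [ -f "/boot/authorized_keys" ]; then
+	cp /boot/authorized_keys /root/.ssh/authorized_keys
+
+	cp /boot/authorized_keys /home/pi/.ssh/authorized_keys
+	chown -hR pi:pi /home/pi/.ssh
+	chmod -R 700 /home/pi/.ssh
+fi
+
+chown -hR root:root /root/.ssh
+chmod -R 700 /root/.ssh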
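Review bot: The generation guard only tests `/boot/ssh_host_rsa_key`, so a /boot that still has the RSA key but has lost the ed25519 one never regenerates it and the later `cp /boot/ssh_host_ed25519_key` fails, leaving sshd without that host key; the condition should be `if [ ! -f /boot/ssh_host_rsa_key ] || [ ! -f /boot/ssh_host_ed25519_key ]; then`. There is no `set -e` and none of the mount, ssh-keygen or cp steps check their status, so a failed `mount -o remount,rw /boot` ends with an empty /root/.ssh and an exit code of 0 that the oneshot unit treats as success; `set -e` after the shebang and `mount -o remount,rw /boot || exit 1` are the minimum. The private host keys are written to the FAT32 /boot partition, which has no Unix ownership or mode bits, so unless /boot is mounted with a restrictive `umask=077`/`fmask` (not visible on this page) they are readable by the unprivileged pi user that runs the kiosk; a header comment recording this assumption and the required mount options belongs in this file, and the same applies to `/boot/id_rsa` and `/boot/id_ed25519` handled in the autossh hunk. `chmod -R 700` on both .ssh directories also marks every key file executable; `chmod 700` on the directory plus `chmod 600` on its files is the conventional layout and satisfies sshd's StrictModes equally.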
	 Manawyrm
						Manawyrm