
[09/11] dropbear: add a uci-defaults script for loading authorized keys

Message ID 20240923171825.148902-10-john@phrozen.org
State Under Review
Delegated to: John Crispin
Series allow loading default credentials from flash

Commit Message

John Crispin Sept. 23, 2024, 5:18 p.m. UTC
Write the ssh authorized key to /etc/dropbear/ssh_authorized_keys if present
inside board.json.

Signed-off-by: John Crispin <john@phrozen.org>
---
 package/network/services/dropbear/Makefile        |  2 ++
 .../services/dropbear/files/dropbear.defaults     | 15 +++++++++++++++
 2 files changed, 17 insertions(+)
 create mode 100644 package/network/services/dropbear/files/dropbear.defaults

Comments

Bjørn Mork Sept. 24, 2024, 8:47 a.m. UTC | #1
John Crispin <john@phrozen.org> writes:

> +		echo -n "$ssh_authorized_key" > /etc/dropbear/authorized_keys

This will unnecessarily break an image built with one or more
pre-defined keys.


Bjørn
John Crispin Sept. 24, 2024, 4:11 p.m. UTC | #2
On 24.09.24 10:47, Bjørn Mork wrote:
> John Crispin <john@phrozen.org> writes:
>
>> +		echo -n "$ssh_authorized_key" > /etc/dropbear/authorized_keys
> This will unnecessarily break an image built with one or more
> pre-defined keys.
>
>
> Bjørn
yeah, I'll check if the file exists and if so do nothing.

Patch

diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
index 3367fd7f74..e9f3bd693c 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -227,6 +227,8 @@  define Package/dropbear/install
 	$(INSTALL_DIR) $(1)/etc/dropbear
 	$(INSTALL_DIR) $(1)/lib/preinit
 	$(INSTALL_DATA) ./files/dropbear.failsafe $(1)/lib/preinit/99_10_failsafe_dropbear
+	$(INSTALL_DIR) $(1)/etc/uci-defaults
+	$(INSTALL_DATA) ./files/dropbear.defaults $(1)/etc/uci-defaults/50-dropbear
 	$(foreach f,$(filter /etc/dropbear/%,$(Package/dropbear/conffiles)),$(if $(wildcard $(TOPDIR)/files/$(f)),chmod 0600 $(TOPDIR)/files/$(f) || :; ))
 endef
 
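Review bot: The installed script sources /usr/share/libubox/jshn.sh, but this hunk only adds the two install lines for /etc/uci-defaults/50-dropbear and no dependency change. Please confirm that the package's DEPENDS already guarantees jshn is present on every image that ships dropbear; otherwise the `.` line fails on first boot and the key is never written. It would also help to note here or in the commit message that the file written at runtime does not pass through the `chmod 0600` applied on the following line to conffiles under /etc/dropbear, since that only covers files present in $(TOPDIR)/files at build time.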
diff --git a/package/network/services/dropbear/files/dropbear.defaults b/package/network/services/dropbear/files/dropbear.defaults
new file mode 100644
index 0000000000..ad831521b1
--- /dev/null
+++ b/package/network/services/dropbear/files/dropbear.defaults
@@ -0,0 +1,15 @@ 
+[ ! -s /etc/dropbear/authorized_keys ] || exit 0
+
+. /usr/share/libubox/jshn.sh
+
+json_init
+json_load "$(cat /etc/board.json)"
+
+json_select credentials
+	json_get_vars ssh_authorized_keys ssh_authorized_key
+	[ -z "$ssh_authorized_key" ] || {
+		echo -n "$ssh_authorized_key" > /etc/dropbear/authorized_keys
+		uci set dropbear.@dropbear[-1].PasswordAuth='off'
+		uci set dropbear.@dropbear[-1].RootPasswordAuth='off'
+	}
+json_select ..
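Review bot: The key is written with `echo -n "$ssh_authorized_key" > /etc/dropbear/authorized_keys`, so the file ends without a newline and a later append of a second key lands on the same line and invalidates both entries; `printf '%s\n' "$ssh_authorized_key"` avoids that, followed by an explicit `chmod 0600` to match what the Makefile does for pre-built keys. `json_get_vars` also fetches `ssh_authorized_keys`, which is never used: either drop it or handle the multi-key case. `json_select credentials` is not checked, so when board.json has no credentials object the lookup runs against the top level and the closing `json_select ..` is unbalanced; `json_select credentials || exit 0` would make that explicit. Password authentication is switched off only on `@dropbear[-1]`, so any other dropbear section keeps it enabled. Finally, the commit message names /etc/dropbear/ssh_authorized_keys while the script writes /etc/dropbear/authorized_keys; please align the two.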