From patchwork Mon Sep 23 17:18:23 2024
X-Patchwork-Submitter: John Crispin
X-Patchwork-Id: 1988676
X-Patchwork-Delegate: blogic@openwrt.org
From: John Crispin
To: openwrt-devel@lists.openwrt.org
Subject: [PATCH 09/11] dropbear: add a uci-defaults script for loading authorized keys
Date: Mon, 23 Sep 2024 19:18:23 +0200
Message-Id: <20240923171825.148902-10-john@phrozen.org>
In-Reply-To: <20240923171825.148902-1-john@phrozen.org>
References: <20240923171825.148902-1-john@phrozen.org>
Write the ssh authorized key to /etc/dropbear/ssh_authorized_keys if present inside board.json.

Signed-off-by: John Crispin
---
 package/network/services/dropbear/Makefile          |  2 ++
 .../services/dropbear/files/dropbear.defaults       | 15 +++++++++++++++
 2 files changed, 17 insertions(+)
 create mode 100644 package/network/services/dropbear/files/dropbear.defaults
diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index 3367fd7f74..e9f3bd693c 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile @@ -227,6 +227,8 @@ define Package/dropbear/install $(INSTALL_DIR) $(1)/etc/dropbear $(INSTALL_DIR) $(1)/lib/preinit $(INSTALL_DATA) ./files/dropbear.failsafe $(1)/lib/preinit/99_10_failsafe_dropbear + $(INSTALL_DIR) $(1)/etc/uci-defaults + $(INSTALL_DATA) ./files/dropbear.defaults $(1)/etc/uci-defaults/50-dropbear $(foreach f,$(filter /etc/dropbear/%,$(Package/dropbear/conffiles)),$(if $(wildcard $(TOPDIR)/files/$(f)),chmod 0600 $(TOPDIR)/files/$(f) || :; )) endef diff --git a/package/network/services/dropbear/files/dropbear.defaults b/package/network/services/dropbear/files/dropbear.defaults new file mode 100644 index 0000000000..ad831521b1 --- /dev/null +++ b/package/network/services/dropbear/files/dropbear.defaults @@ -0,0 +1,15 @@ +[ ! -s /etc/dropbear/authorized_keys ] || exit 0 + +. /usr/share/libubox/jshn.sh + +json_init +json_load "$(cat /etc/board.json)" + +json_select credentials + json_get_vars ssh_authorized_keys ssh_authorized_key + [ -z "$ssh_authorized_key" ] || { + echo -n "$ssh_authorized_key" > /etc/dropbear/authorized_keys + uci set dropbear.@dropbear[-1].PasswordAuth='off' + uci set dropbear.@dropbear[-1].RootPasswordAuth='off' + } +json_select ..
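Review bot: in the Makefile hunk, the chmod 0600 loop kept as trailing context only hardens /etc/dropbear files seeded from $(TOPDIR)/files at build time; it never touches the authorized_keys that the newly installed /etc/uci-defaults/50-dropbear writes at first boot, so the script itself has to set the mode, and a sentence in the commit message saying so would help. The hunk also adds a script that sources /usr/share/libubox/jshn.sh and calls uci while the patch leaves the package's DEPENDS untouched, so that runtime requirement stays implicit; either add the dependency or state that libubox and uci are guaranteed by the base system.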
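Review bot: in dropbear.defaults, `json_select credentials` runs without checking that the object exists; jshn's json_select prints a WARNING about the missing variable and returns 1 in that case, and because the script has no `set -e`, `json_get_vars` then reads from the top-level object instead, so every board whose board.json has no credentials block logs the warning at first boot. Guard it with `json_is_a credentials object || exit 0` before the select. Next, `echo -n "$ssh_authorized_key" > /etc/dropbear/authorized_keys` creates the file with whatever umask the boot environment has; follow it with `chmod 0600 /etc/dropbear/authorized_keys` to match the mode the Makefile enforces for seeded /etc/dropbear files. The names also disagree: the commit message says /etc/dropbear/ssh_authorized_keys, `json_get_vars` fetches both ssh_authorized_keys and ssh_authorized_key, and only the singular is used, so drop the unused plural or support a list of keys. Finally, since PasswordAuth and RootPasswordAuth are switched off in the same step, a malformed or truncated key in board.json leaves the device reachable only over the serial console; validating the value (at least that it starts with a recognised key type) before disabling the password fallback would avoid that lockout. Minor: `json_load_file /etc/board.json` replaces the `$(cat ...)` and avoids a cat error when the file is absent.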