Source-Changes-HG archive


[src/trunk]: src/distrib/utils/embedded add a method to add user accounts or ...



details:   https://anonhg.NetBSD.org/src/rev/36bb449e7ae9
branches:  trunk
changeset: 451898:36bb449e7ae9
user:      mrg <mrg%NetBSD.org@localhost>
date:      Tue Jun 11 10:50:57 2019 +0000

description:
add a method to add user accounts or ssh keys to the embedded
(installable) images which may be run entirely headless and
have no current method to edit the installation without another
netbsd host to modify the root (FFS) partition.

creds_msdos reads the creds.txt file from the msdos boot
partition and provides 4 basic methods:

        sshkeyfile <user> <path on msdos>
        sshkey <user> <entry>
        useraddhash <user> <passwd hash>
        useradd <user> <passwd>

the first two create a user with ssh key(s), and the second
two create a user with a password.  if the last method is used
and raw passwords are given, the creds.txt file will be
shredded and deleted by rm -P.


inspired by a request from a pine64 user.  ok jmcneill@.
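The four creds.txt methods above are consumed one line at a time: method name first, user second, and the remainder of the line as the single argument. As an added example that is not part of this commit or of NetBSD, here is a POSIX sh linter to run on the host against a creds.txt before it is copied to the image's msdos boot partition. It accepts the method names the rc.d script's `case` statement matches (note `useraddpwhash`, which the description above calls `useraddhash`) and flags problems that would otherwise only surface on a headless first boot. All file names, user names, key material and hash strings it writes are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the NetBSD commit: lint a creds.txt on the host
# before it is copied to the image's msdos boot partition. It follows the
# line format the commit describes (method, user, remainder of the line as
# the argument) and the method names the rc.d script's case statement
# accepts. All file names, users, keys and hashes below are constructed.

# lint_creds FILE: print "LINE: message" per problem, return 1 if any found.
lint_creds() {
    _file=$1 _errors=0 _n=0
    # read -r keeps backslashes literal; the third variable receives the rest
    # of the line, so key entries and passwords may contain spaces.
    while read -r _type _user _arg; do
        _n=$((_n + 1))
        case "$_type" in
        ''|\#*) continue ;;
        sshkeyfile|sshkey|useraddpwhash|useradd) ;;
        *) echo "$_n: unknown method '$_type'"; _errors=$((_errors + 1)); continue ;;
        esac
        # keep to characters useradd(8) accepts; the rc.d script passes the
        # name through eval to expand ~user, so be conservative here
        case "$_user" in
        ''|-*|*[!A-Za-z0-9_.-]*)
            echo "$_n: bad user name '$_user'"; _errors=$((_errors + 1)); continue ;;
        esac
        if [ -z "$_arg" ]; then
            echo "$_n: $_type needs an argument"; _errors=$((_errors + 1)); continue
        fi
        case "$_type" in
        sshkeyfile)
            # the script opens <partition>/<path> exactly as given; keep it inside
            case "$_arg" in
            /*|..|../*|*/..|*/../*)
                echo "$_n: key file path must stay inside the boot partition"
                _errors=$((_errors + 1)) ;;
            esac ;;
        sshkey)
            # an authorized_keys entry is "<keytype> <base64> [comment]"
            set -f; set -- $_arg; set +f
            case "$1" in
            ssh-*|ecdsa-sha2-*|sk-*)
                if [ -z "$2" ]; then
                    echo "$_n: ssh key has no key material"; _errors=$((_errors + 1))
                fi ;;
            *) echo "$_n: '$1' is not an OpenSSH key type"; _errors=$((_errors + 1)) ;;
            esac ;;
        useraddpwhash)
            # crypt(3) hashes start with '$'; anything else is likely plaintext
            case "$_arg" in
            \$*) ;;
            *) echo "$_n: '$_arg' is not a password hash (use useradd for plaintext)"
               _errors=$((_errors + 1)) ;;
            esac ;;
        useradd)
            # the rc.d script reads lines with plain read, which drops backslashes
            case "$_arg" in
            *\\*) echo "$_n: plaintext password contains a backslash"
                  _errors=$((_errors + 1)) ;;
            esac ;;
        esac
    done < "$_file"
    [ "$_errors" -eq 0 ]
}

# write_sample_creds FILE: a constructed creds.txt that passes the lint
write_sample_creds() {
    cat > "$1" <<'EOF'
# constructed example; the key material below is not a real key
sshkey admin ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterial admin@host
sshkeyfile deploy keys/deploy.pub
useraddpwhash ops $6$constructedsalt$constructedhash
EOF
}

# write_bad_creds FILE: one constructed line per diagnostic
write_bad_creds() {
    cat > "$1" <<'EOF'
useraddhash ops $6$x$y
sshkeyfile deploy ../../etc/passwd
sshkey admin notakey AAAA
useraddpwhash ops hunter2
useradd bob pa\ss
EOF
}

# Usage on the host: write_sample_creds creds.txt && lint_creds creds.txt
```

A non-zero exit means at least one line was rejected and the reasons are on stdout. The path check for `sshkeyfile` matters because the rc.d script simply concatenates `${creds_msdos_partition}/<path>` without normalising it, and the hash check for `useraddpwhash` catches the common mistake of putting a plaintext password on a line that is never shredded.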

diffstat:

 distrib/utils/embedded/conf/evbarm.conf    |   12 +-
 distrib/utils/embedded/files/creds_msdos   |  192 +++++++++++++++++++++++++++++
 distrib/utils/embedded/files/creds_msdos.8 |  117 +++++++++++++++++
 3 files changed, 317 insertions(+), 4 deletions(-)

diffs (truncated from 350 to 300 lines):

diff -r 4b53c40278c5 -r 36bb449e7ae9 distrib/utils/embedded/conf/evbarm.conf
--- a/distrib/utils/embedded/conf/evbarm.conf   Tue Jun 11 10:23:36 2019 +0000
+++ b/distrib/utils/embedded/conf/evbarm.conf   Tue Jun 11 10:50:57 2019 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: evbarm.conf,v 1.32 2018/12/02 15:43:04 jmcneill Exp $
+# $NetBSD: evbarm.conf,v 1.33 2019/06/11 10:50:57 mrg Exp $
 # evbarm shared config
 #
 image=$HOME/${board}.img
@@ -141,6 +141,8 @@
 dhcpcd=YES
 ntpd=YES
 ntpd_flags="-g"
+creds_msdos=YES
+creds_msdos_partition=/boot
 EOF
 
        if $resize; then
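Review bot: `creds_msdos_partition=/boot` is compared verbatim against the mount-point column of /etc/fstab by the new rc.d script, so this value must be exactly the string used for the msdos entry in the generated fstab (no trailing slash or alternate spelling), otherwise the fstab check silently falls through. Since this turns the feature on for every evbarm image, a one-line comment in the generated rc.conf pointing at creds_msdos(8) would help image users find out that a creds.txt on the boot partition is honoured at boot.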
@@ -156,9 +158,11 @@
            >> "$tmp/selected_sets"
 
        mkdir ${mnt}/etc/rc.d
-       cp ${DIR}/files/resize_disklabel ${mnt}/etc/rc.d/resize_disklabel
-       echo "./etc/rc.d/resize_disklabel type=file uname=root gname=wheel mode=0555" \
-           >> "$tmp/selected_sets"
+       for _f in resize_disklabel creds_msdos; do
+               cp ${DIR}/files/${_f} ${mnt}/etc/rc.d/${_f}
+               echo "./etc/rc.d/${_f} type=file uname=root gname=wheel mode=0555" \
+                   >> "$tmp/selected_sets"
+       done
 
        if [ ! -f ${release}/dev/MAKEDEV ]; then
                echo ${PROG}: Missing ${release}/dev/MAKEDEV 1>&2
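Review bot: only the two rc.d scripts are copied into the image by this loop; the new files/creds_msdos.8 listed in the diffstat is not installed by this hunk or anywhere else in the change, so the manual page never reaches the image or a man tree. Either add it to the image with a matching mtree entry under ./usr/share/man, or install it from the distrib build alongside the other manual pages.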
diff -r 4b53c40278c5 -r 36bb449e7ae9 distrib/utils/embedded/files/creds_msdos
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/distrib/utils/embedded/files/creds_msdos  Tue Jun 11 10:50:57 2019 +0000
@@ -0,0 +1,192 @@
+#!/bin/sh
+#
+# $NetBSD: creds_msdos,v 1.1 2019/06/11 10:50:57 mrg Exp $
+#
+# Copyright (c) 2019 Matthew R. Green
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+# 3. The name of the author may not be used to endorse or promote products
+#    derived from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+# AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+#
+# If "creds_msdos_partition" is an msdos partition and has a creds.txt
+# in it, perform these commands:
+#      "sshkeyfile <user> <path on msdos>"
+#      "sshkey <user> <entry>"
+#      "useraddhash <user> <passwd hash>"
+#      "useradd <user> <passwd>"
+# If the "useradd" method is used, this the creds.txt file will be
+# shredded and deleted with rm -P.
+
+# PROVIDE: creds_msdos
+# REQUIRE: mountall
+
+$_rc_subr_loaded . /etc/rc.subr
+
+name="creds_msdos"
+start_cmd="creds_msdos_start"
+stop_cmd=":"
+fstab_file=/etc/fstab
+
+fail() {
+       echo "$@" 1>&2
+       exit 1
+}
+
+sshkey_setup() {
+       local user="$1"
+       local group="wheel"
+
+       # don't create existing users
+       id=$(id -u $user 2>/dev/null)
+       if [ $? -ne 0 ]; then
+               useradd -m -G "${group}" "$user" || fail "Useradd failed."
+       fi
+
+       eval sshdir=~"${user}/.ssh"
+       eval mkdir -p -m 755 "${sshdir}" || fail "mkdir ~/.ssh failed."
+       chown "${user}" "${sshdir}"
+       eval userkeys="${sshdir}/authorized_keys"
+}
+
+sshkey_finish() {
+       local user="$1"
+       local userkeys="$2"
+
+       chmod 644 "${userkeys}"
+       chown "${user}" "${userkeys}"
+}
+
+do_sshkeyfile() {
+       local user="$1"
+       local newkeys="${creds_msdos_partition}/$2"
+
+       if [ ! -f "${newkeys}" ]; then
+               return
+       fi
+
+       sshkey_setup "$user"
+
+       # check entry is not present
+       while read type keydata name; do
+               if fgrep -q "${keydata}" "${userkeys}" 2>/dev/null; then
+                       continue
+               fi
+               echo "${type} ${keydata} ${name}" >> "${userkeys}"
+       done < "${newkeys}"
+
+       sshkey_finish "$user" "${userkeys}"
+}
+
+do_sshkey() {
+       local user="$1"
+       local newkey="$2"
+
+       sshkey_setup "$user"
+
+       echo "${newkey}" >> "${userkeys}"
+
+       sshkey_finish "$user" "${userkeys}"
+}
+
+do_useraddpwhash() {
+       local user="$1"
+       local pwhash="$2"
+       local group="wheel"
+
+       # don't add to existing users
+       id=$(id -u "${user}" 2>/dev/null)
+       if [ $? -eq 0 ]; then
+               return
+       fi
+
+       useradd -m -p "${pwhash}" -G "${group}" "${user}" || fail "Useradd failed."
+}
+
+do_useradd() {
+       local user="$1"
+       local password="$2"
+
+       local pwhash=$(pwhash "$password")
+       do_useraddpwhash "${user}" "${pwhash}"
+}
+
+creds_msdos_start()
+{
+       if [ -z "${creds_msdos_partition}" ]; then
+               echo "Not looking for credientials on msdos"
+               return;
+       fi
+       check_fs=
+       while read junk1 mp fstype junk2; do
+               if [ "${mp}" != "${creds_msdos_partition}" ]; then
+                       continue
+               fi
+               if [ "${fstype}" != "msdos" ]; then
+                       echo "Not checking for creds on ${creds_msdos_partition}: not an msdos file system"
+                       return;
+               fi
+               break
+       done < "${fstab_file}"
+
+       delete_creds=no
+       creds_file="${creds_msdos_partition}/creds.txt"
+
+       if [ -f "${creds_file}" ]; then
+               while read type user arg1; do
+                       case "$type" in
+                       \#*|'')
+                               continue
+                               ;;
+                       sshkeyfile)
+                               echo "Added user ${user} via ssh key file method."
+                               do_sshkeyfile "${user}" "${arg1}"
+                               ;;
+                       sshkey)
+                               echo "Added user ${user} via ssh key string method."
+                               do_sshkey "${user}" "${arg1}"
+                               ;;
+                       useraddpwhash)
+                               echo "Added user ${user} via password hash method."
+                               do_useraddpwhash "${user}" "${arg1}"
+                               ;;
+                       useradd)
+                               echo "Added user ${user} via password method, shredding credentials file."
+                               do_useradd "${user}" "${arg1}"
+                               delete_creds=yes
+                               ;;
+                       *)
+                               echo "Do not understand '$type' creds" 1>&2
+                               exit 1
+                               ;;
+                       esac
+               done < "${creds_file}"
+       fi
+
+       if [ $delete_creds = yes ]; then
+               rm -P -f "${creds_file}"
+       fi
+}
+
+load_rc_config $name
+run_rc_command "$1"
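Review bot: `do_useradd` calls `pwhash "$password"`, but pwhash(1) reads the password from standard input and treats its optional argument as the salt string; inside the `while read ... done < "${creds_file}"` loop that stdin is creds.txt itself, so the stored hash is not derived from the password on the line. Use `pwhash=$(printf '%s\n' "$password" | pwhash)`. Second, `do_sshkey` appends the entry unconditionally while `do_sshkeyfile` first checks with `fgrep -q`; because the file is only shredded on the `useradd` path and the script runs on every boot, an `sshkey` line adds a duplicate authorized_keys entry each boot, so reuse the duplicate check there. Smaller points: the header comment (and commit message) say `useraddhash` but the `case` only accepts `useraddpwhash`; `read type user arg1` without `-r` drops backslashes from passwords; `check_fs=` is never used and the fstab loop falls through silently when the mount point is absent, after which creds.txt is looked up under the unmounted path on the root file system; `sshkey_setup` builds the home directory with `eval` on a name taken from the file, so a name containing shell metacharacters is executed rather than rejected (`getent passwd "$user" | cut -d: -f6` avoids the eval); `id -u $user` there is unquoted unlike the other call sites; and "credientials" in the status message is misspelled.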
diff -r 4b53c40278c5 -r 36bb449e7ae9 distrib/utils/embedded/files/creds_msdos.8
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/distrib/utils/embedded/files/creds_msdos.8        Tue Jun 11 10:50:57 2019 +0000
@@ -0,0 +1,117 @@
+.\"    $NetBSD: creds_msdos.8,v 1.1 2019/06/11 10:50:57 mrg Exp $
+.\"
+.\" Copyright (c) 2019 Matthew R. Green
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote products
+.\"    derived from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+.\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+.\" AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+.\" OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.Dd June 10, 2019
+.Dt CREDS_MSDOS 8
+.Os
+.Sh NAME
+.Nm creds_msdos
+.Nd automatically add login credentials from MSDOS partition
+.Sh SYNOPSIS
+.Nm
+.Ar start
+.Sh DESCRIPTION
+The
+.Nm
+rc.d script allows automatic addition of login credential during boot
+using a special file found on the MSDOS partition of a bootable image.
+This script is not distributed with the normal system and is only
+be included with pre-installed bootable images.
+The goal is to allow remote access of the system without having to
+edit the primary root file system (which may not be accessible from
+the host the image is being written from), but place this information
+in the MSDOS partition that most platforms can easily access.
+.Pp
+Typically, an installable image (such as
+.Pa arm64.img )
+is written to an SD card or similar media, and has both a native FFS
+partition as well as an MSDOS partition for booting.
+If this script is enabled and has been pointed the boot partition
+it will inspect the file
+.Pa creds.txt
+for any credentials to be added to the system.
+.Pp
+These are the supported option in the credentials files:
+.Bl -tag -compact -width "sshkeyfilepl"
+.Pp
+.It Sy sshkeyfile
+<user> <keyfile>
+.It Sy sshkey
+<user> <keystring>
+.It Sy useraddpwhash
+<user> <pwhash>
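Review bot: several wording slips in DESCRIPTION: "addition of login credential" should read "credentials", "is only be included" should be "is only included", "has been pointed the boot partition" needs "at", and "These are the supported option" should be "options". The `.Pp` placed directly after `.Bl -tag -compact` and before the first `.It` will draw a mandoc lint warning; drop it. Also `.Dd June 10, 2019` predates the commit date.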


