aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorBoris Kolpackov <boris@codesynthesis.com>2017-03-31 14:09:06 +0200
committerBoris Kolpackov <boris@codesynthesis.com>2017-03-31 14:09:06 +0200
commit5461c13bdcace38ce40494acde0e21d2cb3c9081 (patch)
treeffe2da2ce1c041465a995c942278e35fb3063aa3
parentce1b8892253d49b894e13215fc4b1415bfc1df29 (diff)
Use user build instead of root for SSH login
-rw-r--r--doc/manual.cli10
-rwxr-xr-xinit16
2 files changed, 15 insertions, 11 deletions
diff --git a/doc/manual.cli b/doc/manual.cli
index 1b9abed..e20c151 100644
--- a/doc/manual.cli
+++ b/doc/manual.cli
@@ -288,11 +288,11 @@ address, for example, \c{example.org} and \c{admin@example.org}).
\h#config-ssh|SSH|
-Build OS runs an OpenSSH server with password authentication disabled. As a
-result, the only way to login remotely is via a public key. To add a public
-key into the \c{root} user's \c{authorized_keys} file we can use the
-\c{buildos.ssh_key} kernel command line parameter. For example (note the
-quotes):
+Build OS runs an OpenSSH server with password authentication and \c{root}
+login disabled. As a result, the only way to login remotely is as user
+\c{build} using public key authentication. To add a public key into the
+\c{build}'s \c{authorized_keys} file we can use the \c{buildos.ssh_key}
+kernel command line parameter. For example (note the quotes):
\
buildos.ssh_key=\"ssh-rsa AAA...OA0DB user@host\"
diff --git a/init b/init
index 9c068c8..e29de66 100755
--- a/init
+++ b/init
@@ -394,10 +394,13 @@ newaliases
# - Change host key locations to (persistent) /state/etc/ssh/ and remove
# existing keys. If no corresponding key exists in /state, generate it.
#
+# - Disable root login.
+#
# - Disable password authentication.
#
sed -r -i \
-e "s%^#?HostKey +(.+)%HostKey /state\1%" \
+ -e "s%^#?PermitRootLogin.*%PermitRootLogin no%" \
-e "s%^#?PasswordAuthentication.*%PasswordAuthentication no%" \
/etc/ssh/sshd_config
@@ -412,15 +415,16 @@ for k in $(echo /etc/ssh/ssh_host_*_key | \
done
rm -f /etc/ssh/ssh_host_*_key*
-# Add buildos.ssh_key to root's authorized_keys.
+# Add buildos.ssh_key to build's authorized_keys.
#
if [ -n "$ssh_key" ]; then
- info "adding buildos.ssh_key to ~root/.ssh/authorized_keys"
- mkdir -p /root/.ssh
- chmod 700 /root/.ssh
+ info "adding buildos.ssh_key to ~build/.ssh/authorized_keys"
+ mkdir -p /build/.ssh
+ echo "$ssh_key" >>/build/.ssh/authorized_keys
- echo "$ssh_key" >>/root/.ssh/authorized_keys
- chmod 600 /root/.ssh/authorized_keys
+ chown build:build /build/.ssh /build/.ssh/authorized_keys
+ chmod 700 /build/.ssh
+ chmod 600 /build/.ssh/authorized_keys
fi
# Configure the TFTP server (tftpd-hpa).