author | Boris Kolpackov <boris@codesynthesis.com> | 2017-03-31 14:09:06 +0200 |
---|---|---|
committer | Boris Kolpackov <boris@codesynthesis.com> | 2017-03-31 14:09:06 +0200 |
commit | 5461c13bdcace38ce40494acde0e21d2cb3c9081 (patch) | |
tree | ffe2da2ce1c041465a995c942278e35fb3063aa3 | |
parent | ce1b8892253d49b894e13215fc4b1415bfc1df29 (diff) |
Use user build instead of root for SSH login
-rw-r--r-- | doc/manual.cli | 10 | ||||
-rwxr-xr-x | init | 16 |
2 files changed, 15 insertions, 11 deletions
diff --git a/doc/manual.cli b/doc/manual.cli
index 1b9abed..e20c151 100644
--- a/doc/manual.cli
+++ b/doc/manual.cli
@@ -288,11 +288,11 @@ address, for example, \c{example.org} and \c{admin@example.org}).
 \h#config-ssh|SSH|
-Build OS runs an OpenSSH server with password authentication disabled. As a
-result, the only way to login remotely is via a public key. To add a public
-key into the \c{root} user's \c{authorized_keys} file we can use the
-\c{buildos.ssh_key} kernel command line parameter. For example (note the
-quotes):
+Build OS runs an OpenSSH server with password authentication and \c{root}
+login disabled. As a result, the only way to login remotely is as user
+\c{build} using public key authentication. To add a public key into the
+\c{build}'s \c{authorized_keys} file we can use the \c{buildos.ssh_key}
+kernel command line parameter. For example (note the quotes):
 \
 buildos.ssh_key=\"ssh-rsa AAA...OA0DB user@host\"
@@ -394,10 +394,13 @@ newaliases
 # - Change host key locations to (persistent) /state/etc/ssh/ and remove
 # existing keys. If no corresponding key exists in /state, generate it.
 #
+# - Disable root login.
+#
 # - Disable password authentication.
 #
 sed -r -i \
 -e "s%^#?HostKey +(.+)%HostKey /state\1%" \
+ -e "s%^#?PermitRootLogin.*%PermitRootLogin no%" \
 -e "s%^#?PasswordAuthentication.*%PasswordAuthentication no%" \
 /etc/ssh/sshd_config
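Review bot: The added `PermitRootLogin` substitution in the `sed` invocation is a silent no-op when `/etc/ssh/sshd_config` contains no `PermitRootLogin` line at all (commented or not), in which case OpenSSH's compiled-in default applies instead of `no`, while the manual hunk above now promises that root login is disabled. The existing `PasswordAuthentication` edit has the same weakness, but the new line is the one this commit depends on. A post-check after the `sed` would turn the assumption into an enforced invariant, e.g. `grep -q '^PermitRootLogin no$' /etc/ssh/sshd_config || <fail>`, using whatever error helper this init script has (only `info` is visible in the diff). The `diff --git a/init b/init` file header for this and the following hunk is missing from the rendering; the file is inferred from the diffstat.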
@@ -412,15 +415,16 @@ for k in $(echo /etc/ssh/ssh_host_*_key | \
 done
 rm -f /etc/ssh/ssh_host_*_key*
-# Add buildos.ssh_key to root's authorized_keys.
+# Add buildos.ssh_key to build's authorized_keys.
 #
 if [ -n "$ssh_key" ]; then
- info "adding buildos.ssh_key to ~root/.ssh/authorized_keys"
- mkdir -p /root/.ssh
- chmod 700 /root/.ssh
+ info "adding buildos.ssh_key to ~build/.ssh/authorized_keys"
+ mkdir -p /build/.ssh
+ echo "$ssh_key" >>/build/.ssh/authorized_keys
- echo "$ssh_key" >>/root/.ssh/authorized_keys
- chmod 600 /root/.ssh/authorized_keys
+ chown build:build /build/.ssh /build/.ssh/authorized_keys
+ chmod 700 /build/.ssh
+ chmod 600 /build/.ssh/authorized_keys
 fi
 # Configure the TFTP server (tftpd-hpa). |
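Review bot: The new `chown build:build` and `chmod` lines cover `/build/.ssh` and `authorized_keys` but not `/build` itself; with sshd's default `StrictModes yes`, a home directory that is not owned by the user or is group/world-writable causes the key file to be ignored, so this block silently relies on `/build` having been created with the right ownership and mode elsewhere in `init` (not visible in the diff). A guard before the `mkdir`, such as `[ -d /build ] || <fail>`, or adding `/build` to the `chown` list, would make that dependency explicit. Separately, `echo "$ssh_key"` with a value taken from the kernel command line is better written `printf '%s\n' "$ssh_key" >>/build/.ssh/authorized_keys`, since `echo` may interpret a leading `-n`/`-e` or backslash sequences depending on the shell. The `if` block opens and closes within the hunk.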