On Thu, Feb 09, 2017 at 06:19:54PM +0100, Landry Breuil wrote:
> On Sun, Feb 05, 2017 at 08:37:31PM +0000, Stuart Henderson wrote:
> > On 2017/02/05 09:53, Robert Peichaer wrote:
> > > On Sun, Feb 05, 2017 at 10:46:41AM +0100, Landry Breuil wrote:
> > > > Hi,
> > > >
> > > > when installing 'throwaway' VMs (manually, not always using autoinstall
> > > > for $REASONS) i've often found myself having to do right after the install:
> > > > install -d -m 700 /root/.ssh
> > > > install -m 600 /dev/null /root/.ssh/authorized_keys
> > > > (or touch /root/.ssh/authorized_keys && chmod 600
> > > > /root/.ssh/authorized_keys, ymmv)
> > > >
> > > > those are present in /etc/skel for "real" users, so why not creating
> > > > them for the root account ? install.sub also creates /mnt/root/.ssh when
> > > > using autoinstall and giving an ssh pubkey, so that'll be one less step
> > > > to do there.
> > > >
> > > > We advise ppl to set prohibit-password for PermitRootLogin, so why not
> > > > make it easier to use it ? This way, the correct modes are set.. i often
> > > > fat-fingered this, to see sshd complaining (rightly!) about bad modes on
> > > > .ssh/authorized_keys.
> > >
> > > Conceptually I'd like this going in.
> >
> > +1. (On "managed" systems I use root-owned authorized_keys in a system
> > directory, but this doesn't get in the way, and it makes things easier on
> > ad-hoc installed systems).
>
> Finally built a release with this, the empty file is created in
> /var/sysmerge/etc.tgz, and sysmerge didn't overwrite my own
> /root/.ssh/authorized_keys - so i think i can now explicitly ask for okays.
> dtucker@ mentioned that in ${INSTALL} -c idiom the -c was a noop, but i kept
> it for consistency.

Agree with that.

> Hopefully more ppl can chime in and think of potential drawbacks this
> diff exposes...

FWIW, I don't see a downside to this diff.

> Sets diff added too, modeled after what's done for
> /etc/skel/.ssh/authorized_keys - dunno if it should be committed along the
> etc/ change.

Yes, please commit the sets diff at the same time as the etc/Makefile and
the mtree diff, otherwise sysmerge won't pick it up.

Also, please commit this trivial diff for the installer at the same time
so people won't complain about autoinstall warnings.

with that ok tb

Index: install.sub =================================================================== RCS file: /var/cvs/src/distrib/miniroot/install.sub,v retrieving revision 1.969 diff -u -p -r1.969 install.sub --- install.sub 8 Feb 2017 23:13:02 -0000 1.969 +++ install.sub 9 Feb 2017 19:25:09 -0000 @@ -2868,7 +2868,6 @@ do_install(){ # During autoinstall, add root user's public ssh key to authorized_keys. [[ -n "$_rootkey" ]] && ( umask 077 - mkdir /mnt/root/.ssh print -r -- "$_rootkey" >>/mnt/root/.ssh/authorized_keys )
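
Review bot: In the do_install() hunk, dropping `mkdir /mnt/root/.ssh` leaves the `>>/mnt/root/.ssh/authorized_keys` append depending on the directory already existing under /mnt/root, and nothing in the hunk states or checks that. If the directory is absent, the redirect fails and the autoinstall root key is not written. Consider replacing the deleted line with a guard such as `[[ -d /mnt/root/.ssh ]] || mkdir /mnt/root/.ssh`, or at least extend the comment above the block to say where /root/.ssh now comes from. Note also that `umask 077` only determines the mode when authorized_keys is created by this append; if the file already exists, the append keeps its existing mode, which is worth a word in the same comment.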