-
Notifications
You must be signed in to change notification settings - Fork 7
/
sd-tinyssh
119 lines (98 loc) · 4.29 KB
/
sd-tinyssh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
#!/bin/bash
build() {
if ! pacman -Qi tinyssh >/dev/null 2>&1; then
error "Package tinyssh not installed"
return 1
fi
# make sure sh is present
# (other busybox applets are added also because they allocate nearly no space in initramfs)
add_binary /usr/lib/initcpio/busybox /usr/bin/busybox
local applet
for applet in $(/usr/lib/initcpio/busybox --list); do
add_symlink "/usr/bin/$applet" busybox
done
add_systemd_unit [email protected]
add_systemd_unit [email protected]
# enable tinysshd listening on TCP port $SD_TINYSSH_PORT (if set to legal port number)
if [[ -n "$SD_TINYSSH_PORT" ]]; then
if (( SD_TINYSSH_PORT < 1 || SD_TINYSSH_PORT > 65535 )); then
error "Illegal port value '$SD_TINYSSH_PORT'"
return 1
fi
else
SD_TINYSSH_PORT=22
fi
add_symlink /etc/systemd/system/sysinit.target.wants/tinyssh@$SD_TINYSSH_PORT.socket /usr/lib/systemd/system/[email protected]
local drop_in=(
'[Unit]'
'Requires=systemd-networkd.service'
'After=systemd-networkd.service'
'DefaultDependencies=no'
)
printf "%s\n" "${drop_in[@]}" | add_systemd_drop_in tinyssh@$SD_TINYSSH_PORT.socket override
drop_in=(
"[Unit]"
"DefaultDependencies=no"
""
"[Service]"
"ExecStart="
"ExecStart=-/usr/bin/tinysshd ${SD_TINYSSH_COMMAND:+-e '${SD_TINYSSH_COMMAND}' }/etc/tinyssh/sshkeydir"
)
printf "%s\n" "${drop_in[@]}" | add_systemd_drop_in [email protected] override
if [[ -r /etc/tinyssh/sshkeydir/ed25519.pk && -r /etc/tinyssh/sshkeydir/.ed25519.sk ]]; then
add_file /etc/tinyssh/sshkeydir/ed25519.pk
add_file /etc/tinyssh/sshkeydir/.ed25519.sk
elif [[ -r /etc/ssh/ssh_host_ed25519_key ]]; then
add_dir /etc/tinyssh
tinyssh-convert "$BUILDROOT/etc/tinyssh/sshkeydir" </etc/ssh/ssh_host_ed25519_key
else
error "Missing tinyssh host key"
return 1
fi
SD_TINYSSH_AUTHORIZED_KEYS=${SD_TINYSSH_AUTHORIZED_KEYS:-/root/.ssh/authorized_keys}
if [[ ! -r "$SD_TINYSSH_AUTHORIZED_KEYS" ]]; then
error "Keys file '$SD_TINYSSH_AUTHORIZED_KEYS' does not exist (or not readable)"
return 1
fi
add_dir /root/.ssh
grep '^ssh-ed25519 ' "$SD_TINYSSH_AUTHORIZED_KEYS" >"$BUILDROOT/root/.ssh/authorized_keys"
if [[ -s "$BUILDROOT/root/.ssh/authorized_keys" ]]; then
chmod 600 "$BUILDROOT/root/.ssh/authorized_keys"
chmod 700 "$BUILDROOT/root/.ssh"
else
error "No ED25519 key found for root"
return 1
fi
if [[ -z "$SD_TINYSSH_COMMAND" && -r "$SD_TINYSSH_SCRIPT" ]]; then
add_file "$SD_TINYSSH_SCRIPT" /root/.profile 600
fi
}
help() {
cat <<__EOF_HELP__
This hook enables tinysshd with systemd initramfs.
It copies all files and binaries required by tinyssh to initramfs and enables
listening TCP port 22. Host keys are either
o copied from /etc/tinyssh/sshkeydir if they exist or
o converted on the fly from the corresponding openssh ED25519 host key
/etc/ssh/ssh_host_ed25519_key. This requires python to be installed.
If none of the two sources exists the hook aborts.
By default tinyssh presents the busybox shell after successful login. Two
variables can be used to alter this behavior:
o SD_TINYSSH_COMMAND defines a shell command. The string is appended to
'sh -c', i.e. it may contain blanks, quotes and all kinds of special
characters that are interpreted by the shell. Example: To allow to unlock
LUKS encrypted volumes from remote (but nothing else, especially no shell
access) set:
SD_TINYSSH_COMMAND="systemd-tty-ask-password-agent --query --watch"
o SD_TINYSSH_SCRIPT defines a file with shell commands that are executed
before the interactive shell is presented. Example: To allow to unlock LUKS
encrypted volumes from remote but also escape to an interactive shell with CTRL-C
specify a file that contains
systemd-tty-ask-password-agent --query --watch
Only one of the two variables is taken into account. SD_TINYSSH_COMMAND takes
precedence.
Set SD_TINYSSH_PORT to specify a port other than 22.
Set SD_TINYSSH_AUTHORIZED_KEYS to specify a keys file other than /root/.ssh/authorized_keys.
The variables must be set somewhere in /etc/mkinitcpio.conf.
__EOF_HELP__
}