Hi,
when installing 'throwaway' VMs (manually, not always using autoinstall for
$REASONS) i've often found myself having to do right after the install:
install -d -m 700 /root/.ssh
install -m 600 /dev/null /root/.ssh/authorized_keys
(or touch /root/.ssh/authorized_keys && chmod 600
/root/.ssh/authorized_keys, ymmv)
those are present in /etc/skel for "real" users, so why not creating
them for the root account ? install.sub also creates /mnt/root/.ssh when
using autoinstall and giving an ssh pubkey, so that'll be one less step
to do there.
We advise ppl to set prohibit-password for PermitRootLogin, so why not make it
easier to use it ? This ways, the correct modes are set.. i often fat-fingered
this, to see sshd complaining (rightly!) about bad modes on
.ssh/authorized_keys.
Conceptual (untested) diff below for discussion, i'll build a release with it
depending on the feedback/opinions..
Landry
Index: Makefile
===================================================================
RCS file: /cvs/src/etc/Makefile,v
retrieving revision 1.449
diff -u -r1.449 Makefile
--- Makefile 2 Feb 2017 21:35:05 -0000 1.449
+++ Makefile 5 Feb 2017 09:34:58 -0000
@@ -110,6 +110,8 @@
${DESTDIR}/root/.Xdefaults; \
${INSTALL} -c -o root -g wheel -m 644 dot.cvsrc \
${DESTDIR}/root/.cvsrc; \
+ ${INSTALL} -c -o root -g wheel -m 600 /dev/null \
+ ${DESTDIR}/root/.ssh/authorized_keys
rm -f ${DESTDIR}/.cshrc ${DESTDIR}/.profile; \
${INSTALL} -c -o root -g wheel -m 644 dot.cshrc \
${DESTDIR}/.cshrc; \
Index: mtree/4.4BSD.dist
===================================================================
RCS file: /cvs/src/etc/mtree/4.4BSD.dist,v
retrieving revision 1.293
diff -u -r1.293 4.4BSD.dist
--- mtree/4.4BSD.dist 27 Dec 2016 09:17:52 -0000 1.293
+++ mtree/4.4BSD.dist 5 Feb 2017 09:34:58 -0000
@@ -118,6 +118,8 @@
mnt
..
root mode=0700
+ .ssh uname=root mode=0700
+ ..
..
sbin
..
