diff -ru network-console-1.29/debian/changelog network-console-1.29+euca01/debian/changelog --- network-console-1.29/debian/changelog 2011-07-24 09:24:00.000000000 -0400 +++ network-console-1.29+euca01/debian/changelog 2011-07-26 19:42:28.000000000 -0400 @@ -1,3 +1,12 @@ +network-console (1.29+euca01) unreleased; urgency=low + + * Add support for installing into a virtual server enviroments such as + Eucalyptus or Amazon EC2. + * Copy the authorized-keys file to the final installed system, using the + user-account setup to figure out exactly where they belong. + + -- Kyle Moffett Wed, 11 Aug 2010 15:39:25 -0400 + network-console (1.29) unstable; urgency=low [ Samuel Thibault ] diff -ru network-console-1.29/debian/network-console.postinst network-console-1.29+euca01/debian/network-console.postinst --- network-console-1.29/debian/network-console.postinst 2011-07-24 09:23:48.000000000 -0400 +++ network-console-1.29+euca01/debian/network-console.postinst 2011-07-26 19:44:30.000000000 -0400 @@ -26,6 +26,41 @@ ;; esac +## Helper function +download_ssh_keys() +{ + ## Don't do anything if no URL was specified or there are + ## preexisting SSH keys already in the initramfs + [ -n "$1" -a ! -f /.ssh/authorized_keys ] || return 0 + + ## First make sure the directory is OK + [ -d /.ssh ] || mkdir /.ssh + chmod 700 /.ssh + + ## Next, download the file + if wget -q -O /.ssh/authorized_keys "$1"; then + chmod 0644 /.ssh/authorized_keys || true + return 0 + fi + + ## Handle errors appropriately + db_subst $TEMPLATE_ROOT/public-key-fetch-failure LOCATION "$1" + db_input critical $TEMPLATE_ROOT/public-key-fetch-failure || true + db_go + exit 1 +} + +db_get $TEMPLATE_ROOT/public-key-url +download_ssh_keys "${RET}" + +db_get $TEMPLATE_ROOT/password-disabled +if [ "x${RET}" = "xtrue" ]; then + CRYPT_PASSWORD='*' + PASSWORD='*DISABLED*' +else + PASSWORD='' +fi + while [ -z "$PASSWORD" ]; do db_input critical $TEMPLATE_ROOT/password || true COMPARE_PW='' @@ -44,6 +79,7 @@ continue fi PASSWORD=$INST_PW + CRYPT_PASSWORD="$(gen-crypt "$PASSWORD")" db_set $TEMPLATE_ROOT/password "" db_set $TEMPLATE_ROOT/password-again "" @@ -51,7 +87,7 @@ db_fset $TEMPLATE_ROOT/password-again seen false done -echo "installer:$(gen-crypt $PASSWORD):1:0:99999:7:::" >> /etc/shadow +echo "installer:${CRYPT_PASSWORD}:1:0:99999:7:::" >> /etc/shadow KEY_FINGERPRINT=$(ssh-keygen -l -f $KEY_FILE | cut -f2 -d ' ') @@ -77,6 +113,14 @@ ;; esac +## If executed in a virtual hosting environment we might have a NAT'ed +## public IP address. If so, we should figure out what it is. +db_get $TEMPLATE_ROOT/public-ip-url +if [ -n "${RET}" ]; then + publicip="$(wget -q -O - "${RET}" || true)" + [ -z "${publicip}" ] || IPADDR="${publicip}" +fi + db_subst $TEMPLATE_ROOT/start ip $IPADDR db_subst $TEMPLATE_ROOT/start fingerprint $KEY_FINGERPRINT case "$ARCHDETECT" in Only in network-console-1.29+euca01/debian: network-console.postinst.orig Only in network-console-1.29+euca01/debian: network-console.postinst.rej diff -ru network-console-1.29/debian/network-console.templates network-console-1.29+euca01/debian/network-console.templates --- network-console-1.29/debian/network-console.templates 2011-06-18 22:40:08.000000000 -0400 +++ network-console-1.29+euca01/debian/network-console.templates 2011-07-26 19:43:10.000000000 -0400 @@ -60,6 +60,13 @@ The two passwords you entered were not the same. Please enter a password again. +Template: network-console/password-disable +Type: boolean +Description: for internal use; can be preseeded + Disable password-based SSH login, require the use of public-keys. + . + See also "network-console/public-key-url" + Template: network-console/start Type: note # :sl2: @@ -75,3 +82,27 @@ . Please check this carefully against the fingerprint reported by your SSH client. + +Template: network-console/public-key-url +Type: string +Description: for internal use; can be preseeded + What URL contains a list of authorized SSH public keys? + . + The file at the given URL should be of the same form as a standard OpenSSH + authorized_keys file. + +Template: network-console/public-key-fetch-failure +Type: error +# :sl2: +_Description: Could not fetch OpenSSH authorized keys + An error occurred while fetching OpenSSH authorized keys from ${LOCATION}. + . + Check /var/log/syslog or see virtual console 4 for the details. + +Template: network-console/public-ip-url +Type: string +Description: for internal use; can be preseeded + What URL contains the public IP address to be displayed on the console? + . + The file at the given URL should be a simple plain-text IP address. + diff -ru network-console-1.29/post-base-installer.d/80network-console network-console-1.29+euca01/post-base-installer.d/80network-console --- network-console-1.29/post-base-installer.d/80network-console 2011-06-18 22:40:08.000000000 -0400 +++ network-console-1.29+euca01/post-base-installer.d/80network-console 2011-07-26 19:43:10.000000000 -0400 @@ -1,7 +1,44 @@ #!/bin/sh set -e -DIR=/etc/ssh/ +. /usr/share/debconf/confmodule + +TARGET="/target" +instkeys="/.ssh/authorized_keys" + +## First copy over the SSH host keys +mkdir -p "${TARGET}/etc/ssh" +cp /etc/ssh/ssh_host_rsa_key* "${TARGET}/etc/ssh/" + +## If we don't have any SSH authorized keys, there's nothing else to do +[ -f /.ssh/authorized_keys ] || exit 0 + +db_get passwd/root-login ; root_login="$RET" +db_get passwd/make-user ; make_user="$RET" +db_get passwd/username ; username="$RET" + +## Determine whether keys should be added to "root" or to a different user +if [ "x$root_login" = "xfalse" -a "x$make_user" = "xtrue" -a \ + -n "$username" -a -d "/home/$username" ]; then + + ## Everything was valid, so add it to that user + userhome="/home/$username" + userids="${username}:${username}" + +else + + ## Otherwise just add it to the root user + username="root" + userhome="/root" + userids="0:0" + +fi + +## Ensure that the .ssh directory exists +mkdir -p -m 0755 "${TARGET}${userhome}/.ssh" +in-target chown "${userids}" "${userhome}/.ssh" + +## Append to the authorized_keys file +cat "$instkeys" >>"${TARGET}${userhome}/.ssh/authorized_keys" +in-target chown "${userids}" "${userhome}/.ssh/authorized_keys" -mkdir -p /target/$DIR -cp $DIR/ssh_host_rsa_key* /target/$DIR