On Fri, Feb 10, 2017 at 10:00:51AM +0100, Landry Breuil wrote:
> On Fri, Feb 10, 2017 at 09:36:16AM +0100, Antoine Jacoutot wrote:
> > On Thu, Feb 09, 2017 at 06:19:54PM +0100, Landry Breuil wrote:
> > > On Sun, Feb 05, 2017 at 08:37:31PM +0000, Stuart Henderson wrote:
> > > > On 2017/02/05 09:53, Robert Peichaer wrote:
> > > > > On Sun, Feb 05, 2017 at 10:46:41AM +0100, Landry Breuil wrote:
> > > > > > Hi,
> > > > > > 
> > > > > > when installing 'throwaway' VMs (manually, not always using autoinstall for
> > > > > > $REASONS) I've often found myself having to do right after the install:
> > > > > > install -d -m 700 /root/.ssh
> > > > > > install -m 600 /dev/null /root/.ssh/authorized_keys
> > > > > > (or touch /root/.ssh/authorized_keys && chmod 600
> > > > > > /root/.ssh/authorized_keys, ymmv)
> > > > > > 
> > > > > > those are present in /etc/skel for "real" users, so why not create
> > > > > > them for the root account? install.sub also creates /mnt/root/.ssh when
> > > > > > using autoinstall and giving an ssh pubkey, so that'll be one less step
> > > > > > to do there.
> > > > > > 
> > > > > > We advise ppl to set prohibit-password for PermitRootLogin, so why not make it
> > > > > > easier to use it? This way, the correct modes are set.. I often fat-fingered
> > > > > > this, to see sshd complaining (rightly!) about bad modes on
> > > > > > .ssh/authorized_keys.
> > > > > 
> > > > > Conceptually I'd like this going in.
> > > > 
> > > > +1. (On "managed" systems I use root-owned authorized_keys in a system directory,
> > > > but this doesn't get in the way, and it makes things easier on ad-hoc installed
> > > > systems).
> > > 
> > > Finally built a release with this, the empty file is created in
> > > /var/sysmerge/etc.tgz, and sysmerge didn't overwrite my own
> > > /root/.ssh/authorized_keys - so I think I can now explicitly ask for okays.
> > > dtucker@ mentioned that in the ${INSTALL} -c idiom the -c was a noop, but I kept it
> > > for consistency.
> > > Hopefully more ppl can chime in and think of potential drawbacks this
> > > diff exposes...
> > > 
> > > Sets diff added too, modeled after what's done for
> > > /etc/skel/.ssh/authorized_keys - dunno if it should be committed along the etc/
> > > change.
> > 
> > Can you add it to mtree/special please?
> 
> Sure ! Here's a new fuller diff touching files all around..
> 
> Index: etc/Makefile
> ===================================================================
> RCS file: /cvs/src/etc/Makefile,v
> retrieving revision 1.449
> diff -u -r1.449 Makefile
> --- etc/Makefile      2 Feb 2017 21:35:05 -0000       1.449
> +++ etc/Makefile      10 Feb 2017 08:59:27 -0000
> @@ -110,6 +110,8 @@
>                   ${DESTDIR}/root/.Xdefaults; \
>               ${INSTALL} -c -o root -g wheel -m 644 dot.cvsrc \
>                   ${DESTDIR}/root/.cvsrc; \
> +             ${INSTALL} -c -o root -g wheel -m 600 /dev/null \
> +                 ${DESTDIR}/root/.ssh/authorized_keys; \
>               rm -f ${DESTDIR}/.cshrc ${DESTDIR}/.profile; \
>               ${INSTALL} -c -o root -g wheel -m 644 dot.cshrc \
>                   ${DESTDIR}/.cshrc; \
> Index: etc/mtree/4.4BSD.dist
> ===================================================================
> RCS file: /cvs/src/etc/mtree/4.4BSD.dist,v
> retrieving revision 1.293
> diff -u -r1.293 4.4BSD.dist
> --- etc/mtree/4.4BSD.dist     27 Dec 2016 09:17:52 -0000      1.293
> +++ etc/mtree/4.4BSD.dist     10 Feb 2017 08:59:27 -0000
> @@ -118,6 +118,8 @@
>  mnt
>  ..
>  root                         mode=0700
> +    .ssh                     uname=root mode=0700
> +    ..
>  ..
>  sbin
>  ..
> Index: etc/mtree/special
> ===================================================================
> RCS file: /cvs/src/etc/mtree/special,v
> retrieving revision 1.122
> diff -u -r1.122 special
> --- etc/mtree/special 27 Dec 2016 09:17:52 -0000      1.122
> +++ etc/mtree/special 10 Feb 2017 08:59:27 -0000
> @@ -121,6 +121,9 @@
>  .login               type=file mode=0644 uname=root gname=wheel
>  .profile     type=file mode=0644 uname=root gname=wheel
>  .rhosts              type=file mode=0600 uname=root gname=wheel optional
> +.ssh         type=dir mode=0700 uname=root gname=wheel
> +..   #.ssh

Comment should say:
#root/.ssh

The rest looks fine to me.

> +authorized_keys      type=file mode=0600 uname=root gname=wheel
>  ..   #root
>  
>  sbin         type=dir mode=0755 uname=root gname=wheel ignore
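
Review bot: unlike `.rhosts` two lines above, the new `authorized_keys` entry is not marked `optional`, so an administrator who removes the shipped empty file (or keeps root's keys in a system directory, as Stuart described) will get a missing-file report from security(8) on every run; decide whether `optional` belongs there. Antoine's point about the closing `..` comment also applies: `#root/.ssh` matches the `..   #root` convention just below, where `#.ssh` does not.
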
> Index: distrib/miniroot/install.sub
> ===================================================================
> RCS file: /cvs/src/distrib/miniroot/install.sub,v
> retrieving revision 1.969
> diff -u -r1.969 install.sub
> --- distrib/miniroot/install.sub      8 Feb 2017 23:13:02 -0000       1.969
> +++ distrib/miniroot/install.sub      10 Feb 2017 08:59:27 -0000
> @@ -2868,7 +2868,6 @@
>       # During autoinstall, add root user's public ssh key to authorized_keys.
>       [[ -n "$_rootkey" ]] && (
>               umask 077
> -             mkdir /mnt/root/.ssh
>               print -r -- "$_rootkey" >>/mnt/root/.ssh/authorized_keys
>       )
>  
> Index: distrib/sets/lists/base/mi
> ===================================================================
> RCS file: /cvs/src/distrib/sets/lists/base/mi,v
> retrieving revision 1.820
> diff -u -r1.820 mi
> --- distrib/sets/lists/base/mi        7 Feb 2017 21:32:48 -0000       1.820
> +++ distrib/sets/lists/base/mi        10 Feb 2017 08:59:28 -0000
> @@ -232,6 +232,7 @@
>  ./home
>  ./mnt
>  ./root
> +./root/.ssh
>  ./sbin
>  ./sbin/atactl
>  ./sbin/badsect
> Index: distrib/sets/lists/etc/mi
> ===================================================================
> RCS file: /cvs/src/distrib/sets/lists/etc/mi,v
> retrieving revision 1.211
> diff -u -r1.211 mi
> --- distrib/sets/lists/etc/mi 1 Oct 2016 16:58:29 -0000       1.211
> +++ distrib/sets/lists/etc/mi 10 Feb 2017 08:59:28 -0000
> @@ -50,6 +50,7 @@
>  ./root/.cvsrc
>  ./root/.login
>  ./root/.profile
> +./root/.ssh/authorized_keys
>  ./var/crash/minfree
>  ./var/cron/at.deny
>  ./var/cron/cron.deny
> 

-- 
Antoine
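
The two manual commands from the first mail, as an added example that is not part of the thread or of the OpenBSD tree: a pair of POSIX sh functions that create the skeleton for any home directory with install(1), exactly as the mail does, and then check the result against the modes the thread settles on (0700 on .ssh, 0600 on authorized_keys, both owned by the account). Those modes are stricter than the minimum sshd's StrictModes enforces (not group- or world-writable, owned by the user or root), which is why the check is an exact match. HOME_DIR and OWNER are parameters introduced here so the functions can run against a scratch directory as an unprivileged user; the real installation in etc/Makefile is root:wheel. Existing paths are never chmod'ed: a wrong mode on something that is already there is reported, not silently changed.

```sh
#!/bin/sh
# Added example, not from the thread or the OpenBSD tree. Recreates the
# first mail's two steps for an arbitrary home directory and verifies the
# outcome. Runs as any user; ownership defaults to the invoking user.

# check_one PATH TYPE OCTAL_MODE OWNER
# Prints a diagnostic and returns 1 unless PATH exists, is of TYPE (d or f),
# has exactly OCTAL_MODE and is owned by OWNER. find(1) with a bare octal
# -perm is an exact match and -user takes a login name, so this behaves the
# same with BSD and GNU find (no stat(1) format-string differences).
check_one() {
    if [ ! -e "$1" ]; then
        echo "missing: $1"
        return 1
    elif [ -z "$(find "$1" -prune -type "$2" -perm "$3" -user "$4" 2>/dev/null)" ]; then
        echo "wrong type, mode or owner (want $2 $3 $4): $1"
        return 1
    fi
}

# ssh_key_paths_ok HOME_DIR [OWNER]
# Returns 0 when HOME_DIR/.ssh is a 0700 directory and
# HOME_DIR/.ssh/authorized_keys is a 0600 regular file, both owned by OWNER.
# Every deviation is printed, so a post-install hook or cron job can log it.
ssh_key_paths_ok() {
    home=$1
    owner=${2:-$(id -un)}
    rc=0
    check_one "$home/.ssh" d 700 "$owner" || rc=1
    check_one "$home/.ssh/authorized_keys" f 600 "$owner" || rc=1
    return $rc
}

# ensure_ssh_skeleton HOME_DIR [OWNER]
# Creates the directory and an empty authorized_keys only when absent, using
# the install(1) idiom from the mail (-d for the directory, /dev/null as the
# source for an empty file), then runs the check. install(1) applies -m
# itself, so the caller's umask does not matter.
ensure_ssh_skeleton() {
    home=$1
    owner=${2:-$(id -un)}
    [ -d "$home/.ssh" ] || install -d -m 700 "$home/.ssh" || return 1
    [ -e "$home/.ssh/authorized_keys" ] ||
        install -m 600 /dev/null "$home/.ssh/authorized_keys" || return 1
    ssh_key_paths_ok "$home" "$owner"
}

# Usage: sh this.sh /root root   (as root), or sh this.sh "$HOME" on a test account.
if [ -n "${1-}" ]; then
    ensure_ssh_skeleton "$1" "${2-}"
fi
```

Running it twice is harmless: the second pass finds both paths present and only re-runs the check, which is the same property the diff wants from the installer once `mkdir` is gone.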
