Module Name:    src
Committed By:   mrg
Date:           Tue Jun 11 10:50:58 UTC 2019

Modified Files:
        src/distrib/utils/embedded/conf: evbarm.conf
Added Files:
        src/distrib/utils/embedded/files: creds_msdos creds_msdos.8

Log Message:
add a method to add user accounts or ssh keys to the embedded
(installable) images which may be run entirely headless and
have no current method to edit the installation without another
netbsd host to modify the root (FFS) partition.

creds_msdos reads the creds.txt file from the msdos boot
partition and provides 4 basic methods:

        sshkeyfile <user> <path on msdos>
        sshkey <user> <entry>
        useraddhash <user> <passwd hash>
        useradd <user> <passwd>

the first two create a user with ssh key(s), and the last two
create a user with a password.  if the last method is used
and raw passwords are given, the creds.txt file will be
shredded and deleted by rm -P.

inspired by a request from a pine64 user.  ok jmcneill@.


To generate a diff of this commit:
cvs rdiff -u -r1.32 -r1.33 src/distrib/utils/embedded/conf/evbarm.conf
cvs rdiff -u -r0 -r1.1 src/distrib/utils/embedded/files/creds_msdos \
    src/distrib/utils/embedded/files/creds_msdos.8

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/distrib/utils/embedded/conf/evbarm.conf
diff -u src/distrib/utils/embedded/conf/evbarm.conf:1.32 src/distrib/utils/embedded/conf/evbarm.conf:1.33
--- src/distrib/utils/embedded/conf/evbarm.conf:1.32	Sun Dec  2 15:43:04 2018
+++ src/distrib/utils/embedded/conf/evbarm.conf	Tue Jun 11 10:50:57 2019
@@ -1,4 +1,4 @@
-# $NetBSD: evbarm.conf,v 1.32 2018/12/02 15:43:04 jmcneill Exp $
+# $NetBSD: evbarm.conf,v 1.33 2019/06/11 10:50:57 mrg Exp $
 # evbarm shared config
 #
 image=$HOME/${board}.img
@@ -141,6 +141,8 @@ sshd=YES
 dhcpcd=YES
 ntpd=YES
 ntpd_flags="-g"
+creds_msdos=YES
+creds_msdos_partition=/boot
 EOF
 
 	if $resize; then
@@ -156,9 +158,11 @@ EOF
 	    >> "$tmp/selected_sets"
 
 	mkdir ${mnt}/etc/rc.d
-	cp ${DIR}/files/resize_disklabel ${mnt}/etc/rc.d/resize_disklabel
-	echo "./etc/rc.d/resize_disklabel type=file uname=root gname=wheel mode=0555" \
-	    >> "$tmp/selected_sets"
+	for _f in resize_disklabel creds_msdos; do
+		cp ${DIR}/files/${_f} ${mnt}/etc/rc.d/${_f}
+		echo "./etc/rc.d/${_f} type=file uname=root gname=wheel mode=0555" \
+		    >> "$tmp/selected_sets"
+	done
 
 	if [ ! -f ${release}/dev/MAKEDEV ]; then
 		echo ${PROG}: Missing ${release}/dev/MAKEDEV 1>&2

Added files:

Index: src/distrib/utils/embedded/files/creds_msdos
diff -u /dev/null src/distrib/utils/embedded/files/creds_msdos:1.1
--- /dev/null	Tue Jun 11 10:50:58 2019
+++ src/distrib/utils/embedded/files/creds_msdos	Tue Jun 11 10:50:57 2019
@@ -0,0 +1,192 @@
+#!/bin/sh
+#
+# $NetBSD: creds_msdos,v 1.1 2019/06/11 10:50:57 mrg Exp $
+#
+# Copyright (c) 2019 Matthew R. Green
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+# 3. The name of the author may not be used to endorse or promote products
+#    derived from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+# AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+#
+# If "creds_msdos_partition" is an msdos partition and has a creds.txt
+# in it, perform these commands:
+#	"sshkeyfile <user> <path on msdos>"
+#	"sshkey <user> <entry>"
+# 	"useraddhash <user> <passwd hash>"
+# 	"useradd <user> <passwd>"
+# If the "useradd" method is used, this the creds.txt file will be
+# shredded and deleted with rm -P.
+
+# PROVIDE: creds_msdos
+# REQUIRE: mountall
+
+$_rc_subr_loaded . /etc/rc.subr
+
+name="creds_msdos"
+start_cmd="creds_msdos_start"
+stop_cmd=":"
+fstab_file=/etc/fstab
+
+fail() {
+	echo "$@" 1>&2
+	exit 1
+}
+
+sshkey_setup() {
+	local user="$1"
+	local group="wheel"
+
+	# don't create existing users
+	id=$(id -u $user 2>/dev/null)
+	if [ $? -ne 0 ]; then
+		useradd -m -G "${group}" "$user" || fail "Useradd failed."
+	fi
+
+	eval sshdir=~"${user}/.ssh"
+	eval mkdir -p -m 755 "${sshdir}" || fail "mkdir ~/.ssh failed."
+	chown "${user}" "${sshdir}"
+	eval userkeys="${sshdir}/authorized_keys"
+}
+
+sshkey_finish() {
+	local user="$1"
+	local userkeys="$2"
+
+	chmod 644 "${userkeys}"
+	chown "${user}" "${userkeys}"
+}
+
+do_sshkeyfile() {
+	local user="$1"
+	local newkeys="${creds_msdos_partition}/$2"
+
+	if [ ! -f "${newkeys}" ]; then
+		return
+	fi
+
+	sshkey_setup "$user"
+
+	# check entry is not present
+	while read type keydata name; do
+		if fgrep -q "${keydata}" "${userkeys}" 2>/dev/null; then
+			continue
+		fi
+		echo "${type} ${keydata} ${name}" >> "${userkeys}"
+	done < "${newkeys}"
+
+	sshkey_finish "$user" "${userkeys}"
+}
+
+do_sshkey() {
+	local user="$1"
+	local newkey="$2"
+
+	sshkey_setup "$user"
+
+	echo "${newkey}" >> "${userkeys}"
+
+	sshkey_finish "$user" "${userkeys}"
+}
+
+do_useraddpwhash() {
+	local user="$1"
+	local pwhash="$2"
+	local group="wheel"
+
+	# don't add to existing users
+	id=$(id -u "${user}" 2>/dev/null)
+	if [ $? -eq 0 ]; then
+		return
+	fi
+
+	useradd -m -p "${pwhash}" -G "${group}" "${user}" || fail "Useradd failed."
+}
+
+do_useradd() {
+	local user="$1"
+	local password="$2"
+
+	local pwhash=$(pwhash "$password")
+	do_useraddpwhash "${user}" "${pwhash}"
+}
+
+creds_msdos_start()
+{
+	if [ -z "${creds_msdos_partition}" ]; then
+		echo "Not looking for credientials on msdos"
+		return;
+	fi
+	check_fs=
+	while read junk1 mp fstype junk2; do
+		if [ "${mp}" != "${creds_msdos_partition}" ]; then
+			continue
+		fi
+		if [ "${fstype}" != "msdos" ]; then
+			echo "Not checking for creds on ${creds_msdos_partition}: not an msdos file system"
+			return;
+		fi
+		break
+	done < "${fstab_file}"
+
+	delete_creds=no
+	creds_file="${creds_msdos_partition}/creds.txt"
+
+	if [ -f "${creds_file}" ]; then
+		while read type user arg1; do
+			case "$type" in
+			\#*|'')
+				continue
+				;;
+			sshkeyfile)
+				echo "Added user ${user} via ssh key file method."
+				do_sshkeyfile "${user}" "${arg1}"
+				;;
+			sshkey)
+				echo "Added user ${user} via ssh key string method."
+				do_sshkey "${user}" "${arg1}"
+				;;
+			useraddpwhash)
+				echo "Added user ${user} via password hash method."
+				do_useraddpwhash "${user}" "${arg1}"
+				;;
+			useradd)
+				echo "Added user ${user} via password method, shredding credentials file."
+				do_useradd "${user}" "${arg1}"
+				delete_creds=yes
+				;;
+			*)
+				echo "Do not understand '$type' creds" 1>&2
+				exit 1
+				;;
+			esac
+		done < "${creds_file}"
+	fi
+
+	if [ $delete_creds = yes ]; then
+		rm -P -f "${creds_file}"
+	fi
+}
+
+load_rc_config $name
+run_rc_command "$1"
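Review bot: The `*)` arm of the case in creds_msdos_start calls `exit 1`, and `fail` (reached from do_useraddpwhash and sshkey_setup) also exits, so an unrecognised keyword or a failed useradd later in creds.txt aborts before the `rm -P -f "${creds_file}"` at the end of the function, leaving a file whose raw `useradd` password was already consumed unshredded on the boot partition. Using `break` in the `*)` arm and recording a status, e.g. `echo "Do not understand '$type' creds" 1>&2; status=1; break`, with the function returning `$status` after the shred, and having `fail` return rather than exit when called from inside the loop, would let the shred still run on those paths. Separately, `local pwhash=$(pwhash "$password")` in do_useradd masks pwhash's exit status, so a failed or missing pwhash hands an empty hash to `useradd -p`; splitting the declaration, `local pwhash; pwhash=$(pwhash "$password") || fail "pwhash failed."`, and rejecting an empty result avoids that. Whether useradd accepts an empty -p value on this platform cannot be confirmed from the hunk, so the check is worth having either way.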
Index: src/distrib/utils/embedded/files/creds_msdos.8
diff -u /dev/null src/distrib/utils/embedded/files/creds_msdos.8:1.1
--- /dev/null	Tue Jun 11 10:50:58 2019
+++ src/distrib/utils/embedded/files/creds_msdos.8	Tue Jun 11 10:50:57 2019
@@ -0,0 +1,117 @@
+.\"	$NetBSD: creds_msdos.8,v 1.1 2019/06/11 10:50:57 mrg Exp $
+.\"
+.\" Copyright (c) 2019 Matthew R. Green
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote products
+.\"    derived from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+.\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+.\" AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+.\" OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.Dd June 10, 2019
+.Dt CREDS_MSDOS 8
+.Os
+.Sh NAME
+.Nm creds_msdos
+.Nd automatically add login credentials from MSDOS partition
+.Sh SYNOPSIS
+.Nm
+.Ar start
+.Sh DESCRIPTION
+The
+.Nm
+rc.d script allows automatic addition of login credential during boot
+using a special file found on the MSDOS partition of a bootable image.
+This script is not distributed with the normal system and is only
+be included with pre-installed bootable images.
+The goal is to allow remote access of the system without having to
+edit the primary root file system (which may not be accessible from
+the host the image is being written from), but place this information
+in the MSDOS partition that most platforms can easily access.
+.Pp
+Typically, an installable image (such as
+.Pa arm64.img )
+is written to an SD card or similar media, and has both a native FFS
+partition as well as an MSDOS partition for booting.
+If this script is enabled and has been pointed the boot partition
+it will inspect the file
+.Pa creds.txt
+for any credentials to be added to the system.
+.Pp
+These are the supported option in the credentials files:
+.Bl -tag -compact -width "sshkeyfilepl"
+.Pp
+.It Sy sshkeyfile
+<user> <keyfile>
+.It Sy sshkey
+<user> <keystring>
+.It Sy useraddpwhash
+<user> <pwhash>
+.It Sy useradd
+<user> <password>
+.El
+.Pp
+In all cases <user> is the username added, and the user will be
+added to the
+.Dq wheel
+group.
+.Pp
+The sshkeyfile method looks in the MSDOS boot partition for
+the specified file and merges ssh keys from this file into
+<user>'s
+.Pa ~/.ssh/authorized_keys
+file.
+.Pp
+The sshkey method adds the <keystring> to the
+<user>'s
+.Pa ~/.ssh/authorized_keys
+file.
+.Pp
+The useraddpwhash method uses <pwhash> as the users's password hash.
+.Pp
+The above three methods are the preferred methods.
+.Pp
+For the useradd method <password> is an unencrypted raw password
+that will be hashed and added to the system.
+This method is not recommended as it leaves unencrypted passwords
+around until such time that the script runs.
+If this method is used then the
+.Pa creds.txt
+file will be shredded and deleted using
+.Dq rm -P
+after the credentials are updated.
+.Sh FILES
+.Pa /boot/creds.txt
+.Sh SEE ALSO
+.Xr pwhash 1 ,
+.Xr rm 1 ,
+.Xr ssh 1 ,
+.Xr ssh_config 5 ,
+.Xr mount_msdos 8 ,
+.Xr sshd 8 ,
+.Xr useradd 8
+.Sh HISTORY
+The
+.Nm
+script appeared in
+.Nx 9.0 .
+.Sh AUTHORS
+.An Matthew R. Green Aq Mt m...@eterna.com.au .
