-
Notifications
You must be signed in to change notification settings - Fork 2
/
dropbear-monkeysphere
executable file
·81 lines (68 loc) · 2.5 KB
/
dropbear-monkeysphere
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
#!/bin/bash
# Tool to install and configure dropbear-initramfs with a set of ssh
# keys manageable through monkeysphere
if [[ -d /etc/apt ]]; then
APT=true
SUDO=sudo
#elif [[ -d /etc/yum ]]; then
# YUM=true
# SUDO=wheel
else
echo "Distribution not supported!"
exit -1
fi
# Use nonstandard ssh port; prevents warnings about changed server key
PORT=2222
if [ -z "$(find /var/cache/apt/pkgcache.bin -mmin -60)" ]; then
apt-get update
fi
apt-get install dropbear-initramfs
# Create a dummy user so that monkeysphere can manage its keys
if ! getent passwd dropbear-initramfs; then
adduser --system --disabled-password --disabled-login \
--shell /bin/false --home /var/run/dropbear-initramfs \
dropbear-initramfs
fi
ln -sf /var/lib/monkeysphere/authorized_keys/dropbear-initramfs /etc/dropbear-initramfs/authorized_keys
echo "Adding the IDs of all users in group ${SUDO} to dropbear-initramfs user"
if [[ -f /etc/monkeysphere/authorized_user_ids/root ]]; then
# Add root first, use this to trash stale config
cat /etc/monkeysphere/authorized_user_ids/root > /etc/monkeysphere/authorized_user_ids/dropbear-initramfs
else
echo > /etc/monkeysphere/authorized_user_ids/dropbear-initramfs
fi
chown dropbear-initramfs:root /etc/monkeysphere/authorized_user_ids/dropbear-initramfs
IFS=, read -ra users <<< "$(getent group ${SUDO} | awk -F: '{print $4}')"
for user in "${users[@]}"; do
if [[ -e /etc/monkeysphere/authorized_user_ids/$user ]]; then
cat /etc/monkeysphere/authorized_user_ids/$user >> /etc/monkeysphere/authorized_user_ids/dropbear-initramfs
fi
done
cat <<EOF >/etc/dropbear-initramfs/config
#
# Configuration options for the dropbear-initramfs boot scripts.
#
# Command line options to pass to dropbear(8)
#
DROPBEAR_OPTIONS="-p ${PORT}"
#
# On local (non-NFS) mounts, interfaces matching this pattern are
# brought down before exiting the ramdisk to avoid dirty network
# configuration in the normal kernel.
# The special value 'none' keeps all interfaces up and preserves routing
# tables and addresses.
#
#IFDOWN=*
EOF
# Now update user keys and rebuild initramfs
monkeysphere-authentication u
update-initramfs -u -k all
# Populate monkeysphere-host database with dropbear's RSA key
serverlist="$(hostname --fqdn -A | sed 's/ /\n/g' | sort -u)"
if [[ $serverlist ]]; then
for server in $serverlist; do
monkeysphere-host import-key /etc/dropbear-initramfs/dropbear_rsa_host_key ssh://${server}:${PORT}
done
else
echo "WARNING: no valid FQDNs found. Not populating monkeysphere-host DB"
fi