diff --git a/imagebuild/tinyipa/README.rst b/imagebuild/tinyipa/README.rst
index e7d9e28f1..aa2165213 100644
--- a/imagebuild/tinyipa/README.rst
+++ b/imagebuild/tinyipa/README.rst
@@ -77,3 +77,14 @@ instead of loading some things at runtime (this results in a slightly bigger ramdisk), before running make or build-tinyipa.sh run::
    export BUILD_AND_INSTALL_TINYIPA=true
+
+If you want to enable SSH access to the image, set ``ENABLE_SSH`` variable in
+your shell before building the tinyipa::
+
+   export ENABLE_SSH=true
+
+By default it will use public RSA or DSA keys of the user running the build.
+To provide other public SSH key, export path to it in your shell before
+building tinyipa as follows::
+
+   export SSH_PUBLIC_KEY=
diff --git a/imagebuild/tinyipa/build_files/bootlocal.sh b/imagebuild/tinyipa/build_files/bootlocal.sh
index f93a538bd..244cc4f9c 100755
--- a/imagebuild/tinyipa/build_files/bootlocal.sh
+++ b/imagebuild/tinyipa/build_files/bootlocal.sh
@@ -9,6 +9,12 @@ date
 export HOME=/root
+# Start SSHd
+if [ -f /usr/local/etc/init.d/openssh ]; then
+    echo "Starting OpenSSH server:"
+    /usr/local/etc/init.d/openssh start
+fi
+
 # Maybe save some RAM?
 #rm -rf /tmp/builtin
diff --git a/imagebuild/tinyipa/finalise-tinyipa.sh b/imagebuild/tinyipa/finalise-tinyipa.sh
index c24306a65..023130be3 100755
--- a/imagebuild/tinyipa/finalise-tinyipa.sh
+++ b/imagebuild/tinyipa/finalise-tinyipa.sh
@@ -6,6 +6,8 @@ BUILDDIR="$WORKDIR/tinyipabuild"
 FINALDIR="$WORKDIR/tinyipafinal"
 BUILD_AND_INSTALL_TINYIPA=${BUILD_AND_INSTALL_TINYIPA:-true}
 TINYCORE_MIRROR_URL=${TINYCORE_MIRROR_URL:-"http://repo.tinycorelinux.net/"}
+ENABLE_SSH=${ENABLE_SSH:-false}
+SSH_PUBLIC_KEY=${SSH_PUBLIC_KEY:-}
 TC=1001
 STAFF=50
@@ -16,6 +18,27 @@ TC_CHROOT_CMD="sudo chroot --userspec=$TC:$STAFF $FINALDIR /usr/bin/env -i PATH=
 echo "Finalising tinyipa:"
+if $ENABLE_SSH ; then
+    echo "Validating location of public SSH key"
+    if [ -n "$SSH_PUBLIC_KEY" ]; then
+        if [ -f "$SSH_PUBLIC_KEY" ]; then
+            _found_ssh_key="$SSH_PUBLIC_KEY"
+        fi
+    else
+        for fmt in rsa dsa; do
+            if [ -f "$HOME/.ssh/id_$fmt.pub" ]; then
+                _found_ssh_key="$HOME/.ssh/id_$fmt.pub"
+                break
+            fi
+        done
+    fi
+
+    if [ -z $_found_ssh_key ]; then
+        echo "Failed to find neither provided nor default SSH key"
+        exit 1
+    fi
+fi
+
 sudo -v
 if [ -d "$FINALDIR" ]; then
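Review bot: `if $ENABLE_SSH ; then` executes the variable's value as a command instead of testing it, so any value other than the literal `true`/`false` runs whatever program has that name (`ENABLE_SSH=yes` would run `yes`, which never terminates) and the build's behaviour then depends on what is on PATH; the same construct is used again in the later hunk of this file that installs openssh. Compare the string instead, `if [ "$ENABLE_SSH" = true ]; then`, at both sites. In the same hunk `[ -z $_found_ssh_key ]` is unquoted, so a key path containing whitespace breaks the test, and `_found_ssh_key` is never initialised, so a value inherited from the caller's environment would silently pass validation; add `_found_ssh_key=` before the branch and test `if [ -z "$_found_ssh_key" ]; then`. The README allows DSA user keys here, but ssh-dss public keys are rejected by default by current OpenSSH servers, so a build that picks up `id_dsa.pub` may produce an image that accepts no login; worth a comment or a warning on that branch.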
@@ -68,6 +91,30 @@ while read line; do
     $TC_CHROOT_CMD tce-load -wic $line
 done < $WORKDIR/build_files/finalreqs.lst
+if $ENABLE_SSH ; then
+    # Install and configure bare minimum for SSH access
+    $TC_CHROOT_CMD tce-load -wic openssh
+    # Configure OpenSSH
+    $CHROOT_CMD cp /usr/local/etc/ssh/sshd_config.orig /usr/local/etc/ssh/sshd_config
+    echo "PasswordAuthentication no" | $CHROOT_CMD tee -a /usr/local/etc/ssh/sshd_config
+    # Generate and configure host keys - RSA, DSA, Ed25519
+    # NOTE(pas-ha) ECDSA host key will still be re-generated fresh on every image boot
+    $CHROOT_CMD ssh-keygen -t rsa -N "" -f /usr/local/etc/ssh/ssh_host_rsa_key
+    $CHROOT_CMD ssh-keygen -t dsa -N "" -f /usr/local/etc/ssh/ssh_host_dsa_key
+    $CHROOT_CMD ssh-keygen -t ed25519 -N "" -f /usr/local/etc/ssh/ssh_host_ed25519_key
+    echo "HostKey /usr/local/etc/ssh/ssh_host_rsa_key" | $CHROOT_CMD tee -a /usr/local/etc/ssh/sshd_config
+    echo "HostKey /usr/local/etc/ssh/ssh_host_dsa_key" | $CHROOT_CMD tee -a /usr/local/etc/ssh/sshd_config
+    echo "HostKey /usr/local/etc/ssh/ssh_host_ed25519_key" | $CHROOT_CMD tee -a /usr/local/etc/ssh/sshd_config
+
+    # setup user and SSH keys
+    $CHROOT_CMD mkdir -p /home/tc
+    $CHROOT_CMD chown -R tc.staff /home/tc
+    $TC_CHROOT_CMD mkdir -p /home/tc/.ssh
+    cat $_found_ssh_key | $TC_CHROOT_CMD tee /home/tc/.ssh/authorized_keys
+    $CHROOT_CMD chown tc.staff /home/tc/.ssh/authorized_keys
+    $TC_CHROOT_CMD chmod 600 /home/tc/.ssh/authorized_keys
+fi
+
 $TC_CHROOT_CMD tce-load -ic /tmp/builtin/optional/tgt.tcz
 $TC_CHROOT_CMD tce-load -ic /tmp/builtin/optional/qemu-utils.tcz
diff --git a/releasenotes/notes/tinyipa-ssh-e8a3a01a3f3ff5f4.yaml b/releasenotes/notes/tinyipa-ssh-e8a3a01a3f3ff5f4.yaml
new file mode 100644
index 000000000..74725464b
--- /dev/null
+++ b/releasenotes/notes/tinyipa-ssh-e8a3a01a3f3ff5f4.yaml
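Review bot: The three `ssh-keygen` calls bake the RSA, DSA and Ed25519 host private keys into the image, so every ramdisk booted from this build presents identical host keys and the existing NOTE only covers the ECDSA key being regenerated at boot. That may be an acceptable trade-off for an ephemeral deploy ramdisk, but it should be stated next to the NOTE, e.g. `# NOTE: these host keys are shared by every node booted from this image and give no per-host identity`, so operators do not pin them. Depending on the OpenSSH version in the openssh tcz, ssh-dss host keys may be disabled by default, in which case the `ssh_host_dsa_key` HostKey line is dead configuration that only logs a warning. `cat $_found_ssh_key | $TC_CHROOT_CMD tee ...` also leaves the key path unquoted; `$TC_CHROOT_CMD tee /home/tc/.ssh/authorized_keys < "$_found_ssh_key"` drops the extra process and survives whitespace in the path.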
@@ -0,0 +1,6 @@
+---
+other:
+  - When building the TinyIPA ramdisk, it is now possible to enable SSH
+    access to it.
+    Use ``ENABLE_SSH`` and ``SSH_PUBLIC_KEY`` environment variables
+    for that (see TinyIPA's README for more details).