From 9fc64c47806fb1c643f7c90e848a17da45eaeca2 Mon Sep 17 00:00:00 2001 From: Natanael Copa Date: Wed, 17 Nov 2021 13:45:43 +0100 Subject: main/alpine-conf: backport SSH_KEY support for setup-sshd This allows user to do things like: export SSH_KEY=https://github.com/ncopa.keys --- ...etup-sshd-Ask-for-authorized-key-for-root.patch | 66 ++++++++++++++++++++++ ...p-sshd-use-SSH_KEY-instead-of-prompt-user.patch | 53 +++++++++++++++++ main/alpine-conf/APKBUILD | 6 +- 3 files changed, 124 insertions(+), 1 deletion(-) create mode 100644 main/alpine-conf/0001-setup-sshd-Ask-for-authorized-key-for-root.patch create mode 100644 main/alpine-conf/0002-setup-sshd-use-SSH_KEY-instead-of-prompt-user.patch
diff --git a/main/alpine-conf/0001-setup-sshd-Ask-for-authorized-key-for-root.patch b/main/alpine-conf/0001-setup-sshd-Ask-for-authorized-key-for-root.patch
new file mode 100644
index 00000000000..1551e69e372
--- /dev/null
+++ b/main/alpine-conf/0001-setup-sshd-Ask-for-authorized-key-for-root.patch
@@ -0,0 +1,66 @@
+From 4c6ddb022367965dc7475e8bee762734c3262107 Mon Sep 17 00:00:00 2001
+From: Lukas Bestle
+Date: Sat, 10 Jul 2021 21:36:26 +0200
+Subject: [PATCH 1/2] setup-sshd: Ask for authorized key for root
+
+Fixes #10459.
+---
+ setup-sshd.in | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/setup-sshd.in b/setup-sshd.in
+index 67cb8a0..caf8f1c 100644
+--- a/setup-sshd.in
++++ b/setup-sshd.in
+@@ -6,21 +6,23 @@ PREFIX=
+
+ usage() {
+ cat <<-__EOF__
+- usage: setup-sshd [-h] [-c choice of SSH daemon]
++ usage: setup-sshd [-h] [-c choice of SSH daemon] [-k authorized key]
+
+ Setup sshd daemon
+
+ options:
+ -h Show this help
+ -c Choice of SSH daemon: openssh dropbear none
++ -k Authorized key for root (HTTP(S)/FTP URL, the public key itself or 'none')
+ __EOF__
+ exit 1
+ }
+
+-while getopts "hc:" opt; do
++while getopts "hc:k:" opt; do
+ case $opt in
+ h) usage;;
+ c) sshdchoice="$OPTARG";;
++ k) authorized_key="$OPTARG";;
+ esac
+ done
+
+@@ -50,3 +52,22 @@ if [ -n "$svc" ]; then
+ rc-update add $svc default
+ rc-service $svc start
+ fi
++
++if [ -z "$authorized_key" ]; then
++ ask "Authorized SSH public key for root? (HTTP(S)/FTP URL or the public key itself)" none
++ authorized_key="$resp"
++fi
++
++if [ -n "$authorized_key" -a "$authorized_key" != "none" ]; then
++ # if the argument is an HTTP(S)/FTP URL, try to fetch the file contents
++ if [ -z "$(echo "$authorized_key" | sed -E 's~^(https?|ftp)://.+$~~')" ]; then
++ key_url="$authorized_key"
++ authorized_key="$(wget -qO- "$key_url")" || die "Could not fetch key from '$key_url'"
++
++ echo "Received authorized SSH key from '$key_url':"
++ echo "$authorized_key"
++ fi
++
++ mkdir -p ${ROOT}/root/.ssh
++ echo "$authorized_key" >> ${ROOT}/root/.ssh/authorized_keys
++fi
+--
+2.34.0
+
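Review bot: The block added at the end of setup-sshd appends whatever `wget -qO- "$key_url"` returns to root's authorized_keys, and the URL test `^(https?|ftp)://` admits plain HTTP and FTP, where nothing authenticates the response; the second patch in this commit keeps the same fetch. Since this file decides who can log in as root, I would fetch only over `https://`, or at least state in the `-k` help text that http/ftp sources are unauthenticated, and refuse an empty response before appending. Separately, `mkdir -p ${ROOT}/root/.ssh` leaves the directory mode to the umask and `${ROOT}` unquoted; `mkdir -p "$ROOT"/root/.ssh && chmod 700 "$ROOT"/root/.ssh` would make both explicit.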
diff --git a/main/alpine-conf/0002-setup-sshd-use-SSH_KEY-instead-of-prompt-user.patch b/main/alpine-conf/0002-setup-sshd-use-SSH_KEY-instead-of-prompt-user.patch
new file mode 100644
index 00000000000..2db026b8699
--- /dev/null
+++ b/main/alpine-conf/0002-setup-sshd-use-SSH_KEY-instead-of-prompt-user.patch
@@ -0,0 +1,53 @@
+From ee3be974167b62f91c2e4b9f64f05fa91ebcba15 Mon Sep 17 00:00:00 2001
+From: Natanael Copa
+Date: Wed, 17 Nov 2021 12:45:44 +0100
+Subject: [PATCH 2/2] setup-sshd: use SSH_KEY instead of prompt user
+
+Do not ask user for ssh key, but support the use of SSH_KEY env var.
+---
+ setup-sshd.in | 20 +++++++-------------
+ 1 file changed, 7 insertions(+), 13 deletions(-)
+
+diff --git a/setup-sshd.in b/setup-sshd.in
+index caf8f1c..271ad79 100644
+--- a/setup-sshd.in
++++ b/setup-sshd.in
+@@ -18,6 +18,7 @@ usage() {
+ exit 1
+ }
+
++authorized_key="$SSH_KEY"
+ while getopts "hc:k:" opt; do
+ case $opt in
+ h) usage;;
+@@ -53,21 +54,14 @@ if [ -n "$svc" ]; then
+ rc-service $svc start
+ fi
+
+-if [ -z "$authorized_key" ]; then
+- ask "Authorized SSH public key for root? (HTTP(S)/FTP URL or the public key itself)" none
+- authorized_key="$resp"
+-fi
+-
+ if [ -n "$authorized_key" -a "$authorized_key" != "none" ]; then
+ # if the argument is an HTTP(S)/FTP URL, try to fetch the file contents
+- if [ -z "$(echo "$authorized_key" | sed -E 's~^(https?|ftp)://.+$~~')" ]; then
+- key_url="$authorized_key"
+- authorized_key="$(wget -qO- "$key_url")" || die "Could not fetch key from '$key_url'"
+-
+- echo "Received authorized SSH key from '$key_url':"
+- echo "$authorized_key"
+- fi
+-
++ case "$authorized_key" in
++ http*://*|ftp://)
++ key_url="$authorized_key"
++ authorized_key="$(wget -qO- "$key_url")" || die "Could not fetch key from '$key_url'"
++ ;;
++ esac
+ mkdir -p ${ROOT}/root/.ssh
+ echo "$authorized_key" >> ${ROOT}/root/.ssh/authorized_keys
+ fi
+--
+2.34.0
+
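Review bot: In the new `case`, the pattern `http*://*|ftp://)` has no trailing `*` on the FTP alternative, so it matches only the literal string `ftp://`. An FTP URL given through `-k` or `SSH_KEY` is therefore not fetched but appended verbatim to authorized_keys, while the `-k` help text from the first patch, which this hunk leaves unchanged, still advertises FTP. `http*` is also looser than the `https?` it replaces; `http://*|https://*|ftp://*)` would restore the earlier behaviour. The hunk also drops the two `echo` lines that printed the fetched key, so the operator no longer sees which key was granted root login; keeping a one-line message that names `$key_url` would preserve that check.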
diff --git a/main/alpine-conf/APKBUILD b/main/alpine-conf/APKBUILD
index 435aa2bf9dd..4eeefbcd312 100644
--- a/main/alpine-conf/APKBUILD
+++ b/main/alpine-conf/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa
 pkgname=alpine-conf
 pkgver=3.13.0_rc2
-pkgrel=1
+pkgrel=2
 pkgdesc="Alpine configuration management scripts"
 url="https://git.alpinelinux.org/alpine-conf/about"
 arch="all"
@@ -9,6 +9,8 @@ license="MIT"
 depends="openrc>=0.24.1-r6 busybox>=1.26.1-r3"
 source="https://gitlab.alpinelinux.org/alpine/alpine-conf/-/archive/$pkgver/alpine-conf-$pkgver.tar.gz
 0001-setup-disk-enable-password-verification-in-luksForma.patch
+ 0001-setup-sshd-Ask-for-authorized-key-for-root.patch
+ 0002-setup-sshd-use-SSH_KEY-instead-of-prompt-user.patch
 "
 builddir="$srcdir"/$pkgname-$pkgver
 
@@ -28,4 +30,6 @@ package() {
 sha512sums="
 467078896f8452afb83e61b3838887f5f2e5a6725108ee4fc1ae7463ae7f452c1a2eef1071f47a6ecbfd1b773d8acf548fe1faf5927dbef294fbcfa1a3c251d7 alpine-conf-3.13.0_rc2.tar.gz
 6a7a1528ee1e8868f3f4fe3aaac01569fd8cf47a10fcd2065bce2159e8945cd7627d0af31c99afff5efd9c9b433c09f3a212372dde204c6e6fd098694dfc8113 0001-setup-disk-enable-password-verification-in-luksForma.patch
+e3e358a988ee3b97874b46acc37d24d519b4165e97a8fdcd14e1b47ebe6b5b7057918f30ce503d5c8387ec0c75e596b6974cf4b5d9e151bbbbe2b0c5e22dfd9e 0001-setup-sshd-Ask-for-authorized-key-for-root.patch
+bec6ed65f325ee3abc3635454bd5dcfe2ec53745dfcbf61ef7fa38f432c2d1d4bd1dde8cd85c3290cf175952dd144bdc26bb6229d4a784b82c941dd168014d0a 0002-setup-sshd-use-SSH_KEY-instead-of-prompt-user.patch
 "
--
cgit v1.2.3