hotplug.d script to unload ssh key/cert to usb device, and/or initialize password from usb
abnoeh
abnoeh at mail.com
Mon Oct 12 04:19:51 EDT 2020
This was originally part of the "Re: A proposal of https certificate assignment
system for luci" thread, but it derailed too much from there.
> Nice idea to be able to auto-load the config including key material.
> Might be very useful for larger installs.
>
> Nice idea to save SSH server keys as well. That will avoid warnings
> when connecting to the new box (at the same IP) for the first time.
> Obviously, one needs to be careful with plain text private keys and
> certs.
>
> Cheers,
>
> Bas.
I made a hotplug script to load and unload SSH keys/certs to a USB device.
If the router has the right kernel modules included to mount the USB partition, it will
look for a whoareyou file and, if it exists, it will export its SSH host key
and uhttpd cert; and if the root password is empty, it will try to load
authorized_keys and shadow files from the root directory of the USB.
Warning: this doesn't verify that it's a valid /etc/shadow file, so if you
throw the wrong file at it, it may softlock you out of the router and need a reflash,
but if you have an empty root password you haven't lost much config anyway.
Maybe this can be a real package :P
----script from here----
#/etc/hotplug.d/block/50-keyexchange
# sourced by hotplug-call for block uevents; ACTION, DEVTYPE and DEVNAME
# (e.g. sda1, without /dev/) come from the kernel uevent
if [ "$ACTION" = "add" -a "$DEVTYPE" = "partition" ]; then
    sleep 3
    # is this partition already mounted (e.g. by block-mount)?
    # anchor the match so sda1 does not also match sda10
    mountloc=$(grep "^/dev/$DEVNAME " /proc/mounts | cut -d' ' -f 2)
    # temporary mount for partitions not mounted otherwise
    if [ -z "$mountloc" ]; then
        mkdir -p /tmp/tmppart
        if mount "/dev/$DEVNAME" /tmp/tmppart; then
            mountloc=/tmp/tmppart
        else
            logger -t usbkeyload "could not mount /dev/$DEVNAME, skipping"
            rmdir /tmp/tmppart
        fi
    fi
    flagfile="$mountloc/whoareyou"
    echo "$flagfile" >> /tmp/debug.log   # debug only
    # only act on a mounted partition, otherwise flagfile would be /whoareyou on the rootfs
    if [ -n "$mountloc" ] && [ -e "$flagfile" ]; then
        logger -t usbkeyload "public key request found in $flagfile, export dropbear and uhttpd keys to it"
        # note: these are the private host keys and the cert, written in plain text
        cp /etc/dropbear/*_host_key "$mountloc"
        cp /etc/uhttpd.crt "$mountloc"
        # if the root password is still the empty default, load keys from usb too
        if grep -q "^root::0:0:99999:7:::" /etc/shadow; then
            logger -t usbkeyload "root password is empty, loading passwords and ssh key from usb"
            if [ -f "$mountloc/authorized_keys" ]; then
                cp "$mountloc/authorized_keys" /etc/dropbear/authorized_keys
                chmod 600 /etc/dropbear/authorized_keys
            fi
            # would this be better (with the danger of softlocking the router)
            # or use a plaintext password with passwd?
            # busybox cp has no -b, so keep an explicit backup of the old shadow
            if [ -f "$mountloc/shadow" ]; then
                cp /etc/shadow /etc/shadow.bak
                cp "$mountloc/shadow" /etc/shadow
                chmod 600 /etc/shadow
            fi
        fi
    fi
    # if we mounted it to the tmp location ourselves, unmount and clean it
    if [ "$mountloc" = /tmp/tmppart ]; then
        umount /tmp/tmppart
        rmdir /tmp/tmppart
    fi
fi
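The softlock the post warns about comes from copying an arbitrary file over /etc/shadow. The following added example, which is not part of the original post or of OpenWrt, shows the check a practitioner would want in front of that copy: it validates the candidate shadow file (9 fields per line, exactly one root entry, a crypt(3)-style or empty root hash) and the authorized_keys file (at least one OpenSSH-format public key line, nothing else but comments) before installing either, and keeps a backup of the old shadow. It needs only POSIX sh, grep, awk and cp, so BusyBox is enough. The function names, the ETC parameter and the sample files are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or OpenWrt): sanity-check the
# shadow and authorized_keys files from a USB stick before installing them,
# so a wrong file cannot lock root out of the router.

# shadow_ok FILE: 0 if FILE looks like a usable /etc/shadow, 1 otherwise.
# Every non-blank line must have the 9 colon-separated shadow fields, exactly
# one line must be for root, and the root hash must be empty or a crypt(3)
# "$id$..." hash (md5crypt, sha256crypt, sha512crypt). A locked root
# ("!" or "*") is rejected: installing it would leave no password login.
shadow_ok() {
    file="$1"
    [ -f "$file" ] || return 1
    awk -F: 'BEGIN { bad = 0 } NF == 0 { next } NF != 9 { bad = 1 } END { exit bad }' "$file" || return 1
    [ "$(grep -c '^root:' "$file")" -eq 1 ] || return 1
    hash=$(awk -F: '$1 == "root" { print $2 }' "$file")
    case "$hash" in
        ''|'$1$'*|'$5$'*|'$6$'*) return 0 ;;
        *) return 1 ;;
    esac
}

# keys_ok FILE: 0 if FILE holds at least one OpenSSH-format public key line
# and every other line is blank or a comment, 1 otherwise.
keys_ok() {
    file="$1"
    [ -f "$file" ] || return 1
    key='^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
    grep -Eq "$key" "$file" || return 1
    # fail if any line matches none of: blank, comment, key
    ! grep -Eqv -e '^$' -e '^#' -e "$key" "$file"
}

# install_from_usb MOUNT [ETC]: the copy step of the hotplug script, but only
# after both files pass the checks; backs up the old shadow first.
# ETC defaults to /etc and is a parameter only so this can be run against a
# scratch directory.
install_from_usb() {
    src="$1"
    etc="${2:-/etc}"
    shadow_ok "$src/shadow" || { echo "refusing: $src/shadow does not look like a shadow file" >&2; return 1; }
    keys_ok "$src/authorized_keys" || { echo "refusing: $src/authorized_keys holds no valid key" >&2; return 1; }
    mkdir -p "$etc/dropbear" || return 1
    if [ -f "$etc/shadow" ]; then
        cp "$etc/shadow" "$etc/shadow.bak" || return 1
    fi
    cp "$src/shadow" "$etc/shadow" || return 1
    chmod 600 "$etc/shadow" || return 1
    cp "$src/authorized_keys" "$etc/dropbear/authorized_keys" || return 1
    chmod 600 "$etc/dropbear/authorized_keys"
}
```

In the hotplug script above this would replace the two bare cp lines with `install_from_usb "$mountloc"`, so a stray file on the stick is logged and ignored instead of installed.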