hotplug.d script to unload ssh key/cert to usb device, and/or initialize password from usb

abnoeh abnoeh at mail.com
Mon Oct 12 04:19:51 EDT 2020


It was originally part of the "Re: A proposal of https certificate assignment 
system for luci" thread but derailed too much from there.
> Nice idea to be able to auto-load the config including key material. 
> Might be very useful for larger installs.
>
> Nice idea to save SSH server keys as well. That will avoid warnings 
> when connecting to the new box (at the same IP) for the first time.
> Obviously, one needs to be careful with plain text private keys and 
> certs.
>
> Cheers,
>
> Bas.

I made a hotplug script to load and unload the ssh key/cert to a USB device 
(if the right kernel module is included to mount the USB partition, it will 
look for a whoareyou file and, if it exists, export the ssh host key 
and uhttpd cert; and if the root password is empty, it will try to load 
authorized_keys and a shadow file from the root directory of the USB).

Warning: this doesn't verify whether it's a valid /etc/shadow file, so if you 
throw the wrong file at it, it may softlock you out of the router and need a reflash, 
but if you have an empty root password you haven't lost much config anyway.

Maybe this can be a real package :P

----script from here----

#/etc/hotplug.d/block/50-keyexchange
#sourced by hotplug-call; DEVNAME is the bare node name, e.g. "sda1"

if [ "$ACTION" = "add" ] && [ "$DEVTYPE" = "partition" ]; then
        sleep 3
        #is this partition mounted? (anchored so sda1 does not match sda10)
        mountloc=$(grep "^/dev/$DEVNAME " /proc/mounts | cut -d' ' -f 2)
        tmpmounted=0
        #tmpmount for thing not mounted otherwise
        if [ -z "$mountloc" ]; then
                mkdir -p /tmp/tmppart
                if mount "/dev/$DEVNAME" /tmp/tmppart; then
                        mountloc="/tmp/tmppart"
                        tmpmounted=1
                else
                        logger -t usbkeyload "could not mount /dev/$DEVNAME, giving up"
                        rmdir /tmp/tmppart
                fi
        fi
        if [ -n "$mountloc" ]; then
                flagfile="$mountloc/whoareyou"
                if [ -e "$flagfile" ]; then
                        logger -t usbkeyload "public key request found in $flagfile, export dropbear and uhttpd keys to it"
                        #note: *_host_key are the PRIVATE host keys, they land on the stick in plain text
                        cp /etc/dropbear/*_host_key "$mountloc"
                        cp /etc/uhttpd.crt "$mountloc"
                        #if root password shadow is empty default, load keys from usb too
                        if grep -q "^root::0:0:99999:7:::" /etc/shadow; then
                                logger -t usbkeyload "root password is empty, loading passwords and ssh key from usb"
                                #busybox cp has no -b, so keep explicit .bak copies instead
                                if [ -f "$mountloc/authorized_keys" ]; then
                                        [ -f /etc/dropbear/authorized_keys ] && cp /etc/dropbear/authorized_keys /etc/dropbear/authorized_keys.bak
                                        cp "$mountloc/authorized_keys" /etc/dropbear/authorized_keys
                                        chmod 600 /etc/dropbear/authorized_keys
                                fi
                                #would this be better (and with danger of softlocking the router) or use a plaintext password with passwd?
                                if [ -f "$mountloc/shadow" ]; then
                                        cp /etc/shadow /etc/shadow.bak
                                        cp "$mountloc/shadow" /etc/shadow
                                        chmod 600 /etc/shadow
                                fi
                        fi
                fi
                #if we used to mount thing to tmp location, unmount and clean it
                if [ "$tmpmounted" = 1 ]; then
                        sync
                        umount /tmp/tmppart
                        rmdir /tmp/tmppart
                fi
        fi
fi
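
The softlock the post warns about comes from copying an unchecked file over /etc/shadow. The functions below are an added example (not from the post, and not OpenWrt code) showing the checks the script could run first: a candidate shadow file must have 9 fields per line, exactly one root entry, and a root hash that is either a crypt(3) string or a locked marker, so an empty or plaintext field is refused; a candidate authorized_keys must only carry lines with a key type dropbear knows. The ".bak" name, the validation rules and the helper names are this example's own choices. It targets busybox ash and uses only awk, grep, cp and chmod.

```sh
#!/bin/sh
# Added example (not from the original post or from OpenWrt): sanity-check
# the shadow and authorized_keys files found on the USB stick before
# installing them, so a wrong file cannot "softlock" the router.
# The validation rules and the ".bak" backup name are this example's
# own choices, not anything the post specifies.

# True when the root entry of shadow file $1 has an empty password field
# (the OpenWrt factory default line is "root::0:0:99999:7:::").
root_password_is_empty() {
        grep -q '^root::' "$1"
}

# Return 0 if $1 looks like a shadow file that will still let root in.
validate_shadow() {
        f="$1"
        [ -f "$f" ] || return 1
        # 1. every line has exactly 9 colon-separated fields (8 colons)
        awk -F: 'BEGIN { bad = 0 } NF != 9 { bad = 1 } END { exit bad }' "$f" \
                || return 1
        # 2. exactly one root entry
        [ "$(grep -c '^root:' "$f")" = 1 ] || return 1
        # 3. root's hash is a crypt(3) string ($id$salt$hash) or a locked
        #    marker ("!", "*"); an empty field would leave root open and a
        #    plaintext password would never match at login
        root_hash=$(awk -F: '$1 == "root" { print $2 }' "$f")
        case "$root_hash" in
                '')          return 1 ;;
                '!'* | '*'*) return 0 ;;
                '$'?*'$'?*)  return 0 ;;
                *)           return 1 ;;
        esac
}

# Return 0 if every non-blank, non-comment line of $1 carries a key type
# dropbear understands (options before the key type are allowed) and the
# file holds at least one key.
validate_authorized_keys() {
        f="$1"
        [ -f "$f" ] || return 1
        keytypes='ssh-(rsa|ed25519|dss) |ecdsa-sha2-nistp(256|384|521) '
        grep -vE '^[[:space:]]*(#|$)' "$f" | grep -vE "$keytypes" | grep -q . \
                && return 1
        grep -qE "$keytypes" "$f"
}

# Install candidate $1 over live file $2 once check $3 passes, keeping a
# copy of the old file as $2.bak; return 1 (and log) when it is rejected.
install_checked() {
        src="$1"; dst="$2"; check="$3"
        if ! "$check" "$src"; then
                logger -t usbkeyload "refusing $src: failed $check" 2>/dev/null
                return 1
        fi
        [ -f "$dst" ] && cp "$dst" "$dst.bak"
        cp "$src" "$dst" && chmod 600 "$dst"
}

# What the hotplug script would do with the stick mounted at $1: only while
# root is still password-less, and only with files that pass their check.
# $2 and $3 default to the live paths and exist so this can be tested.
load_from_usb() {
        mnt="$1"
        shadow="${2:-/etc/shadow}"
        authkeys="${3:-/etc/dropbear/authorized_keys}"
        root_password_is_empty "$shadow" || return 0
        [ -f "$mnt/authorized_keys" ] \
                && install_checked "$mnt/authorized_keys" "$authkeys" validate_authorized_keys
        [ -f "$mnt/shadow" ] \
                && install_checked "$mnt/shadow" "$shadow" validate_shadow
        return 0
}
```

In the hotplug script this replaces the two bare cp lines with `load_from_usb "$mountloc"`; a rejected file leaves the live /etc/shadow untouched and writes a reason to the system log, and the .bak copy gives a way back from a valid-but-wrong password via serial console or failsafe.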
