From 1a16bbc6fbe43233b43b0c82092d248880448b17 Mon Sep 17 00:00:00 2001
From: Stephen Hemminger
Date: Thu, 3 Dec 2009 15:20:28 -0800
Subject: Add script for loading public key

Variation on existing config file loader that is useful for loading public key.
---
 Makefile.am | 1 +
 scripts/vyatta-load-user-key.pl | 141 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 142 insertions(+)
 create mode 100644 scripts/vyatta-load-user-key.pl

diff --git a/Makefile.am b/Makefile.am
index df8c34b5..f21a165f 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -43,6 +43,7 @@ sbin_SCRIPTS += scripts/vyatta-raid-event
 sbin_SCRIPTS += scripts/vyatta-update-arp-params
 sbin_SCRIPTS += scripts/zone-mgmt/vyatta-zone.pl
 sbin_SCRIPTS += scripts/vyatta-banner.pl
+sbin_SCRIPTS += scripts/vyatta-load-user-key.pl
 sbin_SCRIPTS += scripts/install/install-get-partition
 sbin_SCRIPTS += scripts/install/install-functions
 sbin_SCRIPTS += scripts/install/install-image-new
diff --git a/scripts/vyatta-load-user-key.pl b/scripts/vyatta-load-user-key.pl
new file mode 100644
index 00000000..ba436efe
--- /dev/null
+++ b/scripts/vyatta-load-user-key.pl
@@ -0,0 +1,141 @@ +#! /bin/perl + +# **** License **** +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# This code was originally developed by Vyatta, Inc. +# Portions created by Vyatta are Copyright (C) 2006, 2007 Vyatta, Inc. +# All Rights Reserved. +# +# Author: Stephen Hemminger +# Date: 2009 +# +# **** End License **** + +use strict; +use lib "/opt/vyatta/share/perl5/"; + +sub usage { + print "Usage: $0 user filename|url\n"; + exit 1; +} + +sub check_http { + my ($url) = @_; + + # + # error codes are send back in html, so 1st try a header + # and look for "HTTP/1.1 200 OK" + # + my $rc = `curl -q -I $url 2>&1`; + if ( $rc =~ /HTTP\/\d+\.?\d\s+(\d+)\s+(.*)$/mi ) { + my $rc_code = $1; + my $rc_string = $2; + + die "http error: [$rc_code] $rc_string\n" + unless ( $rc_code == 200 ); + } else { + die "Error: $rc\n"; + } +} + +sub load_url { + my ($url, $tmpfile) = @_; + my $proto; + + if ( $url =~ /^(\w+):\/\/\w/ ) { + $proto = lc($1); + } else { + die "Invalid url [$url]\n"; + } + + die "Invalid url protocol [$proto]\n" + unless( $proto eq 'tftp' || + $proto eq 'ftp' || + $proto eq 'http' || + $proto eq 'scp' ); + + check_http($url) + if ($proto eq 'http'); + + system("curl -# -o $tmpfile $url") == 0 + or die "Can not fetch remote file $url\n"; +} + +usage unless ($#ARGV != 2); + +my $user = $ARGV[0]; +my $loadfile = $ARGV[1]; + +my $sbindir = $ENV{vyatta_sbindir}; +my $config = new Vyatta::Config; +$config->setLevel("system login user"); + +die "$user does not exist in configuration\n" + unless $config->exists($user); + +if ( $loadfile =~ /^[^\/]\w+:\// ) { + my $tmp_file = 
"/tmp/key.$user.$$"; + + load_url ($loadfile, $tmp_file); + $loadfile = $tmp_file; +} + +open(my $cfg, '<', $loadfile) + or die "Cannot open file $loadfile: $!\n"; + +while (<$cfg>) { + chomp; + # public key (format 2) consist of: + # options, keytype, base64-encoded key, comment. + # The options field is optional (but not supported). + my ($keytype, $keycode, $comment) = split / /; + die "Not a valid key file format (see man sshd)" + unless $keycode; + + die "Not a valid ssh public file format\n" + unless ($keytype =~ /ssh-rsa|ssh-dsa/); + + my $cmd = "set system login user $user authorized-key $keycode" + . " key-type $keytype"; + system ("$sbindir/my_$cmd"); + if ($? >> 8) { + die "\"$cmd\" failed\n"; + } + + if ($comment) { + $cmd = "set system login user $user authorized-key $keycode" + ." description $comment"; + system ("$sbindir/my_$cmd"); + if ($? >> 8) { + die "\"$cmd\" failed\n"; + } + } +} +close $cfg; + +system("$sbindir/my_commit"); +if ( $? >> 8 ) { + print "Load failed (commit failed)\n"; + exit 1; +} + +print "Done\n"; +exit 0; + + + + + + + + + + -- cgit v1.2.3 From 1e64d65f2aa75817294fe76937f0170bf8d4f81a Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Thu, 3 Dec 2009 16:13:02 -0800 Subject: Preserve ssh host keys in install-image Similar to previous change to install-system --- scripts/install/install-get-partition | 126 +++++++++++++++++++++------------- scripts/install/install-postinst-new | 6 ++ 2 files changed, 84 insertions(+), 48 deletions(-) diff --git a/scripts/install/install-get-partition b/scripts/install/install-get-partition index d79200e9..5ab44a86 100755 --- a/scripts/install/install-get-partition +++ b/scripts/install/install-get-partition 
@@ -402,44 +402,62 @@ rename_old_config() { ## check_config_partition # look to see if this partition contains a config file # and back it up -check_config_partition() { - lpart=$1 +save_old_config() { # Cleanup from possible partial last run rm -fr /mnt/config - # Look to see if this is a config partition - mkdir -p /mnt/tmp - output=$(mount /dev/$lpart /mnt/tmp 2>&1) - if [ $? != 0 ]; then - lecho "Cannot mount /dev/$lpart"."\nmount /dev/$ldrive$part /mnt/tmp\nExiting..." - lecho "$output" - else - # Look to see if there is a config partition there - if [ -f /mnt/tmp/opt/vyatta/etc/config/.vyatta_config ] \ - || [ -f /mnt/tmp/.vyatta_config ]; then - response='' - while [ -z "$response" ]; do + # Look to see if there is a config partition there + response='' + while [ -z "$response" ]; do echo "/dev/$lpart has an old configuration directory!" echo -ne "Would you like me to save the data on it\nbefore I delete it? (Yes/No) [Yes]: " response=$(get_response "Yes" "Yes No Y N") - if [ "$response" == "yes" ] || [ "$response" == "y" ]; then - mkdir -p /mnt/config - if [ -d /mnt/tmp/opt/vyatta/etc/config ]; then - output=$(cp -pR /mnt/tmp/opt/vyatta/etc/config/* /mnt/config) - else - output=$(cp -pR /mnt/tmp/* /mnt/config) - fi - if [ -n "$output" ]; then - echo -e "Warning: error in copying the old config partition.\nSee $INSTALL_LOG for more details." + done + + if [ "$response" == "yes" ] || [ "$response" == "y" ]; then + mkdir -p /mnt/config + if [ -d /mnt/tmp/opt/vyatta/etc/config ]; then + output=$(cp -pR /mnt/tmp/opt/vyatta/etc/config/* /mnt/config) + else + output=$(cp -pR /mnt/tmp/* /mnt/config) + fi + if [ -n "$output" ]; then + echo -e "Warning: error in copying the old config partition.\nSee $INSTALL_LOG for more details." 
lecho "Warning: error in copying the old config partition.\ncp -pR /mnt/tmp/* /mnt/config\n$output\n" fi - rename_old_config + rename_old_config + fi +} + +save_old_keys() { + local response='' + + while [ -z "$response" ] + do + echo "/dev/$lpart has SSH host keys" + echo -ne "Would you like me to keep SSH keys on new install? (Yes/No) [Yes]: " + response=$(get_response "Yes" "Yes No Y N") + done + + if [ "$response" == "yes" ] || [ "$response" == "y" ]; then + mkdir -p /mnt/ssh + output=$(cp -p /mnt/tmp/etc/ssh/ssh_host_* /mnt/ssh) + + if [ -n "$output" ]; then + echo -e "Warning: error in copying the old ssh keys." + echo -e "See $INSTALL_LOG for more details." + echo "Warning: error in copying the old ssh keys." >> $INSTALL_LOG + echo "cp -pR /mnt/tmp/etc/ssh/ssh_host_* /mnt/ssh" >> $INSTALL_LOG + echo "$output\n">> $INSTALL_LOG + return fi - done + + # reset modes on keys (should already be set) + chmod 600 /mnt/ssh/*_key + chmod 644 /mnt/ssh/*.pub + chown root /mnt/ssh/* fi - umount /mnt/tmp - fi } # Delete all existing partitions for an automated install 
@@ -453,22 +471,40 @@ delete_partitions () { partitions=$(cat /proc/partitions | grep $ldrive[p]*[0-9] \ | awk '{ print $4 }' | sed 's/\(.*\)\([0-9]$\)/\2/g' \ | grep -v "^$") + mkdir -p /mnt/tmp # now for each part, blow it away for part in $partitions; do - # Look to see if this is a config partition - check_config_partition "$ldrive$part" - - lecho "Removing partition $part on /dev/$ldrive" - output=$(parted /dev/$ldrive rm $part) - status=$? - if [ "$status" != 0 ]; then - echo -e "Warning: cannot delete partition $part on $ldrive.\nPlease see $INSTALL_LOG for more details." - lecho "Warning: cannot delete partition $part on $ldrive.\nparted /dev/$ldrive rm $part\n$output" - fi - - # We add a bogus sleep here because the loop needs to wait for udev - sleep 5 + output=$(mount /dev/$lpart /mnt/tmp 2>&1) + if [ $? != 0 ]; then + lecho "Cannot mount /dev/$lpart"."\n" + lecho "mount /dev/$ldrive$part /mnt/tmp\nExiting..." + lecho "$output" + else + # Look to see if this is a config partition + if [ -f /mnt/tmp/opt/vyatta/etc/config/.vyatta_config ] \ + || [ -f /mnt/tmp/.vyatta_config ]; then + save_old_config + fi + if [ -d /mnt/tmp/etc/ssh ]; then + save_old_keys + fi + + umount /mnt/tmp + fi + + lecho "Removing partition $part on /dev/$ldrive" + output=$(parted /dev/$ldrive rm $part) + status=$? + if [ "$status" != 0 ]; then + echo -e "Warning: cannot delete partition $part on $ldrive.\n" + echo -e "Please see $INSTALL_LOG for more details." + lecho "Warning: cannot delete partition $part on $ldrive.\n" + lecho "parted /dev/$ldrive rm $part\n$output" + fi + + # We add a bogus sleep here because the loop needs to wait for udev + sleep 5 done } 
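Review bot: `$lpart` is read but never assigned in the rewritten loop: the removed `check_config_partition "$ldrive$part"` set `lpart=$1`, whereas the new body calls `mount /dev/$lpart /mnt/tmp` directly inside `for part in $partitions`, so unless `lpart` is set somewhere outside this hunk every mount fails, the old configuration and host keys are never offered for saving, and `parted rm` deletes the partition regardless. Add `lpart="$ldrive$part"` as the first statement of the loop body. The `lecho` text still says "Exiting..." but the branch falls through to the deletion; either exit there or reword it. Since the partition is only read here, `mount -o ro /dev/$lpart /mnt/tmp` would keep the installer from writing to (or journal-replaying) a foreign filesystem it is about to wipe.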
@@ -542,14 +578,8 @@ create_partitions() { # sets ROOT_FSTYPE based on disk size set_root_fstype () { local drv=$1 - local sz=$(get_drive_size "$drv") - # If disk is small, it is probably a CF device or virtual environment - # so avoid the overhead of a journal - if (( $sz < 11000 )); then - ROOT_FSTYPE=ext2 - else - ROOT_FSTYPE=ext3 - fi + # always use ext3 for stability + ROOT_FSTYPE=ext3 } # ask for user input on the parted and skip setup methods diff --git a/scripts/install/install-postinst-new b/scripts/install/install-postinst-new index 84b96989..d2187434 100755 --- a/scripts/install/install-postinst-new +++ b/scripts/install/install-postinst-new @@ -77,6 +77,12 @@ copy_config () { chgrp vyattacfg $cfg_dir/config.boot chmod 775 $cfg_dir/config.boot fi + + # copy ssh keys + if [ -d /mnt/ssh ]; then + echo "Copying SSH keys." + cp -p /mnt/ssh/* $rootfsdir/etc/ssh + fi } # setup grub on the boot sector of a user selected drive -- cgit v1.2.3
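Review bot: `set_root_fstype` still declares `local drv=$1` although the drive is no longer consulted now that `ROOT_FSTYPE=ext3` is unconditional, so the parameter is dead. Either drop the local (`set_root_fstype () { ROOT_FSTYPE=ext3 }`, keeping the `# always use ext3 for stability` comment) or extend the comment to say the argument is retained only for call-site compatibility.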
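Review bot: The host-key restore `cp -p /mnt/ssh/* $rootfsdir/etc/ssh` has no error handling and no trailing slash: if `$rootfsdir/etc/ssh` is absent in the new root the multi-file copy fails silently (and a single file would be copied to a regular file named `ssh`), and `$rootfsdir` is unquoted unlike the `$cfg_dir` uses just above. Suggest `mkdir -p "$rootfsdir/etc/ssh" && cp -p /mnt/ssh/* "$rootfsdir/etc/ssh/" || echo "Warning: could not restore SSH host keys."`. Because these are private host keys, it is worth removing the staging copy afterwards (`rm -rf /mnt/ssh`) so they do not linger in the live installer, and worth a comment that `-p` is what carries the 600/644 modes set by `save_old_keys` in install-get-partition. `copy_config` begins before this hunk.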