#!/bin/sh
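# Install prefix (the @PREFIX@ placeholder is filled in at build time) and the
# shared helper library that provides ask/isin/die.  LIBDIR may be preset in
# the environment; the quoted form keeps the default free of word-splitting.
PREFIX=@PREFIX@
: "${LIBDIR=$PREFIX/lib}"
. "$LIBDIR/libalpine.sh"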
# Print the command synopsis and exit with the status given as $1.
# The delimiter is quoted: the text contains nothing to expand.
usage() {
  cat <<'__EOF__'
usage: setup-sshd [-h] [-k authorized key] [openssh | dropbear | none]
Setup sshd daemon
options:
-h Show this help
-k Authorized key for root (HTTP(S)/FTP URL, the public key itself or 'none')
__EOF__
  exit $1
}
# Describe the answers the "Allow root ssh login?" prompt accepts.
root_login_help() {
  cat <<'__EOF__'
Valid options are:
yes root will be able to login with password or ssh key
no root will not be allowed to login with ssh
prohibit-password root will be able to login with ssh key but not with
password
__EOF__
}
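#######################################
# Set a directive in $ROOT/etc/ssh/sshd_config.
# Every active or commented-out occurrence of the directive ("Key", "#Key",
# "# Key") is replaced by one active line; if none exists it is appended.
# Arguments: $1 - directive name (case-sensitive whole-word match)
#            $2 - value
# Returns:   0 on success, 1 if a temporary file could not be created
#######################################
set_sshd_config() {
  local key="$1" value="$2"
  local cfg="$ROOT/etc/ssh/sshd_config" tmp
  # No config file yet: it consists of just this directive.
  if [ ! -f "$cfg" ]; then
    echo "$key $value" >> "$cfg"
    return
  fi
  tmp=$(mktemp "$cfg.XXXXXX") || return 1
  # Match on whitespace-split fields instead of interpolating $key/$value into
  # a sed expression: neither value can then be misread as regex or
  # replacement syntax (a '/', '&' or '\' in the value would have broken the
  # old s/// form).  Values are passed via ENVIRON rather than -v so awk does
  # not process backslash escapes in them.
  CFG_KEY="$key" CFG_VALUE="$value" awk '
    BEGIN { key = ENVIRON["CFG_KEY"]; value = ENVIRON["CFG_VALUE"] }
    $1 == key || $1 == ("#" key) || ($1 == "#" && $2 == key) {
      if (!done) print key, value
      done = 1
      next
    }
    { print }
    END { if (!done) print key, value }
  ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"   # cat keeps the file's mode/owner
  rm -f "$tmp"
}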
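#######################################
# Print the effective value of an sshd_config directive.
# Arguments: $1 - directive name (case-sensitive match on the first field,
#                 so a commented-out "#Key" line does not count)
# Outputs:   the value on stdout; nothing when the directive is not set
#######################################
get_sshd_config() {
  local key="$1"
  # sshd uses the first occurrence of a directive, so stop at the first match:
  # printing every occurrence would yield a multi-line result that can never
  # compare equal to a single value such as "no".
  awk -v key="$key" '$1 == key {print $2; exit}' "$ROOT"/etc/ssh/sshd_config
}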
# Root's key may arrive via $SSH_KEY in the environment or via -k; the server
# choice comes from the first operand, or from -c for older callers.
authorized_key="$SSH_KEY"
while getopts "hc:k:" opt; do
  case "$opt" in
    h) usage 0 ;;
    c) sshdchoice="$OPTARG" ;;  # backwards compat
    k) authorized_key="$OPTARG" ;;
    '?') usage "1" >&2 ;;
  esac
done
shift $((OPTIND - 1))

case "$1" in
  openssh|dropbear|none)
    sshdchoice="$1"
    ;;
  "")
    # neither an operand nor -c: fall back to asking the user
    if [ -z "$sshdchoice" ]; then
      interactive=1
    fi
    ;;
  *)
    usage "1" >&2
    ;;
esac
# In interactive mode keep asking until one of the three known answers is
# given; ask (from libalpine) leaves the reply in $resp.
while [ -n "$interactive" ] && ! isin "$sshdchoice" openssh dropbear none; do
  ask "Which ssh server? ('openssh', 'dropbear' or 'none')" openssh
  sshdchoice="$resp"
done

case "$sshdchoice" in
  none) exit 0 ;;
esac

pkgs="$sshdchoice"
case "$sshdchoice" in
  openssh)
    # pull in the ACF module for sshd when the ACF web frontend is present
    if apk info --quiet --installed acf-core; then
      pkgs="$pkgs acf-openssh"
    fi
    ;;
esac
# $pkgs is deliberately unquoted: it is a space-separated package list.
# NOTE(review): apk's exit status is not checked; a failed install falls
# through to the service start and key setup below.
apk add --quiet $pkgs
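# Regular (non-system) accounts in the target.  When there are none and no key
# was handed in, root is the only account reachable over ssh, so the
# interactive questions below decide how root may log in.  Best-effort read:
# $ROOT may not have a passwd file yet.
users=$(awk -F: '{if ($3<65000 && $3 >= 1000) print $1}' \
  "$ROOT"/etc/passwd 2>/dev/null)

# Map the "al <user>", "gl <user>" and "gh <user>" shortcuts to the forge's
# public-key URL.  Prints nothing for any other input.
shortcut_to_key_url() {
  case "$1" in
    "al "*) echo "https://gitlab.alpinelinux.org/${1#* }.keys" ;;
    "gl "*) echo "https://gitlab.com/${1#* }.keys" ;;
    "gh "*) echo "https://github.com/${1#* }.keys" ;;
  esac
}

# Download the key(s) at URL $1 into authorized_key.  On a failed fetch
# authorized_key is left empty, a message is printed and 1 is returned.
# The response body is stored as-is (it is not run through ssh-keygen the way
# a pasted key is), and a plain http:// URL is fetched without transport
# authentication, so the URL should point at a source the operator trusts.
fetch_authorized_key() {
  authorized_key="$(wget -qO- "$1")" || {
    echo "Failed to fetch key from '$1'"
    return 1
  }
}

if [ "$sshdchoice" = "openssh" ] && [ -z "$authorized_key" ] && [ -z "$users" ]; then
  suggest=prohibit-password
  while [ -n "$interactive" ]; do
    ask "Allow root ssh login? ('?' for help)" "$suggest"
    case "$resp" in
      '?')
        root_login_help
        continue
        ;;
      "al "*|"gl "*|"gh "*)
        # offer the forge URL as the next default rather than fetching it now
        suggest="$(shortcut_to_key_url "$resp")"
        continue
        ;;
      yes|no|prohibit-password)
        set_sshd_config PermitRootLogin "$resp"
        break
        ;;
      http://*|https://*)
        # a fetched key answers the question; PermitRootLogin is not changed
        fetch_authorized_key "$resp" || continue
        break
        ;;
    esac
  done

  suggest=none
  # Only ask for a key while root login is still possible at all.
  while [ -n "$interactive" ] && [ "$(get_sshd_config PermitRootLogin)" != "no" ]; do
    ask "Enter ssh key or URL for root (or 'none')" "$suggest"
    case "$resp" in
      "al "*|"gl "*|"gh "*)
        suggest="$(shortcut_to_key_url "$resp")"
        continue
        ;;
      http://*|https://*)
        fetch_authorized_key "$resp" || continue
        break
        ;;
      none)
        break
        ;;
      *)
        # a pasted key is accepted only if ssh-keygen can parse it
        if printf "%s\n" "$resp" | ssh-keygen -l -f - >/dev/null; then
          authorized_key="$resp"
          break
        fi
        ;;
    esac
  done
fi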
# ask "Enter ssh key or URL for $username (or 'none')" none
# Enable the chosen server at boot and start it right away.
case "$sshdchoice" in
  openssh) svc=sshd ;;
  dropbear) svc=dropbear ;;
  *) svc= ;;
esac
[ -z "$svc" ] || {
  rc-update add "$svc" default
  rc-service "$svc" start
}
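# Install the key(s) for root unless no key was given or 'none' was requested.
# ([ ... -a ... ] is ambiguous/deprecated; two tests joined with && are not.)
if [ -n "$authorized_key" ] && [ "$authorized_key" != "none" ]; then
  # An HTTP(S)/FTP URL is fetched first.  The body is written to
  # authorized_keys as-is, and http:// and ftp:// carry no transport
  # authentication, so the URL should name a source the operator trusts.
  case "$authorized_key" in
    http*://*|ftp://*)
      key_url="$authorized_key"
      authorized_key="$(wget -qO- "$key_url")" || die "Failed to fetch key from '$key_url'"
      ;;
  esac
  # umask 077 keeps the new .ssh directory (0700) and authorized_keys (0600)
  # private to root.
  umask 077
  mkdir -p "$ROOT"/root/.ssh
  # printf, not echo: a value starting with '-' must not be read as an option
  printf '%s\n' "$authorized_key" >> "$ROOT"/root/.ssh/authorized_keys
fi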