It was originally part of the "Re: A proposal of https certificate assignment system for luci" thread, but this derailed too much from there.
Nice idea to be able to auto-load the config including key material. Might be very useful for larger installs.

Nice idea to save SSH server keys as well. That will avoid warnings when connecting to the new box (at the same IP) for the first time. Obviously, one needs to be careful with plain text private keys and certs.

Cheers,

Bas.

I made a hotplug script to load and unload SSH keys/certs to a USB device. If the router has the right kernel module included to mount a USB partition, it will look for a whoareyou file, and if it exists it will export its SSH host key and uhttpd cert; if the root password is empty, it will try to load the authorized_keys and shadow files from the root directory of the USB.

Warning: this doesn't verify that it's a valid /etc/shadow file, so if you feed it a wrong file it may soft-lock you out of the router and need a reflash, but if you had an empty root password you didn't lose much config anyway.

Maybe this can be real package :P

----script from here----

#/etc/hotplug.d/block/50-keyexchange
#sourced by hotplug-call, so no shebang is needed; $ACTION, $DEVTYPE and $DEVNAME
#come from the block hotplug event

if [ "$ACTION" = "add" -a "$DEVTYPE" = "partition" ]; then
        sleep 3
        #is this partition already mounted? (anchor the match so sda1 does not also match sda10)
        mountloc=`grep "^/dev/$DEVNAME " /proc/mounts | cut -d' ' -f 2`
        #temporary mount for partitions not mounted otherwise
        if [ "$mountloc" = "" ]; then
                mkdir -p /tmp/tmppart
                mount "/dev/$DEVNAME" /tmp/tmppart
                mountloc="/tmp/tmppart"
        fi
        flagfile="$mountloc/whoareyou"
        echo "$flagfile" >> /tmp/debug.log
        if [ -e "$flagfile" ]; then
                logger -t usbkeyload "public key request found in $flagfile, export dropbear and uhttpd keys to it"
                cp /etc/dropbear/*_host_key "$mountloc"
                cp /etc/uhttpd.crt "$mountloc"
                #if root password shadow is the empty default, load keys from usb too
                if grep -q "root::0:0:99999:7:::" /etc/shadow; then
                        logger -t usbkeyload "root password is empty, loading passwords and ssh key from usb"
                        #busybox cp has no -b, so keep an explicit backup before overwriting
                        [ -e /etc/dropbear/authorized_keys ] && cp /etc/dropbear/authorized_keys /etc/dropbear/authorized_keys.bak
                        cp "$mountloc/authorized_keys" /etc/dropbear/authorized_keys
                        #would this be better (and with danger of softlocking the router) or use plaintext password with passwd?
                        cp /etc/shadow /etc/shadow.bak
                        cp "$mountloc/shadow" /etc/shadow
                fi
        fi
        #if we mounted the partition to the tmp location ourselves, unmount and clean it
        if [ "$mountloc" = /tmp/tmppart ]; then
                umount /tmp/tmppart
                rmdir /tmp/tmppart
        fi
fi
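
Since the warning above says the script does not check that the USB file is a valid /etc/shadow, here is an added example (not part of the posted script) of a POSIX sh check the hotplug script could run before overwriting /etc/shadow; the function names validate_shadow and install_shadow_if_valid are made up for this example, and the diagnostic goes to stderr instead of logger so it also runs off the router.

```shell
# Added example, not from the posted script: refuse to install a shadow file
# from the USB stick unless it is well-formed. Function names are made up here.
# Returns 0 only if every line has the nine colon-separated shadow fields,
# the day-count fields are empty or numeric, and root has a non-empty hash
# (an empty root field would leave the router passwordless again).
validate_shadow() {
    file="$1"
    [ -s "$file" ] || return 1
    awk -F: '
        NF != 9                 { bad = 1; exit }   # wrong field count
        $1 == "" || $1 ~ /[ \t]/ { bad = 1; exit }   # malformed user name
        {
            for (i = 3; i <= 8; i++)                 # lastchg .. expire fields
                if ($i != "" && $i !~ /^[0-9]+$/) { bad = 1; exit }
        }
        $1 == "root" { seen_root = 1; if ($2 == "") empty_root = 1 }
        END { exit (bad || !seen_root || empty_root) ? 1 : 0 }
    ' "$file"
}

# Keep a backup of the current file and only then install the validated copy.
# On OpenWrt the diagnostic would go to logger -t usbkeyload; stderr is used
# here so the function also runs on a plain development box.
install_shadow_if_valid() {
    src="$1"
    dst="${2:-/etc/shadow}"
    if ! validate_shadow "$src"; then
        echo "usbkeyload: rejected $src, not a well-formed shadow file" >&2
        return 1
    fi
    if [ -f "$dst" ]; then
        cp "$dst" "$dst.bak"
    fi
    cp "$src" "$dst" && chmod 600 "$dst"
}
```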

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel