On Sun, Feb 05, 2017 at 08:37:31PM +0000, Stuart Henderson wrote:
> On 2017/02/05 09:53, Robert Peichaer wrote:
> > On Sun, Feb 05, 2017 at 10:46:41AM +0100, Landry Breuil wrote:
> > > Hi,
> > >
> > > when installing 'throwaway' VMs (manually, not always using autoinstall
> > > for $REASONS) i've often found myself having to do right after the install:
> > > install -d -m 700 /root/.ssh
> > > install -m 600 /dev/null /root/.ssh/authorized_keys
> > > (or touch /root/.ssh/authorized_keys && chmod 600
> > > /root/.ssh/authorized_keys, ymmv)
> > >
> > > those are present in /etc/skel for "real" users, so why not creating
> > > them for the root account ? install.sub also creates /mnt/root/.ssh when
> > > using autoinstall and giving an ssh pubkey, so that'll be one less step
> > > to do there.
> > >
> > > We advise ppl to set prohibit-password for PermitRootLogin, so why not
> > > make it easier to use it ? This way, the correct modes are set.. i often
> > > fat-fingered this, to see sshd complaining (rightly!) about bad modes on
> > > .ssh/authorized_keys.
> >
> > Conceptually I'd like this going in.
>
> +1. (On "managed" systems I use root-owned authorized_keys in a system
> directory, but this doesn't get in the way, and it makes things easier on
> ad-hoc installed systems).

Finally built a release with this, the empty file is created in /var/sysmerge/etc.tgz, and sysmerge didn't overwrite my own /root/.ssh/authorized_keys - so i think i can now explicitly ask for okays.

dtucker@ mentioned that in ${INSTALL} -c idiom the -c was a noop, but i kept it for consistency. Hopefully more ppl can chime in and think of potential drawbacks this diff exposes...

Sets diff added too, modeled after what's done for /etc/skel/.ssh/authorized_keys - dunno if it should be committed along the etc/ change.

Landry

Index: etc/Makefile =================================================================== RCS file: /cvs/src/etc/Makefile,v retrieving revision 1.449 diff -u -r1.449 Makefile --- etc/Makefile 2 Feb 2017 21:35:05 -0000 1.449 +++ etc/Makefile 9 Feb 2017 17:13:00 -0000 @@ -110,6 +110,8 @@ ${DESTDIR}/root/.Xdefaults; \ ${INSTALL} -c -o root -g wheel -m 644 dot.cvsrc \ ${DESTDIR}/root/.cvsrc; \ + ${INSTALL} -c -o root -g wheel -m 600 /dev/null \ + ${DESTDIR}/root/.ssh/authorized_keys; \ rm -f ${DESTDIR}/.cshrc ${DESTDIR}/.profile; \ ${INSTALL} -c -o root -g wheel -m 644 dot.cshrc \ ${DESTDIR}/.cshrc; \ Index: etc/mtree/4.4BSD.dist =================================================================== RCS file: /cvs/src/etc/mtree/4.4BSD.dist,v retrieving revision 1.293 diff -u -r1.293 4.4BSD.dist --- etc/mtree/4.4BSD.dist 27 Dec 2016 09:17:52 -0000 1.293 +++ etc/mtree/4.4BSD.dist 9 Feb 2017 17:13:00 -0000 @@ -118,6 +118,8 @@ mnt .. root mode=0700 + .ssh uname=root mode=0700 + .. .. sbin .. Index: distrib/sets/lists/base/mi =================================================================== RCS file: /cvs/src/distrib/sets/lists/base/mi,v retrieving revision 1.820 diff -u -r1.820 mi --- distrib/sets/lists/base/mi 7 Feb 2017 21:32:48 -0000 1.820 +++ distrib/sets/lists/base/mi 9 Feb 2017 17:12:42 -0000 
@@ -232,6 +232,7 @@ ./home ./mnt ./root +./root/.ssh ./sbin ./sbin/atactl ./sbin/badsect Index: distrib/sets/lists/etc/mi =================================================================== RCS file: /cvs/src/distrib/sets/lists/etc/mi,v retrieving revision 1.211 diff -u -r1.211 mi --- distrib/sets/lists/etc/mi 1 Oct 2016 16:58:29 -0000 1.211 +++ distrib/sets/lists/etc/mi 9 Feb 2017 17:12:42 -0000 @@ -50,6 +50,7 @@ ./root/.cvsrc ./root/.login ./root/.profile +./root/.ssh/authorized_keys ./var/crash/minfree ./var/cron/at.deny ./var/cron/cron.deny
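
Review bot: In the etc/Makefile hunk, the added install of /dev/null to ${DESTDIR}/root/.ssh/authorized_keys assumes ${DESTDIR}/root/.ssh already exists, and nothing in this hunk creates it; it relies on the .ssh entry added to etc/mtree/4.4BSD.dist further down. The two changes need to go in together, and it is worth confirming that the mtree pass runs before this install step on an empty DESTDIR, otherwise the install fails. Since the message notes that -c is a noop here, a one-line remark in the commit log saying it is kept only for consistency with the neighbouring lines would save the next reader the question.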
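
Review bot: In the etc/mtree/4.4BSD.dist hunk, the new ".ssh uname=root mode=0700" entry sets uname explicitly while the enclosing "root mode=0700" entry sets only the mode. If the file's defaults already give root ownership at this point, uname=root is redundant and could be dropped so the entry matches its parent; if it is needed, the parent line looks inconsistent. Either way, please confirm which one is intended.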
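
Review bot: In the distrib/sets/lists hunks, ./root/.ssh goes into the base list while ./root/.ssh/authorized_keys goes into the etc list, so the directory and the file reach an upgraded system by different paths. The message only reports that sysmerge left an existing /root/.ssh/authorized_keys alone; it would help to also state what happens to the mode and ownership of an already existing /root/.ssh when the base set is extracted over it during an upgrade, and to commit the sets change in the same commit as the etc/ change so the lists never disagree with what the build installs.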