On Sun, Feb 05, 2017 at 08:37:31PM +0000, Stuart Henderson wrote:
> On 2017/02/05 09:53, Robert Peichaer wrote:
> > On Sun, Feb 05, 2017 at 10:46:41AM +0100, Landry Breuil wrote:
> > > Hi,
> > >
> > > when installing 'throwaway' VMs (manually, not always using autoinstall
> > > for
> > > $REASONS) i've often found myself having to do right after the install:
> > > install -d -m 700 /root/.ssh
> > > install -m 600 /dev/null /root/.ssh/authorized_keys
> > > (or touch /root/.ssh/authorized_keys && chmod 600
> > > /root/.ssh/authorized_keys, ymmv)
> > >
> > > those are present in /etc/skel for "real" users, so why not creating
> > > them for the root account ? install.sub also creates /mnt/root/.ssh when
> > > using autoinstall and giving an ssh pubkey, so that'll be one less step
> > > to do there.
> > >
> > > We advise ppl to set prohibit-password for PermitRootLogin, so why not
> > > make it
> > > easier to use it ? This ways, the correct modes are set.. i often
> > > fat-fingered
> > > this, to see sshd complaining (rightly!) about bad modes on
> > > .ssh/authorized_keys.
> >
> > Conceptually I'd like this going in.
>
> +1. (On "managed" systems I use root-owned authorized_keys in a system
> directory,
> but this doesn't get in the way, and it makes things easier on ad-hoc
> installed
> systems).
Finally built a release with this, the empty file is created in
/var/sysmerge/etc.tgz, and sysmerge didnt overwrite my own
/root/.ssh/authorized_keys - so i think i can now explicitely ask for okays.
dtucker@ mentioned that in ${INSTALL} -c idiom the -c was a noop, but i kept it
for consistency.
Hopefully more ppl can chime in and think of potential drawbacks this
diff exposes...
Sets diff added too, modeled after what's done for
/etc/skel/.ssh/authorized_keys - dunno if it should be commited along the etc/
change.
Landry
Index: etc/Makefile
===================================================================
RCS file: /cvs/src/etc/Makefile,v
retrieving revision 1.449
diff -u -r1.449 Makefile
--- etc/Makefile 2 Feb 2017 21:35:05 -0000 1.449
+++ etc/Makefile 9 Feb 2017 17:13:00 -0000
@@ -110,6 +110,8 @@
${DESTDIR}/root/.Xdefaults; \
${INSTALL} -c -o root -g wheel -m 644 dot.cvsrc \
${DESTDIR}/root/.cvsrc; \
+ ${INSTALL} -c -o root -g wheel -m 600 /dev/null \
+ ${DESTDIR}/root/.ssh/authorized_keys; \
rm -f ${DESTDIR}/.cshrc ${DESTDIR}/.profile; \
${INSTALL} -c -o root -g wheel -m 644 dot.cshrc \
${DESTDIR}/.cshrc; \
Index: etc/mtree/4.4BSD.dist
===================================================================
RCS file: /cvs/src/etc/mtree/4.4BSD.dist,v
retrieving revision 1.293
diff -u -r1.293 4.4BSD.dist
--- etc/mtree/4.4BSD.dist 27 Dec 2016 09:17:52 -0000 1.293
+++ etc/mtree/4.4BSD.dist 9 Feb 2017 17:13:00 -0000
@@ -118,6 +118,8 @@
mnt
..
root mode=0700
+ .ssh uname=root mode=0700
+ ..
..
sbin
..
Index: distrib/sets/lists/base/mi
===================================================================
RCS file: /cvs/src/distrib/sets/lists/base/mi,v
retrieving revision 1.820
diff -u -r1.820 mi
--- distrib/sets/lists/base/mi 7 Feb 2017 21:32:48 -0000 1.820
+++ distrib/sets/lists/base/mi 9 Feb 2017 17:12:42 -0000
@@ -232,6 +232,7 @@
./home
./mnt
./root
+./root/.ssh
./sbin
./sbin/atactl
./sbin/badsect
Index: distrib/sets/lists/etc/mi
===================================================================
RCS file: /cvs/src/distrib/sets/lists/etc/mi,v
retrieving revision 1.211
diff -u -r1.211 mi
--- distrib/sets/lists/etc/mi 1 Oct 2016 16:58:29 -0000 1.211
+++ distrib/sets/lists/etc/mi 9 Feb 2017 17:12:42 -0000
@@ -50,6 +50,7 @@
./root/.cvsrc
./root/.login
./root/.profile
+./root/.ssh/authorized_keys
./var/crash/minfree
./var/cron/at.deny
./var/cron/cron.deny
