On Fri, Feb 10, 2017 at 10:00:51AM +0100, Landry Breuil wrote:
> On Fri, Feb 10, 2017 at 09:36:16AM +0100, Antoine Jacoutot wrote:
> > On Thu, Feb 09, 2017 at 06:19:54PM +0100, Landry Breuil wrote:
> > > On Sun, Feb 05, 2017 at 08:37:31PM +0000, Stuart Henderson wrote:
> > > > On 2017/02/05 09:53, Robert Peichaer wrote:
> > > > > On Sun, Feb 05, 2017 at 10:46:41AM +0100, Landry Breuil wrote:
> > > > > > Hi,
> > > > > >
> > > > > > when installing 'throwaway' VMs (manually, not always using autoinstall for
> > > > > > $REASONS) i've often found myself having to do right after the install:
> > > > > > install -d -m 700 /root/.ssh
> > > > > > install -m 600 /dev/null /root/.ssh/authorized_keys
> > > > > > (or touch /root/.ssh/authorized_keys && chmod 600 /root/.ssh/authorized_keys, ymmv)
> > > > > >
> > > > > > those are present in /etc/skel for "real" users, so why not create
> > > > > > them for the root account ? install.sub also creates /mnt/root/.ssh when
> > > > > > using autoinstall and giving an ssh pubkey, so that'll be one less step
> > > > > > to do there.
> > > > > >
> > > > > > We advise ppl to set prohibit-password for PermitRootLogin, so why not make it
> > > > > > easier to use it ? This way, the correct modes are set.. i often fat-fingered
> > > > > > this, to see sshd complaining (rightly!) about bad modes on .ssh/authorized_keys.
> > > > >
> > > > > Conceptually I'd like this going in.
> > > >
> > > > +1. (On "managed" systems I use root-owned authorized_keys in a system directory,
> > > > but this doesn't get in the way, and it makes things easier on ad-hoc installed
> > > > systems).
> > >
> > > Finally built a release with this, the empty file is created in
> > > /var/sysmerge/etc.tgz, and sysmerge didn't overwrite my own
> > > /root/.ssh/authorized_keys - so i think i can now explicitly ask for okays.
> > > dtucker@ mentioned that in ${INSTALL} -c idiom the -c was a noop, but i > > > kept it > > > for consistency. > > > Hopefully more ppl can chime in and think of potential drawbacks this > > > diff exposes... > > > > > > Sets diff added too, modeled after what's done for > > > /etc/skel/.ssh/authorized_keys - dunno if it should be commited along the > > > etc/ > > > change. > > > > Can you add it to mtree/special please? > > Sure ! Here's a new fuller diff touching files all around.. > > Index: etc/Makefile > =================================================================== > RCS file: /cvs/src/etc/Makefile,v > retrieving revision 1.449 > diff -u -r1.449 Makefile > --- etc/Makefile 2 Feb 2017 21:35:05 -0000 1.449 > +++ etc/Makefile 10 Feb 2017 08:59:27 -0000 > @@ -110,6 +110,8 @@ > ${DESTDIR}/root/.Xdefaults; \ > ${INSTALL} -c -o root -g wheel -m 644 dot.cvsrc \ > ${DESTDIR}/root/.cvsrc; \ > + ${INSTALL} -c -o root -g wheel -m 600 /dev/null \ > + ${DESTDIR}/root/.ssh/authorized_keys; \ > rm -f ${DESTDIR}/.cshrc ${DESTDIR}/.profile; \ > ${INSTALL} -c -o root -g wheel -m 644 dot.cshrc \ > ${DESTDIR}/.cshrc; \ > Index: etc/mtree/4.4BSD.dist > =================================================================== > RCS file: /cvs/src/etc/mtree/4.4BSD.dist,v > retrieving revision 1.293 > diff -u -r1.293 4.4BSD.dist > --- etc/mtree/4.4BSD.dist 27 Dec 2016 09:17:52 -0000 1.293 > +++ etc/mtree/4.4BSD.dist 10 Feb 2017 08:59:27 -0000 > @@ -118,6 +118,8 @@ > mnt > .. > root mode=0700 > + .ssh uname=root mode=0700 > + .. > .. > sbin > .. > Index: etc/mtree/special > =================================================================== > RCS file: /cvs/src/etc/mtree/special,v > retrieving revision 1.122 > diff -u -r1.122 special > --- etc/mtree/special 27 Dec 2016 09:17:52 -0000 1.122 > +++ etc/mtree/special 10 Feb 2017 08:59:27 -0000 
> @@ -121,6 +121,9 @@ > .login type=file mode=0644 uname=root gname=wheel > .profile type=file mode=0644 uname=root gname=wheel > .rhosts type=file mode=0600 uname=root gname=wheel optional > +.ssh type=dir mode=0700 uname=root gname=wheel > +.. #.ssh
Comment should say: #root/.ssh The rest looks fine to me. > +authorized_keys type=file mode=0600 uname=root gname=wheel > .. #root > > sbin type=dir mode=0755 uname=root gname=wheel ignore > Index: distrib/miniroot/install.sub > =================================================================== > RCS file: /cvs/src/distrib/miniroot/install.sub,v > retrieving revision 1.969 > diff -u -r1.969 install.sub > --- distrib/miniroot/install.sub 8 Feb 2017 23:13:02 -0000 1.969 > +++ distrib/miniroot/install.sub 10 Feb 2017 08:59:27 -0000 > @@ -2868,7 +2868,6 @@ > # During autoinstall, add root user's public ssh key to authorized_keys. > [[ -n "$_rootkey" ]] && ( > umask 077 > - mkdir /mnt/root/.ssh > print -r -- "$_rootkey" >>/mnt/root/.ssh/authorized_keys > ) > > Index: distrib/sets/lists/base/mi > =================================================================== > RCS file: /cvs/src/distrib/sets/lists/base/mi,v > retrieving revision 1.820 > diff -u -r1.820 mi > --- distrib/sets/lists/base/mi 7 Feb 2017 21:32:48 -0000 1.820 > +++ distrib/sets/lists/base/mi 10 Feb 2017 08:59:28 -0000 > @@ -232,6 +232,7 @@ > ./home > ./mnt > ./root > +./root/.ssh > ./sbin > ./sbin/atactl > ./sbin/badsect > Index: distrib/sets/lists/etc/mi > =================================================================== > RCS file: /cvs/src/distrib/sets/lists/etc/mi,v > retrieving revision 1.211 > diff -u -r1.211 mi > --- distrib/sets/lists/etc/mi 1 Oct 2016 16:58:29 -0000 1.211 > +++ distrib/sets/lists/etc/mi 10 Feb 2017 08:59:28 -0000 > @@ -50,6 +50,7 @@ > ./root/.cvsrc > ./root/.login > ./root/.profile > +./root/.ssh/authorized_keys > ./var/crash/minfree > ./var/cron/at.deny > ./var/cron/cron.deny > -- Antoine
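Review bot: the new ${INSTALL} line in etc/Makefile writes into ${DESTDIR}/root/.ssh, but nothing in the Makefile creates that directory; it relies on the 4.4BSD.dist entry having been applied by mtree beforehand, so a DESTDIR populated from an older mtree spec fails here with a missing directory. Either add an explicit `${INSTALL} -d -o root -g wheel -m 700 ${DESTDIR}/root/.ssh` before it, or state the mtree ordering dependency in the commit message. Keeping the no-op `-c` for consistency with the neighbouring lines is fine.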
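Review bot: the `authorized_keys type=file mode=0600 uname=root gname=wheel` entry in etc/mtree/special is not marked `optional`, unlike the `.rhosts` line two above it; an admin who deletes the shipped empty file, or keeps root keys in a system directory as mentioned upthread, will have it reported on every run of the special-tree check. Suggest appending `optional` to the authorized_keys line, matching the .rhosts entry.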
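Review bot: dropping `mkdir /mnt/root/.ssh` from install.sub makes the autoinstall key append depend entirely on the base set shipping ./root/.ssh (the distrib/sets/lists/base/mi hunk); if the directory is absent for any reason, the `>>/mnt/root/.ssh/authorized_keys` redirect fails silently inside the subshell and the key is lost without a message. A `mkdir -p /mnt/root/.ssh` under the existing `umask 077` still yields a 0700 directory and keeps the append robust; alternatively check the redirect's exit status and warn.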
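The two-line procedure Landry describes (create /root/.ssh with mode 700, then an empty authorized_keys with mode 600) and the failure he mentions (sshd rejecting badly-moded files) are easy to get wrong by hand. The script below is an added example, not code from this thread or from the OpenBSD tree: it performs the same setup on a home directory passed as an argument (use a scratch directory, not /root, when trying it) and then applies the permission check sshd's StrictModes would apply before it trusts the file. It goes slightly beyond the thread by never truncating an existing key list and by checking both the directory and the file for group/world write bits. Assumptions: creation uses mkdir/chmod plus a subshell umask rather than install(1) so it runs on any POSIX sh, ownership is not checked (a scratch directory belongs to whoever runs the script), and the 10-character mode string is read from `ls -ld`.

```shell
#!/bin/sh
# Added example: create a root-style ~/.ssh/authorized_keys with the modes the
# thread asks for, then check them the way sshd's StrictModes would.
# $1 is the home directory to operate on (a scratch directory for experiments).
set -u

# Create .ssh (0700) and an empty authorized_keys (0600) under $1.
# An existing authorized_keys is left alone so real keys are never truncated.
make_root_ssh() {
    home=$1
    [ -d "$home/.ssh" ] || mkdir "$home/.ssh" || return 1
    chmod 700 "$home/.ssh" || return 1
    if [ ! -e "$home/.ssh/authorized_keys" ]; then
        # umask 077 in a subshell: the file is born 0600 and is never briefly
        # readable by others (same reason install.sub sets umask 077).
        ( umask 077 && : > "$home/.ssh/authorized_keys" ) || return 1
    fi
    chmod 600 "$home/.ssh/authorized_keys"
}

# Print the 10-character mode string of a path, e.g. "drwx------".
# cut drops the ACL/SELinux marker some ls implementations append.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Approximation of the sshd StrictModes rule for one path: it must exist and
# must not be group- or world-writable. Returns 0 when acceptable.
# (sshd additionally requires the path to be owned by the user or root and
# walks every parent directory up to the home directory; ownership is not
# checked here because a scratch directory is owned by whoever runs this.)
strict_modes_ok() {
    p=$1
    [ -e "$p" ] || return 1
    m=$(mode_of "$p")
    case "$m" in
        ?????w????|????????w?) return 1 ;;   # group write or other write bit set
    esac
    return 0
}

# Check the pair the thread is about: $1/.ssh and $1/.ssh/authorized_keys.
check_root_ssh() {
    home=$1
    strict_modes_ok "$home/.ssh" && strict_modes_ok "$home/.ssh/authorized_keys"
}
```

Usage: `d=$(mktemp -d); make_root_ssh "$d" && check_root_ssh "$d" && echo ok`. The check deliberately mirrors what sshd complains about rather than demanding exactly 0700/0600, since sshd accepts any mode without group/world write; the creation step still sets the strict modes the patch ships, which is the safe default.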