2 # I, Ian Kelling, follow the GNU license recommendations at
3 # https://www.gnu.org/licenses/license-recommendations.en.html. They
4 # recommend that small programs, < 300 lines, be licensed under the
5 # Apache License 2.0. This file contains or is part of one or more small
6 # programs. If a small program grows beyond 300 lines, I plan to switch
9 # Copyright 2024 Ian Kelling
11 # Licensed under the Apache License, Version 2.0 (the "License");
12 # you may not use this file except in compliance with the License.
13 # You may obtain a copy of the License at
15 # http://www.apache.org/licenses/LICENSE-2.0
17 # Unless required by applicable law or agreed to in writing, software
18 # distributed under the License is distributed on an "AS IS" BASIS,
19 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20 # See the License for the specific language governing permissions and
21 # limitations under the License.
25 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
27 [[ $EUID == 0 ]] ||
exec sudo
-E "${BASH_SOURCE[0]}" "$@"
30 if [[ -L /root
/.
ssh ]]; then
38 user_ssh_dir
=$
(eval echo ~
$user)/.
ssh
39 if [[ ! -s $user_ssh_dir/authorized_keys
]]; then
40 echo missing
$user_ssh_dir/authorized_keys. bad sign. bailing
>&2
44 # remove broken links, or else rsync has error about them.
45 find $user_ssh_dir -xtype l
-exec rm '{}' \
;
46 # -t times, so it won't rewrite the file every time,
48 rsync
--exclude=/h
--exclude=/h.pub \
49 --exclude=/hrsa
--exclude=/hrsa.pub \
50 --exclude /config
--exclude /confighome
-rtL --delete $user_ssh_dir/ /root
/.
ssh
51 if [[ -e /q
/root
/h
]]; then
52 cp -a /q
/root
/{h
,hrsa
}{,.pub
} /root
/.
ssh
55 if [[ -e $user_ssh_dir/config
]]; then
56 ### The h key is like the home key, but only a whitelist of commands allowed, and
57 # not encrypted, so cron and whatnot can use it.
58 # For any interactive ssh command we want to run as root that is not in that
59 # whitelist, we need to ssh -F $HOME/.ssh/confighome
60 ### I run a separate ssh-agent for root where I add keys without
61 # confirm. This the root ssh-agent is only available
62 # to root, and it allows us to have a working ssh when X isnt available,
63 # eg, in an ssh shell. confirm for regular user provides some protection
64 # that a rouge user program cant use my ssh key.
65 sed 's,^AddKeysToAgent confirm,AddKeysToAgent yes,;/^UserKnownHostsFile /d' $user_ssh_dir/config
>/root
/.ssh
/confighome
66 sed 's,^IdentityFile ~/\.ssh/home$,IdentityFile ~/\.ssh/h,' /root
/.ssh
/confighome
>/root
/.ssh
/config
68 chown
-R root
:root
/root
/.
ssh
70 # --update, -u skip files that are newer on the receiver
71 # I often push out a new hssh
72 rsync
-tpu --chmod=755 --chown=root
:root
/a
/bin
/fai
/fai
/config
/files
/usr
/local
/bin
/hssh
/IANK
/usr
/local
/bin
/hssh
74 if [[ -e /a
/opt
/btrbk
/ssh_filter_btrbk.sh
]]; then
75 install /a
/opt
/btrbk
/ssh_filter_btrbk.sh
/usr
/local
/bin
78 if [[ -e /etc
/systemd
/system
/ssh-agent-root.service
]]; then
79 systemctl
enable --now ssh-agent-root
83 # note: i previously had $auth_dir/root/.ssh/authorized_keys
84 # but /usr/share/doc/dropbear-initramfs/README.initramfs
85 # says differently. not sure what is up.
87 auth_dir
=/etc
/dropbear
/initramfs
/
88 candidate
=$
(apt-cache policy dropbear-initramfs |
awk '$1 == "Candidate:" { print $2 }' |
head -n1 ||
:)
89 if [[ $candidate ]] && dpkg
--compare-versions "$candidate" lt
2020.81-4; then
90 auth_dir
=/etc
/dropbear-initramfs
92 auth_file
=$auth_dir/authorized_keys
94 if [[ ! -e $auth_file ]] ||
! diff -q /root
/.ssh
/authorized_keys
$auth_file; then
95 cp -p /root
/.ssh
/authorized_keys
$auth_file
96 update-initramfs
-u -k all
iankelling.org / git / distro-setup / blob