1 #!/bin/bash
2 # I, Ian Kelling, follow the GNU license recommendations at
3 # https://www.gnu.org/licenses/license-recommendations.en.html. They
4 # recommend that small programs, < 300 lines, be licensed under the
5 # Apache License 2.0. This file contains or is part of one or more small
6 # programs. If a small program grows beyond 300 lines, I plan to switch
7 # its license to GPL.
8
9 # Copyright 2024 Ian Kelling
10
11 # Licensed under the Apache License, Version 2.0 (the "License");
12 # you may not use this file except in compliance with the License.
13 # You may obtain a copy of the License at
14
15 # http://www.apache.org/licenses/LICENSE-2.0
16
17 # Unless required by applicable law or agreed to in writing, software
18 # distributed under the License is distributed on an "AS IS" BASIS,
19 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20 # See the License for the specific language governing permissions and
21 # limitations under the License.
22
23
# Fail fast: any unhandled error, including inside a pipeline, aborts the
# run, and the ERR trap (inherited by functions via -E) reports where.
set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR

# Everything below writes under /root, /usr/local/bin and /etc, so when
# started as an ordinary user re-exec ourselves through sudo. -E hands the
# caller's environment to the root copy (subject to the sudoers policy).
if (( EUID != 0 )); then
  exec sudo -E "${BASH_SOURCE[0]}" "$@"
fi
28
29 # leftover
# Ensure /root/.ssh is a real directory readable only by root. A leftover
# symlink from an earlier setup is removed first, so the rsync below
# populates a directory under /root rather than wherever the link pointed.
if [[ -L /root/.ssh ]]; then
  rm /root/.ssh
fi
mkdir -p /root/.ssh
chmod 700 /root/.ssh
35
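# The unprivileged account (uid 1000) is the source of truth for root's
# ssh setup. Read its passwd entry directly instead of the previous
# `eval echo ~$user`: eval would execute a username containing shell
# metacharacters as code, and getent also resolves NSS-backed users.
if ! user_entry=$(getent passwd 1000); then
  echo "$0: no passwd entry for uid 1000. bailing" >&2
  exit 1
fi
# passwd fields: name:passwd:uid:gid:gecos:home:shell
IFS=: read -r user _ _ _ _ user_home _ <<<"$user_entry"
if [[ -z $user || -z $user_home ]]; then
  echo "$0: malformed passwd entry for uid 1000: $user_entry" >&2
  exit 1
fi

user_ssh_dir=$user_home/.ssh
# An empty or absent authorized_keys means this host was never set up for
# key login as that user; do not propagate anything from it to root.
if [[ ! -s $user_ssh_dir/authorized_keys ]]; then
  echo "missing $user_ssh_dir/authorized_keys. bad sign. bailing" >&2
  exit 1
fi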
43
# Dangling symlinks make rsync -L error out, so prune them first.
find "$user_ssh_dir" -xtype l -exec rm -- {} +

# Mirror the user's ~/.ssh into /root/.ssh. This intentionally includes
# the user's private keys: root is meant to use them. -t keeps mtimes so
# an unchanged file is not rewritten on every run; -L copies the target of
# any symlink as a real file; --delete drops what the user removed. The
# h/hrsa key pair and the two config files are root-specific and are
# produced separately below, so they are excluded from the mirror.
rsync_excludes=(
  --exclude=/h --exclude=/h.pub
  --exclude=/hrsa --exclude=/hrsa.pub
  --exclude=/config --exclude=/confighome
)
rsync "${rsync_excludes[@]}" -rtL --delete "$user_ssh_dir/" /root/.ssh

# Root's restricted key pairs live outside the user's directory. cp -a
# keeps their mode; ownership is fixed up by the chown further down.
# NOTE(review): only /q/root/h is tested but all four files are copied, so
# a missing hrsa{,.pub} aborts the script under set -e - confirm that is
# intended.
if [[ -e /q/root/h ]]; then
  cp -a /q/root/{h,hrsa}{,.pub} /root/.ssh
fi
54
if [[ -e $user_ssh_dir/config ]]; then
  # Two configs are derived from the user's ~/.ssh/config.
  #
  # confighome: for interactive use as root (ssh -F ~/.ssh/confighome).
  #   The user's config says "AddKeysToAgent confirm" so a rogue program
  #   running as the user cannot use the key unnoticed. Root runs its own
  #   ssh-agent (ssh-agent-root, enabled below) that only root can reach,
  #   so the confirm prompt - which needs X - is turned into a plain "yes"
  #   and ssh keeps working from a non-graphical shell. The user's
  #   UserKnownHostsFile override is dropped, so root falls back to its
  #   own known_hosts (the copy rsync placed in /root/.ssh, if the user
  #   had one).
  #
  # config: root's default, used by cron and other unattended callers.
  #   Same as confighome, but the "home" identity is swapped for "h": the
  #   unencrypted key whose authorized_keys entry only allows a whitelist
  #   of commands. Anything outside that whitelist has to be run with
  #   -F ~/.ssh/confighome explicitly.
  sed -e 's,^AddKeysToAgent confirm,AddKeysToAgent yes,' \
      -e '/^UserKnownHostsFile /d' \
      "$user_ssh_dir/config" >/root/.ssh/confighome
  sed -e 's,^IdentityFile ~/\.ssh/home$,IdentityFile ~/\.ssh/h,' \
      /root/.ssh/confighome >/root/.ssh/config
fi
# Everything mirrored or generated above must be root-owned so the files
# pass ssh's owner checks on config and key files.
chown -R root:root /root/.ssh
69
# Install the hssh script. It is pushed out to hosts often, so -u leaves a
# newer copy already on this host untouched; -t keeps mtimes so that
# comparison stays meaningful. Mode/owner are pinned regardless of the
# source file's.
rsync -tpu --chmod=755 --chown=root:root \
  /a/bin/fai/fai/config/files/usr/local/bin/hssh/IANK /usr/local/bin/hssh

# btrbk's ssh command filter, when a btrbk checkout is present
# (install(1) defaults: root-owned, mode 0755).
if [[ -e /a/opt/btrbk/ssh_filter_btrbk.sh ]]; then
  install /a/opt/btrbk/ssh_filter_btrbk.sh /usr/local/bin
fi

# The root-only agent that the generated ssh configs rely on.
if [[ -e /etc/systemd/system/ssh-agent-root.service ]]; then
  systemctl enable --now ssh-agent-root
fi
81
82
# Give the initramfs sshd (dropbear) the same authorized_keys as root.
#
# note: i previously had $auth_dir/root/.ssh/authorized_keys
# but /usr/share/doc/dropbear-initramfs/README.initramfs
# says differently. not sure what is up.
#
# NOTE(review): the file is copied verbatim, so every key that can log in
# as root can also reach the pre-boot dropbear, with whatever options its
# entry carries. Any restriction wanted there (a forced command, no
# forwarding) has to already be present in /root/.ssh/authorized_keys;
# nothing here adds one. dropbear does not honour every OpenSSH option or
# key type, so check the entries against the installed dropbear version.

# dropbear-initramfs moved its config directory in 2020.81-4; older
# packages keep it at /etc/dropbear-initramfs.
auth_dir=/etc/dropbear/initramfs/
candidate=$(apt-cache policy dropbear-initramfs \
  | awk '$1 == "Candidate:" { print $2; exit }' ||:)
# NOTE(review): when the package is known but uninstallable apt reports
# "(none)" here, which dpkg --compare-versions only warns about; which
# branch is taken in that case is up to dpkg - confirm if it matters.
if [[ -n $candidate ]] && dpkg --compare-versions "$candidate" lt 2020.81-4; then
  auth_dir=/etc/dropbear-initramfs
fi
auth_file=$auth_dir/authorized_keys
mkdir -p "$auth_dir"
# Rebuilding the initramfs is slow; only do it when the key list changed.
if [[ ! -e $auth_file ]] || ! diff -q /root/.ssh/authorized_keys "$auth_file"; then
  cp -p /root/.ssh/authorized_keys "$auth_file"
  update-initramfs -u -k all
fi