Bug#592550: support for SSH-Key authentication (Supports Eucalyptus and Amazon EC2)
Package: network-console
Severity: normal
Tags: patch
I've spent some time fiddling with this feature, and I've prepared a
modified patch that makes the feature more secure and easier to use.
The modified installer now retrieves a "public-ip-url" and displays that
address in the console output instead of the IP found on the network
interface. This correctly interoperates with Eucalyptus and Amazon EC2.
In those environments you would use the following bit of preseed:
d-i network-console/password-disabled boolean true
d-i network-console/public-ip-url string \
http://169.254.169.254/2007-01-19/meta-data/public-ipv4
d-i network-console/public-key-url string \
http://169.254.169.254/2007-01-19/meta-data/public-keys/0/openssh-key
I'm also in the process of working on a small Debian-Installer patch to
automatically prepare a partially-preseeded D-I image following those
conventions.
I've built a modified network-console with this patch into a slightly
patched Debian-Installer and successfully used it to begin a network
install on an Amazon EC2 instance.
There are still several partitioning and bootloader-related things which
don't work yet, but this part seems to be fully functional.
Cheers,
Kyle Moffett
diff -ruN a/debian/network-console.postinst b/debian/network-console.postinst
--- a/debian/network-console.postinst 2010-02-15 00:11:01.000000000 -0500
+++ b/debian/network-console.postinst 2010-08-11 16:27:24.000000000 -0400
@@ -26,6 +26,41 @@
;;
esac
+## Helper function
+download_ssh_keys()
+{
+ ## Don't do anything if no URL was specified or there are
+ ## preexisting SSH keys already in the initramfs
+ [ -n "$1" -a ! -f /.ssh/authorized_keys ] || return 0
+
+ ## First make sure the directory is OK
+ [ -d /.ssh ] || mkdir /.ssh
+ chmod 700 /.ssh
+
+ ## Next, download the file
+ if wget -q -O /.ssh/authorized_keys "$1"; then
+ chmod 0644 /.ssh/authorized_keys || true
+ return 0
+ fi
+
+ ## Handle errors appropriately
+ db_subst $TEMPLATE_ROOT/public-key-fetch-failure LOCATION "$1"
+ db_input critical $TEMPLATE_ROOT/public-key-fetch-failure || true
+ db_go
+ exit 1
+}
+
+db_get $TEMPLATE_ROOT/public-key-url
+download_ssh_keys "${RET}"
+
+db_get $TEMPLATE_ROOT/password-disabled
+if [ "x${RET}" = "xtrue" ]; then
+ CRYPT_PASSWORD='*'
+ PASSWORD='*DISABLED*'
+else
+ PASSWORD=''
+fi
+
while [ -z "$PASSWORD" ]; do
db_input critical $TEMPLATE_ROOT/password || true
COMPARE_PW=''
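Review bot: A failed download in download_ssh_keys leaves an empty or partial /.ssh/authorized_keys behind, because `wget -O` creates the output file before the fetch completes; on a re-run the `! -f /.ssh/authorized_keys` guard at the top of the function then returns 0 as if keys were present. Adding `rm -f /.ssh/authorized_keys` before the db_subst in the error path avoids that. Separately, the password-disabled branch sets `CRYPT_PASSWORD='*'` without checking that any key was actually installed, so a preseed with password-disabled set but no (or an unreachable) public-key-url yields an installer nobody can log into; gating the branch on `[ -s /.ssh/authorized_keys ]` and otherwise falling through to the password prompt seems safer, unless an explicit error dialog is preferred. Both changes are sketched below; the `while [ -z "$PASSWORD" ]` loop that follows continues outside the hunk.
```shell
download_ssh_keys()
{
  # … unchanged: URL/existing-file guard, mkdir/chmod, wget …

  ## wget -O creates the target even when the fetch fails; do not leave an
  ## empty or partial authorized_keys behind for the guard above to trust
  rm -f /.ssh/authorized_keys
  db_subst $TEMPLATE_ROOT/public-key-fetch-failure LOCATION "$1"
  # … unchanged: db_input, db_go, exit 1 …
}

db_get $TEMPLATE_ROOT/password-disabled
## Only disable the password when some authorized key is actually in place
if [ "x${RET}" = "xtrue" ] && [ -s /.ssh/authorized_keys ]; then
  CRYPT_PASSWORD='*'
  PASSWORD='*DISABLED*'
else
  PASSWORD=''
fi
```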
@@ -44,6 +79,7 @@
continue
fi
PASSWORD=$INST_PW
+ CRYPT_PASSWORD="$(gen-crypt "$PASSWORD")"
db_set $TEMPLATE_ROOT/password ""
db_set $TEMPLATE_ROOT/password-again ""
@@ -51,7 +87,7 @@
db_fset $TEMPLATE_ROOT/password-again seen false
done
-echo "installer:$(gen-crypt $PASSWORD):1:0:99999:7:::" >> /etc/shadow
+echo "installer:${CRYPT_PASSWORD}:1:0:99999:7:::" >> /etc/shadow
KEY_FINGERPRINT=$(ssh-keygen -l -f $KEY_FILE | cut -f2 -d ' ')
@@ -62,6 +98,15 @@
IPADDR=$(ip addr | grep '^[[:space:]]*inet ' | grep -v "127\.0\." | \
head -n 1 | sed 's/.*inet \([0-9.]*\).*/\1/')
+
+## If executed in a virtual hosting environment we might have a NAT'ed
+## public IP address. If so, we should figure out what it is.
+db_get $TEMPLATE_ROOT/public-ip-url
+if [ -n "${RET}" ]; then
+ publicip="$(wget -q -O - "${RET}" || true)"
+ [ -z "${publicip}" ] || IPADDR="${publicip}"
+fi
+
db_subst $TEMPLATE_ROOT/start ip $IPADDR
db_subst $TEMPLATE_ROOT/start fingerprint $KEY_FINGERPRINT
case "$ARCHDETECT" in
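Review bot: The body fetched from public-ip-url is substituted straight into the start message as the address, with only the emptiness check at `[ -z "${publicip}" ]`, so an HTTP error page or any other unexpected response replaces the locally detected IPADDR with arbitrary text. A format check keeps the fallback to the interface address for anything that does not look like a dotted quad: `case "${publicip}" in *[!0-9.]*|'') ;; *) IPADDR="${publicip}" ;; esac`. This restricts the override to IPv4, which matches the public-ipv4 metadata path the report suggests; an IPv6 source would need a broader pattern.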
diff -ruN a/debian/network-console.templates b/debian/network-console.templates
--- a/debian/network-console.templates 2009-07-21 01:55:09.000000000 -0400
+++ b/debian/network-console.templates 2010-08-11 16:33:01.000000000 -0400
@@ -60,6 +60,13 @@
The two passwords you entered were not the same. Please enter a password
again.
+Template: network-console/password-disable
+Type: boolean
+Description: for internal use; can be preseeded
+ Disable password-based SSH login, require the use of public-keys.
+ .
+ See also "network-console/public-key-url"
+
Template: network-console/start
Type: note
# :sl2:
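Review bot: The template is named `network-console/password-disable`, but the postinst hunk reads `db_get $TEMPLATE_ROOT/password-disabled` and the preseed example at the top of the report uses `network-console/password-disabled`, so the boolean is never found under the name the script asks for. Renaming it to `Template: network-console/password-disabled` makes the three agree. It would also help to state in the description what the installer does when the value is true, since disabling the password makes the fetched keys the only way in.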
@@ -75,3 +82,27 @@
.
Please check this carefully against the fingerprint reported by
your SSH client.
+
+Template: network-console/public-key-url
+Type: string
+Description: for internal use; can be preseeded
+ What URL contains a list of authorized SSH public keys?
+ .
+ The file at the given URL should be of the same form as a standard OpenSSH
+ authorized_keys file.
+
+Template: network-console/public-key-fetch-failure
+Type: error
+# :sl2:
+_Description: Could not fetch OpenSSH authorized keys
+ An error occurred while fetching OpenSSH authorized keys from ${LOCATION}.
+ .
+ Check /var/log/syslog or see virtual console 4 for the details.
+
+Template: network-console/public-ip-url
+Type: string
+Description: for internal use; can be preseeded
+ What URL contains the public IP address to be displayed on the console?
+ .
+ The file at the given URL should be a simple plain-text IP address.
+
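Review bot: The public-key-url description says what the file format is but not that the installer fetches the URL once, unauthenticated, and installs whatever it receives as authorized_keys without any integrity check, which is the property an administrator needs in order to judge whether a URL is safe to preseed. A sentence such as `The keys are fetched once at installer start and installed as-is; only use a URL whose content and transport you trust, such as a link-local metadata service.` under the existing `.` separator would cover it. The public-ip-url description could likewise mention that the fetched value replaces the detected interface address in the start message, since that is what the postinst does with it.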