
Bug#592550: support for SSH-Key authentication (Supports Eucalyptus and Amazon EC2)



Package: network-console
Severity: normal
Tags: patch

I've spent some time fiddling with this feature, and I've prepared a
modified patch that makes the feature more secure and easier to use.

The modified installer now retrieves a "public-ip-url" and displays that
address in the console output instead of the IP found on the network
interface.  This correctly interoperates with Eucalyptus and Amazon EC2.

In those environments you would use the following bit of preseed:

  d-i network-console/password-disabled boolean true
  d-i network-console/public-ip-url string \
    http://169.254.169.254/2007-01-19/meta-data/public-ipv4
  d-i network-console/public-key-url string \
    http://169.254.169.254/2007-01-19/meta-data/public-keys/0/openssh-key

I'm also in the process of working on a small Debian-Installer patch to
automatically prepare a partially-preseeded D-I image following those
conventions.

I've built a modified network-console with this patch into a slightly
patched Debian-Installer and successfully used it to begin a network
install on an Amazon EC2 instance.

There are still several partitioning and bootloader-related things which
don't work yet, but this part seems to be fully functional.

Cheers,
Kyle Moffett
diff -ruN a/debian/network-console.postinst b/debian/network-console.postinst
--- a/debian/network-console.postinst	2010-02-15 00:11:01.000000000 -0500
+++ b/debian/network-console.postinst	2010-08-11 16:27:24.000000000 -0400
@@ -26,6 +26,41 @@
 	;;
 esac
 
+## Helper function
+download_ssh_keys()
+{
+	## Don't do anything if no URL was specified or there are
+	## preexisting SSH keys already in the initramfs
+	[ -n "$1" -a ! -f /.ssh/authorized_keys ] || return 0
+
+	## First make sure the directory is OK
+	[ -d /.ssh ] || mkdir /.ssh
+	chmod 700 /.ssh
+
+	## Next, download the file
+	if wget -q -O /.ssh/authorized_keys "$1"; then
+		chmod 0644 /.ssh/authorized_keys || true
+		return 0
+	fi
+
+	## Handle errors appropriately
+	db_subst $TEMPLATE_ROOT/public-key-fetch-failure LOCATION "$1"
+	db_input critical $TEMPLATE_ROOT/public-key-fetch-failure || true
+	db_go
+	exit 1
+}
+
+db_get $TEMPLATE_ROOT/public-key-url
+download_ssh_keys "${RET}"
+
+db_get $TEMPLATE_ROOT/password-disabled
+if [ "x${RET}" = "xtrue" ]; then
+	CRYPT_PASSWORD='*'
+	PASSWORD='*DISABLED*'
+else
+	PASSWORD=''
+fi
+
 while [ -z "$PASSWORD" ]; do
 	db_input critical $TEMPLATE_ROOT/password || true
 	COMPARE_PW=''
@@ -44,6 +79,7 @@
 		continue
 	fi
 	PASSWORD=$INST_PW
+	CRYPT_PASSWORD="$(gen-crypt "$PASSWORD")"
 
 	db_set $TEMPLATE_ROOT/password ""
 	db_set $TEMPLATE_ROOT/password-again ""
@@ -51,7 +87,7 @@
 	db_fset $TEMPLATE_ROOT/password-again seen false
 done
 
-echo "installer:$(gen-crypt $PASSWORD):1:0:99999:7:::" >> /etc/shadow
+echo "installer:${CRYPT_PASSWORD}:1:0:99999:7:::" >> /etc/shadow
 
 KEY_FINGERPRINT=$(ssh-keygen -l -f $KEY_FILE | cut -f2 -d ' ')
 
@@ -62,6 +98,15 @@
 
 IPADDR=$(ip addr | grep '^[[:space:]]*inet ' | grep -v "127\.0\." | \
 	 head -n 1 | sed 's/.*inet \([0-9.]*\).*/\1/')
+
+## If executed in a virtual hosting environment we might have a NAT'ed
+## public IP address.  If so, we should figure out what it is.
+db_get $TEMPLATE_ROOT/public-ip-url
+if [ -n "${RET}" ]; then
+	publicip="$(wget -q -O - "${RET}" || true)"
+	[ -z "${publicip}" ] || IPADDR="${publicip}"
+fi
+
 db_subst $TEMPLATE_ROOT/start ip $IPADDR
 db_subst $TEMPLATE_ROOT/start fingerprint $KEY_FINGERPRINT
 case "$ARCHDETECT" in
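Review bot: `publicip` is taken verbatim from the HTTP response and substituted into the start note without validation, so a proxy error page or a multi-line body would be shown to the user as the address to connect to; restrict the override to responses that have the same dotted-decimal shape the `sed` above extracts, for example `case "$publicip" in ''|*[!0-9.]*) ;; *) IPADDR="$publicip" ;; esac`. Since the address only selects where the user connects and the fingerprint in the same note is what authenticates the host, this is a usability rather than a trust issue, but a garbage value still hides the real interface address that was just computed.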
diff -ruN a/debian/network-console.templates b/debian/network-console.templates
--- a/debian/network-console.templates	2009-07-21 01:55:09.000000000 -0400
+++ b/debian/network-console.templates	2010-08-11 16:33:01.000000000 -0400
@@ -60,6 +60,13 @@
  The two passwords you entered were not the same. Please enter a password
  again.
 
+Template: network-console/password-disable
+Type: boolean
+Description: for internal use; can be preseeded
+ Disable password-based SSH login, require the use of public-keys.
+ .
+ See also "network-console/public-key-url"
+
 Template: network-console/start
 Type: note
 # :sl2:
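Review bot: the template is named `network-console/password-disable` here, but the postinst (`db_get $TEMPLATE_ROOT/password-disabled`) and the preseed example in the report both use `password-disabled`, so the `db_get` will never return true and the feature is a no-op; rename one side so the two agree. The description should also say that a working key source (`public-key-url` or a pre-placed `/.ssh/authorized_keys`) is required when this is true, because the postinst does not otherwise offer any login method.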
@@ -75,3 +82,27 @@
  .
  Please check this carefully against the fingerprint reported by
  your SSH client.
+
+Template: network-console/public-key-url
+Type: string
+Description: for internal use; can be preseeded
+ What URL contains a list of authorized SSH public keys?
+ .
+ The file at the given URL should be of the same form as a standard OpenSSH
+ authorized_keys file.
+
+Template: network-console/public-key-fetch-failure
+Type: error
+# :sl2:
+_Description: Could not fetch OpenSSH authorized keys
+ An error occurred while fetching OpenSSH authorized keys from ${LOCATION}.
+ .
+ Check /var/log/syslog or see virtual console 4 for the details.
+
+Template: network-console/public-ip-url
+Type: string
+Description: for internal use; can be preseeded
+ What URL contains the public IP address to be displayed on the console?
+ .
+ The file at the given URL should be a simple plain-text IP address.
+
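Review bot: `public-key-fetch-failure` tells the user to check `/var/log/syslog` or virtual console 4, but the download in the postinst runs `wget -q`, which discards the error output, so there will be nothing there to find; either drop `-q` or log the failure explicitly (e.g. with `logger`) before raising the error. The `public-key-url` description should also mention that the URL is ignored when `/.ssh/authorized_keys` already exists in the initramfs, which is the behaviour `download_ssh_keys` implements, and the `public-ip-url` description could state that the response must be a single dotted-decimal address since the postinst does not validate it.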
