
Bug#592550: Provide support for SSH-Key authentication (Supports Eucalyptus and Amazon EC2)



On Tue, Aug 10, 2010 at 04:49:51PM -0400, Kyle Moffett wrote:
> 
> When performing partially-automated virtual-server installations (using
> services such as Eucalyptus or Amazon EC2, for example), it's not really
> practical or secure to use password-based authentication for the
> installer.
> 
> Furthermore, such virtual server environments provide an automatic
> method of provisioning public SSH keys during the installation process
> via an HTTP URL.
> 
> The Ubuntu guys seem to have a patch for this that never got merged:
>   https://bugs.launchpad.net/ubuntu/+source/network-console/+bug/184108

Dear all,

I think that it would be wonderful if Ubuntu's patch were applied in Debian.  Here
is a slimmed down version of it, where I removed the Ubuntu-specific parts
changing debian/control, the changelog and .gitignore files, …

http://patches.ubuntu.com/n/network-console/network-console_1.28ubuntu1.patch

--- 1.28/debian/network-console.postinst	2011-01-19 04:51:17.000000000 +0000
+++ 1.28ubuntu1/debian/network-console.postinst	2011-05-04 00:19:29.000000000 +0100
@@ -26,7 +26,30 @@ case "$ARCHDETECT" in
 	;;
 esac
 
-while [ -z "$PASSWORD" ]; do
+db_get $TEMPLATE_ROOT/authorized_keys_url
+
+AUTHORIZED_KEYS_URL="$RET"
+AUTHORIZED_KEYS_DIRECTORY="/.ssh"
+AUTHORIZED_KEYS_FILE="$AUTHORIZED_KEYS_DIRECTORY/authorized_keys"
+
+if [ -n "$AUTHORIZED_KEYS_URL" ]; then
+	if [ ! -f "$AUTHORIZED_KEYS_FILE" ]; then
+		[ -d "$AUTHORIZED_KEYS_DIRECTORY" ] || \
+		    mkdir "$AUTHORIZED_KEYS_DIRECTORY"
+		chmod 0700 "$AUTHORIZED_KEYS_DIRECTORY"
+		if ! wget -q "$AUTHORIZED_KEYS_URL" -O "$AUTHORIZED_KEYS_FILE"; then
+			db_subst $TEMPLATE_ROOT/authorized_keys_fetch_failure \
+			    LOCATION "$AUTHORIZED_KEYS_URL"
+			db_input critical $TEMPLATE_ROOT/authorized_keys_fetch_failure \
+			    || true
+			db_go
+			exit 1
+		fi
+		chmod 0644 "$AUTHORIZED_KEYS_FILE" || true
+	fi
+fi
+
+while [ ! -f "$AUTHORIZED_KEYS_FILE" ] && [ -z "$PASSWORD" ]; do
 	db_input critical $TEMPLATE_ROOT/password || true
 	COMPARE_PW=''
 	db_input high $TEMPLATE_ROOT/password-again && COMPARE_PW=1 || true
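
Review bot: The `wget -q "$AUTHORIZED_KEYS_URL" -O "$AUTHORIZED_KEYS_FILE"` line writes straight to the final path, while both the `[ ! -f "$AUTHORIZED_KEYS_FILE" ]` guard and the new `while [ ! -f "$AUTHORIZED_KEYS_FILE" ] && ...` condition only test that the file exists. A transfer that fails partway, or a URL that returns an empty body, can leave a file at that path, so a later run skips both the fetch and the password prompt and the installer may end up with neither a usable key nor a password. Suggest fetching to a temporary name, checking it with `[ -s ... ]`, moving it into place only on success, and removing it on the failure path before `exit 1`. Separately, the URL is used exactly as given with no restriction on scheme, so whatever is served at that location decides who can log in to the installer; that deserves a sentence in the template text or a limit to a trusted source.
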
diff -pruN 1.28/debian/network-console.templates 1.28ubuntu1/debian/network-console.templates
--- 1.28/debian/network-console.templates	2011-01-19 04:51:17.000000000 +0000
+++ 1.28ubuntu1/debian/network-console.templates	2011-05-04 00:19:29.000000000 +0100
@@ -75,3 +75,19 @@ _Description: Start SSH
  .
  Please check this carefully against the fingerprint reported by
  your SSH client.
+
+Template: network-console/authorized_keys_url
+Type: string
+Description: for internal use; can be preseeded
+ What URL contains a list of authorized SSH public keys?
+ .
+ The file at the given URL should be of the same form as a standard OpenSSH
+ authorized_keys file.
+
+Template: network-console/authorized_keys_fetch_failure
+Type: error
+# should be translated when committed upstream
+Description: Could not fetch OpenSSH authorized keys
+ An error occurred while fetching OpenSSH authorized keys from ${LOCATION}.
+ .
+ Check /var/log/syslog or see virtual console 4 for the details.
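
Review bot: `network-console/authorized_keys_fetch_failure` is displayed to the user (`Type: error`, raised with `db_input critical` in the postinst) but is declared with `Description:` rather than `_Description:` as the preceding `Start SSH` template is, so it is not marked for translation; the `# should be translated when committed upstream` comment acknowledges this, and for a Debian merge the field should be switched and the comment dropped. The `network-console/authorized_keys_url` text should also document that the password prompt is skipped when the keys file is present, since that follows from the postinst change and is not obvious to someone preseeding the value.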


Please let me know how I can help to make this happen.

Cheers,

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan


