define TERM setting

comments for development actions added to cbox.sh
source local configure scripts
examples for local configure scripts added:
  - set_root_pw
  - import_authorized_keys
lars 2005-08-02 06:49:08 +00:00
parent e3f4cb49e3
commit 6fec846638
6 changed files with 93 additions and 8 deletions


@ -6,7 +6,7 @@
# dfsbuild - create the image directory with dfsbuild and copy it to # dfsbuild - create the image directory with dfsbuild and copy it to
# the working directory # the working directory
# config - apply cryptobox specific changes to the working directory # config - apply cryptobox specific changes to the working directory
# harden - remove unnecessary packages (for release CD) # harden - remove unnecessary packages and disable developer features
# iso - create the iso image (out of the working directory) # iso - create the iso image (out of the working directory)
# burn - tries to burn the the image on a cd-rw (maybe it works) # burn - tries to burn the the image on a cd-rw (maybe it works)
# #
@ -16,6 +16,9 @@
# devel - enable developer features like sshd, writable templates and # devel - enable developer features like sshd, writable templates and
# the test-suite (can be undone by "revert") # the test-suite (can be undone by "revert")
# revert - reset the working directory to the image created by dfsbuild # revert - reset the working directory to the image created by dfsbuild
# upload - copy local working copy to tmpfs on a running cryptobox
# diff - compare tmpfs-files on a running cryptobox with the original
# merge - apply the diff to the local copy
# #
# final action: # final action:
# release - the same as "dfsbuild config iso" # release - the same as "dfsbuild config iso"
@ -60,7 +63,7 @@ LOCALCONF_DIR=local.conf.d
SSH_CONFIG_FILE="$LOCALCONF_DIR/ssh-options" SSH_CONFIG_FILE="$LOCALCONF_DIR/ssh-options"
SSH_HOST=cryptobox SSH_HOST=cryptobox
REMOTE_COMMAND="/usr/lib/cryptobox/devel-features.sh" REMOTE_COMMAND="/usr/lib/cryptobox/devel-features.sh"
CUSTOM_CONFIGURE_DIR=$LOCALCONF_DIR/custom-configure.d
function run_dfsbuild() function run_dfsbuild()
@ -117,13 +120,13 @@ function configure_cb()
exit exit
fi fi
echo "Copying files into the box ..." echo "Copying files to the box ..."
[ -e "$TMP_DIR" ] && rm -rf "$TMP_DIR" [ -e "$TMP_DIR" ] && rm -rf "$TMP_DIR"
cp -dr "$TEMPLATE_DIR/." "$TMP_DIR" cp -dr "$TEMPLATE_DIR/." "$TMP_DIR"
rm -rf `find "$TMP_DIR" -type d -name ".svn"` rm -rf `find "$TMP_DIR" -type d -name ".svn"`
cp -dr "$TMP_DIR/." "$IMAGE_DIR" cp -dr "$TMP_DIR/." "$IMAGE_DIR"
rm -rf "$TMP_DIR" rm -rf "$TMP_DIR"
echo "Configuring the cryptobox ..." echo "Configuring the cryptobox ..."
# "harden" removes /etc/issue ... # "harden" removes /etc/issue ...
if [ -e "$IMAGE_DIR/etc/issue" ] if [ -e "$IMAGE_DIR/etc/issue" ]
@ -132,6 +135,16 @@ function configure_cb()
fi fi
fetch_revision >"$IMAGE_DIR/etc/cryptobox/revision" fetch_revision >"$IMAGE_DIR/etc/cryptobox/revision"
chroot "$IMAGE_DIR" "$CHROOTSTART" /usr/lib/cryptobox/configure-cryptobox.sh normal chroot "$IMAGE_DIR" "$CHROOTSTART" /usr/lib/cryptobox/configure-cryptobox.sh normal
# source local configure scripts
[ -d "$CUSTOM_CONFIGURE_DIR" ] && \
find "$CUSTOM_CONFIGURE_DIR" -xtype f | sort | while read file
do echo "Sourcing custom configure script $(basename $file):"
# execute it in its own environment (to be safe)
# 'source' implicitly imports all current settings
# indent these lines to improve the output
( source "$file" ) 2>&1 | sed 's/^/\t/'
done
} }
@ -143,8 +156,9 @@ function fetch_revision()
function check_ssh_defaults() function check_ssh_defaults()
{ {
[ ! -d "$LOCALCONF_DIR" ] && mkdir "$LOCALCONF_DIR"
if [ ! -e "$SSH_CONFIG_FILE" ] if [ ! -e "$SSH_CONFIG_FILE" ]
then [ ! -d "$LOCALCONF_DIR" ] && mkdir "$LOCALCONF_DIR" then echo "Copying default ssh_config file to '$SSH_CONFIG_FILE' ..."
cp misc/ssh-options.default "$SSH_CONFIG_FILE" cp misc/ssh-options.default "$SSH_CONFIG_FILE"
fi fi
} }
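Review bot: The hook loop added at the end of configure_cb runs on every "config" pass, and the header comment describes "release" as "dfsbuild config iso", so a populated local.conf.d/custom-configure.d would also be applied to a release image. With the examples shipped in this commit that means a fixed root password or a developer's authorized_keys baked into the CD. I would at least document this above the loop, e.g. `# NOTE: these hooks also run for release builds - keep custom-configure.d empty when building a release CD`. Separately, the loop should read names with `while IFS= read -r file` and quote `$(basename "$file")`; because the subshell is piped into sed, a failing hook's exit status is also lost. configure_cb starts outside the hunk.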


@ -35,10 +35,15 @@ function configure_normal()
######### bashrc ########### ######### bashrc ###########
# remove dfshints from bashrc # remove dfshints from bashrc
sed -i "/^dfshints$/d" $RUNTIMEDIR/root/.bashrc sed -i "/^dfshints$/d" "$RUNTIMEDIR/root/.bashrc"
########### TERM ###########
# set a usable default
sed -i '/^export TERM=/d' "$RUNTIMEDIR/root/.profile"
echo 'export TERM=vt100' >>"$RUNTIMEDIR/root/.profile"
########## sshd ############
if [ -e "/etc/ssh" ]; then if [ -e "/etc/ssh" ]; then
########## sshd ############
# allow empty passwords for ssh # allow empty passwords for ssh
# the daemon is NOT started automatically, so you have to start it # the daemon is NOT started automatically, so you have to start it
# manually in case of need - as the root pw is empty and passwd is ro, you # manually in case of need - as the root pw is empty and passwd is ro, you
@ -62,8 +67,12 @@ function configure_secure()
# remove unnecessary packages # remove unnecessary packages
dpkg --force-all -P $SECURITY_REMOVE_PACKAGES 2>&1 | grep -v "which isn't installed." dpkg --force-all -P $SECURITY_REMOVE_PACKAGES 2>&1 | grep -v "which isn't installed."
# remove development files # remove the development features script
rm -f "$DEV_FEATURES_SCRIPT" rm -f "$DEV_FEATURES_SCRIPT"
# maybe an authorized_keys file was created - but it is not dangerous,
# as the openssh package was removed anyway
rm -rf /root/.ssh
} }
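Review bot: The cleanup added to configure_secure removes `/root/.ssh`, but configure_normal in this same file addresses root's runtime home as `$RUNTIMEDIR/root`, and the import_authorized_keys example in this commit writes the key to `opt/dfsbuild/runtimerd/root/.ssh/authorized_keys`. If `$RUNTIMEDIR` is that directory (its definition is outside the hunk), the imported key survives hardening; adding `rm -rf "$RUNTIMEDIR/root/.ssh"` next to the existing line would cover it. Relying on the openssh package having been removed is thin, because the dpkg call above is piped into grep and its failure is not checked, so removing the key material itself is the safer guarantee. configure_secure begins outside the hunk.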


@ -0,0 +1,25 @@
1) Overview
the files in this directory are examples specific hook scripts to change the
configuration of the box
2) How to use these scripts
Copy the scripts, you would like to use into local.conf.d/custom-configure.d.
They will be sourced in alphabetic order AFTER the default configuration of the
cryptobox.
3) The examples
set_root_pw
- replace the empty root password (the default) with a choosen password
- useful if your development cryptobox:
- is located in an insecure environment
- or your development team is geographically distributed, so the
cryptobox for testing has to be publicly available
import_authorized_keys
- create a new rsa key (local.conf.d/id_rsa) and copy the public
key to the working image directory
- IMPORTANT: you have to activate the 'IdentityFile' setting in
local.conf.d/ssh-options to enable this feature
- this is useful, if you secured the development cryptobox with a
password (see 'set_root_pw')


@ -0,0 +1,23 @@
# import a public rsa key into the cryptobox for ssh authentication
#
# see README in misc/custom-configure.d for details
#
# do not forget to activate the 'IdentityFile' setting in
# local.conf.d/ssh-options
#
SSH_KEY_FILE="$LOCALCONF_DIR/id_rsa"
# create a rsa key if it does not yet exist
if [ ! -e "$SSH_KEY_FILE" ]
then echo "Creating ssh key ($SSH_KEY_FILE) ..."
mkdir -p $(dirname "$SSH_KEY_FILE")
ssh-keygen -t rsa -b 1024 -N '' -q -f "$SSH_KEY_FILE"
fi
# copy new public ssh key to ~/.ssh/authorized_keys on cryptobox
check_ssh_defaults
echo "Copying local public ssh key file to the box ..."
mkdir -p "$IMAGE_DIR/opt/dfsbuild/runtimerd/root/.ssh"
cp "${SSH_KEY_FILE}.pub" "$IMAGE_DIR/opt/dfsbuild/runtimerd/root/.ssh/authorized_keys"
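Review bot: The key generated here is 1024-bit RSA (`-b 1024`), which is no longer considered adequate for new keys; I would use `ssh-keygen -t rsa -b 4096 -N '' -q -f "$SSH_KEY_FILE"`. The private key is created without a passphrase inside local.conf.d, so the header comment should say that `id_rsa` must stay out of version control and out of any copy of the tree shared with others. `mkdir -p $(dirname "$SSH_KEY_FILE")` should quote the substitution, and a `chmod 700` on the new `.ssh` directory in the image would keep sshd's permission checks independent of the builder's umask.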


@ -0,0 +1,10 @@
# replace the empty root password of an development cryptobox with a choosen one
#
# see misc/custom-configure.d/README for details
#
# set the password to your needs
NEW_ROOT_PASSWORD=foobar
echo "Setting a root password ..."
echo "root:$NEW_ROOT_PASSWORD" | chroot "$IMAGE_DIR" "$CHROOTSTART" chpasswd root
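Review bot: The example ships with a working default, `NEW_ROOT_PASSWORD=foobar`, so anyone who copies the hook unchanged gets a publicly known root password on a box the README describes as possibly publicly available. I would leave the value empty and refuse to continue until it is set: `NEW_ROOT_PASSWORD=` followed by `[ -n "$NEW_ROOT_PASSWORD" ] || { echo "set NEW_ROOT_PASSWORD in set_root_pw first" >&2; return 1; }`. `printf 'root:%s\n' "$NEW_ROOT_PASSWORD"` is also more predictable than `echo` when the password contains backslashes. chpasswd reads its user:password pairs from stdin, so the trailing `root` argument looks unnecessary; that is worth confirming against the chpasswd version in the image.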


@ -4,6 +4,10 @@ Host cryptobox
HostName 192.168.0.23 HostName 192.168.0.23
Port 22 Port 22
# maybe you want to use rsa authentication?
# see misc/custom-configure.s/README for examples
#IdentityFile local.conf.d/id_rsa
# this should be valid for everyone # this should be valid for everyone
User root User root
CheckHostIP no CheckHostIP no
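Review bot: The new comment points readers to `misc/custom-configure.s/README`, but the other files in this commit refer to the directory as `misc/custom-configure.d`; the line should read `# see misc/custom-configure.d/README for examples`. The commented `IdentityFile local.conf.d/id_rsa` is a relative path, so it presumably only resolves when ssh is started from the project root. A short remark saying so in the comment would save a confusing authentication failure.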