Use key(and password-)less SSH authentication
authorTobias Brunner <tobias@strongswan.org>
Wed, 5 Dec 2012 17:53:20 +0000 (18:53 +0100)
committerTobias Brunner <tobias@strongswan.org>
Thu, 17 Jan 2013 14:22:09 +0000 (15:22 +0100)
testing/do-tests
testing/hosts/default/etc/ssh/sshd_config [new file with mode: 0644]
testing/scripts/build-baseimage
testing/scripts/build-umlrootfs
testing/ssh_config
testing/testing.conf

index 353cfa6..b002072 100755 (executable)
@@ -105,7 +105,7 @@ done
 #
 for host in $STRONGSWANHOSTS
 do
-    ssh $SSHCONF -N root@`eval echo \\\$ipv4_$host` &
+    ssh $SSHCONF -N root@`eval echo \\\$ipv4_$host` >/dev/null 2>&1 &
     eval ssh_pid_$host="`echo $!`"
 done
 
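Review bot: Sending both stdout and stderr of the background `ssh` to `/dev/null` also discards connection and authentication errors, so a master connection that never came up is only noticed later, when a test step fails. If the aim is to hide the host-key notice that `StrictHostKeyChecking no` now produces, `LogLevel ERROR` in testing/ssh_config would silence it while keeping real errors visible. Otherwise redirect to a log file instead of `/dev/null`. The loop belongs to a longer script that continues outside this hunk.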
diff --git a/testing/hosts/default/etc/ssh/sshd_config b/testing/hosts/default/etc/ssh/sshd_config
new file mode 100644 (file)
index 0000000..07b7e78
--- /dev/null
@@ -0,0 +1,13 @@
+Port 22
+Protocol 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+UsePrivilegeSeparation no
+PermitRootLogin yes
+StrictModes no
+PubkeyAuthentication no
+PermitEmptyPasswords yes
+PrintMotd no
+PrintLastLog no
+UsePAM no
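Review bot: The new file has no comment stating that `PermitRootLogin yes`, `PermitEmptyPasswords yes` and `PubkeyAuthentication no` together hand a root shell to anyone who can reach port 22, which is acceptable only because these guests live on the test network. A header such as `# Test guests only: root logs in with an empty password; never use outside the isolated test network` would keep the file from being copied elsewhere unnoticed. `UsePrivilegeSeparation no` and `StrictModes no` do not look necessary for passwordless login (inferred, since the guest setup is not visible here), so consider dropping them or adding a line on why they are needed.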
index c26e246..4372e54 100755 (executable)
@@ -50,8 +50,8 @@ execute "mount -o bind $CACHEDIR $APTCACHE"
 echo " * Running debootstrap ..."
 execute "debootstrap --arch=$ROOTFSARCH --include=$PACKAGES $ROOTFSSUITE $LOOPDIR $ROOTFSMIRROR"
 
-echo " * Setting root password to '$ROOTFSPW' ..."
-echo root:$ROOTFSPW | chroot $LOOPDIR chpasswd
+echo " * Disabling root password ..."
+chroot $LOOPDIR passwd -d root
 
 echo " * Disabling services ..."
 for service in $SERVICES
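Review bot: `chroot $LOOPDIR passwd -d root` runs bare, so a failure is neither logged nor stops the build, unlike the `debootstrap` call just above, which goes through `execute`. Suggest `execute "chroot $LOOPDIR passwd -d root"`, assuming `execute` logs and aborts on failure as its use above suggests. Since the new sshd_config turns public-key authentication off, this step is what root login on the guests depends on. A short comment such as `# empty root password: relies on PermitEmptyPasswords in the guests' sshd_config, test images only` would record that dependency.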
index 85682fa..5a885ce 100755 (executable)
@@ -96,67 +96,5 @@ echo "none /root/compile hostfs $ROOTFSCOMPILEDIR" >> $LOOPDIR/etc/fstab
 cecho " * Removing /etc/resolv.conf"
 rm -f $LOOPDIR/etc/resolv.conf
 
-#####################################
-# preparing ssh for PK authentication
-#
-if [ ! -d ~/.ssh ]
-then
-       cecho-n " * Creating directory '~/.ssh'.."
-       mkdir ~/.ssh
-       cgecho "done"
-fi
-
-cecho-n " * Checking for ssh rsa key '~/.ssh/id_rsa.pub'.."
-if [ -f ~/.ssh/id_rsa.pub ]
-then
-       cecho "already exists"
-else
-       cecho "not found"
-       cecho-n " * Generating ssh rsa key pair.."
-       echo "" | ssh-keygen -N "" -t rsa -f ~/.ssh/id_rsa >> $LOGFILE 2>&1
-       cgecho "done"
-fi
-
-if [ -f ~/.ssh/known_hosts ]
-then
-       cecho-n " * Backing up ~/.ssh/known_hosts to '~/.ssh/known_hosts.before_uml'.."
-       cp -fp ~/.ssh/known_hosts ~/.ssh/known_hosts.before_uml
-       cgecho "done"
-fi
-rm ~/.ssh/known_hosts
-cecho-n " * Creating new '~/.ssh/known_hosts'.."
-touch ~/.ssh/known_hosts
-cgecho "done"
-
-for host in $HOSTNAMEIPV4
-do
-       HOSTNAME=`echo $host | awk -F, '{ print $1 }'`
-       IP=`echo $host | awk -F, '{ print $2 }'`
-       cecho-n " * Adding uml host $HOSTNAME ($IP) to '~/.ssh/known_hosts'.."
-       echo "$HOSTNAME,$IP `cat $LOOPDIR/etc/ssh/ssh_host_rsa_key.pub`" >> ~/.ssh/known_hosts
-       cgecho "done"
-done
-
-######################################################
-# copying the host's ssh public key
-#
-if [ ! -d $LOOPDIR/root/.ssh ]
-then
-    mkdir $LOOPDIR/root/.ssh
-fi
-cp ~/.ssh/id_rsa.pub $LOOPDIR/root/.ssh/authorized_keys
-
-######################################################
-# setup public key based login among all hosts
-#
-cp $LOOPDIR/etc/ssh/ssh_host_rsa_key $LOOPDIR/root/.ssh/id_rsa
-
-for host in $STRONGSWANHOSTS
-do
-    eval ip="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F- '{ print $1 }' | awk '{ print $1 }'`"
-    echo "$host,$ip `cat $LOOPDIR/etc/ssh/ssh_host_rsa_key.pub`" >> $LOOPDIR/root/.ssh/known_hosts
-    echo "`cat $LOOPDIR/etc/ssh/ssh_host_rsa_key.pub` root@$host" >> $LOOPDIR/root/.ssh/authorized_keys
-done
-
 umount $LOOPDIR/proc
 umount $LOOPDIR
index 36569c0..831b9dc 100644 (file)
@@ -1,7 +1,8 @@
 Host *
        # debian default
        SendEnv LANG LC_*
-       HashKnownHosts yes
+       StrictHostKeyChecking no
+       UserKnownHostsFile /dev/null
        GSSAPIAuthentication yes
        # faster encryption
        Ciphers arcfour
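Review bot: `StrictHostKeyChecking no` and `UserKnownHostsFile /dev/null` sit under `Host *`, so host-key verification is off for every destination reached with this file, not only the test guests. If the guests' names or addresses allow it, move the two options under a `Host` pattern that matches only them. Failing that, add a comment above them such as `# test network only: host keys are not verified`, so the file is not reused as a general client config.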
index 611fd4e..a931155 100755 (executable)
@@ -53,7 +53,6 @@ ROOTFSSUITE=wheezy
 ROOTFSARCH=amd64
 ROOTFS=$BUILDDIR/debian-$ROOTFSSUITE-$ROOTFSARCH.img
 ROOTFSMIRROR=http://cdn.debian.net/debian
-ROOTFSPW=root
 ROOTFSCOMPILEDIR=$BUILDDIR/compile
 
 # Filename of the built UML Kernel