From 16f8c2c5d7d19c33df7925cbaea4ca785cd915c6 Mon Sep 17 00:00:00 2001 From: Jonathan Dahan Date: Tue, 17 Sep 2024 12:47:44 -0400 Subject: [PATCH] build: create userpass service to change the first password --- utilities/build/config.template | 1 - utilities/build/installation.md | 58 +++++++++---------- .../00-install-solar-protocol/01-run.sh | 23 +++++++- .../files/10-hello.template | 3 - .../files/20-warning.template | 6 -- .../files/etc/issue.template | 1 + .../files/etc/systemd/system/userpass.service | 15 +++++ .../files/etc/ufw/user.rules | 52 +++++++++++++++++ .../files/etc/update-motd.d/10-hello.template | 3 + .../files/home/pi/disable-ssh-password-auth | 4 ++ .../usr/lib/userpass-pi/userpass-service | 32 ++++++++++ 11 files changed, 156 insertions(+), 42 deletions(-) delete mode 100755 utilities/build/stage-solar/00-install-solar-protocol/files/10-hello.template delete mode 100755 utilities/build/stage-solar/00-install-solar-protocol/files/20-warning.template create mode 100644 utilities/build/stage-solar/00-install-solar-protocol/files/etc/issue.template create mode 100644 utilities/build/stage-solar/00-install-solar-protocol/files/etc/systemd/system/userpass.service create mode 100644 utilities/build/stage-solar/00-install-solar-protocol/files/etc/ufw/user.rules create mode 100755 utilities/build/stage-solar/00-install-solar-protocol/files/etc/update-motd.d/10-hello.template create mode 100755 utilities/build/stage-solar/00-install-solar-protocol/files/home/pi/disable-ssh-password-auth create mode 100755 utilities/build/stage-solar/00-install-solar-protocol/files/usr/lib/userpass-pi/userpass-service diff --git a/utilities/build/config.template b/utilities/build/config.template index 57904b0a..ef64ff72 100644 --- a/utilities/build/config.template +++ b/utilities/build/config.template 
@@ -10,7 +10,6 @@ FIRST_USER_PASS="$FIRST_USER_PASS"
 WPA_COUNTRY="US"
 ENABLE_SSH="1"
 DEPLOY_COMPRESSION="xz"
-PUBKEY_ONLY_SSH="1"
 PUBKEY_SSH_FIRST_USER="$PUBKEY_SSH_FIRST_USER"
 STAGE_LIST="stage0 stage1 stage2 stage-solar"
 IMG_NAME="solar-protocol"
diff --git a/utilities/build/installation.md b/utilities/build/installation.md
index 2d9e98e6..56ef5f16 100644
--- a/utilities/build/installation.md
+++ b/utilities/build/installation.md
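Review bot: Dropping `PUBKEY_ONLY_SSH="1"` re-enables password logins over ssh in the built image (pi-gen uses that flag to rewrite `PasswordAuthentication` to `no` in the image's sshd_config), so from first boot until someone runs the new disable-ssh-password-auth script the device accepts password authentication, and the ufw rules in this same commit admit port 22 from any address. If that is intended so the `ssh-copy-id` step in installation.md can work against the default password, it deserves a comment in config.template where the line was removed, e.g. `# ssh password auth is left on so ssh-copy-id works; run ~/disable-ssh-password-auth on the device afterwards`. The alternative is to keep the flag and inject the key at build time through `PUBKEY_SSH_FIRST_USER`, which is already set on the next line, so a password login is never needed.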
@@ -2,57 +2,57 @@ Here are some manual steps after booting the raspberry pi to finnish installaion -Update the password for the `pi` user +## Create ssh key and connect to the pi - passwd +On your computer, generate a new key, with a new password -## Enable firewal + ssh-keygen -f ~/.ssh/solar-protocol -This will make sure people can only access the website +Add the key to your keychain, using the password you just gave - sudo ufw allow ssh - sudo ufw allow http comment "Solar Protocol" - sudo ufw allow http-alt comment "Solar Protocol (alt)" - sudo ufw allow https comment "Solar Protocol" - sudo ufw allow 8443 comment "Solar Protocol (alt)" - sudo ufw enable - sudo ufw status + ssh-add ~/.ssh/solar-protocol -## Forward ports from your router to the raspberry pi +Install it to the raspberry pi - use the regular password -It is strongly recommended to do this only after key-based authentication has been enabled and password authentication has be disabled. + ssh-copy-id -i ~/.ssh/solar-protocol pi@solar-protocol.local + +Connect to the pi - there should be no password prompt here -Open and forward these ports on your router + ssh pi@solar-protocol.local -* 443 -> 443 (https) -* 80 -> 80 (http) +Once connected, disable password authentication -If your home internet does not allow people to connect on ports 443 or 80, you can use these alternative ports + sudo ./disable-ssh-password-auth -* 8443 -> 443 (alt-https) -* 8080 -> 80 (alt-http) -* 2222 -> 22 (For SSH) - -## Add SSL Certificates +## Secure firewall and website -Reach out to a network admin, who will follow the instructions in [network/ssl-management.md]() +Once you have confirmed that key authentication works over ssh, enable the firewall -## Fix permissions - -Set permissions for all files - this script must be run everytime you pull from the repository + sudo ufw enable - sh /home/pi/solar-protocol/utilities/setAllPermissions.sh +Next, reach out to a network admin, who will follow the instructions in 
[network/ssl-management.md]() to add secure certificates for the website ## Join the network -Enter api keys to join the network - Log in to the admin console via the browser [http://solar-protocol.local/admin]() Enter API keys and update the gateway list with appropriate credentials Enter your info on the settings page +## Forward ports from your router to the raspberry pi + +Open and forward these ports on your router + +* 443 -> 443 (https) +* 80 -> 80 (http) + +If your home internet does not allow people to connect on ports 443 or 80, you can use these alternative ports + +* 8443 -> 443 (alt-https) +* 8080 -> 80 (alt-http) +* 2222 -> 22 (For SSH) + ## Congratulations Give yourself a big hug! diff --git a/utilities/build/stage-solar/00-install-solar-protocol/01-run.sh b/utilities/build/stage-solar/00-install-solar-protocol/01-run.sh index 18f6e8ec..37ba57e7 100755 --- a/utilities/build/stage-solar/00-install-solar-protocol/01-run.sh +++ b/utilities/build/stage-solar/00-install-solar-protocol/01-run.sh @@ -25,6 +25,9 @@ EOF # -e 's|;date.timezone.*|date.timezone = ${{ steps.config.outputs.timezone_default }}|' \ # ${ROOTFS_DIR}/etc/php/8.2/apache2/php.ini +# TODO: check if needed or install to @reboot cron +# sh /home/pi/solar-protocol/utilities/setAllPermissions.sh + echo 'PubkeyAcceptedAlgorithms +ssh-rsa' >> ${ROOTFS_DIR}/etc/ssh/sshd_config sed -i \ 
@@ -45,12 +48,26 @@ cat >> ${ROOTFS_DIR}/etc/apache2/apache2.conf < EOF +export VERSION rm ${ROOTFS_DIR}/etc/motd rm ${ROOTFS_DIR}/etc/update-motd.d/10-uname -envsubst < files/10-hello.template > ${ROOTFS_DIR}/etc/update-motd.d/10-hello +envsubst < files/etc/update-motd.d/10-hello.template > ${ROOTFS_DIR}/etc/update-motd.d/10-hello chmod a+x ${ROOTFS_DIR}/etc/update-motd.d/10-hello -envsubst < files/20-warning.template > ${ROOTFS_DIR}/etc/update-motd.d/20-warning -chmod a+x ${ROOTFS_DIR}/etc/update-motd.d/20-warning + +rm ${ROOTFS_DIR}/etc/issue +envsubst < files/etc/issue.template > ${ROOTFS_DIR}/etc/issue + +cp files/etc/systemd/system/userpass.service ${ROOTFS_DIR}/etc/systemd/system/userpass.service +mkdir -p ${ROOTFS_DIR}/usr/lib/userpass-pi +cp files/usr/lib/userpass-pi/userpass-service ${ROOTFS_DIR}/usr/lib/userpass-pi/userpass-service + +on_chroot << EOF + systemctl disable userconfig.service + systemctl daemon-reload + systemctl enable userpass.service +EOF + +cp files/home/pi/disable-ssh-password-auth ${ROOTFS_DIR}/home/pi/disable-ssh-password-auth on_chroot << EOF pushd /home/pi/solar-protocol diff --git a/utilities/build/stage-solar/00-install-solar-protocol/files/10-hello.template b/utilities/build/stage-solar/00-install-solar-protocol/files/10-hello.template deleted file mode 100755 index 1ec9b820..00000000 --- a/utilities/build/stage-solar/00-install-solar-protocol/files/10-hello.template +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/bash - -echo ☀️ solar protocol ${VERSION} \ No newline at end of file diff --git a/utilities/build/stage-solar/00-install-solar-protocol/files/20-warning.template b/utilities/build/stage-solar/00-install-solar-protocol/files/20-warning.template deleted file mode 100755 index 7263f4b0..00000000 --- a/utilities/build/stage-solar/00-install-solar-protocol/files/20-warning.template +++ /dev/null 
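Review bot: The new `files/etc/ufw/user.rules` that this commit adds is never copied into the rootfs in this hunk, although the other three new files are, and installation.md now tells the user to run only `sudo ufw enable` with no `ufw allow` lines. Unless the rules file is installed by a part of 01-run.sh outside this hunk, enabling ufw on the device applies its default deny-incoming policy and locks out ssh and the web ports; a `cp files/etc/ufw/user.rules ${ROOTFS_DIR}/etc/ufw/user.rules` beside the other copies would close that gap (ufw keeps IPv6 rules separately in `user6.rules`, which the commit does not add), assuming ufw itself is installed in an earlier stage. Separately, `cp files/home/pi/disable-ssh-password-auth ${ROOTFS_DIR}/home/pi/disable-ssh-password-auth` runs as the build user, so the file lands root-owned inside pi's home unless a later step fixes ownership; a `chown 1000:1000` on it, or installing it under /usr/local/sbin, would be cleaner. The trailing `on_chroot` heredoc continues past the end of the hunk.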
@@ -1,6 +0,0 @@ -#!/bin/bash - -echo "" -echo "!!! run 'passwd' to change the password before connecting to the network !!!" -echo "you can silence this warning by removing /etc/update-motd.d/20-warning" -echo "" diff --git a/utilities/build/stage-solar/00-install-solar-protocol/files/etc/issue.template b/utilities/build/stage-solar/00-install-solar-protocol/files/etc/issue.template new file mode 100644 index 00000000..8815e8cb --- /dev/null +++ b/utilities/build/stage-solar/00-install-solar-protocol/files/etc/issue.template @@ -0,0 +1 @@ +☀️ solar protocol ${VERSION} \l diff --git a/utilities/build/stage-solar/00-install-solar-protocol/files/etc/systemd/system/userpass.service b/utilities/build/stage-solar/00-install-solar-protocol/files/etc/systemd/system/userpass.service new file mode 100644 index 00000000..fcd9ef10 --- /dev/null +++ b/utilities/build/stage-solar/00-install-solar-protocol/files/etc/systemd/system/userpass.service @@ -0,0 +1,15 @@ +[Unit] +Description=User password dialog +After=systemd-user-sessions.service +Before=lightdm.service +[Service] +Type=oneshot +ExecStart=/usr/lib/userpass-pi/userpass-service +StandardInput=tty +Restart=on-failure +TTYPath=/dev/tty8 +TTYReset=yes +TTYVHangup=yes +TTYVTDisallocate=yes +[Install] +WantedBy=multi-user.target diff --git a/utilities/build/stage-solar/00-install-solar-protocol/files/etc/ufw/user.rules b/utilities/build/stage-solar/00-install-solar-protocol/files/etc/ufw/user.rules new file mode 100644 index 00000000..bec1158d --- /dev/null +++ b/utilities/build/stage-solar/00-install-solar-protocol/files/etc/ufw/user.rules 
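Review bot: The unit has no condition and nothing in the commit disables it after a password has been set, so as written the dialog is re-run on /dev/tty8 at every boot, and on a device with no display attached (installation.md's flow is entirely over ssh) it runs unseen while the device is already reachable with the build-time password. Consider gating it on a marker file, e.g. `ConditionPathExists=!<marker-path>` under `[Unit]`, with userpass-service creating that file after `chpasswd` succeeds, or having the script run `systemctl disable userpass.service` at the end; the userpass-service hunk is in the same commit. A one-line comment above `Restart=on-failure` noting that a cancelled whiptail (non-zero exit under `sh -e`) is what triggers the restart would also help the next reader.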
@@ -0,0 +1,52 @@
+*filter
+:ufw-user-input - [0:0]
+:ufw-user-output - [0:0]
+:ufw-user-forward - [0:0]
+:ufw-before-logging-input - [0:0]
+:ufw-before-logging-output - [0:0]
+:ufw-before-logging-forward - [0:0]
+:ufw-user-logging-input - [0:0]
+:ufw-user-logging-output - [0:0]
+:ufw-user-logging-forward - [0:0]
+:ufw-after-logging-input - [0:0]
+:ufw-after-logging-output - [0:0]
+:ufw-after-logging-forward - [0:0]
+:ufw-logging-deny - [0:0]
+:ufw-logging-allow - [0:0]
+:ufw-user-limit - [0:0]
+:ufw-user-limit-accept - [0:0]
+### RULES ###
+
+### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in
+-A ufw-user-input -p tcp --dport 22 -j ACCEPT
+
+### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 in comment=536f6c61722050726f746f636f6c
+-A ufw-user-input -p tcp --dport 80 -j ACCEPT
+
+### tuple ### allow any 8443 0.0.0.0/0 any 0.0.0.0/0 in comment=536f6c61722050726f746f636f6c2028736563757265292028616c7429
+-A ufw-user-input -p tcp --dport 8443 -j ACCEPT
+-A ufw-user-input -p udp --dport 8443 -j ACCEPT
+
+### tuple ### allow tcp 8080 0.0.0.0/0 any 0.0.0.0/0 in comment=536f6c61722050726f746f636f6c2028616c7429
+-A ufw-user-input -p tcp --dport 8080 -j ACCEPT
+
+### tuple ### allow any 443 0.0.0.0/0 any 0.0.0.0/0 in comment=536f6c61722050726f746f636f6c202873656375726529
+-A ufw-user-input -p tcp --dport 443 -j ACCEPT
+-A ufw-user-input -p udp --dport 443 -j ACCEPT
+
+### END RULES ###
+
+### LOGGING ###
+-A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+-A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+-A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+-A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+### END LOGGING ###
+
+### RATE LIMITING ###
+-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
+-A ufw-user-limit -j REJECT
+-A ufw-user-limit-accept -j ACCEPT
+### END RATE LIMITING ###
+COMMIT
diff --git a/utilities/build/stage-solar/00-install-solar-protocol/files/etc/update-motd.d/10-hello.template b/utilities/build/stage-solar/00-install-solar-protocol/files/etc/update-motd.d/10-hello.template
new file mode 100755
index 00000000..6b0a3366
--- /dev/null
+++ b/utilities/build/stage-solar/00-install-solar-protocol/files/etc/update-motd.d/10-hello.template
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo ☀️ solar protocol ${VERSION}
diff --git a/utilities/build/stage-solar/00-install-solar-protocol/files/home/pi/disable-ssh-password-auth b/utilities/build/stage-solar/00-install-solar-protocol/files/home/pi/disable-ssh-password-auth
new file mode 100755
index 00000000..f53fd551
--- /dev/null
+++ b/utilities/build/stage-solar/00-install-solar-protocol/files/home/pi/disable-ssh-password-auth
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+sed -i -Ee 's/^#?[[:blank:]]*PubkeyAuthentication[[:blank:]]*no[[:blank:]]*$/PubkeyAuthentication yes/
+s/^#?[[:blank:]]*PasswordAuthentication[[:blank:]]*yes[[:blank:]]*$/PasswordAuthentication no/' "${ROOTFS_DIR}"/etc/ssh/sshd_config
diff --git a/utilities/build/stage-solar/00-install-solar-protocol/files/usr/lib/userpass-pi/userpass-service b/utilities/build/stage-solar/00-install-solar-protocol/files/usr/lib/userpass-pi/userpass-service
new file mode 100755
index 00000000..ad91bd5c
--- /dev/null
+++ b/utilities/build/stage-solar/00-install-solar-protocol/files/usr/lib/userpass-pi/userpass-service
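Review bot: Port 22 is opened to `0.0.0.0/0` with a plain `allow`, while the same commit leaves ssh password authentication enabled in the image until the user disables it by hand; ufw's `limit` action (the `ufw-user-limit` chains are already declared at the top of this file) would throttle password guessing on that port. Rather than hand-editing rule tuples, generate the file with `ufw limit 22/tcp` plus the `ufw allow` commands the old installation.md listed, and ship the `user6.rules` that ufw writes alongside it so IPv6 clients are not left under the default deny policy. The udp entries for 443 and 8443 only matter for QUIC/HTTP-3; 01-run.sh configures Apache, so unless HTTP/3 is actually served they can be dropped to keep the exposed surface to tcp.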
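Review bot: The script edits `"${ROOTFS_DIR}"/etc/ssh/sshd_config`, but installation.md runs it on the live pi with `sudo ./disable-ssh-password-auth`, where ROOTFS_DIR is normally unset and the path only works because the expansion is empty; the sed appears lifted from pi-gen's build-time handling of PUBKEY_ONLY_SSH. On the device it should target `/etc/ssh/sshd_config` directly and then apply the change, e.g. `sshd -t && systemctl restart ssh`, since nothing restarts sshd and password logins stay accepted until the next reboot. The substitutions also only rewrite an existing (possibly commented) `PasswordAuthentication yes` line; if no such line is present, or a file under `/etc/ssh/sshd_config.d/` overrides it, sshd's built-in default of `yes` silently remains, so verify with `sshd -T | grep -i passwordauthentication` and print the result for the user.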
@@ -0,0 +1,32 @@
+#!/bin/sh -e
+
+validate_password() {
+ if [ -z "$NEW_PASS" ]; then
+ echo "Password cannot be empty."
+ return 1
+ fi
+}
+
+if [ ! "$(raspi-config nonint get_boot_cli)" -eq 0 ]; then
+ return
+fi
+
+VT="$(tty | sed 's|/dev/tty||')"
+ORIG_VT="1"
+if [ -t 0 ]; then
+ chvt "$VT"
+fi
+FIRST_USER="$(getent passwd 1000 | cut -d: -f1)"
+
+while true; do
+ NEW_PASS="$(whiptail --passwordbox "Please set a password for $FIRST_USER:" 20 60 3>&1 1>&2 2>&3)"
+ if [ "$(whiptail --passwordbox "Please confirm the password:" 20 60 3>&1 1>&2 2>&3)" != "$NEW_PASS" ]; then
+ MSG="Passwords did not match"
+ elif MSG=$(validate_password); then
+ break
+ fi
+ whiptail --msgbox "$MSG" 20 60
+done
+
+echo "$FIRST_USER:$NEW_PASS" | chpasswd
+chvt "$ORIG_VT"
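Review bot: `validate_password` rejects only an empty string, so a one-character password is accepted for the account that the same commit leaves reachable over ssh with password authentication on port 22; a minimum length check belongs in that function. The final `echo "$FIRST_USER:$NEW_PASS" | chpasswd` runs under `/bin/sh`, whose `echo` on Debian (dash) interprets backslash escapes, so a password containing `\` is silently altered before it reaches chpasswd; `printf '%s:%s\n'` avoids that. The top-level `return` on the `get_boot_cli` branch is outside any function, which POSIX leaves unspecified; `exit 0` says what is meant. Nothing here marks the job as done, so the dialog is presented again on every boot unless the unit is disabled elsewhere.
```sh
validate_password() {
  if [ -z "$NEW_PASS" ]; then
    echo "Password cannot be empty."
    return 1
  elif [ "${#NEW_PASS}" -lt 8 ]; then
    echo "Password must be at least 8 characters."
    return 1
  fi
}

if [ ! "$(raspi-config nonint get_boot_cli)" -eq 0 ]; then
  exit 0
fi
# … unchanged: chvt, FIRST_USER lookup, prompt loop …
printf '%s:%s\n' "$FIRST_USER" "$NEW_PASS" | chpasswd
```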