-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathstart-root-sshd
executable file
·103 lines (95 loc) · 4.04 KB
/
start-root-sshd
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
#!/usr/bin/env bash
#
############
# WHAT/WHY #
############
# - start a local openssh daemon running as root
# - work around brain-dead PR_SET_NO_NEW_PRIVS/sudo brokenness
# - "why would someone who has their chromebook/chromebox in dev mode need to be root on the desktop?"
# - well, let me think... okay, here's one: it's my computer
# - that's it
# - it's my computer
# - i am unbelievably frustrated with google
# - doubly so with the chromeos team
# - every day i take another step towards stock debian
#
#######
# HOW #
#######
# this *REQUIRES* your chromeos device be in dev mode. how could it not?
# this *MUST* be run as *ROOT* via a console vty
# - setup ssh keys for the "chronos" user if you haven't; ed25519 is good
# - something like...
# test -e ~/.ssh || mkdir -p ~/.ssh
# test -e ~/.ssh/id_ed25519 || ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519
# cat ~/.ssh/id_ed25519.pub >> ~/.ssh/authorized_keys
# - append the public key portion to your ~/.ssh/authorized_keys file
# - press ctrl-alt-forward a couple times
# - you should (eventually) be prompted with a white-on-black scary note
# - type root (no quotes, nothing, just "root") and press enter
# - if you've set a dev-mode password, login as chronos and sudo to root
# - type "bash /usr/local/crosware/scripts/start-root-sshd" (no quotes again) and press enter
# - become the chronos user and verify you can "ssh chronos@localhost" or similar w/o a password
# - do the same with "ssh root@localhost"
#
############################################
# via /etc/init/openssh-server.conf.README #
############################################
#
# 3. Manually start sshd.
# This is the least convenient option, but doesn't require OOBE or rootfs
# verification removal, so can be used without changing the system too much.
#
# Unlike the above methods, this will not auto-start sshd on boot.
# Additionally, password access is not possible without rootfs verification
# removal, so test keys must be used to SSH into the device.
#
# # Create host keys (only needs to be done once).
# $ mkdir -p /mnt/stateful_partition/etc/ssh
# $ ssh-keygen -f /mnt/stateful_partition/etc/ssh/ssh_host_rsa_key -N '' -t rsa
# $ ssh-keygen -f /mnt/stateful_partition/etc/ssh/ssh_host_ed25519_key -N '' -t ed25519
#
# # Open firewall and start sshd (must be done on every boot).
# $ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# $ ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
# $ /usr/sbin/sshd \
# -oAuthorizedKeysFile=/usr/share/chromeos-ssh-config/keys/authorized_keys
#
#########
# NOTES #
#########
# - normally on chromeos, i setup a dropbear to run via ~/.ssh_config via a ProxyCommand
# - this port is forwarded to my jumphost over ssh, and is key-only
# - no firewall stuff to open
# - as long as i have an ssh connection open i can tunnel back to my chromeos terminal
# - and then into my debian vm running openssh or dropbear
# - demonic
#
set -eu
set -o pipefail
scriptname="$(basename -- ${BASH_SOURCE[0]})"
if [[ ${UID} != 0 ]] ; then
echo "${scriptname}: please run as root" 1>&2
exit 1
fi
test -e /mnt/stateful_partition/etc/ssh || mkdir -p /mnt/stateful_partition/etc/ssh
for a in rsa ed25519 ; do
test -e /mnt/stateful_partition/etc/ssh/ssh_host_${a}_key || ssh-keygen -f /mnt/stateful_partition/etc/ssh/ssh_host_${a}_key -N '' -t ${a}
done
if [[ ! -e /mnt/stateful_partition/etc/ssh/authorized_keys ]] ; then
cat /home/chronos/user/.ssh/authorized_keys >>/mnt/stateful_partition/etc/ssh/authorized_keys 2>/dev/null || true
fi
chmod 640 /mnt/stateful_partition/etc/ssh/authorized_keys
chown root:chronos /mnt/stateful_partition/etc/ssh/authorized_keys 1>&2 || true
if [[ -e /var/run/sshd.pid ]] ; then
echo "${scriptname}: sshd is already running (or stale pid file)"
echo "pid: $(pgrep sshd)"
echo "pidfile: $(cat /var/run/sshd.pid)"
else
echo "${scriptname}: starting sshd"
/usr/sbin/sshd -o AuthorizedKeysFile=/mnt/stateful_partition/etc/ssh/authorized_keys -p 2222
fi
echo "${scriptname}: restarting sslh"
initctl stop sslh &>/dev/null || true
initctl start sslh
initctl status sslh