2020-05-14 17:36:23 +00:00
|
|
|
#!/bin/sh
|
|
|
|
|
|
|
|
# This script runs when install is finished, but while the installer
|
|
|
|
# is still running, with the to-be-booted system mounted in /mnt
|
|
|
|
|
|
|
|
# Carry over install-time ssh material into installed system
|
|
|
|
mkdir -p /mnt/root/.ssh/
|
|
|
|
chmod 700 /mnt/root/.ssh/
|
|
|
|
cp /root/.ssh/authorized_keys /mnt/root/.ssh/
|
|
|
|
chmd 600 /mnt/root/.ssh/authorized_keys
|
|
|
|
cp /etc/ssh/*key* /mnt/etc/ssh/
|
|
|
|
for i in /etc/ssh/*-cert.pub; do
|
|
|
|
echo HostCertificate $i >> /mnt/etc/ssh/sshd_config
|
|
|
|
done
|
|
|
|
for i in /ssh/*.ca; do
|
|
|
|
echo '@cert-authority *' $(cat $i) >> /mnt/etc/ssh/ssh_known_hosts
|
|
|
|
done
|
|
|
|
# Enable ~/.shosts, for the sake of root user, who is forbidden from using shosts.equiv
|
|
|
|
echo IgnoreRhosts no >> /mnt/etc/ssh/sshd_config
|
|
|
|
echo HostbasedAuthentication yes >> /mnt/etc/ssh/sshd_config
|
|
|
|
echo HostbasedUsesNameFromPacketOnly yes >> /mnt/etc/ssh/sshd_config
|
|
|
|
echo Host '*' >> /mnt/etc/ssh/ssh_config
|
|
|
|
echo " HostbasedAuthentication yes" >> /mnt/etc/ssh/ssh_config
|
|
|
|
echo " EnableSSHKeysign yes" >> /mnt/etc/ssh/ssh_config
|
|
|
|
# Limit the attempts of using host key. This prevents client from using 3 or 4
|
|
|
|
# authentication attempts through host based attempts
|
|
|
|
echo " HostbasedKeyTypes *ed25519*" >> /mnt/etc/ssh/ssh_config
|
|
|
|
|
|
|
|
# In SUSE platform, setuid for ssh-keysign is required for host based,
|
|
|
|
# and also must be opted into.
|
|
|
|
echo /usr/lib/ssh/ssh-keysign root:root 4711 >> /mnt/etc/permissions.local
|
|
|
|
chmod 4711 /mnt/usr/lib/ssh/ssh-keysign
|
|
|
|
|
|
|
|
# Download list of nodes from confluent, and put it into shosts.equiv (for most users) and .shosts (for root)
|
2020-05-16 15:42:19 +00:00
|
|
|
nodename=$(grep ^NODENAME /tmp/confluent.info|awk '{print $2}')
|
2020-05-14 17:36:23 +00:00
|
|
|
curl -f -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $(cat /tmp/confluent.apikey)" https://$mgr/confluent-api/self/nodelist > /tmp/allnodes
|
|
|
|
cp /tmp/allnodes /mnt/root/.shosts
|
|
|
|
cp /tmp/allnodes /mnt/etc/ssh/shosts.equiv
|
|
|
|
|
|
|
|
# carry over deployment configuration and api key for OS install action
|
|
|
|
mkdir -p /mnt/etc/confluent
|
|
|
|
chmod 700 /mnt/etc/confluent
|
2020-05-19 14:51:32 +00:00
|
|
|
chmod 600 /tmp/confluent.*
|
2020-05-14 17:36:23 +00:00
|
|
|
cp /tmp/confluent.* /mnt/etc/confluent/
|
|
|
|
cp -a /tls /mnt/etc/confluent/
|
2020-05-18 21:00:05 +00:00
|
|
|
cp -a /tls/* /mnt/var/lib/ca-certificates/openssl
|
2020-05-19 14:38:31 +00:00
|
|
|
cp -a /tls/* /mnt/var/lib/ca-certificates/pem
|
2020-05-19 02:07:03 +00:00
|
|
|
cp -a /tls/*.cert /mnt/etc/pki/trust/anchors
|
2020-05-14 17:36:23 +00:00
|
|
|
|