mirror of
https://github.com/xcat2/confluent.git
synced 2024-11-23 10:02:04 +00:00
66f0e8225e
Prior to copying them, make sure only root can interact. The directory should protect them as well, but best to not have anything controversial.
50 lines
2.1 KiB
Bash
50 lines
2.1 KiB
Bash
#!/bin/sh
|
|
|
|
# This script runs when install is finished, but while the installer
|
|
# is still running, with the to-be-booted system mounted in /mnt
|
|
|
|
# Carry over install-time ssh material into installed system
|
|
mkdir -p /mnt/root/.ssh/
|
|
chmod 700 /mnt/root/.ssh/
|
|
cp /root/.ssh/authorized_keys /mnt/root/.ssh/
|
|
chmd 600 /mnt/root/.ssh/authorized_keys
|
|
cp /etc/ssh/*key* /mnt/etc/ssh/
|
|
for i in /etc/ssh/*-cert.pub; do
|
|
echo HostCertificate $i >> /mnt/etc/ssh/sshd_config
|
|
done
|
|
for i in /ssh/*.ca; do
|
|
echo '@cert-authority *' $(cat $i) >> /mnt/etc/ssh/ssh_known_hosts
|
|
done
|
|
# Enable ~/.shosts, for the sake of root user, who is forbidden from using shosts.equiv
|
|
echo IgnoreRhosts no >> /mnt/etc/ssh/sshd_config
|
|
echo HostbasedAuthentication yes >> /mnt/etc/ssh/sshd_config
|
|
echo HostbasedUsesNameFromPacketOnly yes >> /mnt/etc/ssh/sshd_config
|
|
echo Host '*' >> /mnt/etc/ssh/ssh_config
|
|
echo " HostbasedAuthentication yes" >> /mnt/etc/ssh/ssh_config
|
|
echo " EnableSSHKeysign yes" >> /mnt/etc/ssh/ssh_config
|
|
# Limit the attempts of using host key. This prevents client from using 3 or 4
|
|
# authentication attempts through host based attempts
|
|
echo " HostbasedKeyTypes *ed25519*" >> /mnt/etc/ssh/ssh_config
|
|
|
|
# In SUSE platform, setuid for ssh-keysign is required for host based,
|
|
# and also must be opted into.
|
|
echo /usr/lib/ssh/ssh-keysign root:root 4711 >> /mnt/etc/permissions.local
|
|
chmod 4711 /mnt/usr/lib/ssh/ssh-keysign
|
|
|
|
# Download list of nodes from confluent, and put it into shosts.equiv (for most users) and .shosts (for root)
|
|
nodename=$(grep ^NODENAME /tmp/confluent.info|awk '{print $2}')
|
|
curl -f -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $(cat /tmp/confluent.apikey)" https://$mgr/confluent-api/self/nodelist > /tmp/allnodes
|
|
cp /tmp/allnodes /mnt/root/.shosts
|
|
cp /tmp/allnodes /mnt/etc/ssh/shosts.equiv
|
|
|
|
# carry over deployment configuration and api key for OS install action
|
|
mkdir -p /mnt/etc/confluent
|
|
chmod 700 /mnt/etc/confluent
|
|
chmod 600 /tmp/confluent.*
|
|
cp /tmp/confluent.* /mnt/etc/confluent/
|
|
cp -a /tls /mnt/etc/confluent/
|
|
cp -a /tls/* /mnt/var/lib/ca-certificates/openssl
|
|
cp -a /tls/* /mnt/var/lib/ca-certificates/pem
|
|
cp -a /tls/*.cert /mnt/etc/pki/trust/anchors
|
|
|