From: Uladzimir Bely
To: Henning Schild
Cc: isar-users@googlegroups.com
Subject: Re: [PATCH 05/11] image-account-extension: Add copy-ci-key flag for user
Date: Wed, 25 Jan 2023 10:36:55 +0300
Message-ID: <1900519.7Z3S40VBb9@hp>
In-Reply-To: <20230124081828.3ecd59bb@md1za8fc.ad001.siemens.net>
References: <20230113071942.22506-1-ubely@ilbers.de> <20230124080924.5c7d5a99@md1za8fc.ad001.siemens.net> <20230124081828.3ecd59bb@md1za8fc.ad001.siemens.net>

In mail from Tuesday, 24 January 2023 10:18:28 +03 user Henning Schild wrote:
> On Tue, 24 Jan 2023 08:09:24 +0100 Henning Schild wrote:
> > On Fri, 13 Jan 2023 08:19:36 +0100 Uladzimir Bely wrote:
> > > If the flag is enabled, the CI ssh public key is copied to `authorized_keys`
> > > in the `$USER/.ssh/` directory.
> > >
> > > This allows non-interactive SSH access to the machine for executing
> > > custom commands on the guest VM.
> >
> > I would suggest making that a debian raw package; examples of how to
> > do that can be found in many public layers.
> >
> > You could e.g. drop an authorized-keys file into /etc/ssh/ and, using
> > postinst, append/change the AuthorizedKeysFile line in the global ssh
> > config.
>
> Create the user ci like we create the user isar in example-raw, and
> drop that file into HOME/.ssh/, maybe depend on sudo and make sure that
> user can run any command without password.
> We could also use a trivial password and not have a key at all.
>
> And when it is a package we can depend on regen-keys.
>
> Henning
>

Yes, it sounds reasonable.
It should be easier to manage everything in one recipe, instead of specific image and image extensions.

I'm just not sure we can avoid using keys - I didn't manage to execute commands (by running `ssh ` ) in a non-interactive way with only user passwords.

> > That way we know which package owned that file and if we have a prerm
> > we can even remove everything with apt.
> >
> > Henning
> >
> > > Signed-off-by: Uladzimir Bely
> > > ---
> > >
> > > meta/classes/image-account-extension.bbclass | 14 +++++++++++++-
> > > 1 file changed, 13 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/meta/classes/image-account-extension.bbclass
> > > b/meta/classes/image-account-extension.bbclass index
> > > 70950a7b..c9b86250 100644 ---
> > > a/meta/classes/image-account-extension.bbclass +++
> > > b/meta/classes/image-account-extension.bbclass @@ -17,7 +17,7 @@
> > > USERS ??= "" #USER_root[home] = "/home/root"
> > >
> > > #USER_root[shell] = "/bin/sh"
> > > #USER_root[groups] = "audio video"
> > >
> > > -#USER_root[flags] = "no-create-home create-home system
> > > allow-empty-password clear-text-password force-passwd-change"
> > > +#USER_root[flags] = "no-create-home create-home system
> > > allow-empty-password clear-text-password force-passwd-change
> > > copy-ci-key" GROUPS ??= ""
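Review bot: the `+#USER_root[flags]` line only appends `copy-ci-key` to the example flag list, and unlike the other flags this one installs a key taken from `${TESTSUITEDIR}` as a login credential in the image; add a comment line next to the example stating what the flag does and that it is intended for CI/test images only, so that someone copying the example into their own `USER_*[flags]` knows the effect.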
> > > @@ -263,5 +263,17 @@ image_postprocess_accounts() {
> > >
> > > sudo -E chroot '${ROOTFSDIR}' \
> > >
> > > /usr/bin/passwd --expire "$name"
> > >
> > > fi
> > >
> > > +
> > > + # Add CI ssh key for noninteractive login
> > > + if [ "${flags}" != "${flags%*,copy-ci-key,*}" ]; then
> > > + echo "Add CI ssh key for \"$name\""
> > > + sudo sh -c " \
> > > + mkdir -p ${ROOTFSDIR}/${home}/.ssh && \
> > > + cat ${TESTSUITEDIR}/keys/ssh/id_rsa.pub >
> > > ${ROOTFSDIR}/${home}/.ssh/authorized_keys && \
> > > + chmod -R go-rwx ${ROOTFSDIR}/${home}/.ssh
> > > + "
> > > + sudo -E chroot '${ROOTFSDIR}' \
> > > + chown -R ${name}:${gid} ${home}/.ssh
> > > + fi
> > >
> > > done
> > >
> > > }
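Review bot: the `copy-ci-key` branch has no guard on its inputs or on where it runs: nothing checks that `${TESTSUITEDIR}/keys/ssh/id_rsa.pub` exists before the `sudo sh -c`, so a missing key surfaces only as the `cat` step failing after `mkdir -p` has already created `${home}/.ssh`, and nothing warns when the flag is set in an image that is not a test build, so the testsuite key silently becomes a valid login credential in whatever image carries the flag. Suggest a `[ -f "${TESTSUITEDIR}/keys/ssh/id_rsa.pub" ] || bbfatal "..."` before the `sudo sh -c`, and a `bbwarn` whenever the flag is honoured. Also, the `>` redirect replaces any existing `authorized_keys` rather than adding the key; given the `echo "Add CI ssh key ..."` wording, `>>` looks like the intended behaviour.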
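As an added example, not part of the patch or of either reply: a POSIX shell check to run against a built rootfs that reports every authorized_keys file containing the CI public key, covering both the per-user `${home}/.ssh/authorized_keys` location this patch writes to and the `/etc/ssh/` AuthorizedKeysFile variant suggested in the thread. The rootfs path and the public key file are assumed inputs; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the isar patch or the thread: scan an image rootfs
# for a given SSH public key in every authorized_keys location, so a release
# build can be checked for a leftover CI key before it ships.

# Base64 key material (second field) of an OpenSSH public key line; matching
# on it means a different trailing comment cannot hide the key.
key_blob() {
    awk 'NR == 1 { print $2; exit }' "$1"
}

# Candidate files: per-user ~/.ssh/authorized_keys anywhere in the rootfs,
# plus absolute AuthorizedKeysFile paths from sshd_config (the /etc/ssh/
# variant suggested in the thread), with %u/%h tokens turned into wildcards.
list_key_files() {
    rootfs=${1%/}
    find "$rootfs" -type f -path '*/.ssh/authorized_keys'
    cfg="$rootfs/etc/ssh/sshd_config"
    [ -f "$cfg" ] || return 0
    awk 'tolower($1) == "authorizedkeysfile" {
             for (i = 2; i <= NF; i++) if ($i ~ /^\//) print $i }' "$cfg" |
        sed 's/%[uh]/*/g' |
        while read -r pat; do
            find "$rootfs" -type f -path "$rootfs$pat"
        done
}

# find_ci_key ROOTFS PUBKEY: print every file that holds the key, relative to
# the rootfs; exit status 1 if found anywhere, 0 if the image is clean.
find_ci_key() {
    rootfs=${1%/}
    blob=$(key_blob "$2")
    [ -n "$blob" ] || { echo "no key material in $2" >&2; return 2; }
    found=0
    for f in $(list_key_files "$rootfs" | sort -u); do
        if grep -qF -- "$blob" "$f"; then
            echo "CI key present: ${f#"$rootfs"}"
            found=1
        fi
    done
    return $found
}

# Stand-alone use: find_ci_key "${ROOTFSDIR}" "${TESTSUITEDIR}/keys/ssh/id_rsa.pub"
if [ $# -eq 2 ]; then
    find_ci_key "$1" "$2"
fi
```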