Date: Tue, 24 Jan 2023 08:09:24 +0100
From: Henning Schild
To: Uladzimir Bely
Cc: isar-users@googlegroups.com
Subject: Re: [PATCH 05/11] image-account-extension: Add copy-ci-key flag for user
Message-ID: <20230124080924.5c7d5a99@md1za8fc.ad001.siemens.net>
In-Reply-To: <20230113071942.22506-6-ubely@ilbers.de>
References: <20230113071942.22506-1-ubely@ilbers.de> <20230113071942.22506-6-ubely@ilbers.de>

On Fri, 13 Jan 2023 08:19:36 +0100, Uladzimir Bely wrote:

> If the flag enabled, CI ssh public key is copied `authorized_keys`
> in `$USER/.ssh/` directory.
>
> This allows non-interactive SSH access to the machine with executing
> custom commands on the guest VM.

I would suggest to make that a Debian raw package, examples on how to do
that can be found in many public layers. You could i.e. drop an
authorized-keys file into /etc/ssh/ and using postinst append/change the
AuthorizedKeysFile line in the global ssh config.

That way we know which package owned that file and if we have a prerm
we can even remove everything with apt.

Henning

> Signed-off-by: Uladzimir Bely
> ---
> meta/classes/image-account-extension.bbclass | 14 +++++++++++++-
> 1 file changed, 13 insertions(+), 1 deletion(-)
>
> diff --git a/meta/classes/image-account-extension.bbclass > b/meta/classes/image-account-extension.bbclass index > 70950a7b..c9b86250 100644 --- > a/meta/classes/image-account-extension.bbclass +++ > b/meta/classes/image-account-extension.bbclass 
@@ -17,7 +17,7 @@ > USERS ??= "" #USER_root[home] = "/home/root" > #USER_root[shell] = "/bin/sh" > #USER_root[groups] = "audio video" > -#USER_root[flags] = "no-create-home create-home system > allow-empty-password clear-text-password force-passwd-change" > +#USER_root[flags] = "no-create-home create-home system > allow-empty-password clear-text-password force-passwd-change > copy-ci-key" GROUPS ??= "" > @@ -263,5 +263,17 @@ image_postprocess_accounts() { > sudo -E chroot '${ROOTFSDIR}' \ > /usr/bin/passwd --expire "$name" > fi > + > + # Add CI ssh key for noninteractive login > + if [ "${flags}" != "${flags%*,copy-ci-key,*}" ]; then > + echo "Add CI ssh key for \"$name\"" > + sudo sh -c " \ > + mkdir -p ${ROOTFSDIR}/${home}/.ssh && \ > + cat ${TESTSUITEDIR}/keys/ssh/id_rsa.pub > > ${ROOTFSDIR}/${home}/.ssh/authorized_keys && \ > + chmod -R go-rwx ${ROOTFSDIR}/${home}/.ssh > + " > + sudo -E chroot '${ROOTFSDIR}' \ > + chown -R ${name}:${gid} ${home}/.ssh > + fi > done > }
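
Review bot: In the first hunk (the commented USER_root[flags] example), copy-ci-key is listed next to the general account flags with nothing saying what it does. Unlike its neighbours it installs an SSH public key from the test suite into the user's authorized_keys, so a short comment line stating that, and that it is intended for CI images, would keep it from being carried over into a product image configuration by someone copying the example.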
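
Review bot: In the second hunk (the copy-ci-key branch of image_postprocess_accounts()), the key source is hard-wired to ${TESTSUITEDIR}/keys/ssh/id_rsa.pub with no check that TESTSUITEDIR is set or that the file exists, so a generic class under meta/classes now depends on the test suite layout and a missing key only shows up as a failing cat inside the sudo sh -c string. Suggest testing for the file first and failing the build with a clear message, and taking the key path from a dedicated variable so the class does not reach into the test suite directly. Two smaller points in the same block: if the redirect into authorized_keys is a plain truncating write, as the quoted line suggests, it replaces any keys an earlier step placed there, so appending or installing a separate package-owned file (as proposed in the reply above) is safer; and ${ROOTFSDIR}/${home} is expanded unquoted inside the root shell string, so a home path containing spaces or shell metacharacters would break or alter the command.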