Date: Tue, 24 Jan 2023 08:18:28 +0100
From: Henning Schild
To: Uladzimir Bely
Cc: isar-users@googlegroups.com
Subject: Re: [PATCH 05/11] image-account-extension: Add copy-ci-key flag for user
Message-ID: <20230124081828.3ecd59bb@md1za8fc.ad001.siemens.net>
In-Reply-To: <20230124080924.5c7d5a99@md1za8fc.ad001.siemens.net>
References: <20230113071942.22506-1-ubely@ilbers.de>
 <20230113071942.22506-6-ubely@ilbers.de>
 <20230124080924.5c7d5a99@md1za8fc.ad001.siemens.net>
X-Mailer: Claws Mail 4.1.0 (GTK 3.24.35; x86_64-pc-linux-gnu)

On Tue, 24 Jan 2023 08:09:24 +0100, Henning Schild wrote:

> On Fri, 13 Jan 2023 08:19:36 +0100, Uladzimir Bely wrote:
>
> > If the flag is enabled, the CI ssh public key is copied to
> > `authorized_keys` in the `$USER/.ssh/` directory.
> >
> > This allows non-interactive SSH access to the machine for executing
> > custom commands on the guest VM.
>
> I would suggest making that a Debian raw package; examples of how to
> do that can be found in many public layers.
>
> You could i.e. drop an authorized-keys file into /etc/ssh/ and, using
> postinst, append/change the AuthorizedKeysFile line in the global ssh
> config.

Create the user ci like we create the user isar in example-raw, and drop
that file into HOME/.ssh/; maybe depend on sudo and make sure that user
can run any command without a password. We could also use a trivial
password and not have a key at all.

And when it is a package we can depend on regen-keys.

Henning

> That way we know which package owned that file, and if we have a prerm
> we can even remove everything with apt.
>
> Henning
>
> > Signed-off-by: Uladzimir Bely
> > ---
> >  meta/classes/image-account-extension.bbclass | 14 +++++++++++++-
> >  1 file changed, 13 insertions(+), 1 deletion(-)
> > > > diff --git a/meta/classes/image-account-extension.bbclass > > b/meta/classes/image-account-extension.bbclass index > > 70950a7b..c9b86250 100644 --- > > a/meta/classes/image-account-extension.bbclass +++ > > b/meta/classes/image-account-extension.bbclass @@ -17,7 +17,7 @@ > > USERS ??= "" #USER_root[home] = "/home/root" > > #USER_root[shell] = "/bin/sh" > > #USER_root[groups] = "audio video" > > -#USER_root[flags] = "no-create-home create-home system > > allow-empty-password clear-text-password force-passwd-change" > > +#USER_root[flags] = "no-create-home create-home system > > allow-empty-password clear-text-password force-passwd-change > > copy-ci-key" GROUPS ??= "" > > @@ -263,5 +263,17 @@ image_postprocess_accounts() { > > sudo -E chroot '${ROOTFSDIR}' \ > > /usr/bin/passwd --expire "$name" > > fi > > + > > + # Add CI ssh key for noninteractive login > > + if [ "${flags}" != "${flags%*,copy-ci-key,*}" ]; then > > + echo "Add CI ssh key for \"$name\"" > > + sudo sh -c " \ > > + mkdir -p ${ROOTFSDIR}/${home}/.ssh && \ > > + cat ${TESTSUITEDIR}/keys/ssh/id_rsa.pub > > > ${ROOTFSDIR}/${home}/.ssh/authorized_keys && \ > > + chmod -R go-rwx ${ROOTFSDIR}/${home}/.ssh > > + " > > + sudo -E chroot '${ROOTFSDIR}' \ > > + chown -R ${name}:${gid} ${home}/.ssh > > + fi > > > > > done > > } >
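Review bot: in the first hunk the only description of the new `copy-ci-key` flag is its name appended to the commented-out `#USER_root[flags]` example; nothing says which key gets installed or where it comes from. Add a short note next to that comment (or in the class documentation) stating that the flag copies `${TESTSUITEDIR}/keys/ssh/id_rsa.pub` into the user's `authorized_keys`, so anyone setting it on a non-CI image understands they are granting SSH access to whoever holds the test-suite private key.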
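Review bot: in the second hunk, `cat ${TESTSUITEDIR}/keys/ssh/id_rsa.pub > ${ROOTFSDIR}/${home}/.ssh/authorized_keys` replaces any `authorized_keys` the account already has instead of adding to it, and nothing checks that the source key file exists before the `sudo sh -c` chain runs. Use `>>` (or an explicit existence check on the destination) so keys placed by an overlay or an earlier step survive, and fail with a clear message if `${TESTSUITEDIR}/keys/ssh/id_rsa.pub` is missing. Also, `mkdir -p ${ROOTFSDIR}/${home}/.ssh` creates `${home}` itself, root-owned, for accounts created with `no-create-home`, while the following `chown -R ${name}:${gid} ${home}/.ssh` only fixes ownership of `.ssh`; either reject the flag combination or chown `${home}` as well.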
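The package-owned alternative Henning sketches (a key file under /etc/ssh plus a postinst/prerm pair that switches the global `AuthorizedKeysFile` directive on and off) as an added example; this is not code from the patch, from isar, or from anyone in the thread, and the key path, the tag comments and the function names are assumptions. It adds the check a maintainer script needs here: sshd honours only the first `AuthorizedKeysFile` it reads, so a line merely appended below an existing directive would never take effect, and the existing one has to be switched off and later restored.

```shell
#!/bin/sh
# Added example, not the isar project's code. Maintainer-script logic for a
# hypothetical "ci-ssh-access" Debian package: postinst makes the shipped key
# file an extra authorized_keys source for every user, prerm undoes exactly
# that, and both can be run repeatedly without duplicating or losing lines.
set -e

# Hypothetical key file shipped by the package (conffile under /etc/ssh).
CI_KEYFILE_DEFAULT=/etc/ssh/ci_authorized_keys
# Tags that let prerm find precisely what postinst changed.
TAG_ADDED="# ci-ssh-access:added"
TAG_OFF="#ci-ssh-access:disabled "

# Number of AuthorizedKeysFile directives sshd would actually consider
# (uncommented lines only). Used for sanity checks and by the test.
ci_active_lines() {
    grep -c '^[[:space:]]*AuthorizedKeysFile[[:space:]]' "$1" || true
}

# postinst step: ci_key_enable SSHD_CONFIG [KEYFILE]
# sshd uses the FIRST AuthorizedKeysFile directive it reads, so any existing
# one is commented out with a tag (not deleted) before ours is appended.
# A second run finds the tag and does nothing.
ci_key_enable() {
    cfg=$1; keyfile=${2:-$CI_KEYFILE_DEFAULT}
    if grep -q "${TAG_ADDED}\$" "$cfg"; then
        return 0
    fi
    tmp=$(mktemp)
    sed "s|^\([[:space:]]*AuthorizedKeysFile[[:space:]]\)|${TAG_OFF}\1|" "$cfg" > "$tmp"
    printf 'AuthorizedKeysFile .ssh/authorized_keys %s %s\n' "$keyfile" "$TAG_ADDED" >> "$tmp"
    cat "$tmp" > "$cfg"   # cat, not mv, keeps the config's owner and mode
    rm -f "$tmp"
}

# prerm step: ci_key_disable SSHD_CONFIG
# Drops our directive and restores whatever postinst switched off, so the
# file is byte-for-byte what the admin had before the package was installed.
ci_key_disable() {
    cfg=$1
    tmp=$(mktemp)
    grep -v "${TAG_ADDED}\$" "$cfg" | sed "s|^${TAG_OFF}||" > "$tmp"
    cat "$tmp" > "$cfg"
    rm -f "$tmp"
}

# Stand-alone demo on a constructed sshd_config copy (run with "demo").
if [ "${1:-}" = demo ]; then
    demo=$(mktemp)
    printf 'Port 22\nAuthorizedKeysFile .ssh/authorized_keys\n' > "$demo"
    ci_key_enable "$demo"; echo "--- after postinst"; cat "$demo"
    ci_key_disable "$demo"; echo "--- after prerm"; cat "$demo"
    rm -f "$demo"
fi
```

In a real postinst, run `sshd -t` after `ci_key_enable` and only then reload the service, so a malformed edit is caught before the running daemon picks it up; the user-creation, sudo and regen-keys dependencies Henning mentions belong in the package's control file and are not shown here.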