From 4aef8c9e30d4c14c801a50aa94eed983ab4ae2c5 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Fri, 8 May 2015 17:23:03 +0200
Subject: Jessie fixups.

---
 src/fripost-partman-udeb/base.sh | 30 +++++++++++++++++-------------
 1 file changed, 17 insertions(+), 13 deletions(-)

(limited to 'src/fripost-partman-udeb/base.sh')

diff --git a/src/fripost-partman-udeb/base.sh b/src/fripost-partman-udeb/base.sh
index 449d3ae..b6af4d1 100644
--- a/src/fripost-partman-udeb/base.sh
+++ b/src/fripost-partman-udeb/base.sh
@@ -35,7 +35,7 @@ fatal() {
 
 # Ensure stdout is opened with line buffering. If some day stdbuf(1) is
 # available in busybox, we should replace the LD_PRELOAD by 'stdbuf -oL -eL'.
-# XXX: see #751394
+# XXX: workaround for #751394
 stdbuf() {
     LD_PRELOAD=/lib/fripost-partman/stdbuf.so "$@"
 }
@@ -298,12 +298,15 @@ fripost_encrypt() {
 
 			AllowAgentForwarding no
 			AllowTcpForwarding no
+			PermitOpen none
+			PermitTTY no
+			PermitUserRC no
 			ForceCommand /bin/cat >$keyfile
 		EOF
 
         # Populate the authorized keys.
         [ -d ~root/.ssh ] || mkdir -m0700 ~root/.ssh
-        copy_authorized_keys $import/authorized_keys ~root/.ssh/authorized_keys 'no-pty'
+        copy_authorized_keys $import/authorized_keys ~root/.ssh/authorized_keys
 
         # Start the SSH daemon
         touch /var/log/lastlog
@@ -312,7 +315,7 @@ fripost_encrypt() {
         # Tell the user we're ready
         db_subst fripost/encryption-slurpkey_text IPv4 "$(getIPv4)"
         db_subst fripost/encryption-slurpkey_text SSHFPR_SERVER \
-            "$(/usr/bin/ssh-keygen -lf $sshHostKey)"
+            "$(sshfprs ${sshHostKey}.pub)"
         db_subst fripost/encryption-slurpkey_text SSHFPR_AUTHORIZED \
             "$(sshfprs ~root/.ssh/authorized_keys '    - ')"
 
@@ -379,21 +382,22 @@ fripost_encrypt() {
 
 
 # Like ssh-keygen -lf, but for a file such as authorized_keys, which
-# may contain multiple keys.
+# may contain multiple keys.  Also, use the comment associated with the
+# key rather than the filename.
 #
-# Usage: sshfprs.sh file [prefix]
+# Usage: sshfprs file [prefix]
 
 sshfprs() {
-    local file="$1" prefix="${2:-}" pk
+    local file="$1" prefix="${2:-}" type pk comment pkf=$(mktemp)
 
-    while read pk; do
+    sed -nr "s#^([^#]+\s)?(ssh-(dss|rsa|ed25519)|ecdsa-sha2-nistp(256|384|521))\s#\2 #p" "$file" | \
+    while read type pk comment; do
         # /usr/bin/ssh-keygen can't read from STDIN, and the '<<<' is
         # not POSIX, so we save each pubkey in a temporary file
-        pkf=$(mktemp)
-        echo "$pk" > "$pkf"
-        echo "${prefix}$(/usr/bin/ssh-keygen -lf $pkf)"
-        rm -f "$pkf"
-    done < "$file"
+        echo "$type $pk $comment" > "$pkf"
+        echo "${prefix}$(/usr/bin/ssh-keygen -lf $pkf | sed "s#$pkf#$comment#")"
+    done
+    rm -f "$pkf"
 }
 
 # Copy an authorized_keys file, possibly adding some options. The input
@@ -403,7 +407,7 @@ sshfprs() {
 copy_authorized_keys() {
     local from="$1" to="$2"
     if [ $# -gt 2 ]; then
-        sed -r "s#^([^#]+\s)?(ssh-(dss|rsa)|ecdsa-sha2-nistp(256|384|521))\s#$3 \2 #" \
+        sed -r "s#^([^#]+\s)?(ssh-(dss|rsa|ed25519)|ecdsa-sha2-nistp(256|384|521))\s#$3 \2 #" \
             "$from" > "$to"
     else
         cp "$from" "$to"
-- 
cgit v1.2.3