#!/bin/sh

# Install prefix, substituted into this .in template at build time.
PREFIX=@PREFIX@
# Default LIBDIR only when it is unset; an explicitly empty value is kept as-is ('=' not ':=').
: ${LIBDIR=$PREFIX/lib}
# Shared helpers: ask, isin and die, plus the MOCK prefix used on the apk/rc-*
# calls below, are presumably provided by this library (they are not defined here).
. "$LIBDIR/libalpine.sh"

# Print the help text to stdout and exit with the status given as $1.
# Callers redirect to stderr themselves when reporting a usage error.
usage() {
	printf '%s\n' \
		'usage: setup-sshd [-h] [-k authorized key] [openssh | dropbear | none]' \
		'' \
		'Setup sshd daemon' \
		'' \
		'options:' \
		' -h  Show this help' \
		" -k  Authorized key for root (HTTP(S)/FTP URL, the public key itself or 'none')"
	exit "${1:-0}"
}

# The key defaults to $SSH_KEY from the environment; -k overrides it.
authorized_key=${SSH_KEY}
while getopts "hc:k:" opt; do
	case "$opt" in
		h) usage 0 ;;
		c) sshdchoice=$OPTARG ;;      # backwards compat
		k) authorized_key=$OPTARG ;;
	esac
done
shift $((OPTIND - 1))

# A positional argument may also name the server; anything unknown is a usage error.
case "$1" in
	"") ;;
	openssh|dropbear|none) sshdchoice=$1 ;;
	*) usage 1 >&2 ;;
esac

# Keep prompting until one of the three recognised answers is given.
until isin "$sshdchoice" openssh dropbear none; do
	ask "Which SSH server? ('openssh', 'dropbear' or 'none')" openssh
	sshdchoice=$resp
done

# Nothing to install or configure for 'none'.
if [ "$sshdchoice" = "none" ]; then
	exit 0
fi

# Also pull in the ACF module for openssh when the ACF core is already present.
pkgs=$sshdchoice
if [ "$sshdchoice" = "openssh" ] && apk info --quiet --installed acf-core; then
	pkgs="$pkgs acf-openssh"
fi

# $pkgs is deliberately unquoted: it is a space-separated package list.
$MOCK apk add --quiet $pkgs

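# With no key to install, let the admin decide how root may log in.
# Fix: the original tested the literal string "authorized_keys" (never empty),
# so this prompt was always skipped; it must test the variable.
if [ "$sshdchoice" = "openssh" ] && [ -z "$authorized_key" ]; then
	while true; do
		ask "Allow root ssh login? ('yes', 'no', 'prohibit-password' or KEYURL) [prohibit-password]" prohibit-password
		case "$resp" in
			yes|no|prohibit-password)
				# rewrite an existing (possibly commented-out) directive, otherwise append one;
				# $resp is safe in the sed replacement here because it is one of the three literals above
				sed -i -E -e "s/^#?\s*PermitRootLogin.*/PermitRootLogin $resp/" /etc/ssh/sshd_config
				if ! grep -q ^PermitRootLogin /etc/ssh/sshd_config; then
					echo "PermitRootLogin $resp" >> /etc/ssh/sshd_config
				fi
				break
				;;
			http://*|https://*)
				# the fetched text becomes root's authorized key below; a plain http:// URL
				# is not integrity-protected in transit, https:// is the safer choice.
				# An empty download is treated like a failed one and the question is repeated.
				authorized_key="$($MOCK wget -qO- "$resp")" || { printf "Could not fetch key from '%s'\n" "$resp" >&2; continue; }
				[ -n "$authorized_key" ] || { printf "Fetched an empty key from '%s'\n" "$resp" >&2; continue; }
				break
				;;
			*)
				# previously an unrecognised answer was silently re-asked
				printf "Unrecognised answer '%s'\n" "$resp" >&2
				;;
		esac
	done
fi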

# Map the chosen package to its OpenRC service name ('none' has already exited above).
case "$sshdchoice" in
	openssh) svc=sshd ;;
	dropbear) svc=dropbear ;;
	*) svc= ;;
esac

# Enable the service at boot and start it now; $MOCK (set elsewhere) can stub these calls.
if [ -n "$svc" ]; then
	$MOCK rc-update add "$svc" default
	$MOCK rc-service "$svc" start
fi

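# Install root's login key if one was given (via -k, $SSH_KEY or the KEYURL answer
# above). A URL is fetched first; any other value is taken to be the public key text.
# Reads the globals authorized_key and ROOT; exits via die when a download fails.
install_root_authorized_key() {
	if [ -z "$authorized_key" ] || [ "$authorized_key" = "none" ]; then
		return 0
	fi

	# if the argument is an HTTP(S)/FTP URL, try to fetch the file contents
	# (fix: the original pattern 'ftp://' lacked the trailing '*' and never matched a real URL)
	case "$authorized_key" in
		http*://*|ftp://*)
			key_url=$authorized_key
			authorized_key="$(wget -qO- "$key_url")" || die "Could not fetch key from '$key_url'"
			# an empty download would otherwise silently install an empty line
			[ -n "$authorized_key" ] || die "Fetched an empty key from '$key_url'"
			;;
	esac

	# sshd (StrictModes) refuses group/world-writable key paths, so set the
	# conventional modes instead of relying on the caller's umask
	mkdir -p "${ROOT}/root/.ssh"
	chmod 700 "${ROOT}/root/.ssh"
	# printf rather than echo: the key is data, and sh echo may interpret backslashes or a leading '-'
	printf '%s\n' "$authorized_key" >> "${ROOT}/root/.ssh/authorized_keys"
	chmod 600 "${ROOT}/root/.ssh/authorized_keys"
}
install_root_authorized_key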