bootstrap-plugins/ssh

#!/bin/bash

# bootstrap ssh access and key for pi user

# @example
# just generate new ssh key for pi user
# RPI_SSH_KEYGEN="true"
# RPI_SSH_KEY_ROUNDS=500

# @example
# authorize key and trigger regeneration of server keys
# RPI_SSH_KEYGEN_SERVER="true"
# RPI_SSH_AUTHORIZE="ssh-rsa AAAA... user@host"


# default options
RPI_SSH_KEY_TYPE="${RPI_SSH_KEY_TYPE:=ed25519}"
RPI_SSH_KEY_ROUNDS="${RPI_SSH_KEY_ROUNDS:=100}"
RPI_SSH_KEYGEN="${RPI_SSH_KEYGEN:=false}"
RPI_SSH_KEYGEN_SERVER="${RPI_SSH_KEYGEN_SERVER:=false}"
RPI_SSH_ON="${RPI_SSH_ON:=login}"
to_array RPI_SSH_AUTHORIZE

# load dependencies
plugin_load append || return 1
plugin_load dist || return 1
plugin_load chmod || return 1
plugin_load chown || return 1
plugin_load run || return 1


function run() {
    case "${RPI_SSH_ON}" in
        "login")
            rpi_run_on_first_login "$@"
            ;;

        "boot")
            rpi_run_on_first_boot "$@"
            ;;

        ?|*)
            error "invalid RPI_SSH_ON=${RPI_SSH_ON}"
    esac
}

function rpi_ssh_prerun() {
    true
}

function rpi_ssh_run() {
    # enable ssh if not enabled, yet
    sudo touch "${RPI_BOOT}/ssh" || error "touch ${RPI_BOOT}/ssh"

    # create ~/.ssh dir
    [[ -d "${RPI_ROOT}/home/pi/.ssh" ]] || sudo mkdir -p "${RPI_ROOT}/home/pi/.ssh" || error "mkdir"
    rpi_chmod_pi 0700 "/home/pi/.ssh" || error "chmod"

    # authorize configured keys?
    if [[ -n "${RPI_SSH_AUTHORIZE}" ]] ; then
        log "creating /home/pi/.ssh/authorized_keys ..."
        local key
        sudo touch "${RPI_ROOT}/home/pi/.ssh/authorized_keys" || error "touch"
        for key in "${RPI_SSH_AUTHORIZE[@]}" ; do
            rpi_append_to_file "${key}" "${RPI_ROOT}/home/pi/.ssh/authorized_keys" || error "append"
            log "  authorized: ${key}"
        done
        rpi_chmod_pi 0600 "/home/pi/.ssh/authorized_keys" "true" || error "chmod"
        rpi_chown_pi "/home/pi/.ssh/authorized_keys" "true" || error "chown"
    fi

    # copy dist files
    rpi_dist_cp_if_exist /etc/ssh/sshd_config 0600
    rpi_dist_cp_if_exist /home/pi/.ssh/authorized_keys 0600
    rpi_dist_cp_if_exist /home/pi/.ssh/config 0600
    rpi_dist_cp_if_exist /home/pi/.ssh/known_hosts 0600

    # generate ssh key?
    if [[ "${RPI_SSH_KEYGEN}" == "true" ]] ; then
        log "generating ${RPI_SSH_KEY_TYPE} key..."
        local keyname
        keyname="${RPI_ROOT}/home/pi/.ssh/id_${RPI_SSH_KEY_TYPE}"
        if ! sudo test -f "${keyname}" ; then
            # create key
            sudo ssh-keygen \
                -t "${RPI_SSH_KEY_TYPE}" \
                -a "${RPI_SSH_KEY_ROUNDS}" \
                -q -N \'\' \
                -f "${keyname}" || error "ssh-keygen"
            # replace hostname
            name="$(hostname)"
            sudo sed "s|${name}|${RPI_HOSTNAME}|g" -i "${keyname}.pub" || "sed"
            # set owner
            rpi_chown_pi "/home/pi/.ssh" "true" || error "chown"
            # print pubkey
            log "  created new pubkey for ${RPI_HOSTNAME}: $(< "${keyname}.pub")"
        fi
    fi

    # regenerate server keys?
    if [[ "${RPI_SSH_KEYGEN_SERVER}" == "true" ]] ; then
        log "regenerating /etc/ssh/ssh_host_*"
        sudo rm -f "${RPI_ROOT}/etc/ssh/ssh_host_"*
        run "sudo dpkg-reconfigure openssh-server"
    fi
}

function rpi_ssh_description() {
    echo "configure ssh"
}

function rpi_ssh_help_params() {
    help_param "RPI_SSH_KEY_TYPE" "key type to generate"
    help_param "RPI_SSH_KEY_ROUNDS" "KDF rounds for generated key"
    help_param "RPI_SSH_KEYGEN" "use local ssh-keygen to generate a key for the pi user"
    help_param "RPI_SSH_KEYGEN_SERVER" "(re)generate server keys on the pi"
    help_param "RPI_SSH_AUTHORIZE" "array of public keys to add to authorized_keys for the pi user"
    help_param "RPI_SSH_ON" "setup on first \"login\" or \"boot\""
}

function rpi_ssh_help_distfiles() {
    help_distfile "/etc/ssh/sshd_config"
    help_distfile "/home/pi/.ssh/authorized_keys"
    help_distfile "/home/pi/.ssh/config"
    help_distfile "/home/pi/.ssh/known_hosts"

}