LiveCD setup Issue with autoconfigurator

Started by affinityv, September 04, 2020, 08:27:05 PM

I tried to set up a USB with the /conf directory tree on it using freebsd-ufs file system type, but the autoconfigurator seems to only work with msdos_fs, so I reformatted the USB to use vfat32 and added the /conf directory tree to it.

As the autoconfigurator option from USB boot (vga version) only wants to mount msdos_fs the sshd keys have incorrect permissions; I have to log in to the console (usually a headless box) and adjust the permissions for the /conf/sshd/*key files to 600 and then manually start sshd.

I would have thought that a freebsd system should be able to read the freebsd-ufs partition's /conf directory tree for use with the autoconfigurator.

Is there a better way to solve this so that the sshd key files have the appropriate permissions without needing to fix it with a login shell?  The autoconfigurator should adjust file permissions for the sshd keys...

It would also be good if the autoconfigurator could scan the devices and only present the one(s) that have a valid /conf directory and if only one valid device is found, then use it after a short delay without requiring any user action -- the machine could then be headless and keyboardless again.

Hi,

The importer supports a number of formats. The common denominator for these (excluding MSDOS as you found out) is that they resemble correctly installed OPNsense layouts:

https://github.com/opnsense/core/blob/5301999708823064c9509bce00e6115c10d64efc/src/sbin/opnsense-importer#L158-L169

The reason for this is that the importer is for moving the existing OPNsense install to a new home.

You are right about the keys in MSDOS having the wrong permission since the file system does not have these properties. The following should fix it.

https://github.com/opnsense/core/commit/530199970

I don't think we will be auto-inspecting the available ones and probing all of them for seemingly correct content. It runs the risk of doing what it should but that not being what the user intended (i.e. restoring the wrong /conf directory).

In any case thanks for your feedback. Was rather refreshing to see since the component hasn't received any feedback in almost two years. :)


Cheers,
Franco

Thanks.

The reason I came across this is that upgrades have become a problem for me of late.

This time I had a completely unbootable system, but the m.2 SATA SSD in place was able to be used to fetch the config and run LiveCD environment.  Then I tried the installer and it took forever adding a partition.  Eventually I rebooted and cleaned the internal disk and am now running just with LiveCD environment until I can check out the SSD which seems to be giving people grief with older installed systems like mine is now.

It would be handy to have smarttools and/or other diagnostics included to help check the health of disks.

Well, as I said you can always install them in live mode (i.e. os-smart). The core system is stripped of third party glue as much as it makes sense for the bulk of users.


Cheers,
Franco

I believe this would work too for the keys:

find /conf -name '*key' -print0|xargs -0r chmod 600

As we always have the /conf directory at that time, there is no need to check for sshd directory or to process each found file separately -- it's only a minor change, but it's neater I think.  What's more, if no files are found then xargs won't run chmod at all.

Uh, there should be keys in sshd directory, not everywhere else as well.

September 05, 2020, 12:33:39 AM #6 Last Edit: September 05, 2020, 04:06:47 AM by affinityv
Line 322 has a couple of errors, it won't work as far as I can tell.

After taking away the dash before the f for -type, you still get this problem:


# for FILE in "$(find /conf/sshd -type f -name '*key')";do ls "${FILE}";echo;done
ls: /conf/sshd/ssh_host_rsa_key
/conf/sshd/ssh_host_ecdsa_key
/conf/sshd/ssh_host_ed25519_key: No such file or directory


You will need to remove the double quotes.

This works:

# for FILE in $(find /conf/sshd -type f -name '*key');do ls "${FILE}";echo;done
/conf/sshd/ssh_host_rsa_key

/conf/sshd/ssh_host_ecdsa_key

/conf/sshd/ssh_host_ed25519_key


The above is testing....

This is the code replacement I think is needed if you want to include just the sshd directory, but you will still need to test for the existence of the directory:


find /conf/sshd -name '*key' -print0|xargs -0r chmod 600


And for what it's worth, if we want verbose-ness to show exactly what was changed and how, then add -vv with chmod


find /conf/sshd -name '*key' -print0|xargs -0r chmod -vv 600
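
The quoting pitfall and the permission fix discussed in this thread, as an added example that is not part of any post or of the OPNsense importer. A constructed temporary tree stands in for /conf/sshd, the helper names are hypothetical, and POSIX `find -exec ... {} +` is used here in place of the `-print0 | xargs -0r` pipeline:

```sh
#!/bin/sh
# Added example. A constructed temp tree stands in for /conf/sshd as it looks
# after a copy from FAT: every file ends up with the same loose mode.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/sshd"
    for k in ssh_host_rsa_key ssh_host_ecdsa_key ssh_host_ed25519_key; do
        : > "$d/sshd/$k"
        : > "$d/sshd/$k.pub"
        chmod 755 "$d/sshd/$k" "$d/sshd/$k.pub"
    done
    echo "$d"
}

# The pitfall: a quoted command substitution is ONE word, newlines included,
# so the loop body runs once with all paths glued together.
count_quoted() {
    n=0
    for f in "$(find "$1" -type f -name '*key')"; do
        n=$((n + 1))
    done
    echo "$n"
}

# Hypothetical helper: set private host keys under $1 to mode 600.
# No word splitting is involved, '*key' does not match the .pub files, and
# chmod is never invoked when nothing matches or the directory is missing.
fix_key_perms() {
    [ -d "$1" ] || return 0
    find "$1" -type f -name '*key' -exec chmod 600 {} +
}

# Print every private key whose mode is not exactly 600.
loose_keys() {
    [ -d "$1" ] || return 0
    find "$1" -type f -name '*key' ! -perm 600 -print
}

conf=$(make_sample)
echo "loop iterations with quoted substitution: $(count_quoted "$conf/sshd")"
fix_key_perms "$conf/sshd"
echo "private keys not at 600 after fix: $(loose_keys "$conf/sshd" | wc -l)"
rm -rf "$conf"
```
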

September 05, 2020, 12:51:14 AM #7 Last Edit: September 05, 2020, 01:27:15 AM by affinityv
Line 317 (unless it is done by line 314), creates the sshd directory if it doesn't exist, so perhaps still no need to check if it exists?

You are right, it was already past midnight yesterday. ;)

I changed it in the repository.


Cheers,
Franco