[debian-lan-devel] [SCM] Debian-LAN development and packaging branch, master, updated. 0.6-34-g26195d5
Andreas B. Mundt
andi at debian.org
Thu Aug 30 16:55:51 UTC 2012
The following commit has been merged in the master branch:
commit 0e7fe841e5280720992e54c4399644ec1ca08821
Author: Andreas B. Mundt <andi at debian.org>
Date: Thu Aug 30 18:07:23 2012 +0200
Allow root to login on all clients from the mainserver. Fixes.
Create ssh key pair for root on the mainserver. Copy the public key
to the config space and install it on all clients to allow root access
without password. This feature will be used to distribute kerberos
keytabs during installation.
Restrict access to the FAI config space. Fix keytab permissions.
diff --git a/fai/config/files/etc/rc.local/FAISERVER b/fai/config/files/etc/rc.local/FAISERVER
index 28b24c6..ff0f3a9 100755
--- a/fai/config/files/etc/rc.local/FAISERVER
+++ b/fai/config/files/etc/rc.local/FAISERVER
@@ -53,8 +53,10 @@ if wget --quiet --output-document=/tmp/fai-setup $URL ; then
## Use git to track modifications of the config space:
cd $FAI_CONFIGDIR
- git config --global user.name "root"
+ HOME="/root"
+ git config --global user.name root
git config --global user.email root@`hostname --fqdn`
+ git config --global color.ui auto
git init
git add .
git commit -m "Initial commit"
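Review bot: `HOME="/root"` is assigned but not exported, so the `git config --global` calls that follow only see it if HOME was already an exported variable in the environment rc.local runs in; `export HOME=/root` makes that explicit. The context line `cd $FAI_CONFIGDIR` is unquoted and its result is not checked, so if it fails, `git init` and `git add .` run in whatever directory the script was in before; it should be quoted and guarded. The enclosing `if wget ...` block starts before this hunk and continues after it.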
diff --git a/fai/config/files/usr/sbin/debian-lan/SERVER_A b/fai/config/files/usr/local/sbin/debian-lan/SERVER_A
similarity index 98%
rename from fai/config/files/usr/sbin/debian-lan/SERVER_A
rename to fai/config/files/usr/local/sbin/debian-lan/SERVER_A
index c631e64..4186bcb 100755
--- a/fai/config/files/usr/sbin/debian-lan/SERVER_A
+++ b/fai/config/files/usr/local/sbin/debian-lan/SERVER_A
@@ -168,7 +168,7 @@ case $COMMAND in
;;
addmachine)
for MACHINE in $@ ; do
- scp $DATADIR/${MACHINE}.keytab root@${MACHINE}:/etc/krb5.keytab
+ scp -p $DATADIR/${MACHINE}.keytab root@${MACHINE}:/etc/krb5.keytab
MUNIN_CONFDIR='/etc/munin/munin-conf.d/'
if [ -d $MUNIN_CONFDIR ] && ! grep -sq ${MACHINE} $MUNIN_CONFDIR/nodes.conf ; then
cat >> $MUNIN_CONFDIR/nodes.conf <<EOF
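Review bot: With `scp -p` the mode of `/etc/krb5.keytab` on the client is whatever mode the source file under `$DATADIR` has, so the keytab is only protected if every `${MACHINE}.keytab` was created 0600 there, and nothing visible in this hunk enforces that. Setting the mode explicitly after the copy, e.g. `ssh root@${MACHINE} chmod 600 /etc/krb5.keytab`, removes that dependency. `$@` and `${MACHINE}` are unquoted on the loop and scp lines, so `for MACHINE in "$@" ; do` with quoted scp arguments would be safer for names taken from the command line. The `addmachine)` branch continues past the end of the hunk.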
diff --git a/fai/config/files/usr/sbin/nbdswapd/DISKLESS_SERVER b/fai/config/files/usr/local/sbin/nbdswapd/DISKLESS_SERVER
similarity index 100%
rename from fai/config/files/usr/sbin/nbdswapd/DISKLESS_SERVER
rename to fai/config/files/usr/local/sbin/nbdswapd/DISKLESS_SERVER
diff --git a/fai/config/scripts/CLIENT_A/20-misc b/fai/config/scripts/CLIENT_A/20-misc
index 1464b64..0f817e3 100755
--- a/fai/config/scripts/CLIENT_A/20-misc
+++ b/fai/config/scripts/CLIENT_A/20-misc
@@ -5,6 +5,9 @@ set -e
## faiconfig:
fcopy -ir /etc/fai
+## authorized_keys for root:
+fcopy -ir /root
+
## Fetch proxy information from wpad.dat:
WPAD=/tmp/wpad.dat
http_proxy=""; wget --output-document=$WPAD http://wpad.intern/wpad.dat
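Review bot: `fcopy -ir /root` installs every file that exists under `files/root` in the config space, not only the authorized_keys file named in the comment, so anything later added to that tree ends up in root's home on all CLIENT_A machines. No owner or mode is given either, so the permissions of `/root/.ssh/authorized_keys` depend on the source file or on a `file-modes` entry that this commit does not show. Narrowing the call and fixing the mode, e.g. `fcopy -im root,root,0600 /root/.ssh/authorized_keys`, would make the result predictable.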
diff --git a/fai/config/scripts/FAISERVER/20-configspace b/fai/config/scripts/FAISERVER/20-configspace
index 08a41af..a3c2b6c 100755
--- a/fai/config/scripts/FAISERVER/20-configspace
+++ b/fai/config/scripts/FAISERVER/20-configspace
@@ -9,5 +9,7 @@ if [ $FAI_ACTION == "install" ] ; then
echo "done."
cp -a /var/lib/fai/config $target/srv/fai/
+ chmod 770 $target/srv/fai/config/
+ chown root:adm $target/srv/fai/config/
echo "New config space copied to faiserver."
fi
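Review bot: `chmod 770` together with `chown root:adm` gives every member of group adm write access to the config space, and that tree is what fcopy installs as root on the clients, including the `files/root/.ssh/authorized_keys` source that SERVER_A/10-misc adds in this commit. Unless group write is really needed, `chmod 750 $target/srv/fai/config/` keeps the tree readable for adm without letting group members change what lands in root's account. Only the top directory is changed, so the files copied by `cp -a` keep their original modes and the restriction relies on traversal being blocked at this one directory. The `if [ $FAI_ACTION == "install" ]` block starts before the hunk.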
diff --git a/fai/config/scripts/SERVER_A/10-misc b/fai/config/scripts/SERVER_A/10-misc
index 30411e1..b67d3b7 100755
--- a/fai/config/scripts/SERVER_A/10-misc
+++ b/fai/config/scripts/SERVER_A/10-misc
@@ -12,9 +12,21 @@ if [ ! -z $USERNAME ] && ! $ROOTCMD getent passwd $USERNAME ; then
$ROOTCMD usermod --groups adm,sudo $USERNAME
fi
+## Prepare ssh key pair for root:
+KEY="/root/.ssh/id_rsa"
+if [ ! -e $KEY ]; then
+ $ROOTCMD ssh-keygen -t rsa -N '' -f $KEY
+fi
+if ifclass FAISERVER ; then
+ ## Add public key to fai config space:
+ DIR="/srv/fai/config/files/root/.ssh/authorized_keys/"
+ $ROOTCMD mkdir -pv $DIR
+ $ROOTCMD cp -v ${KEY}.pub $DIR/CLIENT_A
+fi
+
## Make debian-lan-scripts available:
-fcopy -m root,root,0700 /usr/sbin/debian-lan
+fcopy -rm root,root,0700 /usr/local/sbin/
if [ $FAI_ACTION != "install" ]; then
exit 0
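Review bot: The public key is copied unchanged to `authorized_keys/CLIENT_A`, so the passphrase-less key created by `ssh-keygen -N ''` grants unrestricted root access on every client; prefixing the key line with a `from="<mainserver-address>"` option (placeholder value) when writing CLIENT_A would at least tie its use to the mainserver. The existence test `[ ! -e $KEY ]` looks at `/root/.ssh/id_rsa` on the running system while ssh-keygen runs under `$ROOTCMD`; if that is a chroot into `$target` during installation, the test should read `if [ ! -e $target$KEY ]; then`. `fcopy -rm root,root,0700 /usr/local/sbin/` now applies to everything under that directory rather than only debian-lan, which is worth a comment. The `if [ $FAI_ACTION != "install" ]` block at the end continues past the hunk.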
--
Debian-LAN development and packaging