From 395fdb18920f41d36dc5e4f4d1ef5fbb1c236713 Mon Sep 17 00:00:00 2001 From: The MMGen Project Date: Mon, 29 Sep 2025 22:59:12 +0000 Subject: [PATCH] armbian_rootenc: APT sources fix, improve `authorized_keys` support --- scripts/armbian_rootenc_setup.sh | 44 +++++++++++++++++--------------- 1 file changed, 24 insertions(+), 20 deletions(-) diff --git a/scripts/armbian_rootenc_setup.sh b/scripts/armbian_rootenc_setup.sh index 7128fcb..04715d2 100755 --- a/scripts/armbian_rootenc_setup.sh +++ b/scripts/armbian_rootenc_setup.sh @@ -15,7 +15,6 @@ CONFIG_VARS=' NETMASK ADD_ALL_MODS ADD_MODS - USE_LOCAL_AUTHORIZED_KEYS USB_GADGET ETH_DEV NETCFG_IFUPDOWN @@ -34,7 +33,6 @@ USER_OPTS_INFO=" FORCE_REFORMAT_ROOT - force reformat of encrypted root partition ADD_ALL_MODS - add all currently loaded modules to initramfs ADD_MODS y add specified modules to initramfs - USE_LOCAL_AUTHORIZED_KEYS - use local 'authorized_keys' file if available PARTITION_ONLY - partition and create filesystems only ERASE - zero boot sector, boot partition and beginning of root partition ROOTENC_REUSE_FS - reuse existing filesystems (for development only) @@ -66,8 +64,6 @@ print_help() { '-U' Unmount source and target systems and exit '-p' Partition and create filesystems only. Do not copy data '-R' Force reformat of encrypted root partition - '-s' Use 'authorized_keys' file from working directory, if available - (see below) '-v' Be more verbose '-u' Perform an 'apt upgrade' after each 'apt update' '-z' Erase boot sector and first partition of SD card before partitioning @@ -95,12 +91,15 @@ print_help() { This script must be invoked as superuser on a running Armbian system. Packages will be installed using APT, so the system must be Internet- - connected and its clock correctly set. + connected, fully upgraded, and have its clock correctly set. After a + kernel upgrade the system must be rebooted. - If remote unlocking via SSH is desired, the unlocking host must be reachable. - Alternatively, SSH public keys for the unlocking host or hosts may be - provided in the file 'authorized_keys' in the current directory. This file - has the same format as a standard SSH 'authorized_keys' file. + If remote unlocking via SSH is desired, the unlocking host should be + reachable. If it is not, SSH public keys for unlocking host (or hosts) + may be provided in the file ‘authorized_keys’ in the current directory. + This file has the same format as the standard SSH ‘authorized_keys’ file. + Alternatively, the directory ‘authorized_keys.d’ may be created and SSH + public key or ‘authorized_keys’ files placed in it instead. Architecture of host and target (e.g. 64-bit or 32-bit ARM) must be the same. @@ -438,13 +437,21 @@ _test_sdcard_mounted() { } get_authorized_keys() { - [ -f 'authorized_keys' ] && rm -rf 'authorized_keys' # remove legacy file if present - authorized_keys_dir="authorized_keys-$UNLOCKING_USERHOST" - [ -e $authorized_keys_dir -a "$USE_LOCAL_AUTHORIZED_KEYS" ] || { - _test_unlocking_host_available - mkdir -p $authorized_keys_dir - rsync "$UNLOCKING_USERHOST:.ssh/id_*.pub" $authorized_keys_dir - NEW_AUTHORIZED_KEYS='y' + authorized_keys_dir="authorized_keys.d" + [ -e $authorized_keys_dir ] || { + if [ -f 'authorized_keys' ]; then + mkdir -p $authorized_keys_dir + mv 'authorized_keys' $authorized_keys_dir + NEW_AUTHORIZED_KEYS='y' + else + _test_unlocking_host_available + mkdir -p $authorized_keys_dir + rsync "$UNLOCKING_USERHOST:.ssh/id_*.pub" $authorized_keys_dir || { + rm -rf $authorized_keys_dir + return 1 + } + NEW_AUTHORIZED_KEYS='y' + fi } } @@ -681,9 +688,6 @@ _update_state_from_config_vars() { [ "$cUSB_GADGET" != "$USB_GADGET" ] && cfgvar_changed+=' USB_GADGET' target_configured='n' [ "$cETH_DEV" != "$ETH_DEV" ] && cfgvar_changed+=' ETH_DEV' target_configured='n' [ "$cNETCFG_IFUPDOWN" != "$NETCFG_IFUPDOWN" ] && cfgvar_changed+=' NETCFG_IFUPDOWN' target_configured='n' - [ "$IP_ADDRESS" -a "$cUSE_LOCAL_AUTHORIZED_KEYS" != "$USE_LOCAL_AUTHORIZED_KEYS" ] && { - cfgvar_changed+=' USE_LOCAL_AUTHORIZED_KEYS' target_configured='n' - } [ $card_partitioned == 'n' ] && { bootpart_copied='n' @@ -1056,6 +1060,7 @@ copy_etc_files_distro_specific() { for f in $files; do [ -e "$f" ] && _copy_to_target $f done + : else warn 'Warning: host and target distros do not match, attempting to rewrite files:' for f in $files; do @@ -1454,7 +1459,6 @@ do U) UMOUNT_TARGET_ONLY='y' ;; p) PARTITION_ONLY='y' ;; R) FORCE_REFORMAT_ROOT='y' ;; - s) USE_LOCAL_AUTHORIZED_KEYS='y' ;; u) APT_UPGRADE='y' ;; d) DEBUG='y' ;& v) VERBOSE='y' RSYNC_VERBOSITY='--verbose' ;;