From 5461c13bdcace38ce40494acde0e21d2cb3c9081 Mon Sep 17 00:00:00 2001
From: Boris Kolpackov
Date: Fri, 31 Mar 2017 14:09:06 +0200
Subject: Use user build instead of root for SSH login
---
 init | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
(limited to 'init')
diff --git a/init b/init
index 9c068c8..e29de66 100755
--- a/init
+++ b/init
@@ -394,10 +394,13 @@ newaliases
 # - Change host key locations to (persistent) /state/etc/ssh/ and remove
 # existing keys. If no corresponding key exists in /state, generate it.
 #
+# - Disable root login.
+#
 # - Disable password authentication.
 #
 sed -r -i \
 -e "s%^#?HostKey +(.+)%HostKey /state\1%" \
+ -e "s%^#?PermitRootLogin.*%PermitRootLogin no%" \
 -e "s%^#?PasswordAuthentication.*%PasswordAuthentication no%" \
 /etc/ssh/sshd_config

@@ -412,15 +415,16 @@ for k in $(echo /etc/ssh/ssh_host_*_key | \
 done
 rm -f /etc/ssh/ssh_host_*_key*

-# Add buildos.ssh_key to root's authorized_keys.
+# Add buildos.ssh_key to build's authorized_keys.
 #
 if [ -n "$ssh_key" ]; then
- info "adding buildos.ssh_key to ~root/.ssh/authorized_keys"
- mkdir -p /root/.ssh
- chmod 700 /root/.ssh
+ info "adding buildos.ssh_key to ~build/.ssh/authorized_keys"
+ mkdir -p /build/.ssh
+ echo "$ssh_key" >>/build/.ssh/authorized_keys

- echo "$ssh_key" >>/root/.ssh/authorized_keys
- chmod 600 /root/.ssh/authorized_keys
+ chown build:build /build/.ssh /build/.ssh/authorized_keys
+ chmod 700 /build/.ssh
+ chmod 600 /build/.ssh/authorized_keys
 fi

 # Configure the TFTP server (tftpd-hpa).
-- 
cgit v1.1
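Review bot: The added `PermitRootLogin` expression in the first hunk only rewrites a line that already exists in /etc/ssh/sshd_config, commented or not. If the shipped file has no such line, the sed is a silent no-op and sshd uses its built-in default, which in OpenSSH 7.0 and later is `prohibit-password` and so still accepts key-based root login. The existing `PasswordAuthentication` expression has the same gap. A follow-up check would make the setting hold either way, for example `grep -q '^PermitRootLogin no$' /etc/ssh/sshd_config || echo 'PermitRootLogin no' >>/etc/ssh/sshd_config`, though appending is only correct when the file does not end in a `Match` block. The comment block this hunk extends starts above the hunk.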
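Review bot: In the second hunk root creates /build/.ssh and appends the key before ownership and mode are set, whereas the removed code ran `chmod 700` on the directory before writing. Until the final `chmod 600` the directory and file carry root's default-umask permissions. If /build persists across boots (not visible here), root's `>>` and `chown` also act on whatever the build user left at that path. Creating the directory with its final owner and mode first, `install -d -m 700 -o build -g build /build/.ssh`, and only then writing the file closes most of that window. With a persistent /build the `>>` also re-appends the key on every boot and keeps a key that was later dropped from buildos.ssh_key authorized, so writing the file afresh may be what is wanted; `printf '%s\n' "$ssh_key"` is also more robust than `echo` for arbitrary key text.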