icybear/bearnet
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore: pin ssh key and disable password login

Browse Source
This commit is contained in:
iceBear67
2026-06-22 15:16:59 +08:00
parent 33638a5c0a
commit 0c8c90f42f
5 changed files with 27 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -2,3 +2,4 @@
*.asc *.asc
image/*.raw image/*.raw
*.raw *.raw
secret/*

21
BUILD.sh
View File

@@ -9,6 +9,11 @@ if [ "$UID" != "0" ]; then
exit 2 exit 2
fi fi
if ! command -v "ssh-keygen"; then
echo "ssh-keygen is required for guest setup."
exit 1
fi
PATH="$PWD/scripts:$PATH" PATH="$PWD/scripts:$PATH"
if [[ "$CLOUD_CONFIG_REPO" -eq "" ]]; then if [[ "$CLOUD_CONFIG_REPO" -eq "" ]]; then
@@ -42,9 +47,25 @@ IMAGE_NAME=${IMAGE_NAME:-bearcloud}
echo "Image tag: $IMAGE_NAME:$IMAGE_TAG and $IMAGE_NAME:latest" echo "Image tag: $IMAGE_NAME:$IMAGE_TAG and $IMAGE_NAME:latest"
echo "Additional arguments for VM image: $VM_OPTS" echo "Additional arguments for VM image: $VM_OPTS"
echo "Additional arguments for Hypervisor Image: $HY_OPTS" echo "Additional arguments for Hypervisor Image: $HY_OPTS"
echo "Missing secret files like ssh host key will be automatically created."
echo "Continue?" echo "Continue?"
read read
declare -A PRIVATE_KEYS=(["ssh_host_ecdsa_key"]="ecdsa"
["ssh_host_ed25519_key"]="ed25519"
["ssh_host_rsa_key"]="rsa")
for item in "${!PRIVATE_KEYS[@]}"; do
subject="secret/$item"
if [[ ! -f $subject ]]; then
echo "Creating missing secret $subject"
ssh-keygen -t "${PRIVATE_KEYS[$item]}" -f "$subject" \
-C "automatically generated bearcloud ssh key" \
-N ""
ssh-keygen -y -f "$subject" > "${subject}_pub"
fi
done
BUILDERS=$(docker buildx ls) BUILDERS=$(docker buildx ls)
if ! (echo $BUILDERS | grep -q "bearcloud"); then if ! (echo $BUILDERS | grep -q "bearcloud"); then
docker buildx create --name bearcloud --buildkitd-flags '--allow-insecure-entitlement security.insecure' docker buildx create --name bearcloud --buildkitd-flags '--allow-insecure-entitlement security.insecure'

4
image/overlay/etc/ssh/ssh_config.d/10-disable-password.conf Normal file
View File

@@ -0,0 +1,4 @@
KbdInteractiveAuthentication no
PasswordAuthentication no
PubkeyAuthentication yes

0
secret/.gitkeep Normal file
View File

1
vm.Dockerfile
View File

@@ -21,6 +21,7 @@ RUN sed -i "s#_REPO_#$CLOUD_CONFIG_REPO#g" /kitchen/overlay/daemon/update-keys.s
sed -i "s#GATEWAY_ADDRESS#$CLOUD_GATEWAY_ADDRESS#g" /kitchen/overlay/etc/network/interfaces sed -i "s#GATEWAY_ADDRESS#$CLOUD_GATEWAY_ADDRESS#g" /kitchen/overlay/etc/network/interfaces
COPY --from=bubble-builder --chmod=755 /build/daemon /kitchen/overlay/usr/bin/bubble COPY --from=bubble-builder --chmod=755 /build/daemon /kitchen/overlay/usr/bin/bubble
COPY --from=bubble-builder --chmod=755 /build/auth_server /kitchen/overlay/usr/bin/auth-server COPY --from=bubble-builder --chmod=755 /build/auth_server /kitchen/overlay/usr/bin/auth-server
COPY ./secret/* /kitchen/overlay/etc/ssh/
RUN --security=insecure \ RUN --security=insecure \
--mount=type=bind,from=host-modules,source=/,target=/lib/modules \ --mount=type=bind,from=host-modules,source=/,target=/lib/modules \
cd /kitchen && rm -f vm.raw && ALPINE_BRANCH="3.24" ./build-image.sh cd /kitchen && rm -f vm.raw && ALPINE_BRANCH="3.24" ./build-image.sh