chore: pin ssh key and disable password login

2026-06-22 15:16:59 +08:00
parent 33638a5c0a
commit 0c8c90f42f
5 changed files with 27 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@
 *.asc
 image/*.raw
 *.raw
+secret/*
--- a/BUILD.sh
+++ b/BUILD.sh
@@ -9,6 +9,11 @@ if [ "$UID" != "0" ]; then
 	 exit 2
 fi

+if ! command -v "ssh-keygen"; then
+	 echo "ssh-keygen is required for guest setup."
+	 exit 1
+fi
+
 PATH="$PWD/scripts:$PATH"

 if [[ "$CLOUD_CONFIG_REPO" -eq "" ]]; then
@@ -42,9 +47,25 @@ IMAGE_NAME=${IMAGE_NAME:-bearcloud}
 echo "Image tag: $IMAGE_NAME:$IMAGE_TAG and $IMAGE_NAME:latest"
 echo "Additional arguments for VM image: $VM_OPTS"
 echo "Additional arguments for Hypervisor Image: $HY_OPTS"
+echo "Missing secret files like ssh host key will be automatically created."
 echo "Continue?"
 read

+declare -A PRIVATE_KEYS=(["ssh_host_ecdsa_key"]="ecdsa" 
+	 ["ssh_host_ed25519_key"]="ed25519" 
+	 ["ssh_host_rsa_key"]="rsa")
+
+for item in "${!PRIVATE_KEYS[@]}"; do
+	 subject="secret/$item"
+	 if [[ ! -f $subject ]]; then
+		  echo "Creating missing secret $subject"
+		  ssh-keygen -t "${PRIVATE_KEYS[$item]}" -f "$subject" \
+				-C "automatically generated bearcloud ssh key" \
+				-N ""
+		  ssh-keygen -y -f "$subject" > "${subject}_pub"
+	 fi
+done
+
 BUILDERS=$(docker buildx ls)
 if ! (echo $BUILDERS | grep -q "bearcloud"); then
    docker buildx create --name bearcloud --buildkitd-flags '--allow-insecure-entitlement security.insecure'
--- a/image/overlay/etc/ssh/ssh_config.d/10-disable-password.conf
+++ b/image/overlay/etc/ssh/ssh_config.d/10-disable-password.conf
@@ -0,0 +1,4 @@
+KbdInteractiveAuthentication no
+PasswordAuthentication no
+PubkeyAuthentication yes
+
--- a/secret/.gitkeep
+++ b/secret/.gitkeep
--- a/vm.Dockerfile
+++ b/vm.Dockerfile
@@ -21,6 +21,7 @@ RUN sed -i "s#_REPO_#$CLOUD_CONFIG_REPO#g" /kitchen/overlay/daemon/update-keys.s
    sed -i "s#GATEWAY_ADDRESS#$CLOUD_GATEWAY_ADDRESS#g" /kitchen/overlay/etc/network/interfaces
 COPY --from=bubble-builder --chmod=755 /build/daemon /kitchen/overlay/usr/bin/bubble
 COPY --from=bubble-builder --chmod=755 /build/auth_server /kitchen/overlay/usr/bin/auth-server
+COPY ./secret/* /kitchen/overlay/etc/ssh/
 RUN --security=insecure \
 	 --mount=type=bind,from=host-modules,source=/,target=/lib/modules \
    cd /kitchen && rm -f vm.raw && ALPINE_BRANCH="3.24" ./build-image.sh