Tweak how ssh user is copied in usr/share/rear/rescue/default/500_ssh.sh #1489
Seems OK, could be improved to make it more consistent with the other recent developments.
I also noticed that we check for $1$ in the ssh password which is probably not working any more. Probably better to check for $?$ or so to catch all encryption formats.
@@ -24,10 +24,14 @@ if has_binary sshd; then | |||
Log "Adding required libfreeblpriv3.so to LIBS" | |||
|
|||
# copy ssh user | |||
if PASSWD_SSH=$(grep ssh /etc/passwd) ; then | |||
PASSWD_SSH=$(getent passwd ssh sshd) |
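Review bot: `getent passwd ssh sshd` looks up two keys, so `$PASSWD_SSH` can now hold two lines, and the `if ... ; then` guard of the removed `grep` line has no counterpart in the visible new line; make sure the empty-result case is still skipped, because a `read` from an empty string leaves `$user` empty and the later per-user steps would run on it. Note also that getent exits 2 when any one of the listed keys is missing, so `if PASSWD_SSH=$(getent passwd ssh sshd)` would be false on a host that has only `sshd`; test for a non-empty `$PASSWD_SSH` instead, and add a comment saying that only the first returned entry is used.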
Can it happen that you get two entries back? Will the code still work?
As far as I see the
IFS=: read user ex uid gid gecos homedir junk <<<"$PASSWD_SSH"
ensures that only the first "getent passwd ssh sshd" entry gets actually used.
@N3WWN
perhaps an explanatory comment why it works if "getent passwd ssh sshd" results in two entries could avoid future doubts.
@jsmeix
Explanatory comment added as well as searching for 'sshd' account before 'ssh' account.
I can't provide any examples where the account is named 'ssh', but that's what ReaR was looking for previously. Instead of breaking the account search for distros that I'm not familiar with by changing 'ssh' to 'sshd', I search for 'sshd' (which is the username on every system that I've checked) first and then ssh.
This also allows this code to work on systems that have 'sshd' as the system account and a non-system or secondary 'ssh' account.
IFS=: read user ex uid gid gecos homedir junk <<<"$PASSWD_SSH" | ||
# skip if this user exists already in the restore system | ||
if ! egrep -q "^$user:" $TARGET_FS_ROOT/etc/passwd ; then |
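Review bot: the `$user` tested by `egrep -q "^$user:" $TARGET_FS_ROOT/etc/passwd` comes from the first line of `$PASSWD_SSH` only, so when the lookup returned nothing `$user` is empty, the pattern `^:` matches no line, and the branch goes on to add a nameless user; add a `[ -n "$user" ]` check (or test `$PASSWD_SSH` before the `read`). Also quote `"$TARGET_FS_ROOT/etc/passwd"`, and since the pattern uses no ERE syntax a plain `grep -q` is enough (`egrep` is deprecated).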
Why not add it to CLONE_USERS similar to the ssh group?
I think the purpose of this 500_ssh.sh script should be kept separated from the CLONE_USERS functionality, what I call "KSIS" Keep Separated Issues Separated (cf. RFC 1925 item 5 ;-)
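The two points raised in the review above, that "getent passwd ssh sshd" can return two entries of which the "IFS=: read" line uses only the first, and that the "skip if this user exists already" check should not run on an empty name, as an added example. This is not code from ReaR's 500_ssh.sh; the passwd data is constructed, lookup_passwd is a hypothetical helper standing in for getent so the example runs offline, and a here-document replaces the bash-only here-string so it also runs under plain sh:

```shell
#!/bin/sh
# Added example, not code from ReaR's 500_ssh.sh: shows what the script's
# 'getent passwd ... / IFS=: read ...' idiom does when the lookup returns two
# entries, and adds the empty-result guard. All sample data is constructed.

# Constructed stand-in for /etc/passwd on the system being backed up: it has the
# usual 'sshd' system account and a secondary, unrelated 'ssh' account.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ssh:x:1001:1001:Secondary ssh account:/home/ssh:/bin/bash'

# Constructed stand-in for "$TARGET_FS_ROOT/etc/passwd" on the restored system.
SAMPLE_TARGET_PASSWD='root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin'

# Hypothetical helper emulating 'getent passwd KEY...' on the constructed data:
# one line per key that exists, printed in the order the keys were given,
# nothing for a key that is absent.  Usage: lookup_passwd "$SAMPLE_PASSWD" sshd ssh
lookup_passwd() {
    db=$1
    shift
    for key in "$@"; do
        printf '%s\n' "$db" | awk -F: -v k="$key" '$1 == k'
    done
}

# Extract the user name the way the script does with
#     IFS=: read user ex uid gid gecos homedir junk <<<"$PASSWD_SSH"
# 'read' consumes exactly one line, so a second entry is silently ignored.
# A here-document replaces the bash-only here-string so this also runs in sh.
first_entry_user() {
    IFS=: read -r user ex uid gid gecos homedir junk <<EOF
$1
EOF
    printf '%s\n' "$user"
}

# The skip check from the script, plus the guard the script's version lacks:
# an empty name (nothing found by the lookup) must not be treated as a new user.
# Returns 0 when the user should be added to the target system, 1 to skip.
should_add_user() {
    user=$1
    target_passwd=$2
    [ -n "$user" ] || return 1
    if printf '%s\n' "$target_passwd" | grep -q "^$user:"; then
        return 1        # already present in the restored system
    fi
    return 0
}

# Demo: querying 'sshd' before 'ssh' returns two lines, only 'sshd' is used,
# and because 'sshd' already exists in the target nothing would be added.
# With the keys the other way round the secondary 'ssh' account wins instead.
for order in "sshd ssh" "ssh sshd"; do
    entries=$(lookup_passwd "$SAMPLE_PASSWD" $order)
    name=$(first_entry_user "$entries")
    if should_add_user "$name" "$SAMPLE_TARGET_PASSWD"; then
        printf 'keys "%s": would add user %s\n' "$order" "$name"
    else
        printf 'keys "%s": skip user %s\n' "$order" "${name:-<none>}"
    fi
done
```

The order of the keys decides which account is copied, which is why the later version of the PR queries 'sshd' before 'ssh'; the empty-name guard is what keeps a host without either account from producing a bogus passwd entry.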
…ssh user. Include comments on what happens if getent returns more than one entry.
@schlomo in ... we check for $1$ in the ssh password which is probably not working any more. Probably better to check for $?$ or so to catch all encryption formats. I am afraid I do not understand what that means. ...:$2y$... ...:$2a$... so that neither '$1$' nor '$?$' seem to match - but I could be
@jsmeix From crypt(3):
If we have extglob enabled (i.e.
I don't see any format restrictions, but going off of what we know (single digit or single digit+single char), I tested the following successfully:
This may not adhere to the coding standards of the project as I just whipped up this test, but it may serve as a good start. We could add a comment directing folks to check out the crypt(3) man page, too.
@N3WWN If you like, could you do another pull request to enhance it
@N3WWN
$ find usr/sbin/rear usr/share/rear/ | xargs grep 'extglob'
usr/sbin/rear:# The extglob shell option enables several extended pattern matching operators.
usr/sbin/rear:shopt -s nullglob extglob
i.e. ReaR has extglob enabled
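The point of the crypt(3) discussion above is that a literal '$1$' only recognises MD5-crypt, while current systems use '$5$', '$6$', '$2y$' or '$y$'. The following is an added example, not code from ReaR or from the PR, that classifies a password field by its crypt(3) prefix; it uses POSIX parameter expansion instead of an extglob pattern so it runs under plain sh as well as bash, and the hash bodies in the demo are constructed placeholders, not real hashes:

```shell
#!/bin/sh
# Added example, not ReaR's code: classify a passwd/shadow password field by
# its crypt(3) prefix, which is what a check for '$1$' only does for MD5 hashes.
# POSIX parameter expansion is used instead of a bash extglob pattern, so it
# runs under plain sh as well as under bash with extglob enabled.

# Print the crypt(3) hash id of a password field: "1" for $1$ (MD5), "2a",
# "2b" or "2y" for bcrypt, "5" for SHA-256, "6" for SHA-512, "y" for yescrypt.
# Non-hash fields yield a descriptive word instead: "empty" for "", "shadow" for
# "x" (the hash lives in /etc/shadow), "locked" for a leading '!' or '*' (even
# when a hash follows, password login is disabled), "other" for anything else.
crypt_hash_id() {
    field=$1
    case $field in
        '')           printf 'empty\n' ;;
        x)            printf 'shadow\n' ;;
        '!'*|'*'*)    printf 'locked\n' ;;
        '$'*'$'*)
            rest=${field#\$}          # drop the leading '$'
            id=${rest%%\$*}           # keep the text up to the next '$'
            if [ -n "$id" ]; then printf '%s\n' "$id"; else printf 'other\n'; fi
            ;;
        *)            printf 'other\n' ;;
    esac
}

# Return 0 when the field holds a crypt(3) hash of any format, 1 otherwise.
# This is the general replacement for testing the field against a literal '$1$'.
is_crypt_hash() {
    case $(crypt_hash_id "$1") in
        empty|shadow|locked|other) return 1 ;;
        *)                         return 0 ;;
    esac
}

# Demo over constructed fields (the hash bodies are placeholders, not real hashes).
for field in '$1$saltsalt$md5hashhash' '$6$saltsalt$sha512hashhash' \
             '$2y$10$bcrypthashhash' '$y$j9T$yescrypthash' '!$6$locked' x ''; do
    if is_crypt_hash "$field"; then
        printf '%-32s hash id %s\n' "$field" "$(crypt_hash_id "$field")"
    else
        printf '%-32s no hash (%s)\n' "$field" "$(crypt_hash_id "$field")"
    fi
done
```

Treating a leading '!' as "locked" rather than as a hash matters for a rescue system: such an account should keep its locked state when it is copied, regardless of the hash format that follows the marker.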
This PR was originally included in my YUM PR, but at the request of @jsmeix, I pulled it out and am submitting it separately.
In my testing, I would see multiple passwd entries created if the string 'ssh' occurred in more than just the sshd daemon user's entry. While this didn't actually break anything, these tweaks should make it cleaner.