From 9811c81db1db0a25a0658822b4ee8acdac79893e Mon Sep 17 00:00:00 2001
From: Terry Moore <tmm@mcci.com>
Date: Sat, 20 Jan 2018 16:37:16 -0500
Subject: [PATCH] Add jumphost bootstrapping scripts

---
 roles/conduit/files/conduit-stage2          | 220 ++++++++++++++++++++
 roles/conduit/files/generate-conduit-stage1 | 102 +++++++++
 2 files changed, 322 insertions(+)
 create mode 100755 roles/conduit/files/conduit-stage2
 create mode 100755 roles/conduit/files/generate-conduit-stage1

diff --git a/roles/conduit/files/conduit-stage2 b/roles/conduit/files/conduit-stage2
new file mode 100755
index 0000000..613f4dd
--- /dev/null
+++ b/roles/conduit/files/conduit-stage2
@@ -0,0 +1,220 @@
+#!/bin/sh
+
+# second stage boot. Set up autossh on the jump host.
+# if I knew how to do it, I'd either use a template or have
+# smarter scheme for doing this.
+
+# safety check
+if [ ! -e /etc/mlinux-version ]; then
+   echo "Not running on mLinux" >&2
+   exit 1
+fi
+
+function _error {
+	echo "$*" 1>&2
+	exit 1
+}
+
+FIRSTUID=20000
+FIRSTKEEPALIVE=40000
+
+# check that JUMPHOST and JUMPADMIN are set
+if [ X"$JUMPHOST" = X ]; then
+	_error "JUMPHOST not defined -- see instructions"
+fi
+if [ X"$JUMPADMIN" = X ]; then
+	_error "JUMPADMIN not defined -- see instructions"
+fi
+if [ X"$JUMPPORT" = X ]; then
+	_error "JUMPPORT not defined -- see instructions"
+fi
+if [ X"$MYPREFIX" = X ]; then
+	_error "MYPREFIX not defined -- see instructions"
+fi
+
+# check that ssh_tunnel has been copied across
+if [ ! -f /tmp/ssh_tunnel.initd ]; then
+	_error "ssh_tunnel.initd not copied across"
+fi
+
+# get our mac address, and then our name
+ETHADDR=$(ifconfig eth0 | grep HWaddr | awk '{ print tolower($5) }' | tr : -)
+MYNAME="${MYPREFIX}-${ETHADDR}"
+MYGROUP="${MYPREFIX}-gateways"
+echo "MYNAME: ${MYNAME}"
+echo "MYGROUP: ${MYGROUP}"
+
+# check that we can connect to jumphost
+echo -n "Check basic connectivity..."
+ssh -p "$JUMPPORT" "$JUMPADMIN"@"$JUMPHOST" true ||
+	_error "Can't connect to $JUMPHOST as $JUMPADMIN"
+echo "OK"
+
+echo -n "Check sudo..."
+ssh -p "$JUMPPORT" "$JUMPADMIN"@"$JUMPHOST" -t sudo true ||
+	_error "Can't sudo on $JUMPHOST as $JUMPADMIN"
+echo "OK"
+
+# get the date right
+ntpdate -ub pool.ntp.org || _error "Couldn't set date/time"
+
+# get the mlinux version
+mlinux_version=$(cat /etc/mlinux-version | sed -n -e '/^mLinux/s/mLinux //p')
+
+# Fix version in opkg feeds config
+expr ${mlinux_version} : "3.3.[0-9]" && sed -i -e "s%/3.3/%/${mlinux_version}/%" /etc/opkg/mlinux-feed.conf
+
+if [ ! -d /var/config/ansible ]; then
+	mkdir -m 755 /var/config/ansible
+fi
+
+test -d /var/config/ansible && ln -s /var/config/ansible /etc/ansible
+
+
+# create our identity
+NEEDKEY=0
+if [ -f "${HOME}/.ssh/id_$MYNAME" -a -f "${HOME}/.ssh/id_${MYNAME}.pub" ]; then
+	true
+else
+	NEEDKEY=1
+fi
+
+if [ $NEEDKEY -eq 0 ]; then
+	IDOK=$(find "${HOME}/.ssh/id_$MYNAME" -perm 600)
+	if [ X"$IDOK" = X ]; then
+		_error "permissions wrong on ${HOME}/.ssh/id_$MYNAME"
+	fi
+else
+	echo "About to generate key; this may take some time"
+	ssh-keygen -f "${HOME}/.ssh/id_$MYNAME" -b 4096 -t rsa -N '' -C "$MYNAME" ||
+		_error "ssh-keygen failed"
+fi
+
+# create our user
+FOUNDUSER=0
+ssh -p "$JUMPPORT" "$JUMPADMIN"@"$JUMPHOST" \
+	grep -q "^$MYNAME:" /etc/passwd && FOUNDUSER=1
+FOUNDGROUP=0
+ssh -p "$JUMPPORT" "$JUMPADMIN"@"$JUMPHOST" \
+	grep -q "^$MYGROUP:" /etc/group && FOUNDGROUP=1
+
+if [ $FOUNDGROUP -eq 0 ]; then
+	echo "Creating group $MYGROUP"
+	ssh -p "$JUMPPORT" "$JUMPADMIN"@"$JUMPHOST" -t \
+		sudo groupadd "$MYGROUP" || \
+			_error "groupadd ${MYGROUP} failed"
+else
+	echo "Group already exists: $MYGROUP"
+fi
+
+if [ $FOUNDUSER -eq 0 ]; then
+echo "Creating $MYNAME"
+ssh -p "$JUMPPORT" "$JUMPADMIN"@"$JUMPHOST" -t \
+	sudo useradd --comment "$MYNAME" --password "*" \
+		--gid "${MYGROUP}" \
+		--no-user-group \
+		--create-home \
+		--key UID_MIN="${FIRSTUID}" "$MYNAME" || \
+			_error "useradd ${MYNAME} failed"
+else
+	echo "User already exists: $MYNAME"
+fi
+
+# copy ssh dir across
+echo "Creating .ssh dir"
+ssh -p "$JUMPPORT" "$JUMPADMIN"@"$JUMPHOST" -t \
+        sudo -u "$MYNAME" "sh -c '
+		cd &&
+		if [ ! -d .ssh ] ; then
+			mkdir -m 700 .ssh || exit 1 ;
+		fi'"
+if [ $? -ne 0 ]; then
+	_error "mkdir .ssh failed"
+fi
+
+# copy public key
+echo "Create authorized_keys"
+scp -P "$JUMPPORT" -p "${HOME}/.ssh/id_${MYNAME}.pub" "$JUMPADMIN"@"$JUMPHOST":"~/id_${MYNAME}.pub" || \
+		_error "can't create ~/id_${MYNAME}.pub"
+scp -P "$JUMPPORT" -p /etc/ssh/ssh_host_rsa_key.pub "$JUMPADMIN"@"$JUMPHOST":"~/id_${MYNAME}_host_rsa_key.pub" || \
+		_error "can't create ~/id_${MYNAME}_host_rsa_key.pub"
+
+echo "Move public keys"
+ssh -p "$JUMPPORT" "$JUMPADMIN"@"$JUMPHOST" -t \
+	sudo mv "id_${MYNAME}*.pub" "~$MYNAME/.ssh" || \
+		_error "can't move public keys"
+
+echo "Create authorized_keys"
+ssh -p "$JUMPPORT" "$JUMPADMIN"@"$JUMPHOST" -t \
+	sudo sh -c \'"cat ~${MYNAME}/.ssh/id_${MYNAME}*.pub >~${MYNAME}/.ssh/authorized_keys"\' || \
+		_error "can't create authorized_keys"
+
+echo "Change ownership of authorized_keys"
+ssh -p "$JUMPPORT" "$JUMPADMIN"@"$JUMPHOST" -t \
+	sudo chown "$MYNAME" "~$MYNAME/.ssh/authorized_keys" || \
+		_error "can't chown authorized_keys"
+
+echo "Change permissions on authorized_keys"
+ssh -p "$JUMPPORT" "$JUMPADMIN"@"$JUMPHOST" -t \
+	sudo chmod 600 "~$MYNAME/.ssh/authorized_keys" || \
+		_error "can't chmod authorized_keys"
+
+# test that we can now log in
+echo sh -i ".ssh/id_${MYNAME}" -o IdentitiesOnly=yes -p "$JUMPPORT" "$MYNAME"@"$JUMPHOST" true
+ssh -i ".ssh/id_${MYNAME}" -o IdentitiesOnly=yes -p "$JUMPPORT" "$MYNAME"@"$JUMPHOST" true ||
+	_error "can't login as $MYNAME"
+
+# get our ID
+JUMPUID=$(ssh -i ".ssh/id_${MYNAME}" -o IdentitiesOnly=yes -p "$JUMPPORT" "$MYNAME"@"$JUMPHOST" id -u)
+
+if [ X"$JUMPUID" = X ]; then
+	_error "Can't get JUMPUID"
+fi
+
+KEEPALIVE=$(expr '(' "$JUMPUID" - "$FIRSTUID" ')' '*' 2 + "$FIRSTKEEPALIVE")
+echo "JUMPUID: ${JUMPUID}"
+echo "KEEPALIVE: ${KEEPALIVE}"
+
+# finally, set up the parameters for the ssh setup
+echo "Set up ssh tunnel"
+cat << EOF > /etc/default/ssh_tunnel
+DAEMON=/usr/bin/autossh
+LOCAL_PORT=22
+REMOTE_HOST="$JUMPHOST"
+REMOTE_USER="$MYNAME"
+REMOTE_PORT="$JUMPUID"
+SSH_KEY="$HOME/.ssh/id_${MYNAME}"
+SSH_PORT=22
+DAEMON_ARGS="-f -M ${KEEPALIVE} -o ServerAliveInterval=30 -i ${HOME}/.ssh/id_${MYNAME}"
+EOF
+
+chmod 755 /etc/default/ssh_tunnel || _error "can't chmod defaults"
+chown root.root /etc/default/ssh_tunnel || _error "can't chown defaults"
+
+# update the ssh_tunnel script
+cat /tmp/ssh_tunnel.initd > /etc/init.d/ssh_tunnel	|| _error "can't create ssh_tunnel"
+chmod 755 /etc/init.d/ssh_tunnel		|| _error "can't chmod ssh_tunnel"
+chown root.root /etc/init.d/ssh_tunnel		|| _error "can't chown ssh_tunnel"
+
+echo -n "Press enter to restart daemon: "
+read JUNK
+/etc/init.d/ssh_tunnel restart 			|| _error "can't restart ssh_tunnel"
+
+echo "
+************
+* Success! *
+************
+
+You can now connect to this gateway using the command:
+
+   ssh -tA $JUMPADMIN@$JUMPHOST ssh -A -p $JUMPUID root@localhost
+
+Don't forget to update host_vars/${MYNAME}.yaml to set these values:
+
+   ssh_tunnel_remote_port: $JUMPUID
+   ssh_tunnel_keepalive_base_port: $KEEPALIVE
+"
+
+rm -f "$0"
+exit 0
+
diff --git a/roles/conduit/files/generate-conduit-stage1 b/roles/conduit/files/generate-conduit-stage1
new file mode 100755
index 0000000..4ed2115
--- /dev/null
+++ b/roles/conduit/files/generate-conduit-stage1
@@ -0,0 +1,102 @@
+#!/bin/sh
+
+HERE=$(dirname $0)
+TEMPLATES=$HERE/../templates
+
+if [ $# -eq 0 ]; then
+    set -- $HERE/authorized_keys
+fi
+
+#### emit the first part of the file.
+cat << _EOF_
+#!/bin/sh
+
+# generated by $(realpath $0)
+# cut/paste this file into a file on the Conduit, and then run it.
+
+_EOF_
+
+cat << '_EOF_'
+# safety check
+if [ ! -e /etc/mlinux-version ]; then
+   echo "Not running on mLinux" >&2
+   exit 1
+fi
+
+mlinux_version=$(cat /etc/mlinux-version | sed -n -e '/^mLinux/s/mLinux //p')
+
+if [ ! -e "${HOME}/.ssh" ]; then
+   mkdir -p "${HOME}/.ssh"
+   chmod 700 "${HOME}/.ssh"
+fi
+
+cat << 'EOF' > "${HOME}/.ssh/authorized_keys"
+_EOF_
+
+### insert the authorized keys
+for keyfile in "$@" ; do
+  if [ ! -f "$keyfile" ]; then
+    echo "unable to read: $keyfile" 1>&2
+    exit 1
+  fi
+done
+
+for keyfile in "$@" ; do
+  cat "$keyfile"
+done
+
+### finish the copy and go on 
+cat << '_EOF_'
+EOF
+
+### disable password login
+if [ ! -f /etc/ssh/sshd_config.orig ]; then
+	cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
+fi
+cat << 'EOF' > /etc/ssh/sshd_config
+# generated...
+Protocol 2
+# UsePAM yes
+UsePrivilegeSeparation yes
+Compression no
+ClientAliveInterval 15
+ClientAliveCountMax 4
+Subsystem       sftp    /usr/lib/openssh/sftp-server
+PasswordAuthentication no
+UsePAM no
+PermitEmptyPasswords no
+EOF
+
+/etc/init.d/sshd restart || { echo "failed to restart sshd" 1>&2 ; exit 1; }
+
+### set device for DHCP
+if [ ! -f /etc/network/interfaces.orig ]; then
+	cp -p /etc/network/interfaces /etc/network/interfaces.orig
+fi
+cat << 'EOF' > /etc/network/interfaces
+# Wired interface
+auto eth0
+iface eth0 inet dhcp 
+post-up ifconfig eth0 mtu 1100
+EOF
+
+echo 'All set: press enter to enable DHCP'
+read JUNK
+ifdown eth0
+ifup eth0
+
+sleep 3
+echo 'checking ping'
+ping -c 4 -n 8.8.8.8
+
+echo '
+if ping succeeded, you'\''re ready to proceed by logging in from the
+remote test system with ssh. Check the IP address from the ifconfig output
+below...
+'
+ifconfig eth0
+
+exit 0
+_EOF_
+
+exit 0