1. Forum
  2. Usenet
  3. LINUX.DEBIAN.DEVEL

  • Is it possible to customise the d-i just to add an ssh authorized key f

    From PICCA Frederic-Emmanuel@21:1/5 to All on Fri Jan 24 10:00:03 2025
    Hello, I would like to customize the debian-installer in order to allow root access once installed via an authorize key.

    so I need to put something like this in the /root/.ssh/ during the installation

    echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDGkFpSsCIGpAJtsH4TWHCatHMkdGMS/PTG2M/7xeWz6Syw/JUrZPc/5bRC9H5+bikrhotZOidC+lafzGFHGmHzpq7+rXrd5Np3uHH6U+Y0O7mUeU0CVhCpkIr2ggk4Bw7K79/d6fsPXZi2h+JAZ9cBaI6ob5K6e70Ljj3REZRh7LXBVIAd1hmMPEESb5xll1MHvB/7Qn6r6uupcOY/
    pC/LH+ZPUaqvwXGrSltFjJoeFEW8H05uYkuZta5vBG/owdLjRt6v7h3tnINsMV4S0uKNQNz6022xAptn1FY1WQ0F1y738hTNoikITty//MB3HW3uQEpw4sXN7tEGqQtHrbMkPfcwb+KMISXYlHPaBt9ik4fWnt55U1IzXr5s/ErT6/ZCG2iPfnffuHnCVMujrUu+KcnHtF7Ux50N1QxR7+EiT6WxRDW3S6Vz0MQ6jTZdy/
    YryKYZtGnriFb2RwRu9Y7Df+VYfj4nKrnF3JQF9yipBLcUhpliNvByvoh7eTE8iWuVlp3GkdHotEq4okH88TtUG5DBbddGHoGpxnzi8R4sn+YvFTybywwhKgMQh0ueJ26j326AgujBDlvL3Hf6Satz/EDmwjStWGSwWQAcy+W+gfNAuRfHpyYHKDGPIJLzMfuf0vx0KLL0C55x7I4cGqOIT22RXLhhf9NFHNDi4Q== cardno:000500001073"
    /root/.ssh/authorized_keys

    Is it a feature provided by d-i ?

    thanks

    Frederic

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Colin Watson@21:1/5 to PICCA Frederic-Emmanuel on Fri Jan 24 13:10:01 2025
    On Fri, Jan 24, 2025 at 09:40:50AM +0100, PICCA Frederic-Emmanuel wrote:
    Hello, I would like to customize the debian-installer in order to allow root access once installed via an authorize key.

    so I need to put something like this in the /root/.ssh/ during the installation

    echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDGkFpSsCIGpAJtsH4TWHCatHMkdGMS/PTG2M/7xeWz6Syw/JUrZPc/5bRC9H5+bikrhotZOidC+lafzGFHGmHzpq7+rXrd5Np3uHH6U+Y0O7mUeU0CVhCpkIr2ggk4Bw7K79/d6fsPXZi2h+JAZ9cBaI6ob5K6e70Ljj3REZRh7LXBVIAd1hmMPEESb5xll1MHvB/
    7Qn6r6uupcOY/pC/LH+ZPUaqvwXGrSltFjJoeFEW8H05uYkuZta5vBG/owdLjRt6v7h3tnINsMV4S0uKNQNz6022xAptn1FY1WQ0F1y738hTNoikITty//MB3HW3uQEpw4sXN7tEGqQtHrbMkPfcwb+KMISXYlHPaBt9ik4fWnt55U1IzXr5s/ErT6/ZCG2iPfnffuHnCVMujrUu+KcnHtF7Ux50N1QxR7+EiT6WxRDW3S6Vz0MQ6jTZdy/
    YryKYZtGnriFb2RwRu9Y7Df+VYfj4nKrnF3JQF9yipBLcUhpliNvByvoh7eTE8iWuVlp3GkdHotEq4okH88TtUG5DBbddGHoGpxnzi8R4sn+YvFTybywwhKgMQh0ueJ26j326AgujBDlvL3Hf6Satz/EDmwjStWGSwWQAcy+W+gfNAuRfHpyYHKDGPIJLzMfuf0vx0KLL0C55x7I4cGqOIT22RXLhhf9NFHNDi4Q== cardno:000500001073"
    /root/.ssh/authorized_keys

    Is it a feature provided by d-i ?

    You can do this with preseed/late_command (https://www.debian.org/releases/bookworm/amd64/apbs05.en.html#preseed-hooks, and see https://www.debian.org/releases/bookworm/amd64/apb.en.html for
    general advice on preseeding if you haven't used it before). Something
    like this should work:

    d-i preseed/late_command string mkdir -p /target/root/.ssh; echo 'ssh-rsa ...' >/target/root/.ssh/authorized_keys

    --
    Colin Watson (he/him) [[email protected]]

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Emanuele Rocca@21:1/5 to Colin Watson on Fri Jan 24 14:40:01 2025
    On 2025-01-24 12:08, Colin Watson wrote:
    You can do this with preseed/late_command (https://www.debian.org/releases/bookworm/amd64/apbs05.en.html#preseed-hooks, and see https://www.debian.org/releases/bookworm/amd64/apb.en.html for general advice on preseeding if you haven't used it before). Something
    like this should work:

    d-i preseed/late_command string mkdir -p /target/root/.ssh; echo 'ssh-rsa ...' >/target/root/.ssh/authorized_keys

    An easy way to do that with preseeding, assuming your setup has network connectivity, is adding the string Colin mentioned to a file such as https://example.org/preseed.txt and then appending the following to your
    kernel arguments when booting the installer:

    preseed/url=https://example.org/preseed.txt

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Philip Hands@21:1/5 to Colin Watson on Fri Jan 24 16:10:02 2025
    Colin Watson <[email protected]> writes:

    On Fri, Jan 24, 2025 at 09:40:50AM +0100, PICCA Frederic-Emmanuel wrote:
    Hello, I would like to customize the debian-installer in order to allow root access once installed via an authorize key.

    so I need to put something like this in the /root/.ssh/ during the installation

    echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDGkFpSsCIGpAJtsH4TWHCatHMkdGMS/PTG2M/7xeWz6Syw/JUrZPc/5bRC9H5+bikrhotZOidC+lafzGFHGmHzpq7+rXrd5Np3uHH6U+Y0O7mUeU0CVhCpkIr2ggk4Bw7K79/d6fsPXZi2h+JAZ9cBaI6ob5K6e70Ljj3REZRh7LXBVIAd1hmMPEESb5xll1MHvB/
    7Qn6r6uupcOY/pC/LH+ZPUaqvwXGrSltFjJoeFEW8H05uYkuZta5vBG/owdLjRt6v7h3tnINsMV4S0uKNQNz6022xAptn1FY1WQ0F1y738hTNoikITty//MB3HW3uQEpw4sXN7tEGqQtHrbMkPfcwb+KMISXYlHPaBt9ik4fWnt55U1IzXr5s/ErT6/ZCG2iPfnffuHnCVMujrUu+KcnHtF7Ux50N1QxR7+EiT6WxRDW3S6Vz0MQ6jTZdy/
    YryKYZtGnriFb2RwRu9Y7Df+VYfj4nKrnF3JQF9yipBLcUhpliNvByvoh7eTE8iWuVlp3GkdHotEq4okH88TtUG5DBbddGHoGpxnzi8R4sn+YvFTybywwhKgMQh0ueJ26j326AgujBDlvL3Hf6Satz/EDmwjStWGSwWQAcy+W+gfNAuRfHpyYHKDGPIJLzMfuf0vx0KLL0C55x7I4cGqOIT22RXLhhf9NFHNDi4Q== cardno:000500001073"
    /root/.ssh/authorized_keys

    Is it a feature provided by d-i ?

    You can do this with preseed/late_command (https://www.debian.org/releases/bookworm/amd64/apbs05.en.html#preseed-hooks, and see https://www.debian.org/releases/bookworm/amd64/apb.en.html for general advice on preseeding if you haven't used it before). Something
    like this should work:

    d-i preseed/late_command string mkdir -p /target/root/.ssh; echo 'ssh-rsa ...' >/target/root/.ssh/authorized_keys

    If setting one ssh key is the only thing you want to tweak, then as
    Colin says, the late_command is the way to go.

    If you want to do more complicated things, especially if you have
    multiple sets of machines that need different settings applied and/or
    different keys preinstalled, then you might want to have a look at:

    https://hands.com/d-i/

    which lets you specify which keys should be installed to which users,
    and set the local passwords etc.

    For example, here's a site-local default that can be (overridden based on domainname, hostname, or pretty-much any other criterion you like):

    https://hands.com/d-i/preseed/local/_users/default

    with the keys being installed from the sshkeys.* files here:

    https://hands.com/d-i/preseed/local/_users/

    and if the machine happens to be told via DNS that it's called 'nimble'
    on one of my test networks, then instead it'll get these settings:

    https://hands.com/d-i/preseed/local/_users/_hostname/hk.hands.com/nimble

    HTH

    BTW I'm happy to answer questions about how that all works, if you think
    it's worth a try for your usage.

    Cheers, Phil.
    --
    Philip Hands -- https://hands.com/~phil

    --=-=-Content-Type: application/pgp-signature; name="signature.asc"

    -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCgAdFiEE3/FBWs4yJ/zyBwfW0EujoAEl1cAFAmeTqv0ACgkQ0EujoAEl 1cCbFw//WM9y1CeiNkgnoH5SWa/DwOL70X+tydU6dqyARb530j8l7BsgOw/XMxmg UfjUEkcUsqvu5TeIIyibKwKH0nsfKpSo/42xl6vNK4V20L6xbvNlLGxMNCRY1zTL SUEs1uBNKqLP3KwNwBlrZW0c47/vBQeg9b/aK75L0+/MHD1n2ZdXF2Cq6lzdcCWG w/lUMBkcs0b5CTaxgg8VdxK2DtMBwHSGbr/kG0hN7jfs097JHRkW17aY9hYoTupr lozxE02eneOiBUQYgslwasRGZLlfnuTYzx3E8mU+lKzmqKiMvdP5DRm2fuLnsC9u bo7nKjWn9Qp1rYv6qqis6fBua4g6rUC9kMZVtv2itTHTtpVtpKU242Q5HDdDtaP3 afpG0Hr8uMVWIVW42WSQHwLCZPAtwnHeKw2i11hx8wKo06yRIo3lnsJxFCDUvVWg eVs7ysag3zENSB1JRPlRPw3b+9CvRbkGoTYJShJzfTPQ/F9efQIRbup6sm3IoBjF B23mOhTMjM2UXKzlW+l3AYdGzmxjI12WQNzdZkWFzXOtGEpsiaefhDxWp/Pe8Gwq L5mX8tzHK2QEHBSL/+4fZCFA2hQeYCJyTRGj7gEdQv3sv4j5H9+B5RIBS/3zQxDQ M1Roh54wMEHspJEqpr9RMMnEg0F2S3CIUK81LryeYGOnSYKMv40=9I8r
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gatewa
  • From Philip Hands@21:1/5 to Emanuele Rocca on Fri Jan 24 16:40:01 2025
    Emanuele Rocca <[email protected]> writes:

    On 2025-01-24 12:08, Colin Watson wrote:
    You can do this with preseed/late_command
    (https://www.debian.org/releases/bookworm/amd64/apbs05.en.html#preseed-hooks,
    and see https://www.debian.org/releases/bookworm/amd64/apb.en.html for
    general advice on preseeding if you haven't used it before). Something
    like this should work:

    d-i preseed/late_command string mkdir -p /target/root/.ssh; echo 'ssh-rsa ...' >/target/root/.ssh/authorized_keys

    An easy way to do that with preseeding, assuming your setup has network connectivity, is adding the string Colin mentioned to a file such as https://example.org/preseed.txt and then appending the following to your kernel arguments when booting the installer:

    preseed/url=https://example.org/preseed.txt

    You can get away with just `url=` there, since `url` is an alias[1] for
    the `preseed/url` setting.

    Also, if you put the preseed file in the right place[2], you can actually
    get away with something like:

    url=autoserver

    which is nice if you're having to type things by hand.

    Cheers, Phil.

    [1] https://d-i.debian.org/manual/en.amd64/apbs02.html#preseed-aliases
    [2] https://d-i.debian.org/manual/en.amd64/apbs02.html#preseed-auto
    --
    Philip Hands -- https://hands.com/~phil

    --=-=-Content-Type: application/pgp-signature; name="signature.asc"

    -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCgAdFiEE3/FBWs4yJ/zyBwfW0EujoAEl1cAFAmeTsk0ACgkQ0EujoAEl 1cAZsRAAmgBbGfC/JA814jdwts4dbKTlRggX7KhErOSmyEJSW5hDqNfy8FlJK3gW KJEl4PCESolglLw3rZmxQcEP0UP9se5HlLbzRtLbDyE4ivOmnQfPibLoEGOSt4w1 MrDvGGsziRCTbWihJg3FdDiqX8l02orKNvkaU3OQZNF52cgwGlbkv6nZPp6KBEqg 1GKSiwCRwVoIG/2D/YmFOSrFkqkZsZpmLzNI9HMbe/8uQm8ttJz69lRNquIsuOTA EwPGofpAFN8Cjok3gwmH+IYDgCPKXiBeBbz3UTMaYHsLIFX4lXugFaYjkQL0z8s9 rQ7EvrKxCkAUajDBQzHclfMtLHF/ITU46VRJfMR6oR3zNWGR53rugHQ1EQKzvMzq 0U6pVr29iI4wc/RpJ91FP91jsHXDhbIqZlmmQm9ySsWaPQNm1SZRnm+wvkd+Kqhq 8hYHzTyucCNAxNs+tdGfT8BU/e+GsfNyvQLD03N1R3Swb+3MqD2udAWAHB9J4tUX /FbTr6y2z+w8o+U6d7GDjdrSKNpFH7Kqd/vpzrvMnBtZ7vAu1CrU10xlKGsLfz9P SrXV9R7aEMF0YeRFI1OryMf9jxXBHihvOZ2uCM2CxyTgb2qQtpluYn7RyGWhdldY FKYmyDtcoPezmQORzmTovIKAVn1kO+fqyfWDGclzyZaxUfr0NZQ=EJ0n
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gatewa