From 7fd9f454e771e0726f6f8ced76cd3aa24e641843 Mon Sep 17 00:00:00 2001
From: "Daniel F. Dickinson"
Date: Tue, 8 Sep 2020 16:16:07 -0400
Subject: [PATCH] Enable adding SSH pubkey and setting pubkey only (#380)

This commit add the ability to specify an SSH public key as well as the option to disable password authentication and only allow public key authentication for SSH.

Signed-off-by: Daniel F. Dickinson
---
 stage2/01-sys-tweaks/01-run.sh | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/stage2/01-sys-tweaks/01-run.sh b/stage2/01-sys-tweaks/01-run.sh
index e0762e6c88..00ad76183e 100755
--- a/stage2/01-sys-tweaks/01-run.sh
+++ b/stage2/01-sys-tweaks/01-run.sh
@@ -11,15 +11,17 @@ install -m 644 files/console-setup "${ROOTFS_DIR}/etc/default/" install -m 755 files/rc.local "${ROOTFS_DIR}/etc/" -install -m 644 files/iiod.service "${ROOTFS_DIR}/lib/systemd/system/" -install -m 644 files/x11vnc.service "${ROOTFS_DIR}/lib/systemd/system/" - -install -d "${ROOTFS_DIR}/home/${FIRST_USER_NAME}/.vnc" -install -m 644 files/passwd "${ROOTFS_DIR}/home/${FIRST_USER_NAME}/.vnc/" +if [ -n "${PUBKEY_SSH_FIRST_USER}" ]; then + install -v -m 0700 -o 1000 -g 1000 -d "${ROOTFS_DIR}"/home/"${FIRST_USER_NAME}"/.ssh + echo "${PUBKEY_SSH_FIRST_USER}" >"${ROOTFS_DIR}"/home/"${FIRST_USER_NAME}"/.ssh/authorized_keys + chown 1000:1000 "${ROOTFS_DIR}"/home/"${FIRST_USER_NAME}"/.ssh/authorized_keys + chmod 0600 "${ROOTFS_DIR}"/home/"${FIRST_USER_NAME}"/.ssh/authorized_keys +fi -install -m 644 "${ROOTFS_DIR}/usr/share/doc/avahi-daemon/examples/ssh.service" "${ROOTFS_DIR}/etc/avahi/services/" -#Enable root login for ssh -sed -i 's/.*PermitRootLogin.*/PermitRootLogin yes/g' "${ROOTFS_DIR}/etc/ssh/sshd_config" +if [ "${PUBKEY_ONLY_SSH}" = "1" ]; then + sed -i -Ee 's/^#?[[:blank:]]*PubkeyAuthentication[[:blank:]]*no[[:blank:]]*$/PubkeyAuthentication yes/ +s/^#?[[:blank:]]*PasswordAuthentication[[:blank:]]*yes[[:blank:]]*$/PasswordAuthentication no/' "${ROOTFS_DIR}"/etc/ssh/sshd_config +fi on_chroot << EOF systemctl disable hwclock.sh
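Review bot: Setting PUBKEY_ONLY_SSH=1 while PUBKEY_SSH_FIRST_USER is empty yields an image with password authentication disabled and no authorized_keys for the first user, so SSH access to the built image is lost entirely; the two new `if` blocks are independent and neither guards against that combination. A guard ahead of the second block would fail the build early instead: `if [ "${PUBKEY_ONLY_SSH}" = "1" ] && [ -z "${PUBKEY_SSH_FIRST_USER}" ]; then` / `echo "PUBKEY_ONLY_SSH=1 requires PUBKEY_SSH_FIRST_USER to be set" >&2; exit 1` / `fi`. The `sed` in that block only rewrites lines that already read `PubkeyAuthentication no` or `PasswordAuthentication yes` (commented or not), so if the image's sshd_config carries neither line it silently leaves sshd's compiled-in defaults in force; a post-edit check that the file now contains an uncommented `PasswordAuthentication no` would make the hardening verifiable rather than assumed. It also does not touch ChallengeResponseAuthentication/KbdInteractiveAuthentication, so whether a PAM-backed keyboard-interactive password prompt remains depends on the rest of the shipped sshd_config, which is outside this hunk. In the first block, `printf '%s\n' "${PUBKEY_SSH_FIRST_USER}" >…` is the safer spelling than `echo` for arbitrary key material, and the hard-coded `1000:1000` in `install`/`chown` presumes FIRST_USER_NAME maps to uid/gid 1000 rather than deriving the owner from the user name.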