100 lines
3.3 KiB
Bash
Executable File
100 lines
3.3 KiB
Bash
Executable File
#!/bin/bash
|
|
#
|
|
# setup-ssh.sh - Configure SSH so any user gets the toes CLI
|
|
#
|
|
# This script:
|
|
# 1. Compiles and installs the NSS module
|
|
# 2. Adds "toes" to nsswitch.conf passwd line
|
|
# 3. Configures PAM to accept any password (home network appliance)
|
|
# 4. Ensures PasswordAuthentication is enabled in sshd
|
|
# 5. Adds /usr/local/bin/toes to /etc/shells
|
|
# 6. Restarts sshd
|
|
#
|
|
# Run as root on the toes machine.
|
|
|
|
set -euo pipefail
|
|
|
|
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
|
|
|
|
echo "==> Setting up SSH auto-CLI for toes"
|
|
|
|
# 1. Compile and install NSS module
|
|
echo " Compiling NSS module..."
|
|
gcc -shared -o /tmp/libnss_toes.so.2 "$SCRIPT_DIR/nss/libnss_toes.c" -fPIC
|
|
cp /tmp/libnss_toes.so.2 /lib/
|
|
ldconfig
|
|
echo " Installed libnss_toes.so.2"
|
|
|
|
# 2. Add toes to nsswitch.conf
|
|
if ! grep -q 'passwd:.*toes' /etc/nsswitch.conf; then
|
|
sed -i 's/^passwd:.*/& toes/' /etc/nsswitch.conf
|
|
echo " Added toes to nsswitch.conf"
|
|
else
|
|
echo " nsswitch.conf already configured"
|
|
fi
|
|
|
|
# 3. Configure PAM - accept any password for SSH
|
|
if ! grep -q 'pam_permit.so.*# toes' /etc/pam.d/sshd; then
|
|
# Comment out existing auth and replace with pam_permit
|
|
sed -i '/^@include common-auth/s/^/# /' /etc/pam.d/sshd
|
|
sed -i '/^auth/s/^/# /' /etc/pam.d/sshd
|
|
# Add pam_permit after the commented lines
|
|
echo 'auth sufficient pam_permit.so # toes' >> /etc/pam.d/sshd
|
|
echo " Configured PAM for passwordless SSH"
|
|
else
|
|
echo " PAM already configured"
|
|
fi
|
|
|
|
# 4. Ensure PasswordAuthentication yes in sshd_config
|
|
SSHD_CONFIG="/etc/ssh/sshd_config"
|
|
if grep -q '^PasswordAuthentication no' "$SSHD_CONFIG"; then
|
|
sed -i 's/^PasswordAuthentication no/PasswordAuthentication yes/' "$SSHD_CONFIG"
|
|
echo " Enabled PasswordAuthentication"
|
|
elif grep -q '^#PasswordAuthentication' "$SSHD_CONFIG"; then
|
|
sed -i 's/^#PasswordAuthentication.*/PasswordAuthentication yes/' "$SSHD_CONFIG"
|
|
echo " Enabled PasswordAuthentication"
|
|
elif ! grep -q '^PasswordAuthentication yes' "$SSHD_CONFIG"; then
|
|
echo 'PasswordAuthentication yes' >> "$SSHD_CONFIG"
|
|
echo " Added PasswordAuthentication yes"
|
|
else
|
|
echo " PasswordAuthentication already enabled"
|
|
fi
|
|
|
|
# 5. Ensure /usr/local/bin/toes is in /etc/shells
|
|
TOES_SHELL="/usr/local/bin/toes"
|
|
if ! grep -q "^${TOES_SHELL}$" /etc/shells; then
|
|
echo "$TOES_SHELL" >> /etc/shells
|
|
echo " Added $TOES_SHELL to /etc/shells"
|
|
else
|
|
echo " $TOES_SHELL already in /etc/shells"
|
|
fi
|
|
|
|
# Ensure the toes binary exists (symlink to bun entry point)
|
|
if [ ! -f "$TOES_SHELL" ]; then
|
|
echo " WARNING: $TOES_SHELL does not exist yet"
|
|
echo " Create it with: ln -sf /path/to/toes/cli $TOES_SHELL"
|
|
fi
|
|
|
|
# Create toes-cli system user for guest SSH sessions
|
|
if ! id toes-cli &>/dev/null; then
|
|
useradd --system --uid 3001 --home-dir /home/toes-cli --shell /usr/local/bin/toes --create-home toes-cli
|
|
echo " Created toes-cli user"
|
|
else
|
|
echo " toes-cli user already exists"
|
|
fi
|
|
|
|
# Ensure /home/toes-cli exists for guest sessions
|
|
if [ ! -d /home/toes-cli ]; then
|
|
mkdir -p /home/toes-cli
|
|
chmod 755 /home/toes-cli
|
|
echo " Created /home/toes-cli"
|
|
fi
|
|
|
|
# 6. Restart sshd
|
|
echo " Restarting sshd..."
|
|
systemctl restart sshd || service ssh restart || true
|
|
|
|
echo "==> Done. Any SSH user will now get the toes CLI."
|
|
echo " SSH users are mapped to the toes-cli account (UID 3001)."
|
|
echo " toes@toes.local still gets a regular shell."
|