Specify an ssh public key when adding new user
This commit is contained in:
parent
0bebdb4b82
commit
1e87576868
|
@ -46,6 +46,12 @@ Yes. Freedombone can support a small number of users, for a "/friends and family
|
||||||
freedombone-adduser [username]
|
freedombone-adduser [username]
|
||||||
#+END_SRC
|
#+END_SRC
|
||||||
|
|
||||||
|
Or optionally with an /ssh public key/, given either as a filename or directly pasted. Specifying an ssh key will allow the user to log in more securely if they need to (such as if they use the Mutt email client).
|
||||||
|
|
||||||
|
#+BEGIN_SRC bash
|
||||||
|
freedombone-adduser [username] [ssh public key]
|
||||||
|
#+END_SRC
|
||||||
|
|
||||||
Something to consider when having more than a single user on the system is the security situation. The original administrator user will have access to all of the data for other users (including their encryption keys), so if you do add extra users they need to have *complete trust* in the administrator.
|
Something to consider when having more than a single user on the system is the security situation. The original administrator user will have access to all of the data for other users (including their encryption keys), so if you do add extra users they need to have *complete trust* in the administrator.
|
||||||
|
|
||||||
Another point is that Freedombone installations are not intended to support many users (maybe ten at most). Large numbers of users may make the system unstable, and the more users you have on one system the more it becomes a single point of failure and also perhaps a honeypot from the standpoint of adversaries. Think of what happened with Lavabit and the moral dilemma which an administrator can be faced with (comply with threats and betray the trust of your users or don't comply and suffer other consequences). Ideally, you never want to put yourself into a situation where you can be forced to betray others.
|
Another point is that Freedombone installations are not intended to support many users (maybe ten at most). Large numbers of users may make the system unstable, and the more users you have on one system the more it becomes a single point of failure and also perhaps a honeypot from the standpoint of adversaries. Think of what happened with Lavabit and the moral dilemma which an administrator can be faced with (comply with threats and betray the trust of your users or don't comply and suffer other consequences). Ideally, you never want to put yourself into a situation where you can be forced to betray others.
|
||||||
|
|
Binary file not shown.
|
@ -1,5 +1,6 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
MY_USERNAME=$1
|
MY_USERNAME=$1
|
||||||
|
SSH_PUBLIC_KEY=$2
|
||||||
GPG_KEYSERVER='hkp://keys.gnupg.net'
|
GPG_KEYSERVER='hkp://keys.gnupg.net'
|
||||||
SSH_PORT=2222
|
SSH_PORT=2222
|
||||||
COMPLETION_FILE=$HOME/freedombone-completed.txt
|
COMPLETION_FILE=$HOME/freedombone-completed.txt
|
||||||
|
@ -29,10 +30,27 @@ if [ ! -d /home/$MY_USERNAME ]; then
|
||||||
exit 4
|
exit 4
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ $2 ]; then
|
||||||
|
if [ -f $SSH_PUBLIC_KEY ]; then
|
||||||
|
mkdir /home/$MY_USERNAME/.ssh
|
||||||
|
cp $SSH_PUBLIC_KEY /home/$MY_USERNAME/.ssh/authorized_keys
|
||||||
|
echo 'ssh public key installed'
|
||||||
|
else
|
||||||
|
if [[ $SSH_PUBLIC_KEY == "ssh-"* ]]; then
|
||||||
|
mkdir /home/$MY_USERNAME/.ssh
|
||||||
|
echo $SSH_PUBLIC_KEY > /home/$MY_USERNAME/.ssh/authorized_keys
|
||||||
|
echo 'ssh public key installed'
|
||||||
|
else
|
||||||
|
echo 'The second parameter does not look like an ssh key'
|
||||||
|
exit 5
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
if [ ! -d /home/$MY_USERNAME/Maildir ]; then
|
if [ ! -d /home/$MY_USERNAME/Maildir ]; then
|
||||||
echo 'Email directory was not created'
|
echo 'Email directory was not created'
|
||||||
userdel -r $MY_USERNAME
|
userdel -r $MY_USERNAME
|
||||||
exit 5
|
exit 6
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if grep -q "set from=" /home/$MY_USERNAME/.muttrc; then
|
if grep -q "set from=" /home/$MY_USERNAME/.muttrc; then
|
||||||
|
@ -77,7 +95,7 @@ su -c "gpg --output $MY_GPG_PUBLIC_KEY --armor --export $MY_GPG_PUBLIC_KEY_ID" -
|
||||||
if [ ! -f $MY_GPG_PUBLIC_KEY ]; then
|
if [ ! -f $MY_GPG_PUBLIC_KEY ]; then
|
||||||
echo "GPG public key was not generated for $MY_USERNAME@$HOSTNAME $MY_GPG_PUBLIC_KEY_ID"
|
echo "GPG public key was not generated for $MY_USERNAME@$HOSTNAME $MY_GPG_PUBLIC_KEY_ID"
|
||||||
userdel -r $MY_USERNAME
|
userdel -r $MY_USERNAME
|
||||||
exit 6
|
exit 7
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# encrypt outgoing mail to the "sent" folder
|
# encrypt outgoing mail to the "sent" folder
|
||||||
|
@ -131,7 +149,7 @@ freedombone-addxmpp -e "$MY_USERNAME@$HOSTNAME" -p "$NEW_USER_PASSWORD"
|
||||||
if [ ! "$?" = "0" ]; then
|
if [ ! "$?" = "0" ]; then
|
||||||
echo "XMPP account not created"
|
echo "XMPP account not created"
|
||||||
userdel -r $MY_USERNAME
|
userdel -r $MY_USERNAME
|
||||||
exit 7
|
exit 8
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if grep -q "Blog domain" $COMPLETION_FILE; then
|
if grep -q "Blog domain" $COMPLETION_FILE; then
|
||||||
|
@ -139,7 +157,7 @@ if grep -q "Blog domain" $COMPLETION_FILE; then
|
||||||
if [ ! -d /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users ]; then
|
if [ ! -d /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users ]; then
|
||||||
echo 'Blog users directory not found'
|
echo 'Blog users directory not found'
|
||||||
userdel -r $MY_USERNAME
|
userdel -r $MY_USERNAME
|
||||||
exit 8
|
exit 9
|
||||||
fi
|
fi
|
||||||
echo ';Password' > /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini
|
echo ';Password' > /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini
|
||||||
echo "password = '$NEW_USER_PASSWORD'" >> /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini
|
echo "password = '$NEW_USER_PASSWORD'" >> /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini
|
||||||
|
|
Loading…
Reference in New Issue