Discussion:
Is it possible to customise the d-i just to add an ssh authorized key for root
PICCA Frederic-Emmanuel
2025-01-24 09:00:03 UTC
Hello, I would like to customize the debian-installer in order to allow root access once installed via an authorized key.

So I need to put something like this in /root/.ssh/ during the installation

echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDGkFpSsCIGpAJtsH4TWHCatHMkdGMS/PTG2M/7xeWz6Syw/JUrZPc/5bRC9H5+bikrhotZOidC+lafzGFHGmHzpq7+rXrd5Np3uHH6U+Y0O7mUeU0CVhCpkIr2ggk4Bw7K79/d6fsPXZi2h+JAZ9cBaI6ob5K6e70Ljj3REZRh7LXBVIAd1hmMPEESb5xll1MHvB/7Qn6r6uupcOY/pC/LH+ZPUaqvwXGrSltFjJoeFEW8H05uYkuZta5vBG/owdLjRt6v7h3tnINsMV4S0uKNQNz6022xAptn1FY1WQ0F1y738hTNoikITty//MB3HW3uQEpw4sXN7tEGqQtHrbMkPfcwb+KMISXYlHPaBt9ik4fWnt55U1IzXr5s/ErT6/ZCG2iPfnffuHnCVMujrUu+KcnHtF7Ux50N1QxR7+EiT6WxRDW3S6Vz0MQ6jTZdy/YryKYZtGnriFb2RwRu9Y7Df+VYfj4nKrnF3JQF9yipBLcUhpliNvByvoh7eTE8iWuVlp3GkdHotEq4okH88TtUG5DBbddGHoGpxnzi8R4sn+YvFTybywwhKgMQh0ueJ26j326AgujBDlvL3Hf6Satz/EDmwjStWGSwWQAcy+W+gfNAuRfHpyYHKDGPIJLzMfuf0vx0KLL0C55x7I4cGqOIT22RXLhhf9NFHNDi4Q== cardno:000500001073" > /root/.ssh/authorized_keys

Is it a feature provided by d-i?

Thanks

Frederic
Colin Watson
2025-01-24 12:10:01 UTC
Post by PICCA Frederic-Emmanuel
Hello, I would like to customize the debian-installer in order to allow root access once installed via an authorized key.
So I need to put something like this in /root/.ssh/ during the installation
echo "ssh-rsa ... cardno:000500001073" > /root/.ssh/authorized_keys
Is it a feature provided by d-i?
You can do this with preseed/late_command
(https://www.debian.org/releases/bookworm/amd64/apbs05.en.html#preseed-hooks,
and see https://www.debian.org/releases/bookworm/amd64/apb.en.html for
general advice on preseeding if you haven't used it before). Something
like this should work:

d-i preseed/late_command string mkdir -p /target/root/.ssh; echo 'ssh-rsa ...' >/target/root/.ssh/authorized_keys
--
Colin Watson (he/him) [***@debian.org]
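
Added example, not part of the post above and not d-i's own code: a POSIX sh function that a late_command script could call to write the key into the installed system with the modes sshd expects, refusing anything that is not a single bare public key line. The name `install_root_key` and the accepted key-type list are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example; install_root_key is a hypothetical helper, not part of d-i.
# During late_command the installed system is mounted at /target, so that is
# the value to pass as the first argument.

install_root_key() {
    target=$1
    key=$2
    nl='
'
    # Exactly one line: an embedded newline would smuggle in extra entries.
    case $key in
        *"$nl"*) echo "refusing multi-line key" >&2; return 1 ;;
    esac
    # Bare public keys only: no leading options such as command="...".
    case $key in
        ssh-ed25519\ AAAA*|ssh-rsa\ AAAA*|ecdsa-sha2-nistp???\ AAAA*) ;;
        sk-ssh-ed25519@openssh.com\ AAAA*) ;;
        sk-ecdsa-sha2-nistp256@openssh.com\ AAAA*) ;;
        *) echo "refusing: not a bare public key line" >&2; return 1 ;;
    esac

    sshdir=$target/root/.ssh
    file=$sshdir/authorized_keys
    # Create with a tight umask so nothing is ever briefly world-readable.
    ( umask 077; mkdir -p "$sshdir" && touch "$file" ) || return 1
    # Fix modes explicitly in case the paths already existed. sshd's
    # StrictModes (on by default) checks modes and ownership of these files.
    chmod 700 "$sshdir" && chmod 600 "$file" || return 1
    # Append only if the exact line is absent, so reruns do not duplicate it.
    grep -qxF -- "$key" "$file" || printf '%s\n' "$key" >>"$file"
}

# Usage inside the installer: install_root_key /target 'ssh-ed25519 AAAA... comment'
```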
Emanuele Rocca
2025-01-24 13:40:01 UTC
Post by Colin Watson
You can do this with preseed/late_command
(https://www.debian.org/releases/bookworm/amd64/apbs05.en.html#preseed-hooks,
and see https://www.debian.org/releases/bookworm/amd64/apb.en.html for
general advice on preseeding if you haven't used it before). Something
d-i preseed/late_command string mkdir -p /target/root/.ssh; echo 'ssh-rsa ...' >/target/root/.ssh/authorized_keys
An easy way to do that with preseeding, assuming your setup has network
connectivity, is adding the string Colin mentioned to a file such as
https://example.org/preseed.txt and then appending the following to your
kernel arguments when booting the installer:

preseed/url=https://example.org/preseed.txt
Philip Hands
2025-01-24 15:40:01 UTC
Post by Emanuele Rocca
Post by Colin Watson
You can do this with preseed/late_command
(https://www.debian.org/releases/bookworm/amd64/apbs05.en.html#preseed-hooks,
and see https://www.debian.org/releases/bookworm/amd64/apb.en.html for
general advice on preseeding if you haven't used it before). Something
d-i preseed/late_command string mkdir -p /target/root/.ssh; echo 'ssh-rsa ...' >/target/root/.ssh/authorized_keys
An easy way to do that with preseeding, assuming your setup has network
connectivity, is adding the string Colin mentioned to a file such as
https://example.org/preseed.txt and then appending the following to your
preseed/url=https://example.org/preseed.txt
You can get away with just `url=` there, since `url` is an alias[1] for
the `preseed/url` setting.

Also, if you put the preseed file in the right place[2], you can actually
get away with something like:

url=autoserver

which is nice if you're having to type things by hand.

Cheers, Phil.

[1] https://d-i.debian.org/manual/en.amd64/apbs02.html#preseed-aliases
[2] https://d-i.debian.org/manual/en.amd64/apbs02.html#preseed-auto
--
Philip Hands -- https://hands.com/~phil
Philip Hands
2025-01-24 15:10:02 UTC
Post by Colin Watson
Post by PICCA Frederic-Emmanuel
Hello, I would like to customize the debian-installer in order to allow root access once installed via an authorized key.
So I need to put something like this in /root/.ssh/ during the installation
echo "ssh-rsa ... cardno:000500001073" > /root/.ssh/authorized_keys
Is it a feature provided by d-i?
You can do this with preseed/late_command
(https://www.debian.org/releases/bookworm/amd64/apbs05.en.html#preseed-hooks,
and see https://www.debian.org/releases/bookworm/amd64/apb.en.html for
general advice on preseeding if you haven't used it before). Something
d-i preseed/late_command string mkdir -p /target/root/.ssh; echo 'ssh-rsa ...' >/target/root/.ssh/authorized_keys
If setting one ssh key is the only thing you want to tweak, then as
Colin says, the late_command is the way to go.

If you want to do more complicated things, especially if you have
multiple sets of machines that need different settings applied and/or
different keys preinstalled, then you might want to have a look at:

https://hands.com/d-i/

which lets you specify which keys should be installed to which users,
and set the local passwords etc.

For example, here's a site-local default that can be overridden (based on
domainname, hostname, or pretty much any other criterion you like):

https://hands.com/d-i/preseed/local/_users/default

with the keys being installed from the sshkeys.* files here:

https://hands.com/d-i/preseed/local/_users/

and if the machine happens to be told via DNS that it's called 'nimble'
on one of my test networks, then instead it'll get these settings:

https://hands.com/d-i/preseed/local/_users/_hostname/hk.hands.com/nimble

HTH

BTW I'm happy to answer questions about how that all works, if you think
it's worth a try for your usage.

Cheers, Phil.
--
Philip Hands -- https://hands.com/~phil