Why is crontab not run before first authentication?



Posted

Just after writing the image on the SD card, I start tuning rc.local and crontab. I have found that crontab is not run before first authentication; this is an issue, because I use crontab to handle my networking, and without networking I cannot know the IP of the Pi, and I can't log in.

 

I have found that after first authentication, I am asked to change the root password, then I see /etc/update-motd.d/99-point-to-faq, then /etc/profile.d/check_first_login.sh (which includes user account creation), but not /etc/update-motd.d/41-armbian-config.

 

After second authentication, I can see /etc/update-motd.d/41-armbian-config and /etc/update-motd.d/99-point-to-faq have been removed from disk (the end of the script removes itself).

 

What I don't understand:

- during first boot, why (how) is 41-armbian-config not run? How does it get enabled?

- where and how is root password change handled?

- why (how) is root password change required to start crontab?

- is /etc/rc.local run before first root auth? I am 100% certain crontab is not run, but I am not sure about rc.local.

- if system is power cycled before first root auth, are sshd certificates regenerated?

Does /boot/armbian_first_run.txt handle IPv6?

 

I have spent hours studying the systemd dep tree and reading all the scripts, but there are 4 details that I can't catch.

 

Instead of removing 99-point-to-faq, it would be much cleaner to add it to the MOTD_DISABLE list in /etc/default/armbian-motd.

Posted

Crontab is definitely not executed, but rc.local is. So, I have inserted some sections in rc.local.

 

What I insert in rc.local is not the code below directly, but a call to a script. The call looks like this:

/usr/local/sbin/rc.local.sh &

or

/usr/local/sbin/rc.local.sh || /bin/true

or
 

{
some code || true
anothercommand || true
} &

Both methods will work, as long as your code loses the sh -x property.

 

I have tried various combinations like this:

/usr/bin/expect -c "
set timeout 30
set password 1234
set new orangepi
spawn -noecho ssh -t -o StrictHostKeychecking=no -o ConnectTimeout=20 -o UserKnownHostsFile=/dev/null -o PreferredAuthentications=keyboard-interactive,password -l root localhost passwd
expect \"*assword:\"
send \"$password\r\"
expect \"*UNIX password:\"
send \"$password\r\"
expect \"*nter new UNIX password:\"
send \"$new\r\"
expect \"*etype new UNIX password:\"
send \"$new\r\"
expect \"Please provide a username (eg. your forename):\"
send \"\x03\r\"
" >>/root/log1 2>&1

but they all ended up with

Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
root@localhost's password:
Permission denied, please try again.
root@localhost's password:
Permission denied, please try again.
root@localhost's password:
Permission denied (publickey,password).
send: spawn id exp3 not open
    while executing
"send "\r""

They work fine in all my simulation tests, but not in the live real run. For some reason I can't understand, the password 1234 can work later, from remote network, after the system has completed boot, but does not work from localhost during rc.local.

 

I have tried to add this before the above section, but it did not help: /bin/echo "root:1234" | /usr/sbin/chpasswd

 

So, I ended up with something else; after days of attempts, it's the only thing that works for me:


 

cat /root/.ssh/id_rsa.pub >>/root/.ssh/authorized_keys

# \$ keeps the shell from expanding the Tcl variables; expect substitutes them itself.
/usr/bin/expect -c "
set timeout 30
set password 1234
set new orangepi
spawn -noecho ssh -t -o StrictHostKeychecking=no -o ConnectTimeout=20 -o UserKnownHostsFile=/dev/null -o PreferredAuthentications=gssapi-with-mic,hostbased,publickey -l root localhost passwd
expect \"*UNIX password:\"
send \"\$password\r\"
expect \"*nter new UNIX password:\"
send \"\$new\r\"
expect \"*etype new UNIX password:\"
send \"\$new\r\"
expect \"Please provide a username (eg. your forename):\"
send \"\x03\r\"
" >>/root/log0 2>&1

 

Of course, a certificate is generated for root in an earlier step; but I do this just after writing the image on sdcard; so the certificates are already available in /root before the pi boots the SD, and before rc.local is started.

 

Here is a hint for curious people; but this raw code will NOT work as is in rc.local:

 

/bin/echo "" | /usr/bin/ssh-keygen -t rsa -N "" -C "root@$DAHOSTNAME" -f "$MNTPNT"/root/.ssh/id_rsa

 

I am tired of trying 100 different things; so I am not going to work and identify the smallest optimal solution; the above code should work. So, there are two different ways to change the root password; I don't know which one best works around my Armbian specific issue:

 

/bin/echo "root:armbian" | /usr/sbin/chpasswd

 

or

 

# \$ keeps the shell from expanding the Tcl variables; expect substitutes them itself.
/usr/bin/expect -c "
set timeout 30
set password 1234
set new orangepi
spawn -noecho ssh -t -o StrictHostKeychecking=no -o ConnectTimeout=20 -o UserKnownHostsFile=/dev/null -o PreferredAuthentications=gssapi-with-mic,hostbased,publickey -l root localhost passwd
expect \"*UNIX password:\"
send \"\$password\r\"
expect \"*nter new UNIX password:\"
send \"\$new\r\"
expect \"*etype new UNIX password:\"
send \"\$new\r\"
expect \"Please provide a username (eg. your forename):\"
send \"\x03\r\"
" >>/root/log0 2>&1

 

After changing the root password, Armbian offers to set a user profile; if you don't, it will prompt you on first login. I also want to get rid of this message.

 

What should work, but does not for me:

 

/usr/bin/expect -c "
set timeout 30
set password orangepi
spawn -noecho ssh -t -o StrictHostKeychecking=no -o ConnectTimeout=20 -o UserKnownHostsFile=/dev/null -o PreferredAuthentications=keyboard-interactive,password -l root localhost
expect \"*assword:\"
send \"$password\r\"
expect \"Please provide a username (eg. your forename):\"
send \"\x03\r\"
" >>/root/log3 2>&1

 

What works for me:

 

/usr/bin/expect -c "
set timeout 30
spawn -noecho ssh -t -o StrictHostKeychecking=no -o ConnectTimeout=20 -o UserKnownHostsFile=/dev/null -o PreferredAuthentications=gssapi-with-mic,hostbased,publickey -l root localhost
expect \"Please provide a username (eg. your forename):\"
send \"\x03\r\"
" >>/root/log5 2>&1

 

I do not understand why expect is unable to sort this issue the first time, and why I need to run send \"\x03\r\" twice. But I am tired. So I just run expect twice. First time. And here is what the section should look like (I am not using this code as it is below; this code is not tested-certified):


 

/bin/echo "" | /usr/bin/ssh-keygen -t rsa -N "" -C "root@$(hostname)" -f /root/.ssh/id_rsa
cat /root/.ssh/id_rsa.pub >>/root/.ssh/authorized_keys

chage -l root >/root/chage1
/bin/echo "root:1234" | /usr/sbin/chpasswd
chage -l root >/root/chage2

# \$ keeps the shell from expanding the Tcl variables; expect substitutes them itself.
/usr/bin/expect -c "
set timeout 30
set password 1234
set new orangepi
spawn -noecho ssh -t -o StrictHostKeychecking=no -o ConnectTimeout=20 -o UserKnownHostsFile=/dev/null -o PreferredAuthentications=gssapi-with-mic,hostbased,publickey -l root localhost passwd
expect \"*UNIX password:\"
send \"\$password\r\"
expect \"*nter new UNIX password:\"
send \"\$new\r\"
expect \"*etype new UNIX password:\"
send \"\$new\r\"
expect \"Please provide a username (eg. your forename):\"
send \"\x03\r\"
" >>/root/log0 2>&1

chage -l root >/root/chage3

/usr/bin/expect -c "
set timeout 30
spawn -noecho ssh -t -o StrictHostKeychecking=no -o ConnectTimeout=20 -o UserKnownHostsFile=/dev/null -o PreferredAuthentications=gssapi-with-mic,hostbased,publickey -l root localhost
expect \"Please provide a username (eg. your forename):\"
send \"\x03\r\"
" >>/root/log5 2>&1

 

Of course, my scripts also include other features to avoid running this twice (at second and later boots) (but this is off-topic today).

 

The minimalistic version should look like this (untested)


 

/bin/echo "" | /usr/bin/ssh-keygen -t rsa -N "" -C "root@$(hostname)" -f /root/.ssh/id_rsa
cat /root/.ssh/id_rsa.pub >>/root/.ssh/authorized_keys
/bin/echo "root:1234" | /usr/sbin/chpasswd
/usr/bin/expect -c "
set timeout 30
spawn -noecho ssh -t -o StrictHostKeychecking=no -o ConnectTimeout=20 -o UserKnownHostsFile=/dev/null -o PreferredAuthentications=gssapi-with-mic,hostbased,publickey -l root localhost
expect \"Please provide a username (eg. your forename):\"
send \"\x03\r\"
"

 

Tutorials I used:

https://stackoverflow.com/questions/26654640/expect-script-to-change-password-using-ssh

https://stackoverflow.com/questions/23836136/expect-interrupt-program-ctrlc
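
The `send "\r"` in the error trace quoted earlier in this thread is what expect receives when `$password` sits unescaped inside a double-quoted `-c` argument: the shell substitutes it before expect starts. The following is an added example, not part of the original posts; it only renders the script text under each quoting style and counts empty sends, so it needs neither expect nor ssh, and it assumes the shell variables `password` and `new` are unset in the calling script.

```shell
#!/bin/sh
# Added example: what text does expect actually receive from each quoting style?

# Style used in this thread: double-quoted argument, unescaped $.
# The shell expands $password and $new (unset here) to empty strings.
render_unescaped() {
    unset password new
    printf '%s\n' "
set password 1234
set new orangepi
send \"$password\r\"
send \"$new\r\"
"
}

# Escaped form: \$ reaches expect as a literal $, so Tcl does the substitution.
render_escaped() {
    printf '%s\n' "
set password 1234
set new orangepi
send \"\$password\r\"
send \"\$new\r\"
"
}

# Quoted heredoc: the shell expands nothing, so no escaping is needed at all.
render_heredoc() {
    cat <<'EOF'
set password 1234
set new orangepi
send "$password\r"
send "$new\r"
EOF
}

# Count send commands that would transmit only a carriage return.
count_empty_sends() {
    grep -c -F -x 'send "\r"' || true
}

echo "unescaped: $(render_unescaped | count_empty_sends) empty send(s)"
echo "escaped:   $(render_escaped | count_empty_sends) empty send(s)"
echo "heredoc:   $(render_heredoc | count_empty_sends) empty send(s)"
```

Rendering the script this way before a first boot shows whether the password lines survive the shell, which is much quicker than reflashing the SD card to find out.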
