DoubleHP Posted January 25, 2018

Just after writing the image on the SD card, I start tuning rc.local and crontab. I have found that crontab is not run before first authentication; this is an issue, because I use crontab to handle my networking, and without networking I cannot know the IP of the pi and I can't log in.

I have found that after first authentication, I am asked to change the root password, then I see /etc/update-motd.d/99-point-to-faq, then /etc/profile.d/check_first_login.sh (which includes user account creation), but not /etc/update-motd.d/41-armbian-config. After second authentication, I can see /etc/update-motd.d/41-armbian-config and /etc/update-motd.d/99-point-to-faq have been removed from disk (the end of the script removes itself).

What I don't understand:
- during first boot, why (how) is 41-armbian-config not run? How does it get enabled?
- where and how is the root password change handled?
- why (how) is the root password change required to start crontab?
- is /etc/rc.local run before first root auth? I am 100% certain crontab is not run, but I am not sure about rc.local.
- if the system is power cycled before first root auth, are the sshd certificates regenerated?

Does /boot/armbian_first_run.txt handle IPv6?

I have spent hours studying the systemd dependency tree and reading all the scripts; there are 4 details that I can't catch.

Instead of removing 99-point-to-faq, it would be much cleaner to add it to the MOTD_DISABLE list in /etc/default/armbian-motd.
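As an added example, not from the post and not Armbian's own code: a small POSIX sh helper that adds a name to the MOTD_DISABLE list in /etc/default/armbian-motd without duplicating it and without touching the other settings in the file, which is the "much cleaner" alternative to deleting 99-point-to-faq suggested above. It assumes that file holds a shell-style line such as MOTD_DISABLE="header tips" whose value is a space-separated list; which names the list accepts (full script names such as 99-point-to-faq, or the short forms the stock scripts match on) is documented in the comments of the file itself and is not checked here.

```shell
#!/bin/sh
# Added example (not the post author's code, not Armbian's). Idempotently add a
# token to a space-separated, double-quoted list variable in a shell-style
# config file such as /etc/default/armbian-motd. Assumed file format:
#   MOTD_DISABLE="header tips"

# get_list_var FILE VAR: print VAR's value without the surrounding double quotes.
get_list_var() {
    sed -n "s/^$2=//p" "$1" | head -n 1 | tr -d '"'
}

# add_to_list_var FILE VAR TOKEN: append TOKEN to VAR's list. Creates the line
# if VAR is absent, leaves the file untouched if TOKEN is already listed, and
# rewrites only the VAR line so every other setting survives verbatim.
add_to_list_var() {
    file="$1"; var="$2"; token="$3"
    [ -e "$file" ] || : > "$file"
    if ! grep -q "^${var}=" "$file"; then
        printf '%s="%s"\n' "$var" "$token" >> "$file"
        return 0
    fi
    current=$(get_list_var "$file" "$var")
    for t in $current; do
        [ "$t" = "$token" ] && return 0      # already listed: nothing to do
    done
    if [ -n "$current" ]; then new="$current $token"; else new="$token"; fi
    tmp="${file}.tmp.$$"
    # Replace only the VAR= line; FS="=" makes $1 the variable name.
    awk -v v="$var" -v n="$new" 'BEGIN { FS = "=" }
        $1 == v { print v "=\"" n "\""; next }
        { print }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Usage on a live system (as root):
#   add_to_list_var /etc/default/armbian-motd MOTD_DISABLE 99-point-to-faq
```

Running it a second time is a no-op, so it is safe to leave in a first-boot script that may execute more than once.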
DoubleHP (Author) Posted February 9, 2018

Crontab is definitely not executed, but rc.local is. So, I have inserted some sections in rc.local. What I insert in rc.local is not the code below directly, but a call to a script. The call looks like this:

    /usr/local/sbin/rc.local.sh &

or

    /usr/local/sbin/rc.local.sh || /bin/true

or

    {
        some code || true
        anothercommand || true
    } &

Both methods will work, as long as your code loses the sh -x property.

I have tried various combinations like this:

    /usr/bin/expect -c "
    set timeout 30
    set password 1234
    set new orangepi
    spawn -noecho ssh -t -o StrictHostKeyChecking=no -o ConnectTimeout=20 -o UserKnownHostsFile=/dev/null -o PreferredAuthentications=keyboard-interactive,password -l root localhost passwd
    expect \"*assword:\"
    send \"$password\r\"
    expect \"*UNIX password:\"
    send \"$password\r\"
    expect \"*nter new UNIX password:\"
    send \"$new\r\"
    expect \"*etype new UNIX password:\"
    send \"$new\r\"
    expect \"Please provide a username (eg. your forename):\"
    send \"\x03\r\"
    " >>/root/log1 2>&1

but they all ended up with

    Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
    root@localhost's password:
    Permission denied, please try again.
    root@localhost's password:
    Permission denied, please try again.
    root@localhost's password:
    Permission denied (publickey,password).
    send: spawn id exp3 not open
        while executing
    "send "\r""

They work fine in all my simulation tests, but not in the live real run. For some reason I can't understand, the password 1234 works later, from the remote network, after the system has completed boot, but does not work from localhost during rc.local.

I have tried to add this before the above section, but it did not help:

    /bin/echo "root:1234" | /usr/sbin/chpasswd

So, I ended up with something else; after days of attempts, it's the only thing that works for me:

    cat /root/.ssh/id_rsa.pub >>/root/.ssh/authorized_keys
    # \$password and \$new are escaped so sh hands the Tcl variables to expect unexpanded
    /usr/bin/expect -c "
    set timeout 30
    set password 1234
    set new orangepi
    spawn -noecho ssh -t -o StrictHostKeyChecking=no -o ConnectTimeout=20 -o UserKnownHostsFile=/dev/null -o PreferredAuthentications=gssapi-with-mic,hostbased,publickey -l root localhost passwd
    expect \"*UNIX password:\"
    send \"\$password\r\"
    expect \"*nter new UNIX password:\"
    send \"\$new\r\"
    expect \"*etype new UNIX password:\"
    send \"\$new\r\"
    expect \"Please provide a username (eg. your forename):\"
    send \"\x03\r\"
    " >>/root/log0 2>&1

Of course, a certificate is generated for root in an earlier step; but I do this just after writing the image on the SD card, so the certificates are already available in /root before the pi boots the SD, and before rc.local is started. Here is a hint for curious people; but this raw code will NOT work as is in rc.local:

    /bin/echo "" | /usr/bin/ssh-keygen -t rsa -N "" -C "root@$DAHOSTNAME" -f "$MNTPNT"/root/.ssh/id_rsa

I am tired of trying 100 different things; so I am not going to work on identifying the smallest optimal solution; the above code should work.

So, there are two different ways to change the root password; I don't know which one best works around my Armbian-specific issue:

    /bin/echo "root:armbian" | /usr/sbin/chpasswd

or

    /usr/bin/expect -c "
    set timeout 30
    set password 1234
    set new orangepi
    spawn -noecho ssh -t -o StrictHostKeyChecking=no -o ConnectTimeout=20 -o UserKnownHostsFile=/dev/null -o PreferredAuthentications=gssapi-with-mic,hostbased,publickey -l root localhost passwd
    expect \"*UNIX password:\"
    send \"\$password\r\"
    expect \"*nter new UNIX password:\"
    send \"\$new\r\"
    expect \"*etype new UNIX password:\"
    send \"\$new\r\"
    expect \"Please provide a username (eg. your forename):\"
    send \"\x03\r\"
    " >>/root/log0 2>&1

After changing the root password, Armbian offers to set a user profile; if you don't, it will prompt you on first login. I also want to get rid of this message. What should work, but does not for me:

    /usr/bin/expect -c "
    set timeout 30
    set password orangepi
    spawn -noecho ssh -t -o StrictHostKeyChecking=no -o ConnectTimeout=20 -o UserKnownHostsFile=/dev/null -o PreferredAuthentications=keyboard-interactive,password -l root localhost
    expect \"*assword:\"
    send \"\$password\r\"
    expect \"Please provide a username (eg. your forename):\"
    send \"\x03\r\"
    " >>/root/log3 2>&1

What works for me:

    /usr/bin/expect -c "
    set timeout 30
    spawn -noecho ssh -t -o StrictHostKeyChecking=no -o ConnectTimeout=20 -o UserKnownHostsFile=/dev/null -o PreferredAuthentications=gssapi-with-mic,hostbased,publickey -l root localhost
    expect \"Please provide a username (eg. your forename):\"
    send \"\x03\r\"
    " >>/root/log5 2>&1

I do not understand why expect is unable to sort this issue the first time, and why I need to run send \"\x03\r\" twice. But I am tired. So I just run expect twice. First time.

And here is what the section should look like (I am not using this code as it is below; this code is not tested-certified):

    /bin/echo "" | /usr/bin/ssh-keygen -t rsa -N "" -C "root@$(hostname)" -f /root/.ssh/id_rsa
    cat /root/.ssh/id_rsa.pub >>/root/.ssh/authorized_keys
    chage -l root >/root/chage1
    /bin/echo "root:1234" | /usr/sbin/chpasswd
    chage -l root >/root/chage2
    /usr/bin/expect -c "
    set timeout 30
    set password 1234
    set new orangepi
    spawn -noecho ssh -t -o StrictHostKeyChecking=no -o ConnectTimeout=20 -o UserKnownHostsFile=/dev/null -o PreferredAuthentications=gssapi-with-mic,hostbased,publickey -l root localhost passwd
    expect \"*UNIX password:\"
    send \"\$password\r\"
    expect \"*nter new UNIX password:\"
    send \"\$new\r\"
    expect \"*etype new UNIX password:\"
    send \"\$new\r\"
    expect \"Please provide a username (eg. your forename):\"
    send \"\x03\r\"
    " >>/root/log0 2>&1
    chage -l root >/root/chage3
    /usr/bin/expect -c "
    set timeout 30
    spawn -noecho ssh -t -o StrictHostKeyChecking=no -o ConnectTimeout=20 -o UserKnownHostsFile=/dev/null -o PreferredAuthentications=gssapi-with-mic,hostbased,publickey -l root localhost
    expect \"Please provide a username (eg. your forename):\"
    send \"\x03\r\"
    " >>/root/log5 2>&1

Of course, my scripts also include other features to avoid running this twice (at second and later boots) (but this is off-topic today).

The minimalistic version should look like this (untested):

    /bin/echo "" | /usr/bin/ssh-keygen -t rsa -N "" -C "root@$(hostname)" -f /root/.ssh/id_rsa
    cat /root/.ssh/id_rsa.pub >>/root/.ssh/authorized_keys
    /bin/echo "root:1234" | /usr/sbin/chpasswd
    /usr/bin/expect -c "
    set timeout 30
    spawn -noecho ssh -t -o StrictHostKeyChecking=no -o ConnectTimeout=20 -o UserKnownHostsFile=/dev/null -o PreferredAuthentications=gssapi-with-mic,hostbased,publickey -l root localhost
    expect \"Please provide a username (eg. your forename):\"
    send \"\x03\r\"
    "

Tutorials I used:
https://stackoverflow.com/questions/26654640/expect-script-to-change-password-using-ssh
https://stackoverflow.com/questions/23836136/expect-interrupt-program-ctrlc
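Two things a practitioner would want to check in the recipe above. First, in the failing attempt quoted with its output, the expect body sits inside shell double quotes, so sh expands $password and $new before expect ever starts; when those shell variables are unset they expand to nothing, and `send "\r"` in that error output is exactly what an empty expansion produces. Writing \$password, or putting the body in single quotes, keeps the Tcl variables intact. Second, `cat id_rsa.pub >> authorized_keys` appends another copy on every boot, and the root password itself needs no ssh round trip to localhost at all: chpasswd reads user:password pairs on stdin. The following is an added example, not the post author's script and not Armbian's first-run code, that does the same first-boot steps once and idempotently from /etc/rc.local. It assumes the key pair was generated offline as in the post, that ROOT is empty on the live system (or the SD card's mount point when preparing it offline), and that chpasswd exists at runtime; the check_first_login.sh user-creation prompt the post dismisses with Ctrl-C is not handled here.

```shell
#!/bin/sh
# Added example: not the post author's script and not Armbian's first-run code.
# Idempotent first-boot helper meant to be called from /etc/rc.local. Assumes
# the key pair was generated offline as in the post (ssh-keygen into
# $ROOT/root/.ssh), ROOT is empty on the live system or the SD card's mount
# point when preparing it offline, and chpasswd exists at runtime.

ROOT="${ROOT:-}"
SENTINEL="${SENTINEL:-$ROOT/var/lib/first-boot.done}"

# add_authorized_key PUB AUTH: append PUB to AUTH unless a key with the same
# type and base64 body is already there. A plain 'cat id_rsa.pub >>
# authorized_keys' on every boot keeps adding copies. Files are created with
# mode 600 (umask 077), which is what sshd expects for authorized_keys.
add_authorized_key() {
    pub="$1"; auth="$2"
    umask 077
    mkdir -p "$(dirname "$auth")"
    [ -e "$auth" ] || : > "$auth"
    body=$(awk 'NF >= 2 { print $1 " " $2; exit }' "$pub")
    [ -n "$body" ] || return 1             # not a public key file
    grep -qF -- "$body" "$auth" && return 0
    cat "$pub" >> "$auth"
}

# run_once CMD...: skip when the sentinel exists; create it only after CMD
# succeeded, so a failed first boot is retried on the next one instead of
# being marked done.
run_once() {
    [ -e "$SENTINEL" ] && return 0
    "$@" || return 1
    mkdir -p "$(dirname "$SENTINEL")" && : > "$SENTINEL"
}

# set_root_password PASSWORD: chpasswd reads user:password on stdin, so this
# needs no tty, no ssh to localhost and no expect. The password is a parameter
# rather than a literal baked into the script.
set_root_password() {
    printf 'root:%s\n' "$1" | chpasswd
}

first_boot_main() {
    add_authorized_key "$ROOT/root/.ssh/id_rsa.pub" "$ROOT/root/.ssh/authorized_keys" &&
        set_root_password "$1"
}

# In /etc/rc.local:  /usr/local/sbin/first-boot.sh 'new-root-password' || true
# The guard keeps the system-modifying part from running when this file is
# sourced for testing under another name.
case "${0##*/}" in
    first-boot.sh) run_once first_boot_main "$1" ;;
esac
```

The sentinel lives under $ROOT/var/lib rather than in /root so that removing the root home, or re-running the offline preparation, does not silently trigger a second password change on the next boot.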