DoubleHP Posted January 25, 2018

Just after writing the image on the SD card, I start tuning rc.local and crontab. I have found that crontab is not run before first authentication; this is an issue, because I use crontab to handle my networking; and without networking, I can not know the IP of the pi, and I can't login.

I have found that after first authentication, I am asked to change the root password, then I see /etc/update-motd.d/99-point-to-faq, then /etc/profile.d/check_first_login.sh (which includes user account creation), but not /etc/update-motd.d/41-armbian-config.

After second authentication, I can see /etc/update-motd.d/41-armbian-config and /etc/update-motd.d/99-point-to-faq have been removed from disk (the end of the script removes itself).

What I don't understand:
- during first boot, why (how) is 41-armbian-config not run? How does it get enabled?
- where and how is the root password change handled?
- why (how) is the root password change required to start crontab?
- is /etc/rc.local run before first root auth? I am 100% certain crontab is not run, but I am not sure about rc.local.
- if the system is power cycled before first root auth, are sshd certificates regenerated?

Does /boot/armbian_first_run.txt handle IPv6?

I have spent hours studying the systemd dep tree and reading all scripts; there are 4 details that I can't catch.

Instead of removing 99-point-to-faq, it would be much cleaner to add it to the MOTD_DISABLE list in /etc/default/armbian-motd.
DoubleHP (Author) Posted February 9, 2018

Crontab is definitely not executed, but rc.local is. So, I have inserted some sections in rc.local. What I insert in rc.local is not the code below directly, but a call to a script. The call looks like this:

    /usr/local/sbin/rc.local.sh &

or

    /usr/local/sbin/rc.local.sh || /bin/true

or

    {
        some code || true
        anothercommand || true
    } &

Both methods will work, as long as your code loses the sh -x property.

I have tried various combinations like this:

    /usr/bin/expect -c "
    set timeout 30
    set password 1234
    set new orangepi
    spawn -noecho ssh -t -o StrictHostKeychecking=no -o ConnectTimeout=20 -o UserKnownHostsFile=/dev/null -o PreferredAuthentications=keyboard-interactive,password -l root localhost passwd
    expect \"*assword:\"
    send \"$password\r\"
    expect \"*UNIX password:\"
    send \"$password\r\"
    expect \"*nter new UNIX password:\"
    send \"$new\r\"
    expect \"*etype new UNIX password:\"
    send \"$new\r\"
    expect \"Please provide a username (eg. your forename):\"
    send \"\x03\r\"
    " >>/root/log1 2>&1

but they all ended up with

    Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
    root@localhost's password:
    Permission denied, please try again.
    root@localhost's password:
    Permission denied, please try again.
    root@localhost's password:
    Permission denied (publickey,password).
    send: spawn id exp3 not open
        while executing
    "send "\r""

They work fine in all my simulation tests, but not in the live real run. For some reason I can't understand, the password 1234 can work later, from the remote network, after the system has completed boot, but does not work from localhost during rc.local.

I have tried to add this before the above section, but it did not help:

    /bin/echo "root:1234" | /usr/sbin/chpasswd

So, I ended up with something else; after days of attempts, it's the only thing that works for me:

    cat /root/.ssh/id_rsa.pub >>/root/.ssh/authorized_keys
    /usr/bin/expect -c "
    set timeout 30
    set password 1234
    set new orangepi
    spawn -noecho ssh -t -o StrictHostKeychecking=no -o ConnectTimeout=20 -o UserKnownHostsFile=/dev/null -o PreferredAuthentications=gssapi-with-mic,hostbased,publickey -l root localhost passwd
    expect \"*UNIX password:\"
    send \"$password\r\"
    expect \"*nter new UNIX password:\"
    send \"$new\r\"
    expect \"*etype new UNIX password:\"
    send \"$new\r\"
    expect \"Please provide a username (eg. your forename):\"
    send \"\x03\r\"
    " >>/root/log0 2>&1

Of course, a certificate is generated for root in an earlier step; but I do this just after writing the image on the SD card; so the certificates are already available in /root before the pi boots the SD, and before rc.local is started. Here is a hint for curious people; but this raw code will NOT work as is in rc.local:

    /bin/echo "" | /usr/bin/ssh-keygen -t rsa -N "" -C "root@$DAHOSTNAME" -f "$MNTPNT"/root/.ssh/id_rsa

I am tired of trying 100 different things; so I am not going to work and identify the smallest optimal solution; the above code should work.

So, there are two different ways to change the root password; I don't know which one best works around my Armbian specific issue:

    /bin/echo "root:armbian" | /usr/sbin/chpasswd

or

    /usr/bin/expect -c "
    set timeout 30
    set password 1234
    set new orangepi
    spawn -noecho ssh -t -o StrictHostKeychecking=no -o ConnectTimeout=20 -o UserKnownHostsFile=/dev/null -o PreferredAuthentications=gssapi-with-mic,hostbased,publickey -l root localhost passwd
    expect \"*UNIX password:\"
    send \"$password\r\"
    expect \"*nter new UNIX password:\"
    send \"$new\r\"
    expect \"*etype new UNIX password:\"
    send \"$new\r\"
    expect \"Please provide a username (eg. your forename):\"
    send \"\x03\r\"
    " >>/root/log0 2>&1

After changing the root password, Armbian offers to set a user profile; if you don't, it will prompt you on first login. I also want to get rid of this message. What should work, but does not for me:

    /usr/bin/expect -c "
    set timeout 30
    set password orangepi
    spawn -noecho ssh -t -o StrictHostKeychecking=no -o ConnectTimeout=20 -o UserKnownHostsFile=/dev/null -o PreferredAuthentications=keyboard-interactive,password -l root localhost
    expect \"*assword:\"
    send \"$password\r\"
    expect \"Please provide a username (eg. your forename):\"
    send \"\x03\r\"
    " >>/root/log3 2>&1

What works for me:

    /usr/bin/expect -c "
    set timeout 30
    spawn -noecho ssh -t -o StrictHostKeychecking=no -o ConnectTimeout=20 -o UserKnownHostsFile=/dev/null -o PreferredAuthentications=gssapi-with-mic,hostbased,publickey -l root localhost
    expect \"Please provide a username (eg. your forename):\"
    send \"\x03\r\"
    " >>/root/log5 2>&1

I do not understand why expect is unable to sort this issue the first time, and why I need to run send \"\x03\r\" twice. But I am tired. So I just run expect twice. First time.

And here is what the section should look like (I am not using this code as it is below; this code is not tested-certified):

    /bin/echo "" | /usr/bin/ssh-keygen -t rsa -N "" -C "root@$(hostname)" -f /root/.ssh/id_rsa
    cat /root/.ssh/id_rsa.pub >>/root/.ssh/authorized_keys
    chage -l root >/root/chage1
    /bin/echo "root:1234" | /usr/sbin/chpasswd
    chage -l root >/root/chage2
    /usr/bin/expect -c "
    set timeout 30
    set password 1234
    set new orangepi
    spawn -noecho ssh -t -o StrictHostKeychecking=no -o ConnectTimeout=20 -o UserKnownHostsFile=/dev/null -o PreferredAuthentications=gssapi-with-mic,hostbased,publickey -l root localhost passwd
    expect \"*UNIX password:\"
    send \"$password\r\"
    expect \"*nter new UNIX password:\"
    send \"$new\r\"
    expect \"*etype new UNIX password:\"
    send \"$new\r\"
    expect \"Please provide a username (eg. your forename):\"
    send \"\x03\r\"
    " >>/root/log0 2>&1
    chage -l root >/root/chage3
    /usr/bin/expect -c "
    set timeout 30
    spawn -noecho ssh -t -o StrictHostKeychecking=no -o ConnectTimeout=20 -o UserKnownHostsFile=/dev/null -o PreferredAuthentications=gssapi-with-mic,hostbased,publickey -l root localhost
    expect \"Please provide a username (eg. your forename):\"
    send \"\x03\r\"
    " >>/root/log5 2>&1

Of course, my scripts also include other features to avoid running this twice (at second and later boots) (but this is off-topic today).

The minimalistic version should look like this (untested):

    /bin/echo "" | /usr/bin/ssh-keygen -t rsa -N "" -C "root@$(hostname)" -f /root/.ssh/id_rsa
    cat /root/.ssh/id_rsa.pub >>/root/.ssh/authorized_keys
    /bin/echo "root:1234" | /usr/sbin/chpasswd
    /usr/bin/expect -c "
    set timeout 30
    spawn -noecho ssh -t -o StrictHostKeychecking=no -o ConnectTimeout=20 -o UserKnownHostsFile=/dev/null -o PreferredAuthentications=gssapi-with-mic,hostbased,publickey -l root localhost
    expect \"Please provide a username (eg. your forename):\"
    send \"\x03\r\"
    "

Tutorials I used:
https://stackoverflow.com/questions/26654640/expect-script-to-change-password-using-ssh
https://stackoverflow.com/questions/23836136/expect-interrupt-program-ctrlc
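A run-once version of the rc.local section above, as an added example (not DoubleHP's code): it reads the new root password from a file on the boot partition instead of keeping it in rc.local, appends the public key only once, and stamps completion so second and later boots skip it. The marker path /root/.not_logged_in_yet (what check_first_login.sh is assumed to test), the secret-file path and the stamp directory are assumptions, all overridable through the environment.

```shell
#!/bin/sh
# Added example, not DoubleHP's script: a run-once helper for the rc.local
# steps in this thread (root key pair, root password change, first-login
# dialogue). Assumptions: a stamp file makes later boots skip it; the new
# password is read from a file the operator drops on the boot partition and
# that file is deleted after use, so nothing is hard-coded in rc.local; the
# marker Armbian's check_first_login.sh tests is assumed to be
# /root/.not_logged_in_yet. Every path can be overridden via environment.
STATE_DIR="${FIRSTBOOT_STATE_DIR:-/var/lib/firstboot}"
SECRET_FILE="${FIRSTBOOT_SECRET:-/boot/firstboot_root_password}"
SSH_DIR="${FIRSTBOOT_SSH_DIR:-/root/.ssh}"
MARKER="${FIRSTBOOT_MARKER:-/root/.not_logged_in_yet}"

# Succeeds (exit 0) while provisioning has not yet completed on this install.
firstboot_needed() { [ ! -f "$STATE_DIR/done" ]; }

# Append the public key in $1 to $2 unless that exact line is already there,
# so re-running never duplicates entries in authorized_keys.
append_key_once() {
    grep -qxF "$(cat "$1")" "$2" 2>/dev/null || cat "$1" >>"$2"
    chmod 600 "$2"
}

# Print the one-shot password and delete its file; fails if none was supplied.
read_secret() {
    [ -s "$SECRET_FILE" ] || return 1
    head -n 1 "$SECRET_FILE"
    rm -f "$SECRET_FILE"
}

provision() {
    firstboot_needed || return 0
    mkdir -p "$SSH_DIR" "$STATE_DIR" && chmod 700 "$SSH_DIR"
    [ -f "$SSH_DIR/id_rsa" ] || \
        ssh-keygen -q -t rsa -N "" -C "root@$(hostname)" -f "$SSH_DIR/id_rsa"
    append_key_once "$SSH_DIR/id_rsa.pub" "$SSH_DIR/authorized_keys"
    pw=$(read_secret) || { echo "firstboot: no password file" >&2; return 1; }
    printf 'root:%s\n' "$pw" | chpasswd
    rm -f "$MARKER"            # no interactive first-login dialogue later
    touch "$STATE_DIR/done"    # stamp: never run again on this install
}

# rc.local calls this as:  /usr/local/sbin/firstboot.sh run || true
if [ "${1:-}" = run ]; then provision; fi
```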