do not manage ~cbsd/.ssh/authorized_keys due to security reason

olevole · olevole · commit 29cf64afbd89 · 2024-10-22T14:59:33.000+03:00
historically, cbsd user was only used for remote commands after "cbsd node mode=add" operations.
At the moment there are several frontend systems for CBSD that require adding an unprivileged user to the cbsd group.
This can lead to leakage of the private/public key through the frontend and access to the server
if the server administrator has not closed the SSH and does not block the "cbsd" user of the through SSH.
Accordingly, if administrator want "cbsd node mode=add", he must copy the public key into ~cbsd/.ssh/authorized_keys.
diff --git a/etc/defaults/qlogin.conf b/etc/defaults/qlogin.conf
@@ -40,7 +40,11 @@ if [ -d ${jailsysdir}/${jname}/cloud-init ]; then
 				# try lookup for global
 				eval _pubkey="\$ci_user_pubkey"
 			fi
-			if [ "${_pubkey}" = ".ssh/authorized_keys" ]; then
+			if [ "${_pubkey}" = ".ssh/id_rsa.pub" ]; then
+				echo "qlogin.conf: ${SSH_CMD} -oStrictHostKeyChecking=no -oConnectTimeout=15 -oServerAliveInterval=10 -i ${workdir}/.ssh/id_rsa ${ci_user_add}@${first_ip4_addr}" 1>&2
+				login_cmd="${SSH_CMD} -oStrictHostKeyChecking=no -oConnectTimeout=15 -oServerAliveInterval=10 -i ${workdir}/.ssh/id_rsa ${ci_user_add}@${first_ip4_addr}"
+			elif [ "${_pubkey}" = ".ssh/authorized_keys" ]; then
+				# back compat for CBSD < 14.1.3
 				echo "qlogin.conf: ${SSH_CMD} -oStrictHostKeyChecking=no -oConnectTimeout=15 -oServerAliveInterval=10 -i ${workdir}/.ssh/id_rsa ${ci_user_add}@${first_ip4_addr}" 1>&2
 				login_cmd="${SSH_CMD} -oStrictHostKeyChecking=no -oConnectTimeout=15 -oServerAliveInterval=10 -i ${workdir}/.ssh/id_rsa ${ci_user_add}@${first_ip4_addr}"
 			else
