As featured in the XtendedGreg YouTube Live Stream: https://youtube.com/live/sVxxmtI0sYQ
- Why would you need a custom config shell?
  - Provides a secure way to initially configure the device
  - Prevents unrestricted shell access
  - Limits users to specific tasks
  - Explicitly lists the available user actions
- Install bash
apk add bash
- Demonstrate shell_one.sh
- Intro to dialog (Website)
- Install dialog
apk add dialog
- Demonstrate shell_two.sh
- Copy shell_two.sh to /bin/shell_two.sh
cp shell_two.sh /bin/shell_two.sh
lbu add /bin/shell_two.sh
lbu commit -d
addgroup configUser
adduser -s /bin/shell_two.sh -G configUser myconfiguser
passwd -u myconfiguser
lbu add /home/myconfiguser
lbu commit -d
Using an application like PuTTY, log in through SSH using the username we just created
apk add doas
echo "permit nopass :configUser as root cmd [command]" > /etc/doas.d/configUser.conf
lbu commit -d
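The idea behind a restricted config shell, as an added example (not shell_one.sh or shell_two.sh from the stream): the user's input only selects an entry from a fixed list and is never executed itself. The menu entries, the file name config_menu.sh and the use of /sbin/reboot as the doas rule's [command] are assumptions.

```bash
#!/bin/bash
# Added example, not shell_one.sh or shell_two.sh from the stream.
# Menu entries and commands are assumptions chosen for illustration.

# Ignore Ctrl-C, Ctrl-Z and Ctrl-\ so the menu cannot be interrupted.
trap '' INT TSTP QUIT

show_menu() {
    echo "1) Show date and time"
    echo "2) Show system information"
    echo "3) Reboot"
    echo "q) Log out"
}

# Run the action for one menu choice.
# Returns 0 after a listed action, 1 for an unlisted choice, 2 to log out.
# The input only selects a case branch; it is never eval'd or passed on
# as an argument, so "1; sh" is just an unlisted choice.
run_choice() {
    case "$1" in
        1) date ;;
        2) uname -a ;;
        # Needs the doas rule from this page with [command] set to /sbin/reboot.
        3) doas /sbin/reboot ;;
        q) return 2 ;;
        *) echo "Invalid choice" >&2; return 1 ;;
    esac
    return 0
}

main() {
    while true; do
        show_menu
        printf 'Choice: '
        # EOF (dropped SSH or serial session) ends the login.
        read -r choice || exit 0
        run_choice "$choice"
        [ $? -eq 2 ] && exit 0
    done
}

# Start the menu only when installed under this hypothetical name, which
# keeps the functions loadable on their own for testing.
case "$0" in
    */config_menu.sh) main ;;
esac
```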
- getty is a program that manages the terminal and protects the system from unauthorized access
- We will put a getty on the serial port to allow login via serial
To use the onboard serial port, add enable_uart=1 to usercfg.txt (not needed for USB serial). NOTE: The Pi is 3.3V, which needs a level shifter in most cases or a compatible serial adapter
mount -o remount,rw /media/mmcblk0p1
vi /media/mmcblk0p1/usercfg.txt
enable_uart=1
:wq
mount -o remount,ro /media/mmcblk0p1
ls /dev/tty*
vi /etc/inittab
Modify inittab with the following text
# Put a getty on the serial port
# ttyS0::respawn:/sbin/getty -L ttyS0 115200 vt100
ttyUSB0::respawn:/sbin/getty -L ttyUSB0 115200 vt100
Type :wq to save and exit
kill -HUP 1
- or reboot
reboot
vi /etc/securetty
Add the following to the bottom of the file
ttyUSB0
Type :wq to save and exit
Log in using our user "myconfiguser"