scripts UPDATE add authorized_keys/pw auth in script

CMakeLists.txt

@@ -86,7 +86,6 @@ set(SCRIPT_DIR "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_DATADIR}/netopeer2" CACH
 option(INSTALL_MODULES "Install required modules into sysrepo" ON)
 option(GENERATE_HOSTKEY "Generate a new RSA host key in the keystore named \"genkey\"" ON)
 option(MERGE_LISTEN_CONFIG "Merge default server configuration for listening on all IPv4 interfaces" ON)
-option(MERGE_AUTH_CONFIG "Merge public keys from authorized_keys into the server configuration" OFF)
 set(MODULES_PERMS 600 CACHE STRING "File access permissions set for all the server modules")
 if(NOT MODULES_OWNER)
     execute_process(COMMAND id -un RESULT_VARIABLE RET
@@ -164,7 +163,7 @@ find_package(PkgConfig REQUIRED)
 pkg_check_modules(PKG_LN2 REQUIRED libnetconf2)
 
 # libnetconf2 thread count check
-pkg_get_variable(LN2_THREAD_COUNT libnetconf2 LN2_MAX_THREAD_COUNT)
+pkg_get_variable(LN2_THREAD_COUNT libnetconf2 "LN2_MAX_THREAD_COUNT")
 if(LN2_THREAD_COUNT)
     if(LN2_THREAD_COUNT LESS THREAD_COUNT)
         message(FATAL_ERROR "libnetconf2 was compiled with support up to ${LN2_THREAD_COUNT} threads, server is configured with ${THREAD_COUNT}.")
@@ -176,14 +175,14 @@ else()
 endif()
 
 # get libnetconf2 module directory, use it later when installing modules
-pkg_get_variable(LN2_YANG_MODULE_DIR libnetconf2 LN2_SCHEMAS_DIR)
+pkg_get_variable(LN2_YANG_MODULE_DIR libnetconf2 "LN2_SCHEMAS_DIR")
 if(NOT LN2_YANG_MODULE_DIR)
     message(FATAL_ERROR "Unable to learn libnetconf2 module search directory.")
 endif()
 
 # find sysrepo pkg and get sysrepo group
 pkg_check_modules(PKG_SR REQUIRED sysrepo)
-pkg_get_variable(SR_GROUP sysrepo SR_GROUP)
+pkg_get_variable(SR_GROUP sysrepo "SR_GROUP")
 
 # } PKGCONFIG
 
@@ -399,18 +398,6 @@ if(MERGE_LISTEN_CONFIG)
         endif()
     ")
 endif()
-if(MERGE_AUTH_CONFIG)
-    install(CODE "
-        message(STATUS \"Merging authorized keys into the server configuration...\")
-        set(ENV{SYSREPOCTL_EXECUTABLE} \"${SYSREPOCTL_EXECUTABLE}\")
-        set(ENV{SYSREPOCFG_EXECUTABLE} \"${SYSREPOCFG_EXECUTABLE}\")
-        set(ENV{NP2_SCRIPTS_DIR} \"${SCRIPT_DIR}\")
-        execute_process(COMMAND \"\$ENV{DESTDIR}${SCRIPT_DIR}/merge_auth_config.sh\" RESULT_VARIABLE MERGE_AUTH_CONFIG_RES)
-        if(NOT MERGE_AUTH_CONFIG_RES EQUAL \"0\")
-            message(FATAL_ERROR \" scripts/merge_auth_config.sh failed: \${MERGE_AUTH_CONFIG_RES}\")
-        endif()
-    ")
-endif()
 
 # tests
 if(ENABLE_TESTS)

scripts/merge_config.sh

@@ -20,9 +20,51 @@ if [ -n "$SERVER_CONFIG" ]; then
     exit 0
 fi
 
-# get the user who invoked the script and his password hash, use it to create an SSH user in the default config
+# get the user who invoked the script
 CURRENT_USER="$SUDO_USER"
-CURRENT_USER_PW_HASH=$(awk -v user="$CURRENT_USER" -F':' '$1 == user {print $2}' /etc/shadow)
+# get his home dir
+CURRENT_USER_HOME=$(eval echo "~$CURRENT_USER")
+# try to get his authorized_keys file
+AUTHORIZED_KEYS_FILE="$CURRENT_USER_HOME/.ssh/authorized_keys"
+# check if the authorized keys file exists
+if [ -f "$AUTHORIZED_KEYS_FILE" ]; then
+    # it exists, create public keys that are authorized in the server's configuration
+    AUTH_CONFIG="
+                        <public-keys>
+                            <inline-definition>"
+
+    IDX=0
+# read lines from authorized_keys
+    while IFS= read -r LINE; do
+        # check if the line is empty or starts with a comment (#)
+        if [[ -n "$LINE" && ! "$LINE" =~ ^\s*# ]]; then
+            # extract the base64 public key
+            PUB_BASE64=$(echo "$LINE" | awk '{print $2}')
+
+            NEW_PUBKEY_ENTRY="  <public-key>
+                                    <name>authorized_key_${IDX}</name>
+                                    <public-key-format xmlns:ct=\"urn:ietf:params:xml:ns:yang:ietf-crypto-types\">ct:ssh-public-key-format</public-key-format>
+                                    <public-key>${PUB_BASE64}</public-key>
+                                </public-key>"
+            # append
+            AUTH_CONFIG="${AUTH_CONFIG}${NEW_PUBKEY_ENTRY}"
+            IDX=$((IDX + 1))
+        fi
+    done < "$AUTHORIZED_KEYS_FILE"
+
+    # append the ending tags
+    AUTH_CONFIG="${AUTH_CONFIG}
+                            </inline-definition>
+                        </public-keys>"
+
+    echo "Added user \"${CURRENT_USER}\" that can authenticate with a key pair from his authorized_keys to the server configuration..."
+else
+    # authorized_keys doesn't exist, get the user's pw hash from /etc/shadow and use that for authentication
+    CURRENT_USER_PW_HASH=$(awk -v user="$CURRENT_USER" -F':' '$1 == user {print $2}' /etc/shadow)
+    AUTH_CONFIG="<password>${CURRENT_USER_PW_HASH}</password>"
+
+    echo "Added user \"${CURRENT_USER}\" that can authenticate with his password to the server configuration..."
+fi
 
 # import default config
 CONFIG="<netconf-server xmlns=\"urn:ietf:params:xml:ns:yang:ietf-netconf-server\">
@@ -51,7 +93,7 @@ CONFIG="<netconf-server xmlns=\"urn:ietf:params:xml:ns:yang:ietf-netconf-server\
                         <users>
                             <user>
                                 <name>${CURRENT_USER}</name>
-                                <password>${CURRENT_USER_PW_HASH}</password>
+                                ${AUTH_CONFIG}
                             </user>
                         </users>
                     </client-authentication>