-1

I'm trying to automate some tasks on first boot running Ubuntu on a Raspberry Pi. I have a systemd service that runs once and kills itself. As part of it, I'm trying to update the config in sshd_config, and I have tried everything I could think of and find on Google, but in vain. Hopefully someone with more experience dealing with this stuff can pitch in here.

```bash
# disable password login
echo "First Boot - disabling ssh password login"
sed -i 's/PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
```

Systemctl and Syslog don't show any errors in the execution. If I run the above command on the command line it behaves as expected.

Other things I have tried

Attempt 1: Assuming permission errors due to in-place sed file creation, I routed the output to a temp file. On printing the contents it looks right, but the actual location, i.e. /etc/ssh/sshd_config, has no changes.

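```bash
# Write the edited config to a temp file, then copy it over the original
TFILE=$(mktemp --tmpdir tfile.XXXXX)
# Quote the trap body so it runs on exit, not when the trap is set
trap 'rm -f "$TFILE"' 0 1 2 3 15
sed 's/PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config > "$TFILE"
cat "$TFILE" > /etc/ssh/sshd_config
```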

Attempt 2: I read somewhere that /etc/ssh/sshd_config is a symlink to a file in /usr that gets copied over, hence executing the first line copies it to /etc and the second makes the changes on top.

```bash
sed -i '' /etc/ssh/sshd_config
sed -i 's/PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
```

Updated 23/02:

Service file

```ini
[Unit]
Description=First boot script
ConditionPathExists=/first_boot.sh

[Service]
Type=oneshot
RemainAfterExit=true
ExecStart=/first_boot.sh
StandardOutput=journal+console

[Install]
WantedBy=multi-user.target
```

  • Please show us the content of the service file. Also add some dummy line to the config to check the possibility of an extra script replacing the whole file – Maxim Sagaydachny Feb 23 '20 at 06:23
  • Thanks for the pointer. I added a snippet into sshd_config to check if it gets replaced. The snippet stayed, but the actual value that I was interested in is being changed. I guess I now need to search in Ubuntu systemd for which service is replacing the values I'm interested in. – Nataraj Basappa Feb 23 '20 at 08:47

3 Answers

1

If this is an .ini file, you should check out crudini.

It is a regular Linux package, easy to install, and gives you commands that can be used directly in bash.

```bash
sudo apt-get install -q -y crudini
```

and in my case

```bash
mimeapps="/home/frank/.config/mimeapps.list"
# create a new / ensure-there-is this section
crudini --set "$mimeapps" 'Default Applications'
# set a property in this section
crudini --set "$mimeapps" 'Default Applications' x-scheme-handler/http google-chrome.desktop
```

Beware of spaces (or not) around the equals signs. This might require one final regexp sed to sanitize, depending on the specific ini file, which I handle like so:

```bash
# crudini creates spaces around the equals sign
# this in-place search-and-replace removes any space before/after equals signs
# (_fail is an error helper that is not shown here)
_sanitizeIni(){
    [[ "$#" -eq 1 ]] || _fail "_sanitizeIni needs exactly 1 parameter"
    sed -i -E 's/\s?=\s?/=/g' "$1"
}
```

Frank N
  • Note since crudini-0.9.4 there is the `--ini-options=nospace` option to enforce not using spaces around the = throughout the file – pixelbeat Jan 09 '23 at 18:56
0

Check "nologin" - http://man7.org/linux/man-pages/man8/nologin.8.html Easy as: touch /etc/nologin; and rm -f /etc/nologin afterwards.

renlou
  • Welcome to StackOverflow! I suspect that Nataraj wants to allow logins via SSH keys only. Could you please explain what `nologin` has to do with it? – Maxim Sagaydachny Feb 23 '20 at 09:47
  • Maybe yes or maybe disabling pw auth in sshd is only idea he has to disable remote logins for users. My idea is same good as yours - ah sorry, you have none... – renlou Feb 23 '20 at 10:33
0

Thank you chaps for the pointers; I finally got this working. A few years out of touch makes for a huge leap in tech. The issue I had was that Ubuntu's cloud-init, part of SystemD, would update the sshd_config file, and the order of execution basically overwrote my changes.

Here is my final service file that works.

```ini
[Unit]
Description=Post first boot script
ConditionPathExists=!/first_boot.sh
ConditionPathExists=/post_first_boot.sh

# run customisation and package installations after networking & ssh are up
After=cloud-config.service
Before=cloud-final.service

[Service]
Type=oneshot
RemainAfterExit=true
ExecStart=/post_first_boot.sh
StandardOutput=journal+console

[Install]
WantedBy=multi-user.target
```
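
An added example, not part of the original answers: once the ordering problem is solved, the edit itself can be made idempotent and independent of whether the shipped file has the keyword active or commented out (an unanchored `sed` substitution leaves `#PasswordAuthentication yes` commented). The helper names `set_sshd_option`, `effective_global` and `write_sample` are hypothetical, and the sample config is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post. Helper names are hypothetical.

# sshd keeps the first value it reads for a keyword, so put the directive on
# line 1 and drop later active global copies. Lines from the first "Match"
# onward are scoped overrides and are left untouched.
set_sshd_option() (   # usage: set_sshd_option FILE KEYWORD VALUE
    file=$1
    tmp=$(mktemp) || exit 1
    awk -v key="$2" -v value="$3" '
        BEGIN { print key " " value; lkey = tolower(key) }
        tolower($1) == "match" { in_match = 1 }
        !in_match && tolower($1) == lkey { next }   # stale global copy
        { print }
    ' "$file" > "$tmp" || { rm -f "$tmp"; exit 1; }
    # Overwrite in place: keeps owner, mode and any symlink at $file.
    cat "$tmp" > "$file"; rc=$?
    rm -f "$tmp"
    exit $rc
)

# Print the value sshd would use globally: first active line before any Match.
effective_global() {   # usage: effective_global FILE KEYWORD
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Constructed sample: commented default, active value, and a Match override.
write_sample() {
    printf '%s\n' '#PasswordAuthentication yes' 'Port 22' \
        'PasswordAuthentication yes' 'Match User backup' \
        '    PasswordAuthentication yes' > "$1"
}

# Demo on a scratch copy; point set_sshd_option at /etc/ssh/sshd_config for real use.
f=$(mktemp) && write_sample "$f"
set_sshd_option "$f" PasswordAuthentication no
cat "$f"
rm -f "$f"
```

Run it from the unit that is ordered after cloud-init's config stage, then check the result with `sshd -t` before restarting sshd.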