diff options
Diffstat (limited to 'medkit-initial-config/files')
-rw-r--r-- | medkit-initial-config/files/README.md | 50 | ||||
-rw-r--r-- | medkit-initial-config/files/medkit-initial-config | 156 |
2 files changed, 206 insertions, 0 deletions
diff --git a/medkit-initial-config/files/README.md b/medkit-initial-config/files/README.md new file mode 100644 index 0000000..528f20b --- /dev/null +++ b/medkit-initial-config/files/README.md @@ -0,0 +1,50 @@ +Medkit initial system configuration +----------------------------------- +This package provides script that allows limited configuration of router after +medkit is used. The idea is to allow users to preconfigure router in a way they +can connect to it in secure manner over WiFi if needed. + +It is applied only with first boot on medkited router. It intentionally does not +work with just factory reset, medkit reflash is required. + +## Usage +User places alongside medkit configuration file to flash drive. The name of file +has to be in format `BOARD-medkit-config.json` where `BOARD` is name of board +consistent with medkit prefix. + +## Configuration file format +Configuration file has to contain valid JSON. + +### Example configuration +``` +{ + "foris_password": "m4ZZMC9cpyu3xpbw", + "system_password": "Wru4FU0TLw8avIVY", + "wireless": { + "ssid": "TurrisConfigWifi", + "key": "tScqsSAr0DXEqUe0" + } +} +``` + +### Foris Password +Option `foris_password` can be used to configure password for Foris web interface +and that way skip initial step in setup. + +This is suggested to be used as web interfaces allows anyone to set initial +password. That makes router administration accessible by anyone. By setting +password even before WiFi or/and Foris are started prevents access to just +everyone. + +### System Password +Option `system_password` can be used to configure password for `root` account on +router. This is password used by LuCI web interfaces as well as SSH. + +This is not essentially required on Turris, because in default root account is +blocked for interactive login. This is included rather for convenience for cases +when user wants to use SSH rather than Foris. + +### Wireless AP configuration +Option `wireless` has to be set to object with `ssid` and `key` fields. It +configures first radio it can access on system to AP mode with provided SSID and +key (password). diff --git a/medkit-initial-config/files/medkit-initial-config b/medkit-initial-config/files/medkit-initial-config new file mode 100644 index 0000000..c1c6f2f --- /dev/null +++ b/medkit-initial-config/files/medkit-initial-config @@ -0,0 +1,156 @@ +#!/bin/sh +set -eu + +# There are multiple reasons why we do not want to just automatically always run +# this script on any other occasion except when you do medkit. +# It is also more strait forward for users to have it as some sort of extension to +# medkit. That is placing appropriate file beside medkit. +# When router is medkited then there is no snapshots. Only other case when this +# happen is when you unpack router from the box (from factory). This means that we +# can safely assume that no snapshot is the symptom of medkit. +# Why we want to allow configuration just in case of medkit is because we want to +# force user to update router to latest version of drivers. It is potentially +# dangerous to enable WiFi in old versions of system as there could be known +# vulnerabilities. +if ! schnapps list -j | jsonfilter -e '$.snapshots[0]' >/dev/null; then + echo "For security concerns " >&2 + exit 1 +fi + + +. /etc/os-release +case "$OPENWRT_DEVICE_PRODUCT" in + "Turris Mox") + board="mox" + ;; + "Turris Omnia") + board="omnia" + ;; + "Turris 1.x") + board="turris1x" + ;; + *) + echo "Router we are running on is not known to medkit-initial-config!" >&2 + exit 1 + ;; +esac + + +tmpmnt="$(mktemp -d)" +tmpclean() { + umount -fl "$tmpmnt" 2>/dev/null || true + rmdir "$tmpmnt" 2>/dev/null || true +} +trap tmpclean HUP INT QUIT TERM EXIT + +# Locate drive with medkit and configuration file +for dev in /dev/mmcblk*p* /dev/sd*; do + [ -e "$dev" ] || continue + echo "Checking device: $dev" + mount "$dev" "$tmpmnt" || continue + + for medkit in \ + "$tmpmnt/$board"-medkit-*.tar.gz \ + "$tmpmnt/medkit-$board"*.tar.gz \ + ; do + [ -f "$medkit" ] || continue + [ -f "$medkit.md5" ] && \ + (cd "${medkit%/*}" && md5sum "$medkit.md5") || continue + [ -f "$medkit.sha256" ] && \ + (cd "${medkit%/*}" && sha256sum "$medkit.sha256") || continue + [ -f "$medkit.sig" ] && \ + usign -V -m "$medkit" -P /etc/opkg/keys || continue + + echo "Located drive used for medkit: $dev (medkit: ${medit##*/})" >&2 + + config_file="${medkit%/*}/$board-medkit-config.json" + if [ -f "$config_file" ]; then + echo "Located config file: ${config_file##*/}" >&2 + break + else + echo "No config file located alongside the medkit." >&2 + umount -fl + exit 0 + fi + done + [ -f "$config_file" ] && break + umount -fl "$tmpmnt" +done + +if [ ! -f "$config_file" ]; then + # The only way we could get here is that device with medkit is not connected + echo "Device with appropriate medkit not located." >&2 + exit 0 +fi + + +################################################################################## +# Load config and apply it on system +. /usr/share/libubox/jshn.sh +json_init +json_load_file "$config_file" + + +foris_password() { + local password + json_get_var password "foris_password" || { + echo "foris_password configuration not present." >&2 + return + } + + uci -q batch <<-EOF + foris.auth=config + foris.auth.password=$password + commit foris.auth + EOF + echo "Foris password set." >&2 +} + +system_password() { + local password + json_get_var password "system_password" || { + echo "system_password configuration not present." >&2 + return + } + + echo "root:$password" | chpasswd + passwd -u root + echo "System password set." >&2 +} + +wireless() { + json_select "wireless" >/dev/null || { + echo "wireless configuration not present." >&2 + return + } + local ssid key + for var in ssid key; do + json_get_var "$var" "$var" || { + echo "wireless.$var configuration is missing. Wireless configuration not performed." >&2 + return + } + done + + local wifi_dev + wifi_dev="$(uci show 'wireless.@wifi-device[0]' | \ + sed -n 's/^wireless\.\([^.]\+\)=.*$/\1/p')" || { + echo "Wireless configuration is not possible as there is no WiFi device." >&2 + return + } + + uci -q batch <<-EOF + wireless.wifinet_auto=wifi-iface + wireless.wifinet_auto.device=$wifi_dev + wireless.wifinet_auto.network=lan + wireless.wifinet_auto.mode=ap + wireless.wifinet_auto.ssid=$ssid + wireless.wifinet_auto.encryption=psk2+tkip+aes + wireless.wifinet_auto.key=$key + commit wireless.wifinet_auto + EOF +} + + +foris_password +system_password +wireless |