From f4867951543a028734a8fe84aee216462d6e487f Mon Sep 17 00:00:00 2001
From: Justin Oros
Date: Sun, 19 Apr 2026 13:05:29 -0700
Subject: [PATCH] onboard-spoke.sh: add key selection prompt for tunnel auth, use explicit -i flag for all SSH calls, clarify hub key installation header
---
 README.md | 8 +++++++-
 hub/onboard-spoke.sh | 29 +++++++++++++++++++++++++----
 2 files changed, 32 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index c32d6c4..d6677ac 100644
--- a/README.md
+++ b/README.md
@@ -37,12 +37,18 @@ cd tinyboard
 
 ### Adding the Spoke's Public Key to the Hub
 
-During `setup-spoke.sh`, a key pair is generated on the spoke for the autossh tunnel. The script will display the public key and pause. Before pressing ENTER, the hub owner must add the public key to the hub user's `authorized_keys`:
+During `setup-spoke.sh`, a key pair is generated on the spoke for the autossh tunnel. The script will display the public key and pause. Before pressing ENTER, the hub owner must add the public key to the hub user's `authorized_keys`. Run this on the hub as the hub user (e.g. `armbian`):
 
 ```bash
 echo "" >> ~/.ssh/authorized_keys
 ```
 
+Or as root:
+
+```bash
+echo "" >> /home/armbian/.ssh/authorized_keys
+```
+
 Once the key is added, press ENTER on the spoke to continue. The script will test the SSH connection and if successful, bring up the tunnel.
 
 The private key never leaves the spoke — only the public key is shared.
diff --git a/hub/onboard-spoke.sh b/hub/onboard-spoke.sh
index 8ff0d71..d0d574b 100755
--- a/hub/onboard-spoke.sh
+++ b/hub/onboard-spoke.sh
@@ -73,6 +73,27 @@ KEY_PATH="$SSH_DIR/$KEY_NAME"
 
 mkdir -p "$(dirname "$RCLONE_CONF")"
 
+header "Select Tunnel Key"
+AVAILABLE_KEYS=()
+while IFS= read -r keyfile; do
+ AVAILABLE_KEYS+=("$keyfile")
+done < <(find "$SSH_DIR" -maxdepth 1 -type f ! -name "*.pub" ! -name "known_hosts" ! -name "authorized_keys" ! -name "config" | sort)
+
+if [ ${#AVAILABLE_KEYS[@]} -eq 0 ]; then
+ die "No private keys found in $SSH_DIR."
+fi
+
+echo "Available keys:"
+for i in "${!AVAILABLE_KEYS[@]}"; do
+ echo " $i) ${AVAILABLE_KEYS[$i]}"
+done
+echo ""
+read -rp "Choose key to use for tunnel access [0]: " KEY_CHOICE
+KEY_CHOICE="${KEY_CHOICE:-0}"
+[[ "$KEY_CHOICE" =~ ^[0-9]+$ ]] && [ "$KEY_CHOICE" -lt "${#AVAILABLE_KEYS[@]}" ] || die "Invalid choice."
+TUNNEL_KEY="${AVAILABLE_KEYS[$KEY_CHOICE]}"
+info "Using key: $TUNNEL_KEY"
+
 header "Checking Tunnel"
 info "Scanning spoke host key..."
 KEYSCAN=$(ssh-keyscan -p "$TUNNEL_PORT" -H localhost 2>/dev/null)
@@ -86,7 +107,7 @@ done <<< "$KEYSCAN"
 
 info "Verifying spoke is reachable on port $TUNNEL_PORT..."
 retry_or_abort \
- "ssh -o BatchMode=yes -o ConnectTimeout=10 -p \"$TUNNEL_PORT\" \"$SPOKE_USER\"@localhost exit" \
+ "ssh -i \"$TUNNEL_KEY\" -o BatchMode=yes -o ConnectTimeout=10 -p \"$TUNNEL_PORT\" \"$SPOKE_USER\"@localhost exit" \
 "Spoke not reachable on port $TUNNEL_PORT. Make sure the tunnel is up."
 
 header "Generating Hub SSH Key"
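Review bot: The `find` in the "Select Tunnel Key" loop is an exclusion list of four names, so any other non-key file that ssh keeps in `$SSH_DIR` (e.g. `known_hosts.old`, `environment`, `rc`) is listed as a selectable "key" and the mistake only surfaces later in the ssh call. Filtering by content instead of by name is more robust and also makes the "No private keys found" message accurate: in the loop body, `grep -qs -- '-----BEGIN .*PRIVATE KEY-----' "$keyfile" && AVAILABLE_KEYS+=("$keyfile")` keeps only files carrying a PEM/OpenSSH private-key header. The numeric-range check on `KEY_CHOICE` is fine as written since the `[[ =~ ]]` guard short-circuits before the `-lt` comparison. `header`, `info` and `die` are defined outside this hunk.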
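Review bot: The reachability check now passes `-i "$TUNNEL_KEY"`, but without `-o IdentitiesOnly=yes` ssh still offers agent identities and the default identity files, so the check can succeed with a key other than the one the operator just selected and a wrong choice goes unnoticed. Add `-o IdentitiesOnly=yes` next to the `-i` option in the command string handed to `retry_or_abort`; the `ssh-copy-id ... -o "IdentityFile=$TUNNEL_KEY"` call in the next hunk has the same gap unless ssh-copy-id already forces that option, which I cannot confirm from here. Because the command is built as a string and presumably re-parsed inside `retry_or_abort` (defined outside this hunk), a `$TUNNEL_KEY` path containing a double quote would also break the `\"...\"` quoting.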
@@ -99,10 +120,10 @@ fi
 chmod 600 "$KEY_PATH"
 info "Permissions set: $KEY_PATH is 600"
 
-header "Copying Hub Key to Spoke"
-info "Running ssh-copy-id to $SPOKE_USER@localhost:$TUNNEL_PORT..."
+header "Installing Hub Access Key on Spoke"
+info "Copying hub public key to spoke's authorized_keys so the hub can SSH in for rclone..."
 info "(You will be prompted for the $SPOKE_USER password on the spoke)"
-if ssh-copy-id -i "$KEY_PATH.pub" -p "$TUNNEL_PORT" "$SPOKE_USER"@localhost; then
+if ssh-copy-id -i "$KEY_PATH.pub" -o "IdentityFile=$TUNNEL_KEY" -p "$TUNNEL_PORT" "$SPOKE_USER"@localhost; then
 info "Key copied."
 else
 warn "ssh-copy-id failed — password auth may be disabled on the spoke."
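Review bot: The unchanged `info "(You will be prompted for the $SPOKE_USER password on the spoke)"` line is now misleading on the new side: ssh-copy-id authenticates with `-o "IdentityFile=$TUNNEL_KEY"`, and that key had to succeed non-interactively (`BatchMode=yes`) in the reachability check just above, so a password prompt is the exception rather than the rule. Suggest `info "(Authenticating with $TUNNEL_KEY; you may be asked for the $SPOKE_USER password if key auth is refused)"`. The `warn` branch's "password auth may be disabled" wording has the same problem and could mention that the selected key was rejected as another likely cause.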