6 echo >&2 "novaboot-shell: $*"
13 - console (default command)
24 if [ "$NB_ADMIN" ]; then
27 - shell (use with ssh -t)
35 [ "$NB_ADMIN" ] || return 1
38 0) die "Usage: ssh ... add-key USERNAME < id_rsa.pub";;
40 *) die "User name must not contain spaces: $*";;
45 tmp=$(mktemp ~/.ssh/authorized_keys.XXXXXXXX)
47 cat ~/.ssh/authorized_keys
48 echo "command=\"user $user\" $key"
51 mv $tmp ~/.ssh/authorized_keys
55 [ "$NB_ADMIN" ] || die "Permission denied"
56 if ! tty > /dev/null; then
57 echo "novaboot-shell: Consider starting the shell with 'ssh -t'"
59 exec /bin/bash || exec /bin/sh
63 lslocks | awk '{ if ($9 == "'"$RUN_DIR"'") { print $2 } }'
70 for pid in $(lock_queue); do
71 echo $pid $(sed --null-data -ne '/^NOVABOOT_ID=/ s///p' /proc/$pid/environ)
74 echo "Target is occupied by:"
75 ( echo "PID USER LOGIN_TIME FROM"; echo "$queue" ) | column -t
81 exec flock --no-fork "$RUN_DIR" "$@"
89 . "${NOVABOOT_SHELL_CONFIG:-$HOME/.novaboot-shell}"
92 # run_subcommand should be called only after permission checks and/or locking
97 trap "rm -f $RUN_DIR/ppid" EXIT
98 echo $NOVABOOT_PPID > $RUN_DIR/ppid
99 echo 'novaboot-shell: Connected'
100 # TODO: $reset_begin_cmd
101 eval exec "${console_cmd:?}";;
103 eval exec "${reset_cmd:?}";;
104 "rsync --server "*" . .")
105 if ! [ $# -eq 5 -o \( $# -eq 6 -a "$4" = '--log-format=X' \) ]; then
106 die "Unexpected rsync invocation: $*"
108 mkdir -p "$HOME/tftproot"
112 eval exec "${on_cmd:?}";;
114 eval exec "${off_cmd:?}";;
119 if [ "$1" = "-c" ]; then
121 elif [ $# -gt 0 ]; then
122 die "Permission denied"
126 if [ "$1" = "user" ]; then
127 # Get user name encoded in ~/.ssh/authorized_keys
129 [ "$3" = "admin" ] && NB_ADMIN=1
130 set -- $SSH_ORIGINAL_COMMAND
133 IP=${SSH_CONNECTION%% *}
135 HOST=$(getent hosts $IP) || HOST=$IP
140 DATE=$(LANG=C date +'%F_%T')
141 export NOVABOOT_ID="${NB_USER:-?} $DATE ${REMOTE}"
142 export NOVABOOT_PPID=$PPID
147 # Commands allowed at any time
148 "console"|"") locked $0 console;;
149 "get-config") read_config && echo -n "${target_config}"; exit;;
150 "add-key") shift; add_key "$@"; exit;;
151 "shell") exec_shell; exit;;
154 # Commands allowed only when nobody or the same user is connected
155 # to the console. "The same user" means that we were executed by
156 # the same sshd process that has the lock. This is ensured by
157 # using SSH connection sharing on client side.
158 reset | rsync | on | off)
159 ALLOWED_PPID=$(cat $RUN_DIR/ppid 2>/dev/null || :)
160 if [ "$PPID" -eq "${ALLOWED_PPID:-0}" ]; then run=unlocked; else run=locked; fi
163 echo >&2 "novaboot-shell: Command not allowed: $*"
164 logger -p error "novaboot-shell: Command not allowed: $*"
169 if [ -d "$HOME" ]; then
172 RUN_DIR="/tmp/novaboot-shell@$USER"
176 if [ -z "$NOVABOOT_ID" ]; then
188 novaboot-shell - provides novaboot with unified SSH-based interface for controlling target hardware
192 B<novaboot-shell> -c "[command [arguments...]]"
194 B<novaboot-shell> [command [arguments...]]
196 B<ssh target@server> [command [arguments...]]
200 B<novaboot-shell> provides L<novaboot(1)> with a unified SSH-based
201 interface for controlling the target hardware. This simplifies
202 client-side configuration, because clients typically need only the
203 I<--ssh=...> option. B<novaboot-shell> is typically configured as a
204 login shell of special user accounts associated with the target
205 hardware (as set by L<adduser-novaboot(8)>). It ensures that users can
206 perform only a limited set of actions (see L</COMMANDS> below) with
207 the target and have no shell access on the server.
215 Connect to target console (usually serial line). When somebody is
216 connected to the console, other users are blocked from controlling the
217 target. Blocked users see a message indicating who blocks them.
219 The user connected to the console is able to invoke other commands
220 such as L</reset>, but only when the command is invoked via the same
221 SSH connection. This can be accomplished by using SSH connection
222 sharing, which is what L<novaboot(1)> uses (see I<-M> and I<-S> in
225 This is the default command when no command is specified on command
230 Reset the target hardware.
234 Power on the target hardware.
238 Power off the target hardware.
242 This command is not meant to be invoked directly by the user. It
243 allows using L<rsync(1)> to copy files to the target, perhaps for TFTP
244 server. The rsync command must be invoked as: C<rsync ...
245 target@server:>, i.e. without specifying destination path. The files
246 will be stored into I<$HOME/tftproot>.
248 =item user <uernamename> [admin]
250 User command is meant to be used with C<command=> option in SSH's
251 L<authorized_keys(5)> file. It allows the shell to display
252 human-readable names when printing information about who blocks the
253 target. Then, the real command is taken from SSH_ORIGINAL_COMMAND
254 environment variable.
256 When "admin" is specified after the user name, this user is considered
257 an administrator and is allowed to run L</add-key> and L</shell>
262 Prints novaboot configuration options needed for the target. One
267 =head2 Administration commands
269 Only administrators (see L</user>) are allowed to execute these
274 =item add-key <username>
276 Reads the SSH public key from standard input and adds it into in
277 F<~/.ssh/authorized_keys>.
279 Example: C<ssh target@server add-key johndoe < john_rsa.pub>
283 Runs shell on the server. Useful for editing configuration file. It is
284 better used with allocated pseudo-terminal.
286 Example: C<ssh -t target@server shell>
290 =head1 CONFIGURATION FILE
292 B<novaboot-shell> reads configuration file from
293 F<$HOME/.novaboot-shell>. It should define values for the following
294 variables in the SH syntax.
300 Command to C<exec> that connects to target's console.
304 Command to C<exec> that resets the Target.
308 Command to C<exec> that powers the target on.
312 Command to C<exec> that powers the target off.
316 Novaboot command line options that specify which boot loader is used
317 by the target (L<novaboot(1)> rejects other, possibly dangerous, options).
318 Each option is on its own line and no quoting, escaping or stripping
319 is performed on the values.
325 --uboot-init=setenv serverip 192.168.1.1; setenv ipaddr 192.168.1.10
326 --uboot-addr=kernel=0x8100000
327 --uboot-addr=fdt=0x83000000
328 --uboot-addr=ramdisk=0x83100000
336 Michal Sojka <sojkam1@fel.cvut.cz>
338 Latest version can be found at
339 L<https://github.com/wentasah/novaboot>.