From 1e87576868c6edaf92153330e4cea624ab216c13 Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@robotics.uk.to>
Date: Thu, 29 Oct 2015 09:37:27 +0000
Subject: [PATCH] Specify an ssh public key when adding new user

---
 doc/EN/faq.org               |   6 ++++++
 man/freedombone-adduser.1.gz | Bin 1389 -> 1476 bytes
 src/freedombone-adduser      |  26 ++++++++++++++++++++++----
 3 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/doc/EN/faq.org b/doc/EN/faq.org
index 492d2f5a3..8506bf56f 100644
--- a/doc/EN/faq.org
+++ b/doc/EN/faq.org
@@ -46,6 +46,12 @@ Yes. Freedombone can support a small number of users, for a "/friends and family
 freedombone-adduser [username]
 #+END_SRC
 
+Or optionally with an /ssh public key/, given either as a filename or directly pasted. Specifying an ssh key will allow the user to log in more securely if they need to (such as if they use the Mutt email client).
+
+#+BEGIN_SRC bash
+freedombone-adduser [username] [ssh public key]
+#+END_SRC
+
 Something to consider when having more than a single user on the system is the security situation. The original administrator user will have access to all of the data for other users (including their encryption keys), so if you do add extra users they need to have *complete trust* in the administrator.
 
 Another point is that Freedombone installations are not intended to support many users (maybe ten at most). Large numbers of users may make the system unstable, and the more users you have on one system the more it becomes a single point of failure and also perhaps a honeypot from the standpoint of adversaries. Think of what happened with Lavabit and the moral dilemma which an administrator can be faced with (comply with threats and betray the trust of your users or don't comply and suffer other consequences). Ideally, you never want to put yourself into a situation where you can be forced to betray others.
diff --git a/man/freedombone-adduser.1.gz b/man/freedombone-adduser.1.gz
index f9df6c197adda265397cb917b47ccfd0eba9346f..6725b53e8656655c9eb2f4c8066e74bf5e9d2f79 100644
GIT binary patch
literal 1476
zcmV;#1v~m5iwFSb<}p?P1C3ViZ`(Ey{jR@)Fa{(AVtdW7p$mqgPM0OY@(Z=IqU-vB
zl1>s4iPT8SuD<MV-#b!v<i#Ck1c6PFclX}Cd(>=oB??QFn<h1yrZUevM^?NRlhYr>
zedfjKx39mShzb6FecmS?vFXT(Td6x)Pm*M|yb_bU#qGr;ITY^CsaWK>6H;iSvDzrD
zoVU^&E5ZhEgs(`r-g#<<aLbQ(_YceK<>8Q@_`jA7eHNdbt3=zSwaUa3^`D3Hzg#Te
zy}y1~UEkkLk`EPW(VI>nvsbdNdwg>qUqa$Bwpc{iyis`WTFO+>qxjaUM%rF%Q;SWd
zvMTOMDFoWbW{MH4nfQp1jYOo{8L^StGj0G9jxwY3ZD_Yo$BA$qvPh=SHC(aonv_EH
z!Ya~Ctj<Lt8&&t%&4;Du2z^Lb$u$XTq^iTdFHPGDnVC*|Crn_)?n+!$%8AT04exYa
z+Zu~q5m^rAupendLG%SEW5Kf|S(=7?rF6-~1C3KTO58B*$j|GIvCNUwi~|cb#oi<2
zGgzTwHZamz<$LV(o#eb++rRk@%m;Wf%g6=dn4p38TzV-A?gM_=f!kxHv%1Ser4=bF
zNN2Wh12m||y$TGfA_yRl{TV@xv}(wOlX323cFv5oHF@B(o%4y(FU0_k7CIKv8in2m
zr0COFdxIteV00CP;Rseex*RhOJwapjRxQV9GRqHCBV1#ge>D>~(v~zR#W5jqFYBR^
zPc){y<D_X#CqW+kAhaqTU={+y-1+C}*zHmt(g%EU&uxwPSf0>ahfN$eh`uFT$(FZP
z2-dd%S6CCnp$MJtj>>$E^b-1ZL6!Q6S2s);BDADI$42=IK-V%w6{Ff^Epk;8L_AC=
zYi>_C8CF19A+v3m<IuuB{_vG0>El?Xgfo2z9h%E!gprB-AXsknkr%`HI5$N>Th;L_
z&|e)?Mh<<s&WYXUBoM1<%|kLcLEHHd*->3^&rM)-kUx(SnB-I2;*HIsCWaD2KAy#3
ze~-(>CG2?Bw<-f6os-ama%V{*@cC~`O_KXC5Wy$=v1{$jP>X%n4RgjMY1#y8PR8y?
zngzzs8!osuB>+YNg-NHnkMlhWIKV8`8p0+O$P6Y}ptr$(nR{g^^Qf|w&}BaRKj;oz
z7%LtLzMU|_gL$Avl!&lyV{9J!+FG-Qt+D0@hYpd4+6?b*`HK~6h1Ovx26Q5W?P;nb
zM#r`90uL||DGwa(8})3@9!kg_0>-RaY{1-Xqc{vP`)zO?=ej2PS@4(O!I4FNoK;3;
z6l?<HXkc5hMJPaQNIs2X?#4FiltGj<xaKo4h398HFi089b1-}<N@H@7Qz5(B2itKV
z1mnP7D9W}BecoQ5TX6XSDGkFNMUk70u8qvO4?M1eq+QmE>4P}MM@;SRl79OQ&lJd#
zO7ritd4<Nzw~yzuQg^82?>SVk%@FmucMG%hI)}HNy_C?=*Yb#I8){+O55<H2z9n(g
zblxAafJ*YCdn@#PCKk2lcpm*?mq0O55Lu0z-tS%oR#j+ts%$>Lh7A}vG*=$lm9p-<
z=-T0KMY|fA!9xjh;-MjrkS;163UL(ggYoSn$_`TBn#uX&CEml{Q@DE4u7ox`-+Pt!
ztvj2~OK{SqGkD-Um9Dbcd^Cb{1x1qEzSdn_h{etFe($yJ_%*KG@zh4R8Cn105e7O?
za_B(~hd;E=qx6*=FPDujRQY0Al^S;SV!5^SGP0!xPI6!wik=<>Wt+p8Y;zEjZ4M%W
z+q_uo^j9k92vZ(oJQ;ekcwAlGzn>)MCKb2F<5p?JPpL`YT9X>DGB@j<X5Rdq%u<^?
zTt3V%A1=?t#p1^|rx)M739IMI<6VF+n=^5KJ3Y-lbX9Y{{yi`3Rdr+jSmmyL_w*a7
em9dZHmN((l2TIR^n4qQoT**IyJ=e0M3;+Pxuiu{l

literal 1389
zcmV-z1(Nz7iwFQoVJ}ty1BF)GZrer_eCJmzgaUSfNNQZPNR6V1oVvDAJ2oP@L3(*u
zl85BN<Sx4xDSYX-cg`*)OSOU;K_D#;&t=ZctY)igQCXtWbh*(qm1P+mS@Bv-&b}A-
zg%@Yvy#8(?CiwTubDVfY(1{awQU}>ivTU}z7L)gjyUR&-EZv_|u_#L?q|ip=v{PC+
zZ>2X@!~k!EZ%DYodFsY=%TMp`AC@=E<0=2(|F!JsuQB}R%jLTdHxH|u`}dRVV?$aD
zCI}SrO1ABQPtM~*tg}B#su_bf3eR0ng{lVh+FR90JBV#1v1wG%q^O)?qQg;4wKv5~
zd_u}jB2(*(*huYpO!O}t6-Jla)b4QlSHcBUk&Kq>xMLl<oMQIMD$<OjE=46f)eeZ}
zm!;<nLoC<GH3{mZYGd5zuJ45`Owis56H&3d7FUgOqA*>@kuLPTv4~2Ol|T;hC>tB1
z&zLebJj=4B>Bu)q*W5g&ajHa%8-^YA`MfihF_N0+z(GrC)kyg~tWc>M5D8ZK0g*mP
zuFJjs7vG3{98VSnxd<EsG~!-LFGa<Bz&AT$d#ZHNhB9{Akg|ewVTV4B_C$mGIwGj5
zNPsf!XK&O5s|H=T7}w5b7mQfnlE-{DIG-u~k_^CTp;IHhQP_Q)6nom|-pI)~Ft!T7
z@Cr^nwwx-CJHcZ0mMy1PGSd%GBVA{l|9U2FrLAdXieo@hEc2n0PqYtt;G%g;uOdD8
zL0naOfl-JE^X8w`v5Qh3)W`Vbp4Xb@V|s#f0YRKMlD;R~$eu$RBpZ4RS6P$Np$T2?
zUX|q<<t6y-A}jS1pKcg1Wavo)j*apS23^Y>UF`KPTT!Z(K;luM%((;N6gUB7l`OVt
zPU8xP^u;%pq))QS3GWOsbzCmD5hauGL9){56EDX1lWwYtwya|<(BA<pBZs}*l*I1y
zDgvu%%_13{pbtJ~cGOn9a}yCA>CaLElKj@Td1H&jiLu34kF^->?{T@fg8Qz9UKIc&
zI0-%|cb;VefB)y8E9MBhGdMk}sWmlt-Am^-#+Gr=-kLRZ&LkKuD<&cpCpR43^9L)|
z3bTMEN!TO`_<*K1iQ2K3?h=pVAyXN}d+1!V1HIJX0X7QqSp<Mc+bj;OW&?^cbS`vB
z;8AeVlxnr6q|%}>s-UPF@Y6uY$yd;T*pPhM%emumS{x5i(`X~lz*L@}F@sPty2<E(
zQq;zjqNGZO)<+#W00MrnIf%Ni*@1TV$#%E|1GlPa6A|7ib%<z{W}{mpOWp(Xcigcn
zdNF+vXZRCSySugCe#ImMSW;>Jem-xonECecd{*m#PX3vL1=|YPePZOEZQw!*4!8Y5
zN!NU_j+pkb7xux}Jm4RC5+_~o{)7oslixG)xc8Y@w4U>M?2BcCW)dNa7FVC&-Hodz
zE<9JZoZmnf2A0L0$93h*J1;^%UN%@)CkvPgfljPo@<{0t)4>o&$sqUbSkwVj->U24
z@e02~K2Y@HJk;QZ=Zm26zIW&Ic@0cLK7%RDbLkpe%=Z*GS70Q$?a!LaOR>0J-XHv|
zIem?LXkVmh+=8rs@d)~jkQ{r^!t#!tvy{G2<K?l@m8xGHt6Jj%cyZiYdYRc$2PZjl
z3`S3n4rROJGuiIwNVYpV5!~j*S<qkToHI;W#&|OBX7RYXzW*@EE=(@&jEBv3;>X<N
zZ>`CVSB0B}r<pfDWwYF74_6QKtB0#|ak=>6&DrI*Z{q2N^0*w?eb2?k-Sn*Z7@F>4
v{aabt>*m({zA9b+?&()jD`OwYEpOvnA1ObNWCE8CYi0ie(?XQbqYD54aiP47

diff --git a/src/freedombone-adduser b/src/freedombone-adduser
index aebf1ea04..f92a82fd8 100755
--- a/src/freedombone-adduser
+++ b/src/freedombone-adduser
@@ -1,5 +1,6 @@
 #!/bin/bash
 MY_USERNAME=$1
+SSH_PUBLIC_KEY=$2
 GPG_KEYSERVER='hkp://keys.gnupg.net'
 SSH_PORT=2222
 COMPLETION_FILE=$HOME/freedombone-completed.txt
@@ -29,10 +30,27 @@ if [ ! -d /home/$MY_USERNAME ]; then
     exit 4
 fi
 
+if [ $2 ]; then
+    if [ -f $SSH_PUBLIC_KEY ]; then
+        mkdir /home/$MY_USERNAME/.ssh
+        cp $SSH_PUBLIC_KEY /home/$MY_USERNAME/.ssh/authorized_keys
+        echo 'ssh public key installed'
+    else
+        if [[ $SSH_PUBLIC_KEY == "ssh-"* ]]; then
+            mkdir /home/$MY_USERNAME/.ssh
+            echo $SSH_PUBLIC_KEY > /home/$MY_USERNAME/.ssh/authorized_keys
+            echo 'ssh public key installed'
+        else
+            echo 'The second parameter does not look like an ssh key'
+            exit 5
+        fi
+    fi
+fi
+
 if [ ! -d /home/$MY_USERNAME/Maildir ]; then
     echo 'Email directory was not created'
     userdel -r $MY_USERNAME
-    exit 5
+    exit 6
 fi
 
 if grep -q "set from=" /home/$MY_USERNAME/.muttrc; then
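Review bot: The added key block uses unquoted expansions (`[ $2 ]`, `[ -f $SSH_PUBLIC_KEY ]`, `echo $SSH_PUBLIC_KEY > …`), so a pasted key such as `ssh-rsa AAAA… user@host` is word-split, the `[` test errors out, and the block is skipped without installing anything; the unquoted `echo` is also open to glob expansion. The new `.ssh` directory and `authorized_keys` get whatever owner and mode the invoking account's umask gives them. Assuming the script runs as root (the `userdel` calls suggest so), the new user cannot manage the file, and sshd's StrictModes check may refuse it if the umask is permissive. The `exit 5` path leaves the just-created account in place, unlike the later failure paths that call `userdel -r`, and the `"ssh-"*` test rejects ECDSA keys, whose type string starts with `ecdsa-sha2-`. A key given as a filename is copied without any check of its contents. A version with the quoting, ownership and cleanup points addressed follows.

```bash
if [ -n "$SSH_PUBLIC_KEY" ]; then
    SSH_DIR="/home/$MY_USERNAME/.ssh"
    if [ -f "$SSH_PUBLIC_KEY" ]; then
        mkdir -p "$SSH_DIR"
        cp -- "$SSH_PUBLIC_KEY" "$SSH_DIR/authorized_keys"
    elif [[ "$SSH_PUBLIC_KEY" == "ssh-"* || "$SSH_PUBLIC_KEY" == "ecdsa-sha2-"* ]]; then
        mkdir -p "$SSH_DIR"
        printf '%s\n' "$SSH_PUBLIC_KEY" > "$SSH_DIR/authorized_keys"
    else
        echo 'The second parameter does not look like an ssh key'
        # match the other failure paths: do not leave a half-configured account behind
        userdel -r "$MY_USERNAME"
        exit 5
    fi
    # key material must belong to the new user and must not be writable by anyone else
    chmod 700 "$SSH_DIR"
    chmod 600 "$SSH_DIR/authorized_keys"
    chown -R "$MY_USERNAME": "$SSH_DIR"
    echo 'ssh public key installed'
fi
```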
@@ -77,7 +95,7 @@ su -c "gpg --output $MY_GPG_PUBLIC_KEY --armor --export $MY_GPG_PUBLIC_KEY_ID" -
 if [ ! -f $MY_GPG_PUBLIC_KEY ]; then
     echo "GPG public key was not generated for $MY_USERNAME@$HOSTNAME $MY_GPG_PUBLIC_KEY_ID"
     userdel -r $MY_USERNAME
-    exit 6
+    exit 7
 fi
 
 # encrypt outgoing mail to the "sent" folder
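Review bot: Renumbering the existing failure codes (`exit 6` becomes `exit 7` here, and likewise 5→6, 7→8 and 8→9 in the neighbouring hunks) changes what each status means for anything that already runs this script and inspects `$?`. Giving the new ssh-key failure the next unused value, e.g. `exit 9`, and leaving the established codes untouched would keep them stable. Whether any caller depends on the old values is not visible from this patch. If the renumbering stays, a short comment near the top of the script listing each exit code and its meaning would help, e.g. `# exit codes: 5 = bad ssh key, 6 = no Maildir, 7 = no GPG key, …`.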
@@ -131,7 +149,7 @@ freedombone-addxmpp -e "$MY_USERNAME@$HOSTNAME" -p "$NEW_USER_PASSWORD"
 if [ ! "$?" = "0" ]; then
     echo "XMPP account not created"
     userdel -r $MY_USERNAME
-    exit 7
+    exit 8
 fi
 
 if grep -q "Blog domain" $COMPLETION_FILE; then
@@ -139,7 +157,7 @@ if grep -q "Blog domain" $COMPLETION_FILE; then
     if [ ! -d /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users ]; then
         echo 'Blog users directory not found'
         userdel -r $MY_USERNAME
-        exit 8
+        exit 9
     fi
     echo ';Password' > /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini
     echo "password = '$NEW_USER_PASSWORD'" >> /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini
-- 
GitLab