jaiarobotics / jaiabot

Jaiabot source code

task/manufacturer-tmp-keys/jaia/1507 #935

Closed tsaubergine closed 3 days ago

tsaubergine commented 3 months ago

Ability to add temporary or permanent keys at image generation and/or first boot time

This PR allows setting of temporary authorized keys (/etc/jaiabot/ssh/tmp_authorized_keys) in either:

These temporary keys are now cleared on the first run of fleet-config.sh. This is intended for a contract manufacturer or other entity without access to the root keys, to allow initial bring-up of the system to the point where additional keys can be authorized over the service VPN.

Finally, I've also added the ability for first boot (preseed settings jaia_do_add_authorized_keys=true and jaia_perm_authorized_keys={list of keys}) to add permanent keys to /home/jaia/.ssh/authorized_keys (e.g., for the case where a customer wants keys preinstalled, and to support VirtualBox fleets).

Minor Jaia tool improvements

This PR also adds a number of improvements to make jaia admin ssh easier to use (and also existing tools that use the short host code such as jaia ssh).

Add self as host option

In addition to "bNfM" and "hNfM", I added "self" as a valid target host for jaia commands. This is helpful when running jaia directly on the hub (as opposed to an external machine).

For example, to show authorized keys on the current machine:

jaia admin ssh list self

Allow omitting 'fN' when running commands on current fleet.

If you're running the jaia tool on a hub or bot, you can omit the fN part of the host code to refer to the current fleet, e.g., when run on a hub:

jaia ssh b4

will log into bot 4 of the same fleet as the hub.

Updates to "jaia admin ssh add"

I added the ability to set "forever" as the valid_for, which defaults the key to /home/jaia/.ssh/authorized_keys.

This means you can add customer keys that are permanent by simply typing

jaia admin ssh add chf1 "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIE0e+NIeXQvvd39703nWgZpBm4Dsdfxsg//ajiXiT22GAAAABHNzaDo= somebody@somewhere" forever

rather than

jaia admin ssh add --authorized_keys_file=/home/jaia/.ssh/authorized_keys chf1 "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIE0e+NIeXQvvd39703nWgZpBm4Dsdfxsg//ajiXiT22GAAAABHNzaDo= somebody@somewhere" 1000m

Add "jaia admin ssh known"

New subtool "jaia admin ssh known" lists the key comments compiled in so you can quickly see what keys are available in the tool.

> jaia admin ssh known
Known VALID keys: 
    jaia@repair_test1
    jaia@root_yubikey19377650
    jaia@root_yubikey19377734
    jaia@root_yubikey19377746
    toby@yubikey16718427
    toby@yubikey16719053
    toby@yubikey16719472

or

jaia admin ssh known --full
Known VALID keys: 
    restrict,pty,command="/usr/share/jaiabot/config/fleet/fleet-config.sh" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyo/c0BMJpE8bzwOQk15xBn3fUhk6Gg8xqIH+ZATw8z3IaYH/5UYeCi8wjwjI1gF61zFlr0BSBuRctNRr1+P88sdeyDAinnplhBXAWBKm5aaC1gjM+IPI6LB8RytxOSMp/w/MRn6meeEsMkIr6+v2qAhBY6vtUObHTu1JE2gB+Cckq0zHdhtUb/tm063i3DfsAaftEAZLzwGS1Ad3jBe+bhydAUSPYxc7njF+meHJTqyzg1Cc9C0hb8bfsOG+LZF/+ap60UaM49ko2MTulvwKABzN5l9vvS4d5RycnkTwIGoY984TB/DrMc6HEqxooz51T4+7ltlgQ+VacgU0xE1f/ jaia@repair_test1
    sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIMBTII+4wTJ4VrDxVvljDShXUaxEeuBMByYe+kpzPH6WAAAABHNzaDo= jaia@root_yubikey19377650
    sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEgYJNPbLWHHjkd3a2b8OINZoPAlLgqjroKZelfESBpMAAAABHNzaDo= jaia@root_yubikey19377734
    sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAILWQpc0cmWaXvwti8SdvLALbddQeeteUkkEUn4pMfmW1AAAABHNzaDo= jaia@root_yubikey19377746
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDkhjS74aGshxZcl2yTzJIDlxhVdA4aeMdSwHyXNolNzem5kowIrBp5/twQmaUPpUegk/fy8PSSB36qoCEde+8saFfYKKMKW/u4WApWs8nrKljBJg+tAPXwMdkowhIaFM2FNoo8GGa9LsssaCHNG8McYGS5IBjoU2+xlIw+Wo5w9fVLNpp+uXJopO4GFsEXYHj5ZnCUFTxAVrHcVVv3rBOdZ6acrPoayi3SExhSWzKpG9OE9r6Qwip+TT6LuBVr7fzExSFl6dynJhjXbyNuTHQFLRgt2MaRb2Zcfmcvb7o4KVO3cuIDQ/c/gwlk1x+9KWKllExEaUXIO4etlTgSoZUF toby@yubikey16718427
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBxM4LhQ6Kfohk6oMesU9iPYsqiu1bI6hXS0TWQSsqF3sZgTb5BWO4FuoDXrc49EeeG8fQv0UKeZKmEK/VcXlu/YbHtirl0DYcsIA1SEBoTWEvwTN7SNf4hA9kDZH4WB+xJq2Ob+qmcRDmbVSovE9WSJUujJdYkZuuFl7w6j/UDys8waxV0vlw9FqY6bN/slxr26xY7CUwDygljP+b/VDzn4WNBZGLP8Xlb5vMtw9Gg5Jr0jH+IdVXpPtqhFa2zlWhpKTHq0mx7w6iKVaa1NZVyOX1Jlodml1NTted3P73K6dQ8g/SlKBTUvO/en6R+ZUpJFY3QvO/w5KgTl6d3v17 toby@yubikey16719053
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCWVm+RgEobZnz2gsOBBQ8jinPxmuroios5L0Jpb7XVw0/wr730JqIY4Pr7zipTTiwZSSuFCvT0vjAA2aQbw3witiPyhYpffXHtM6mpxvdj9U3dsTth2bbkolI28/J8P/AO8nUPsjh/Zack1a4vtVP+PJGSK9yHR54hkbBnDZ+MrjMpnHteTVAF2SEJF3IlpqeIpAja/qceflPL24LgMPq5rlY7f0K0xxT6YDPToRaZ/rNO+FgzW4ZaKOrU51TNX5WgN2AiiavyqKa3iVT/9VTo+HveWldoW1p9Ov4iCY6QfP2kiF7gfsxZZJ/Xpn99H3ya5SIng1Qs+gQ40vvKQVVT toby@yubikey16719472
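The listing above is essentially a view over authorized_keys-format lines, including entries that carry an options prefix such as `restrict,pty,command="..."`. The following is an added example, not code from the jaiabot repository or the `jaia` tool, showing how such lines are parsed: the options field (which may contain quoted values with spaces and commas), the key type, the base64 blob and the comment. It also adds a check a practitioner would want before installing a key with `jaia admin ssh add`: that the key type declared at the start of the line matches the type embedded inside the blob, since OpenSSH rejects entries where the two disagree and the key would then silently fail to authenticate. All function names are hypothetical, and the sample file is constructed (the blobs are built by `encode_blob` so they are well-formed, not real keys).

```python
"""Added example: parse OpenSSH authorized_keys entries and summarise them the
way a 'known keys' listing does. Not the jaia tool's own code; helper names are
hypothetical and the sample entries below are constructed."""
import base64
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")


def encode_blob(key_type: str, payload: bytes) -> str:
    """Build a minimal OpenSSH public-key blob: string(key_type) || string(payload).
    Used only to construct well-formed sample keys; real blobs carry more fields."""
    raw = (struct.pack(">I", len(key_type)) + key_type.encode()
           + struct.pack(">I", len(payload)) + payload)
    return base64.b64encode(raw).decode()


# Constructed sample file (not keys from the project). The last entry deliberately
# declares ssh-rsa while its blob says ssh-ed25519, to exercise the type check.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# temporary manufacturer key, constructed",
    'restrict,pty,command="/usr/share/jaiabot/config/fleet/fleet-config.sh" '
    f'ssh-ed25519 {encode_blob("ssh-ed25519", b"A" * 32)} jaia@repair_test1',
    f'ssh-ed25519 {encode_blob("ssh-ed25519", b"B" * 32)} customer@laptop',
    f'sk-ssh-ed25519@openssh.com {encode_blob("sk-ssh-ed25519@openssh.com", b"C" * 32)} jaia@root_yubikey_example',
    f'ssh-rsa {encode_blob("ssh-ed25519", b"D" * 32)} mismatched@example',
    "",
])


def split_unquoted(text: str, separators: str) -> list:
    """Split on separator characters that sit outside double quotes; option values
    such as command="..." may legitimately contain spaces and commas."""
    tokens, current, in_quote, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if c == "\\" and in_quote and i + 1 < len(text):
            current.append(text[i:i + 2])  # keep an escaped character inside quotes
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c in separators and not in_quote:
            if current:
                tokens.append("".join(current))
                current = []
            i += 1
            continue
        current.append(c)
        i += 1
    if current:
        tokens.append("".join(current))
    return tokens


def parse_entry(line: str):
    """Return a dict describing one authorized_keys line, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = split_unquoted(line, " \t")
    options = []
    if not tokens[0].startswith(KEY_TYPE_PREFIXES):
        # First field is the options prefix, e.g. restrict,pty,command="..."
        options = split_unquoted(tokens.pop(0), ",")
    if len(tokens) < 2:
        raise ValueError(f"malformed entry: {line!r}")
    key_type, blob, comment = tokens[0], tokens[1], " ".join(tokens[2:])
    raw = base64.b64decode(blob, validate=True)
    (n,) = struct.unpack(">I", raw[:4])  # first wire field is the key type string
    embedded_type = raw[4:4 + n].decode("ascii", errors="replace")
    return {
        "options": options,
        "key_type": key_type,
        "embedded_type": embedded_type,
        "comment": comment,
        "restricted": "restrict" in options,
        "line": line,
    }


def parse_file(text: str) -> list:
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def known_keys(text: str, full: bool = False) -> list:
    """Mirror the 'known' listing: key comments by default, whole lines with full=True."""
    return [e["line"] if full else e["comment"] for e in parse_file(text)]


def type_mismatches(text: str) -> list:
    """Comments of entries whose declared key type disagrees with the blob's embedded type."""
    return [e["comment"] for e in parse_file(text) if e["key_type"] != e["embedded_type"]]


if __name__ == "__main__":
    print("Known VALID keys:")
    for c in known_keys(SAMPLE_AUTHORIZED_KEYS):
        print("    " + c)
    print("type mismatches:", type_mismatches(SAMPLE_AUTHORIZED_KEYS))
```

Running the block prints the comment-only listing in the same shape as `jaia admin ssh known` and then names the one constructed entry whose declared type does not match its blob; `known_keys(..., full=True)` gives the `--full` style output. The `restricted` flag is worth surfacing in any such listing, since it distinguishes a bring-up key pinned to `fleet-config.sh` from a key that grants a full shell.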