Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

2026-04-11 11:35:54 +02:00 · 2018-07-19 18:10:23 +02:00
parent fb22c9ffd9 6a7e6b4499
commit b5ea63f85c
17 changed files with 2869 additions and 2874 deletions
--- a/config/kernel/kernel.config.aarch64-ipfire-multi
+++ b/config/kernel/kernel.config.aarch64-ipfire-multi
--- a/config/rootfiles/common/aarch64/linux
+++ b/config/rootfiles/common/aarch64/linux
--- a/config/rootfiles/common/aarch64/linux-initrd
+++ b/config/rootfiles/common/aarch64/linux-initrd
@@ -0,0 +1,2 @@
+#boot/uInit-KVER-ipfire
+boot/initramfs-KVER-ipfire.img
--- a/config/rootfiles/common/aarch64/linux-initrd-multi
+++ b/config/rootfiles/common/aarch64/linux-initrd-multi
@@ -1,2 +0,0 @@
-#boot/uInit-KVER-ipfire-multi
-boot/initramfs-KVER-ipfire-multi.img
--- a/config/rootfiles/common/aarch64/linux-multi
+++ b/config/rootfiles/common/aarch64/linux-multi
--- a/config/rootfiles/common/hwdata
+++ b/config/rootfiles/common/hwdata
@@ -1,2 +1,3 @@
-usr/share/hwdata/usb.ids
+#usr/share/hwdata
 usr/share/hwdata/pci.ids
+usr/share/hwdata/usb.ids
--- a/config/rootfiles/common/iptables
+++ b/config/rootfiles/common/iptables
@@ -19,122 +19,122 @@ lib/libxtables.so
 lib/libxtables.so.12
 lib/libxtables.so.12.0.0
 #lib/xtables
-#lib/xtables/libebt_802_3.so
-#lib/xtables/libebt_ip.so
-#lib/xtables/libebt_log.so
-#lib/xtables/libebt_mark_m.so
-#lib/xtables/libip6t_DNAT.so
-#lib/xtables/libip6t_DNPT.so
-#lib/xtables/libip6t_HL.so
-#lib/xtables/libip6t_LOG.so
-#lib/xtables/libip6t_MASQUERADE.so
-#lib/xtables/libip6t_NETMAP.so
-#lib/xtables/libip6t_REDIRECT.so
-#lib/xtables/libip6t_REJECT.so
-#lib/xtables/libip6t_SNAT.so
-#lib/xtables/libip6t_SNPT.so
-#lib/xtables/libip6t_ah.so
-#lib/xtables/libip6t_dst.so
-#lib/xtables/libip6t_eui64.so
-#lib/xtables/libip6t_frag.so
-#lib/xtables/libip6t_hbh.so
-#lib/xtables/libip6t_hl.so
-#lib/xtables/libip6t_icmp6.so
-#lib/xtables/libip6t_ipv6header.so
-#lib/xtables/libip6t_mh.so
-#lib/xtables/libip6t_rt.so
-#lib/xtables/libip6t_srh.so
-#lib/xtables/libipt_CLUSTERIP.so
-#lib/xtables/libipt_DNAT.so
-#lib/xtables/libipt_ECN.so
-#lib/xtables/libipt_LOG.so
-#lib/xtables/libipt_MASQUERADE.so
-#lib/xtables/libipt_NETMAP.so
-#lib/xtables/libipt_REDIRECT.so
-#lib/xtables/libipt_REJECT.so
-#lib/xtables/libipt_SNAT.so
-#lib/xtables/libipt_TTL.so
-#lib/xtables/libipt_ULOG.so
-#lib/xtables/libipt_ah.so
-#lib/xtables/libipt_icmp.so
-#lib/xtables/libipt_realm.so
-#lib/xtables/libipt_ttl.so
-#lib/xtables/libxt_AUDIT.so
-#lib/xtables/libxt_CHECKSUM.so
-#lib/xtables/libxt_CLASSIFY.so
-#lib/xtables/libxt_CONNMARK.so
-#lib/xtables/libxt_CONNSECMARK.so
-#lib/xtables/libxt_CT.so
-#lib/xtables/libxt_DSCP.so
-#lib/xtables/libxt_HMARK.so
-#lib/xtables/libxt_IDLETIMER.so
-#lib/xtables/libxt_IMQ.so
-#lib/xtables/libxt_LED.so
-#lib/xtables/libxt_MARK.so
-#lib/xtables/libxt_NFLOG.so
-#lib/xtables/libxt_NFQUEUE.so
-#lib/xtables/libxt_NOTRACK.so
-#lib/xtables/libxt_RATEEST.so
-#lib/xtables/libxt_SECMARK.so
-#lib/xtables/libxt_SET.so
-#lib/xtables/libxt_SYNPROXY.so
-#lib/xtables/libxt_TCPMSS.so
-#lib/xtables/libxt_TCPOPTSTRIP.so
-#lib/xtables/libxt_TEE.so
-#lib/xtables/libxt_TOS.so
-#lib/xtables/libxt_TPROXY.so
-#lib/xtables/libxt_TRACE.so
-#lib/xtables/libxt_addrtype.so
-#lib/xtables/libxt_bpf.so
-#lib/xtables/libxt_cgroup.so
-#lib/xtables/libxt_cluster.so
-#lib/xtables/libxt_comment.so
-#lib/xtables/libxt_connbytes.so
-#lib/xtables/libxt_connlabel.so
-#lib/xtables/libxt_connlimit.so
-#lib/xtables/libxt_connmark.so
-#lib/xtables/libxt_conntrack.so
-#lib/xtables/libxt_cpu.so
-#lib/xtables/libxt_dccp.so
-#lib/xtables/libxt_devgroup.so
-#lib/xtables/libxt_dscp.so
-#lib/xtables/libxt_ecn.so
-#lib/xtables/libxt_esp.so
-#lib/xtables/libxt_hashlimit.so
-#lib/xtables/libxt_helper.so
-#lib/xtables/libxt_ipcomp.so
-#lib/xtables/libxt_iprange.so
-#lib/xtables/libxt_ipvs.so
-#lib/xtables/libxt_layer7.so
-#lib/xtables/libxt_length.so
-#lib/xtables/libxt_limit.so
-#lib/xtables/libxt_mac.so
-#lib/xtables/libxt_mangle.so
-#lib/xtables/libxt_mark.so
-#lib/xtables/libxt_multiport.so
-#lib/xtables/libxt_nfacct.so
-#lib/xtables/libxt_osf.so
-#lib/xtables/libxt_owner.so
-#lib/xtables/libxt_physdev.so
-#lib/xtables/libxt_pkttype.so
-#lib/xtables/libxt_policy.so
-#lib/xtables/libxt_quota.so
-#lib/xtables/libxt_rateest.so
-#lib/xtables/libxt_recent.so
-#lib/xtables/libxt_rpfilter.so
-#lib/xtables/libxt_sctp.so
-#lib/xtables/libxt_set.so
-#lib/xtables/libxt_socket.so
-#lib/xtables/libxt_standard.so
-#lib/xtables/libxt_state.so
-#lib/xtables/libxt_statistic.so
-#lib/xtables/libxt_string.so
-#lib/xtables/libxt_tcp.so
-#lib/xtables/libxt_tcpmss.so
-#lib/xtables/libxt_time.so
-#lib/xtables/libxt_tos.so
-#lib/xtables/libxt_u32.so
-#lib/xtables/libxt_udp.so
+lib/xtables/libebt_802_3.so
+lib/xtables/libebt_ip.so
+lib/xtables/libebt_log.so
+lib/xtables/libebt_mark_m.so
+lib/xtables/libip6t_DNAT.so
+lib/xtables/libip6t_DNPT.so
+lib/xtables/libip6t_HL.so
+lib/xtables/libip6t_LOG.so
+lib/xtables/libip6t_MASQUERADE.so
+lib/xtables/libip6t_NETMAP.so
+lib/xtables/libip6t_REDIRECT.so
+lib/xtables/libip6t_REJECT.so
+lib/xtables/libip6t_SNAT.so
+lib/xtables/libip6t_SNPT.so
+lib/xtables/libip6t_ah.so
+lib/xtables/libip6t_dst.so
+lib/xtables/libip6t_eui64.so
+lib/xtables/libip6t_frag.so
+lib/xtables/libip6t_hbh.so
+lib/xtables/libip6t_hl.so
+lib/xtables/libip6t_icmp6.so
+lib/xtables/libip6t_ipv6header.so
+lib/xtables/libip6t_mh.so
+lib/xtables/libip6t_rt.so
+lib/xtables/libip6t_srh.so
+lib/xtables/libipt_CLUSTERIP.so
+lib/xtables/libipt_DNAT.so
+lib/xtables/libipt_ECN.so
+lib/xtables/libipt_LOG.so
+lib/xtables/libipt_MASQUERADE.so
+lib/xtables/libipt_NETMAP.so
+lib/xtables/libipt_REDIRECT.so
+lib/xtables/libipt_REJECT.so
+lib/xtables/libipt_SNAT.so
+lib/xtables/libipt_TTL.so
+lib/xtables/libipt_ULOG.so
+lib/xtables/libipt_ah.so
+lib/xtables/libipt_icmp.so
+lib/xtables/libipt_realm.so
+lib/xtables/libipt_ttl.so
+lib/xtables/libxt_AUDIT.so
+lib/xtables/libxt_CHECKSUM.so
+lib/xtables/libxt_CLASSIFY.so
+lib/xtables/libxt_CONNMARK.so
+lib/xtables/libxt_CONNSECMARK.so
+lib/xtables/libxt_CT.so
+lib/xtables/libxt_DSCP.so
+lib/xtables/libxt_HMARK.so
+lib/xtables/libxt_IDLETIMER.so
+lib/xtables/libxt_IMQ.so
+lib/xtables/libxt_LED.so
+lib/xtables/libxt_MARK.so
+lib/xtables/libxt_NFLOG.so
+lib/xtables/libxt_NFQUEUE.so
+lib/xtables/libxt_NOTRACK.so
+lib/xtables/libxt_RATEEST.so
+lib/xtables/libxt_SECMARK.so
+lib/xtables/libxt_SET.so
+lib/xtables/libxt_SYNPROXY.so
+lib/xtables/libxt_TCPMSS.so
+lib/xtables/libxt_TCPOPTSTRIP.so
+lib/xtables/libxt_TEE.so
+lib/xtables/libxt_TOS.so
+lib/xtables/libxt_TPROXY.so
+lib/xtables/libxt_TRACE.so
+lib/xtables/libxt_addrtype.so
+lib/xtables/libxt_bpf.so
+lib/xtables/libxt_cgroup.so
+lib/xtables/libxt_cluster.so
+lib/xtables/libxt_comment.so
+lib/xtables/libxt_connbytes.so
+lib/xtables/libxt_connlabel.so
+lib/xtables/libxt_connlimit.so
+lib/xtables/libxt_connmark.so
+lib/xtables/libxt_conntrack.so
+lib/xtables/libxt_cpu.so
+lib/xtables/libxt_dccp.so
+lib/xtables/libxt_devgroup.so
+lib/xtables/libxt_dscp.so
+lib/xtables/libxt_ecn.so
+lib/xtables/libxt_esp.so
+lib/xtables/libxt_hashlimit.so
+lib/xtables/libxt_helper.so
+lib/xtables/libxt_ipcomp.so
+lib/xtables/libxt_iprange.so
+lib/xtables/libxt_ipvs.so
+lib/xtables/libxt_layer7.so
+lib/xtables/libxt_length.so
+lib/xtables/libxt_limit.so
+lib/xtables/libxt_mac.so
+lib/xtables/libxt_mangle.so
+lib/xtables/libxt_mark.so
+lib/xtables/libxt_multiport.so
+lib/xtables/libxt_nfacct.so
+lib/xtables/libxt_osf.so
+lib/xtables/libxt_owner.so
+lib/xtables/libxt_physdev.so
+lib/xtables/libxt_pkttype.so
+lib/xtables/libxt_policy.so
+lib/xtables/libxt_quota.so
+lib/xtables/libxt_rateest.so
+lib/xtables/libxt_recent.so
+lib/xtables/libxt_rpfilter.so
+lib/xtables/libxt_sctp.so
+lib/xtables/libxt_set.so
+lib/xtables/libxt_socket.so
+lib/xtables/libxt_standard.so
+lib/xtables/libxt_state.so
+lib/xtables/libxt_statistic.so
+lib/xtables/libxt_string.so
+lib/xtables/libxt_tcp.so
+lib/xtables/libxt_tcpmss.so
+lib/xtables/libxt_time.so
+lib/xtables/libxt_tos.so
+lib/xtables/libxt_u32.so
+lib/xtables/libxt_udp.so
 sbin/ip6tables
 sbin/ip6tables-restore
 sbin/ip6tables-save
--- a/config/rootfiles/common/setup
+++ b/config/rootfiles/common/setup
@@ -1,4 +1,7 @@
+#etc/sudoers.d
+etc/sudoers.d/setup
 usr/bin/probenic.sh
+usr/bin/run-setup
 usr/sbin/setup
 usr/share/locale/ar/LC_MESSAGES/setup.mo
 usr/share/locale/ca/LC_MESSAGES/setup.mo
--- a/config/rootfiles/common/sudo
+++ b/config/rootfiles/common/sudo
@@ -1,5 +1,4 @@
 etc/sudoers
-etc/sudoers.d
 usr/bin/sudo
 usr/bin/sudoedit
 usr/bin/sudoreplay
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -271,7 +271,7 @@ sub writeserverconf {
    print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n";
    #print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n";

-    # Check if we are using mssfix, fragment or mtu-disc and set the corretct mtu of 1500.
+    # Check if we are using mssfix, fragment and set the corretct mtu of 1500.
    # If we doesn't use one of them, we can use the configured mtu value.
    if ($sovpnsettings{'MSSFIX'} eq 'on') 
 	{ print CONF "tun-mtu 1500\n"; }
@@ -2183,15 +2183,6 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
   if ($confighash{$cgiparams{'KEY'}}[24] ne '') {print CLIENTCONF "fragment $confighash{$cgiparams{'KEY'}}[24]\n";}
   if ($confighash{$cgiparams{'KEY'}}[23] eq 'on') {print CLIENTCONF "mssfix\n";}
   }
-   if (($confighash{$cgiparams{'KEY'}}[38] eq 'yes') ||
-       ($confighash{$cgiparams{'KEY'}}[38] eq 'maybe') ||
-       ($confighash{$cgiparams{'KEY'}}[38] eq 'no' )) {
-	if (($confighash{$cgiparams{'KEY'}}[23] ne 'on') || ($confighash{$cgiparams{'KEY'}}[24] eq '')) {
-		if ($tunmtu eq '1500' ) {
-			print CLIENTCONF "mtu-disc $confighash{$cgiparams{'KEY'}}[38]\n";
-		}
-	}
-   }
   # Check host certificate if X509 is RFC3280 compliant.
   # If not, old --ns-cert-type directive will be used.
   # If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
@@ -2272,7 +2263,7 @@ else
    print CLIENTCONF "dev tun\r\n";
    print CLIENTCONF "proto $vpnsettings{'DPROTOCOL'}\r\n";

-    # Check if we are using fragment, mssfix or mtu-disc and set MTU to 1500
+    # Check if we are using fragment, mssfix and set MTU to 1500
    # or use configured value.
    if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne 'tcp' )
 	{ print CLIENTCONF "tun-mtu 1500\r\n"; }
@@ -3378,7 +3369,6 @@ my $complzoactive;
 my $mssfixactive;
 my $authactive;
 my $n2nfragment;
-my @n2nmtudisc = split(/ /, (grep { /^mtu-disc/ } @firen2nconf)[0]);
 my @n2nproto2 = split(/ /, (grep { /^proto/ } @firen2nconf)[0]);
 my @n2nproto = split(/-/, $n2nproto2[1]);
 my @n2nport = split(/ /, (grep { /^port/ } @firen2nconf)[0]);
@@ -3414,7 +3404,6 @@ $n2nremsub[2] =~ s/\n|\r//g;
 $n2nlocalsub[2] =~ s/\n|\r//g;
 $n2nfragment[1] =~ s/\n|\r//g;
 $n2nmgmt[2] =~ s/\n|\r//g;
-$n2nmtudisc[1] =~ s/\n|\r//g;
 $n2ncipher[1] =~ s/\n|\r//g;
 $n2nauth[1] =~ s/\n|\r//g;
 chomp ($complzoactive);
@@ -3491,7 +3480,6 @@ foreach my $dkey (keys %confighash) {
 	$confighash{$key}[29] = $n2nport[1];
 	$confighash{$key}[30] = $complzoactive;
 	$confighash{$key}[31] = $n2ntunmtu[1];
-	$confighash{$key}[38] = $n2nmtudisc[1];
 	$confighash{$key}[39] = $n2nauth[1];
 	$confighash{$key}[40] = $n2ncipher[1];
 	$confighash{$key}[41] = 'disabled';
@@ -3531,7 +3519,6 @@ foreach my $dkey (keys %confighash) {
 		<tr><td class='boldbase' nowrap='nowrap'>MSSFIX:</td><td><b>$confighash{$key}[23]</b></td></tr>
 		<tr><td class='boldbase' nowrap='nowrap'>Fragment:</td><td><b>$confighash{$key}[24]</b></td></tr>
 		<tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'MTU'}</td><td><b>$confighash{$key}[31]</b></td></tr>
-		<tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn mtu-disc'}</td><td><b>$confighash{$key}[38]</b></td></tr>
 		<tr><td class='boldbase' nowrap='nowrap'>Management Port </td><td><b>$confighash{$key}[22]</b></td></tr>
 		<tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn hmac'}:</td><td><b>$confighash{$key}[39]</b></td></tr>
 		<tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td><td><b>$confighash{$key}[40]</b></td></tr>
--- a/lfs/clamav
+++ b/lfs/clamav
@@ -24,7 +24,7 @@

 include Config

-VER        = 0.100.0
+VER        = 0.100.1

 THISAPP    = clamav-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -32,7 +32,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = clamav
-PAK_VER    = 38
+PAK_VER    = 39

 DEPS       = ""

@@ -48,7 +48,7 @@ objects = $(DL_FILE)

 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)

-$(DL_FILE)_MD5 = 93e8efb489c2afdfca73703b76c24e01
+$(DL_FILE)_MD5 = 0f653df0480eebcd828939e8db9f0443

 install : $(TARGET)

--- a/lfs/linux
+++ b/lfs/linux
@@ -37,16 +37,22 @@ CXXFLAGS   =
 PAK_VER    = 75
 DEPS	   = ""

+KERNEL_ARCH   = $(BUILD_ARCH)
+KERNEL_TARGET = bzImage
+HEADERS_ARCH  = $(BUILD_PLATFORM)
+
 ifeq "$(BUILD_ARCH)" "i586"
 	KERNEL_ARCH = i386
-else
-	KERNEL_ARCH = $(BUILD_ARCH)
 endif

 ifeq "$(BUILD_ARCH)" "aarch64"
 	HEADERS_ARCH = arm64
-else
-	HEADERS_ARCH = $(BUILD_PLATFORM)
+	KERNEL_ARCH  = arm64
+	KERNEL_TARGET = Image
+endif
+
+ifeq "$(BUILD_ARCH)" "armv5tel"
+	KERNEL_TARGET = zImage
 endif

 VERSUFIX=ipfire$(KCFG)
@@ -171,26 +177,11 @@ else
 	cd $(DIR_APP) && make clean
 	cd $(DIR_APP) && sed -i -e 's/EXTRAVERSION\ =.*/EXTRAVERSION\ =\ -$(VERSUFIX)/' Makefile

-ifeq "$(KCFG)" "-kirkwood"
-	cd $(DIR_APP) && make $(MAKETUNING) zImage modules
-	cd $(DIR_APP) && cp -v arch/arm/boot/zImage /boot/vmlinuz-$(VER)-$(VERSUFIX)
-#	cd $(DIR_APP) && cp -v arch/arm/boot/uImage /boot/uImage-$(VERSUFIX)
-else
-ifeq "$(KCFG)" "-multi"
-ifeq "$(BUILD_ARCH)" "armv5tel"
-	cd $(DIR_APP) && make $(MAKETUNING) zImage modules
-	cd $(DIR_APP) && cp -v arch/arm/boot/zImage /boot/vmlinuz-$(VER)-$(VERSUFIX)
-endif
-ifeq "$(BUILD_ARCH)" "aarch64"
-	cd $(DIR_APP) && make $(MAKETUNING) Image modules
-	cd $(DIR_APP) && cp -v arch/arm64/boot/Image /boot/vmlinuz-$(VER)-$(VERSUFIX)
-endif
-else
-	cd $(DIR_APP) && make $(MAKETUNING) bzImage modules
-	cd $(DIR_APP) && cp -v arch/$(KERNEL_ARCH)/boot/bzImage /boot/vmlinuz-$(VER)-$(VERSUFIX)
-endif
-endif
+	# Build the kernel
+	cd $(DIR_APP) && make $(MAKETUNING) $(KERNEL_TARGET) modules

+	# Install the kernel
+	cd $(DIR_APP) && cp -v arch/$(KERNEL_ARCH)/boot/$(KERNEL_TARGET) /boot/vmlinuz-$(VER)-$(VERSUFIX)
 	cd $(DIR_APP) && cp -v System.map /boot/System.map-$(VER)-$(VERSUFIX)
 	cd $(DIR_APP) && cp -v .config /boot/config-$(VER)-$(VERSUFIX)
 	cd $(DIR_APP) && make $(MAKETUNING) modules_install
--- a/make.sh
+++ b/make.sh
@@ -1093,7 +1093,7 @@ buildipfire() {
  lfsmake2 elfutils

  case "${BUILD_ARCH}" in
-	x86_64)
+	x86_64|aarch64)
 		lfsmake2 linux			KCFG=""
 #		lfsmake2 backports			KCFG=""
 #		lfsmake2 e1000e			KCFG=""
@@ -1137,17 +1137,6 @@ buildipfire() {
 #		lfsmake2 backports			KCFG="-multi"
 #		lfsmake2 e1000e			KCFG="-multi"
 #		lfsmake2 igb				KCFG="-multi"
-#		lfsmake2 ixgbe			KCFG="-multi"
-		lfsmake2 xtables-addons		KCFG="-multi"
-		lfsmake2 linux-initrd			KCFG="-multi"
-		;;
-
-	aarch64)
-		# arm multi platform (RPi3, OrangePi PC2 ...) kernel build
-		lfsmake2 linux			KCFG="-multi"
-#		lfsmake2 backports			KCFG="-multi"
-#		lfsmake2 e1000e			KCFG="-multi"
-#		lfsmake2 igb				KCFG="-multi"
 #		lfsmake2 ixgbe			KCFG="-multi"
 		lfsmake2 xtables-addons		KCFG="-multi"
 		lfsmake2 linux-initrd			KCFG="-multi"
--- a/src/initscripts/helper/aws-setup
+++ b/src/initscripts/helper/aws-setup
@@ -84,18 +84,28 @@ import_aws_configuration() {
 		echo "DOMAINNAME=${hostname#*.}" >> /var/ipfire/main/settings
 	fi

-	# Import SSH keys
+	# Create setup user
+	if ! getent passwd setup &>/dev/null; then
+		useradd setup -s /usr/bin/run-setup -g nobody -m
+
+		# Unlock the account
+		usermod -p "x" setup
+	fi
+
+	# Import SSH keys for setup user
 	local line
 	for line in $(get "public-keys/"); do
 		local key_no="${line%=*}"

 		local key="$(get public-keys/${key_no}/openssh-key)"
-		if [ -n "${key}" ] && ! grep -q "^${key}$" /root/.ssh/authorized_keys 2>/dev/null; then
-			mkdir -p /root/.ssh
-			chmod 700 /root/.ssh
+		if [ -n "${key}" ] && ! grep -q "^${key}$" "/home/setup/.ssh/authorized_keys" 2>/dev/null; then
+			mkdir -p "/home/setup/.ssh"
+			chmod 700 "/home/setup/.ssh"
+			chown setup.nobody "/home/setup/.ssh"

-			echo "${key}" >> /root/.ssh/authorized_keys
-			chmod 600 /root/.ssh/authorized_keys
+			echo "${key}" >> "/home/setup/.ssh/authorized_keys"
+			chmod 600 "/home/setup/.ssh/authorized_keys"
+			chown setup.nobody "/home/setup/.ssh/authorized_keys"
 		fi
 	done

@@ -218,15 +228,16 @@ import_aws_configuration() {
 		# Enable SSH
 		sed -e "s/ENABLE_SSH=.*/ENABLE_SSH=on/g" -i /var/ipfire/remote/settings

-		touch /var/ipfire/remote/enablessh
-		chown nobody:nobody /var/ipfire/remote/enablessh
-
 		# Enable SSH key authentication
 		sed -e "s/^ENABLE_SSH_KEYS=.*/ENABLE_SSH_KEYS=on/" -i /var/ipfire/remote/settings

 		# Apply SSH settings
 		/usr/local/bin/sshctrl

+		# Mark SSH to start immediately (but not right now)
+		touch /var/ipfire/remote/enablessh
+		chown nobody:nobody /var/ipfire/remote/enablessh
+
 		# Firewall rules for SSH and WEBIF
 		(
 			echo "1,ACCEPT,INPUTFW,ON,std_net_src,ALL,ipfire,RED1,,TCP,,,ON,,,cust_srv,SSH,,,,,,,,,,,00:00,00:00,,AUTO,,dnat,,,,,second"
--- a/src/setup/Makefile.am
+++ b/src/setup/Makefile.am
@@ -25,11 +25,16 @@ AM_CFLAGS = $(OUR_CFLAGS)
 AM_CXXFLAGS = $(OUR_CXXFLAGS)
 AM_LDFLAGS = $(OUR_LDFLAGS)

+sudodir = /etc/sudoers.d
+
 bin_SCRIPTS =
 sbin_PROGRAMS =

 #- setup -----------------------------------------------------------------------

+bin_SCRIPTS += \
+	run-setup
+
 sbin_PROGRAMS += \
 	setup

@@ -56,3 +61,6 @@ setup_LDADD = \

 bin_SCRIPTS += \
 	probenic.sh
+
+sudo_DATA = \
+	sudo/setup
--- a/src/setup/run-setup
+++ b/src/setup/run-setup
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# Runs setup and tries to gain root privileges
+exec sudo setup
--- a/src/setup/sudo/setup
+++ b/src/setup/sudo/setup
@@ -0,0 +1,2 @@
+# The setup is allowed to run the setup command
+setup ALL=(ALL) NOPASSWD: /usr/sbin/setup