diff --git a/README.md b/README.md index 1a383b7..926f45a 100644 --- a/README.md +++ b/README.md @@ -14,8 +14,16 @@ As explained upon installation, the following things need to be done: The LUKS-encrypted devices to unlock are derived from `/etc/crypttab`. -The SSH listening port (22 by default) can be changed by setting the `sshcs_opt_listen` option in `/etc/dropbear/initrd.env` (file is sourced in initrd shell). + +Some options can be set in `/etc/dropbear/initrd.env` (file is sourced in initrd shell): + * `sshcs_opt_listen`: SSH listening port + - default: 22 + * `sshcs_opt_timeout_poweroff`: time (in seconds) to unlock devices before automatic powering off + - default (and minimum value): 2 minutes + - negative value to deactivate + For example: sshcs_opt_listen=2222 + sshcs_opt_timeout_poweroff=-1 diff --git a/src/hooks/ssh-cryptsetup b/src/hooks/ssh-cryptsetup index 19f38df..5cd54a4 100644 --- a/src/hooks/ssh-cryptsetup +++ b/src/hooks/ssh-cryptsetup @@ -36,7 +36,41 @@ sshcs_net_start() { [ -n "${net_address}" ] } +sshcs_trapped_timeout() { + err "Timeout reached! Powering off." + poweroff -f + exit +} + +sshcs_trap_timeout() { + local pid_init=$$ + + if [ ${sshcs_opt_timeout_poweroff} -gt 0 ]; then + echo "" + echo "WARNING! Automatic poweroff will be triggered in ${sshcs_opt_timeout_poweroff}s" + echo "To deactivate, please unlock devices" + echo "" + trap sshcs_trapped_timeout SIGALRM + ( + sleep ${sshcs_opt_timeout_poweroff} + kill -SIGALRM ${pid_init} + # Signal is not processed if cryptsetup is waiting for the password + killall cryptsetup > /dev/null 2>&1 + ) & + pid_timeout=$! + fi +} + +sshcs_untrap_timeout() { + [ -z "${pid_timeout}" ] && return 0 + kill ${pid_timeout} + trap - SIGALRM + msg "Timeout cleared." +} + sshcs_dropbear_unlock() { + local timeout_poweroff_min=120 + local pid_timeout= local dev_pts_mounted=0 local listen= @@ -81,14 +115,20 @@ EOF [ -e "${dropbear_env}" ] && . "${dropbear_env}" [ -n "${sshcs_opt_listen}" ] && sshcs_opt_listen="-p ${sshcs_opt_listen}" + [ -z "${sshcs_opt_timeout_poweroff}" ] && sshcs_opt_timeout_poweroff=${timeout_poweroff_min} + [ ${sshcs_opt_timeout_poweroff} -ge 0 ] && [ ${sshcs_opt_timeout_poweroff} -lt ${timeout_poweroff_min} ] && sshcs_opt_timeout_poweroff=${timeout_poweroff_min} msg "Starting dropbear ..." dropbear -Emsgjk -P "${path_dropbear_pid}" ${sshcs_opt_listen} + sshcs_trap_timeout + # actual script (shared with SSH login) unlocking encrypted devices . "${dropbear_cryptsetup_script}" + sshcs_untrap_timeout + # cleanup dropbear if [ -f "${path_dropbear_pid}" ]; then msg "Stopping dropbear ..." @@ -178,7 +218,6 @@ EOF fi } - run_hook() { local etc_crypttab="/etc/crypttab" local dropbear_env="/etc/dropbear/initrd.env" diff --git a/src/install/ssh-cryptsetup b/src/install/ssh-cryptsetup index d56b65b..59cc929 100644 --- a/src/install/ssh-cryptsetup +++ b/src/install/ssh-cryptsetup @@ -101,8 +101,13 @@ Network is configured with 'ip=' kernel parameter (see 'mkinitcpio-nfs-utils'). Authorized SSH key(s) must be present in '/etc/dropbear/initrd.authorized_keys'. LUKS encrypted devices to unlock are derived from '/etc/crypttab', which must be present. -Listening port (if not 22) can be set with the option 'sshcs_opt_listen' in -'/etc/dropbear/initrd.env' (file is sourced in initrd shell). +Some options can be set in '/etc/dropbear/initrd.env' (file is sourced in +initrd shell): + * 'sshcs_opt_listen': listening port (22 by default) + * 'sshcs_opt_timeout_poweroff': time (s) to unlock devices before automatic + powering off + - default (and minimum value): 2 minutes + - negative value to deactivate Each SSH server key ('dropbear_rsa_host_key', 'dropbear_dss_host_key' and 'dropbear_ecdsa_host_key' in '/etc/dropbear' folder) is imported from OpenSSH