Drop '-m' option when calling dropbear

Latest ArchLinux versions does not handle it.
Boot fs is unlikely to have motd anyway.

v0.6-1

ChangeLog

@@ -1,3 +1,34 @@
+2018-03-13 Julien Coloos <julien.coloos [at] gmail [dot] com>
+
+        * v0.6-1
+        Dropped '-m' option when calling dropbear (latest ArchLinux version does not handle it)
+
+2017-06-25 Julien Coloos <julien.coloos [at] gmail [dot] com>
+
+        * v0.5-1
+        Fixed cryptsetup additional arguments handling: were not properly passed
+
+
+2017-06-25 Julien Coloos <julien.coloos [at] gmail [dot] com>
+
+        * v0.4-1
+        Fixed TRIM option handling in /etc/crypttab: 'discard' ('allow-discards' being the switch name to use in cryptsetup)
+
+
+2015-11-22 Julien Coloos <julien.coloos [at] gmail [dot] com>
+
+        * v0.3-1
+        Added configurable timeout for ipconfig
+        Moved configuration file from /etc/dropbear/initrd.env to /etc/initcpio/sshcs_env
+
+
+2014-05-20 Julien Coloos <julien.coloos [at] gmail [dot] com>
+
+        * v0.2-1
+        Removed unnecessary dependency: psmisc
+        Added configurable timeout to unlock devices before automatic poweroff
+
+
 2014-05-19 Julien Coloos <julien.coloos [at] gmail [dot] com>
 
         * v0.1-1

PKGBUILD

@@ -1,17 +1,17 @@
 # Maintainer: Julien Coloos <julien.coloos [at] gmail [dot] com>
 pkgname=initrd-ssh-cryptsetup
-pkgver=0.1
+pkgver=0.6
 pkgrel=1
 pkgdesc="Allows for LUKS-encrypted devices to be unlocked remotely over SSH"
 arch=('any')
 url="https://github.com/suiryc/archlinux-$pkgname"
 license=('GPL3')
-depends=('dropbear' 'cryptsetup' 'mkinitcpio-nfs-utils' 'psmisc' 'iproute2')
+depends=('dropbear' 'cryptsetup' 'mkinitcpio-nfs-utils' 'iproute2')
 install=$pkgname.install
 changelog='ChangeLog'
 source=("http://julien.coloos.free.fr/archlinux/$pkgname-$pkgver.tar.xz" "$pkgname.install")
-md5sums=('cd16f62be49eef3fa178ce292de64f48'
+md5sums=('3fa8f5dd00a85b32025d01e5701e1407'
-         'a703663472bbd50882a11f6b2cfccbf0')
+         'ac60109d80e7bb2af0d66e69aaf178a6')
 
 package() {
   install -Dm644 "$srcdir/src/install/ssh-cryptsetup" "$pkgdir/usr/lib/initcpio/install/ssh-cryptsetup"

README.md

@@ -1,21 +1,61 @@
 Personal ArchLinux package combining dropbear and cryptsetup in initrd for unlocking LUKS-encrypted devices either locally (boot console) or remotely over SSH.  
-The code was reworked from [dropbear_initrd_encrypt](https://aur.archlinux.org/packages/dropbear_initrd_encrypt/).
+The code was reworked from legacy dropbear_initrd_encrypt AUR package.
 
 
 ## Installation
-After cloning the repo, installation is done as for an AUR package.
+After cloning the repo, installation is done as for an AUR package, e.g.:
+
+    makepkg -sri
+
+
+## Dropbear
+SSH server key need to be generated for `dropbear`.  
+Either a new key can be generated with `dropbearkey`, e.g.:
+
+    dropbearkey -t ecdsa -f /etc/dropbear/dropbear_ecdsa_host_key
+Or an existing OpenSSH key can be converted with `dropbearconvert` (useful so that the server fingerprint is the same with both), e.g.:
+
+    dropbearconvert openssh dropbear /etc/ssh/ssh_host_ecdsa_key /etc/dropbear/dropbear_ecdsa_host_key
+Note: `rsa` and `dss` (`dsa` in OpenSSH) types are also handled.
 
 
 ## Configuration
 As explained upon installation, the following things need to be done:
-  * add the SSH public key to `/etc/dropbear/initrd.authorized_keys`
+   * add the authorized SSH public key to `/etc/dropbear/initrd.authorized_keys`
    * add the `ip=` kernel command parameter to the bootloader configuration (see https://wiki.archlinux.org/index.php/Mkinitcpio#Using_net)
+      - e.g. with `grub`: add `ip=:::::eth0:dhcp` to `GRUB_CMDLINE_LINUX_DEFAULT` in `/etc/default/grub`, and re-generate the configuration with `grub-mkconfig -o /boot/grub/grub.cfg`
    * in the `HOOKS` section of `/etc/mkinitcpio.conf`, add `ssh-cryptsetup` before `filesystems`; then rebuild the initramfs: `mkinitcpio -p linux`
+      - when using a non-standard keyboard layout, it is also useful to add the `keymap` hook before `ssh-cryptsetup`, and also move `keyboard` before `keymap`
 
 The LUKS-encrypted devices to unlock are derived from `/etc/crypttab`.
 
-The SSH listening port (22 by default) can be changed by setting the `sshcs_opt_listen` option in `/etc/dropbear/initrd.env` (file is sourced in initrd shell).
+
+Some options can be set in `/etc/initcpio/sshcs_env` (file is sourced in initrd shell):
+   * `sshcs_opt_debug`: whether to be more verbose about ongoing actions
+      - default: 0
+      - any non-zero value to enable
+   * `sshcs_opt_timeout_ipconfig`: time (in seconds) to configure IP
+      - default: 10 seconds
+   * `sshcs_opt_listen`: SSH listening port
+      - default: 22
+   * `sshcs_opt_timeout_poweroff`: time (in seconds) to unlock devices before automatic powering off
+      - default (and minimum value): 2 minutes
+      - negative value to deactivate
+
 For example:
 
+    sshcs_opt_timeout_ipconfig=30
     sshcs_opt_listen=2222
+    sshcs_opt_timeout_poweroff=-1
 
+
+## Building notes
+1. Modify the sources (features in `src`, and/or package building files)
+2. If `src` was modified
+   * archive the `src` folder in `$pkgname-$pkgver.tar.xz` file; e.g.: `tar -cJf initrd-ssh-cryptsetup-0.4.tar.xz src`
+   * upload the archive on the online repository (pointed by `PKGBUILD`)
+3. Update ChangeLog
+4. Update `PKGBUILD`
+   * bump `pkgver` if `src` was modified, or `pkgrel` if building files were modified
+   * refresh `md5sums` if necessary (based on `md5sum initrd-ssh-cryptsetup-*.tar.xz initrd-ssh-cryptsetup.install` output)
+5. Delete generated archive file if any

initrd-ssh-cryptsetup.install

@@ -1,8 +1,17 @@
 #!/bin/bash
 
 post_install() {
+    local sshcs_env="/etc/initcpio/sshcs_env"
+    local sshcs_env_old="/etc/dropbear/initrd.env"
     local dropbear_authorized_keys="/etc/dropbear/initrd.authorized_keys"
     local etc_dropbear=$(dirname "${dropbear_authorized_keys}")
+    [ ! -e "${sshcs_env}" ] && [ -e "${sshcs_env_old}" ] && {
+        [ -d $(dirname "${sshcs_env}") ] || mkdir -p $(dirname "${sshcs_env}")
+        mv "${sshcs_env_old}" "${sshcs_env}"
+    cat <<EOF
+    Moved legacy file ${sshcs_env_old} to new path ${sshcs_env}"
+EOF
+    }
     [ -d "${etc_dropbear}" ] || mkdir -p "${etc_dropbear}"
     [ -e "${dropbear_authorized_keys}" ] || touch "${dropbear_authorized_keys}"
     chmod 600 "${dropbear_authorized_keys}"

src/hooks/ssh-cryptsetup

@@ -1,12 +1,35 @@
 #!/usr/bin/ash
 
+dbg () {
+    [ ${sshcs_opt_debug} != 0 ] && echo "$@"
+}
+
+sshcs_env_load() {
+    local debug_default=0
+    local timeout_ipconfig_default=10
+    local timeout_poweroff_min=120
+
+    [ -e "${sshcs_env}" ] && . "${sshcs_env}"
+    [ -z "${sshcs_opt_debug}" ] && sshcs_opt_debug=${debug_default}
+    [ -z "${sshcs_opt_timeout_ipconfig}" ] && sshcs_opt_timeout_ipconfig=${timeout_ipconfig_default}
+    [ -n "${sshcs_opt_listen}" ] && sshcs_opt_listen="-p ${sshcs_opt_listen}"
+    [ -z "${sshcs_opt_timeout_poweroff}" ] && sshcs_opt_timeout_poweroff=${timeout_poweroff_min}
+    [ ${sshcs_opt_timeout_poweroff} -ge 0 ] && [ ${sshcs_opt_timeout_poweroff} -lt ${timeout_poweroff_min} ] && sshcs_opt_timeout_poweroff=${timeout_poweroff_min}
+}
+
 sshcs_net_start() {
     # we must have an 'ip' setting, and a device in it
     [ -z "${ip}" ] && [ -n "${nfsaddrs}" ] && ip="${nfsaddrs}"
-    [ -z "${ip}" ] && return 1
+    [ -z "${ip}" ] && {
+        dbg "No ip setting to setup network"
+        return 1
+    }
 
     net_device=$(echo ${ip} | cut -d: -f6)
-    [ -z "${net_device}" ] && return 1
+    [ -z "${net_device}" ] && {
+        dbg "No network device to setup"
+        return 1
+    }
 
     # Setup network and save some values
     # Note: some useful redirection means ('< <(...)' and '<<< "$(...)"') are
@@ -14,7 +37,16 @@ sshcs_net_start() {
     # temporary file and 'source' it since '... | while read ...' spawns a
     # subshell from which outer variables cannot be altered.
     : > "${net_env}"
-    ipconfig "ip=${ip}" | while read line; do
+
+    echo ""
+    echo "Configuring IP (timeout = ${sshcs_opt_timeout_ipconfig}s) ..."
+    ipconfig_out=$(ipconfig -t "${sshcs_opt_timeout_ipconfig}" "ip=${ip}")
+    if [ $? -ne 0 ]; then
+        err "IP configuration timeout!"
+        return 1
+    fi
+
+    echo -n "${ipconfig_out}" | while read line; do
         [ "${line#"IP-Config:"}" != "${line}" ] && continue
 
         line="$(echo "${line}" | sed -e 's/ :/:/g;s/: /=/g')"
@@ -36,7 +68,58 @@ sshcs_net_start() {
     [ -n "${net_address}" ]
 }
 
+sshcs_net_done() {
+    # we are done with the network
+    if [ -n "${net_device}" ]; then
+        dbg "Setting network device=${net_device} down"
+        ip addr flush dev "${net_device}"
+        ip link set dev "${net_device}" down
+    fi
+}
+
+sshcs_trapped_timeout() {
+    err "Timeout reached! Powering off."
+    poweroff -f
+    exit
+}
+
+sshcs_trap_timeout() {
+    local pid_init=$$
+
+    if [ ${sshcs_opt_timeout_poweroff} -gt 0 ]; then
+        echo ""
+        echo "WARNING! Automatic poweroff will be triggered in ${sshcs_opt_timeout_poweroff}s"
+        echo "To deactivate, please unlock devices"
+        echo ""
+        trap sshcs_trapped_timeout SIGALRM
+        (
+            sleep ${sshcs_opt_timeout_poweroff}
+            kill -SIGALRM ${pid_init}
+            # Signal is not processed if cryptsetup is waiting for the password
+            killall cryptsetup > /dev/null 2>&1
+        ) &
+        pid_timeout=$!
+    fi
+}
+
+sshcs_untrap_timeout() {
+    [ -z "${pid_timeout}" ] && return 0
+    kill ${pid_timeout}
+    trap - SIGALRM
+    msg "Timeout cleared."
+}
+
+sshcs_unlock() {
+    sshcs_trap_timeout
+
+    # actual script (shared with SSH login) unlocking encrypted devices
+    . "${sshcs_cryptsetup_script}"
+
+    sshcs_untrap_timeout
+}
+
 sshcs_dropbear_unlock() {
+    local pid_timeout=
     local dev_pts_mounted=0
     local listen=
 
@@ -57,14 +140,14 @@ sshcs_dropbear_unlock() {
 
 . "/init_functions"
 
-if [ ! -f "${dropbear_cryptsetup_script}" ]; then
+if [ ! -f "${sshcs_cryptsetup_script}" ]; then
     err "No cryptsetup script present! Please retry."
     exit 0
 fi
 
 if [ -c "/dev/mapper/control" ]; then
     CSQUIET=
-    . "${dropbear_cryptsetup_script}"
+    . "${sshcs_cryptsetup_script}"
 
     echo ""
     echo "cryptsetup succeeded! Boot sequence should go on."
@@ -79,15 +162,11 @@ EOF
     [ ! -d "/var/log" ] && mkdir -p "/var/log"
     touch "/var/log/lastlog"
 
-    [ -e "${dropbear_env}" ] && . "${dropbear_env}"
-    [ -n "${sshcs_opt_listen}" ] && sshcs_opt_listen="-p ${sshcs_opt_listen}"
-
-
     msg "Starting dropbear ..."
-    dropbear -Emsgjk -P "${path_dropbear_pid}" ${sshcs_opt_listen}
+    dropbear -Esgjk -P "${path_dropbear_pid}" ${sshcs_opt_listen}
 
-    # actual script (shared with SSH login) unlocking encrypted devices
+    # Actual unlocking
-    . "${dropbear_cryptsetup_script}"
+    sshcs_unlock
 
     # cleanup dropbear
     if [ -f "${path_dropbear_pid}" ]; then
@@ -95,7 +174,7 @@ EOF
         kill $(cat "${path_dropbear_pid}")
         rm -f "${path_dropbear_pid}"
     fi
-    rm -f "${dropbear_cryptsetup_script}" "${dropbear_login_shell}" "/etc/passwd" "/etc/shells" "/var/log/lastlog"
+    rm -f "${sshcs_cryptsetup_script}" "${dropbear_login_shell}" "/etc/passwd" "/etc/shells" "/var/log/lastlog"
 
     # cleanup /dev/pts if necessary
     if [ ${dev_pts_mounted} -ne 0 ]; then
@@ -104,14 +183,6 @@ EOF
     fi
 }
 
-sshcs_net_done() {
-    # we are done with the network
-    if [ -n "${net_device}" ]; then
-        ip addr flush dev "${net_device}"
-        ip link set dev "${net_device}" down
-    fi
-}
-
 sshcs_cryptpart_process() {
     # ensure there is a device (handle 'UUID=' format)
     [ -z "${cryptdev}" ] && return 0
@@ -121,7 +192,7 @@ sshcs_cryptpart_process() {
     cryptargs=
     for cryptopt in ${cryptoptions//,/ }; do
         case ${cryptopt} in
-            allow-discards)
+            discard)
                 cryptargs="${cryptargs} --allow-discards"
                 ;;
 
@@ -138,9 +209,10 @@ sshcs_cryptpart_process() {
     cryptdev_orig=${cryptdev}
     if cryptdev=$(resolve_device "${cryptdev_orig}" ${rootdelay}); then
         if cryptsetup isLuks "${cryptdev}" >/dev/null 2>&1; then
+            dbg "Adding crypt device=${cryptdev} type=${crypttype} name=${cryptname} args=<${cryptargs}> in setup script"
 
             # update script used to unlock device either in console or SSH
-            [ -s "${dropbear_cryptsetup_script}" ] || cat <<EOF > "${dropbear_cryptsetup_script}"
+            [ -s "${sshcs_cryptsetup_script}" ] || cat <<EOF > "${sshcs_cryptsetup_script}"
 cycle_or_retry() {
     local res
 
@@ -154,10 +226,10 @@ cycle_or_retry() {
 }
 EOF
 
-            cat <<EOF >> "${dropbear_cryptsetup_script}"
+            cat <<EOF >> "${sshcs_cryptsetup_script}"
 # loop until device is available
 while [ ! -e "/dev/mapper/${cryptname}" ]; do
-    if cryptsetup open --type "${crypttype}" "${cryptdev}" "${cryptname}" "${cryptargs}" "\${CSQUIET}"; then
+    if cryptsetup open --type "${crypttype}" "${cryptdev}" "${cryptname}" ${cryptargs} "\${CSQUIET}"; then
         if poll_device "/dev/mapper/${cryptname}" ${rootdelay}; then
             killall cryptsetup > /dev/null 2>&1
             break
@@ -178,33 +250,30 @@ EOF
     fi
 }
 
-
 run_hook() {
     local etc_crypttab="/etc/crypttab"
-    local dropbear_env="/etc/dropbear/initrd.env"
+    local sshcs_env="/etc/initcpio/sshcs_env"
     local path_dropbear_pid="/.dropbear.pid"
     local dropbear_login_shell="/.cryptsetup_shell.sh"
-    local dropbear_cryptsetup_script="/.cryptsetup_script.sh"
+    local sshcs_cryptsetup_script="/.cryptsetup_script.sh"
     local net_env="/.net_env.sh"
-    local line iparg net_address net_netmask net_gateway net_dns0 net_dns1
+    local line iparg net_address net_device ipconfig_out net_netmask net_gateway net_dns0 net_dns1
     local cryptdev cryptdev_orig crypttype cryptname cryptpass cryptoptions cryptopt cryptargs CSQUIET
 
+    # Load our options
+    sshcs_env_load
+
     # sanity check: crypttab should be present
-    [ ! -e "${etc_crypttab}" ] && return 0
+    [ ! -e "${etc_crypttab}" ] && {
+        dbg "No crypttab configuration to process"
+        return 0
+    }
 
     modprobe -a -q dm-crypt >/dev/null 2>&1
     [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"
 
     umask 0022
 
-    # start and check network
-    if ! sshcs_net_start; then
-        err "Net interface not available! Skipping crypt remote unlocking."
-        # stop the network if possible
-        sshcs_net_done
-        return 0
-    fi
-
     # check encrypted devices to handle
     cryptdev=
     crypttype=luks
@@ -217,9 +286,17 @@ run_hook() {
         sshcs_cryptpart_process
     done < "${etc_crypttab}"
 
-    if [ ! -e "${dropbear_cryptsetup_script}" ]; then
+    if [ ! -e "${sshcs_cryptsetup_script}" ]; then
         err "No encrypted device found! Skipping crypt remote unlocking."
-        # don't forget to stop the network
+        return 0
+    fi
+
+    # start and check network
+    if ! sshcs_net_start; then
+        err "Net interface not available! Skipping crypt remote unlocking."
+        # We still allow to unlock locally with timeout
+        sshcs_unlock
+        # stop the network if possible
         sshcs_net_done
         return 0
     fi

src/install/ssh-cryptsetup

@@ -31,7 +31,7 @@ sshcs_check_keys() {
 build() {
     local etc_crypttab="/etc/crypttab"
     local dropbear_authorized_keys="/etc/dropbear/initrd.authorized_keys"
-    local dropbear_env="/etc/dropbear/initrd.env"
+    local sshcs_env="/etc/initcpio/sshcs_env"
     local dropbear_key_types=( "dss" "rsa" "ecdsa" )
     local dropbear_keyfile_prefix="/etc/dropbear/dropbear_"
     local dropbear_keyfile_suffix="_host_key"
@@ -70,14 +70,15 @@ build() {
     add_binary "dropbear"
     add_binary "ip"
     add_binary "/usr/lib/initcpio/ipconfig" "/sbin/ipconfig"
-    add_binary "killall"
+
+    # Our hook files
+    [ -e "${sshcs_env}" ] && add_file "${sshcs_env}"
 
     # auth-related files
     add_file "/lib/libnss_files.so"
 
     # SSH-related files
     add_file "${dropbear_authorized_keys}" "/root/.ssh/authorized_keys"
-    [ -e "${dropbear_env}" ] && add_file "${dropbear_env}"
     add_file "/etc/dropbear/dropbear_rsa_host_key"
     add_file "/etc/dropbear/dropbear_dss_host_key"
     add_file "/etc/dropbear/dropbear_ecdsa_host_key"
@@ -102,8 +103,15 @@ Network is configured with 'ip=' kernel parameter (see 'mkinitcpio-nfs-utils').
 Authorized SSH key(s) must be present in '/etc/dropbear/initrd.authorized_keys'.
 LUKS encrypted devices to unlock are derived from '/etc/crypttab', which must
 be present.
-Listening port (if not 22) can be set with the option 'sshcs_opt_listen' in
+Some options can be set in '/etc/initcpio/sshcs_env' (file is sourced in
-'/etc/dropbear/initrd.env' (file is sourced in initrd shell).
+initrd shell):
+ * 'sshcs_opt_timeout_ipconfig': time (s) to configure IP
+   - default: 10 seconds
+ * 'sshcs_opt_listen': listening port (22 by default)
+ * 'sshcs_opt_timeout_poweroff': time (s) to unlock devices before automatic
+   powering off
+   - default (and minimum value): 2 minutes
+   - negative value to deactivate
 
 Each SSH server key ('dropbear_rsa_host_key', 'dropbear_dss_host_key' and
 'dropbear_ecdsa_host_key' in '/etc/dropbear' folder) is imported from OpenSSH