Drop '-m' option when calling dropbear

Latest ArchLinux versions does not handle it. Boot fs is unlikely to have motd anyway. v0.6-1
README: don't forget to update ChangeLog when necessary
2025-12-15 00:58:57 +03:00 · 2018-03-13 22:20:27 +01:00 · 2018-03-13 22:17:19 +01:00 · 2017-09-03 21:34:10 +02:00 · 2017-07-09 16:17:19 +02:00 · 2017-06-25 20:07:07 +02:00
6 changed files with 229 additions and 64 deletions
--- a/47
+++ b/47
@@ -1,12 +1,43 @@
 2018-03-13 Julien Coloos <julien.coloos [at] gmail [dot] com>
        * v0.6-1
        Dropped '-m' option when calling dropbear (latest ArchLinux version does not handle it)
 2017-06-25 Julien Coloos <julien.coloos [at] gmail [dot] com>
        * v0.5-1
        Fixed cryptsetup additional arguments handling: were not properly passed
 2017-06-25 Julien Coloos <julien.coloos [at] gmail [dot] com>
        * v0.4-1
        Fixed TRIM option handling in /etc/crypttab: 'discard' ('allow-discards' being the switch name to use in cryptsetup)
 2015-11-22 Julien Coloos <julien.coloos [at] gmail [dot] com>
        * v0.3-1
        Added configurable timeout for ipconfig
        Moved configuration file from /etc/dropbear/initrd.env to /etc/initcpio/sshcs_env
 2014-05-20 Julien Coloos <julien.coloos [at] gmail [dot] com>
        * v0.2-1
        Removed unnecessary dependency: psmisc
        Added configurable timeout to unlock devices before automatic poweroff
 2014-05-19 Julien Coloos <julien.coloos [at] gmail [dot] com>
-	* v0.1-1
+        * v0.1-1
-	* Code adapted from dropbear_initrd_encrypt (https://aur.archlinux.org/packages/dropbear_initrd_encrypt/)
+        * Code adapted from dropbear_initrd_encrypt (https://aur.archlinux.org/packages/dropbear_initrd_encrypt/)
-	Reworked code
+        Reworked code
-	Dropped non-LUKS support
+        Dropped non-LUKS support
-	Rely on /etc/crypttab
+        Rely on /etc/crypttab
-	Handle multiple devices to unlock
+        Handle multiple devices to unlock
-	Merged dropbear and encryptssh hooks
+        Merged dropbear and encryptssh hooks
-	Better resources cleanup
+        Better resources cleanup
--- a/8
+++ b/8
@@ -1,17 +1,17 @@
 # Maintainer: Julien Coloos <julien.coloos [at] gmail [dot] com>
 pkgname=initrd-ssh-cryptsetup
-pkgver=0.1
+pkgver=0.6
 pkgrel=1
 pkgdesc="Allows for LUKS-encrypted devices to be unlocked remotely over SSH"
 arch=('any')
 url="https://github.com/suiryc/archlinux-$pkgname"
 license=('GPL3')
-depends=('dropbear' 'cryptsetup' 'mkinitcpio-nfs-utils' 'psmisc' 'iproute2')
+depends=('dropbear' 'cryptsetup' 'mkinitcpio-nfs-utils' 'iproute2')
 install=$pkgname.install
 changelog='ChangeLog'
 source=("http://julien.coloos.free.fr/archlinux/$pkgname-$pkgver.tar.xz" "$pkgname.install")
-md5sums=('cd16f62be49eef3fa178ce292de64f48'
+md5sums=('3fa8f5dd00a85b32025d01e5701e1407'
-         'a703663472bbd50882a11f6b2cfccbf0')
+         'ac60109d80e7bb2af0d66e69aaf178a6')
 package() {
  install -Dm644 "$srcdir/src/install/ssh-cryptsetup" "$pkgdir/usr/lib/initcpio/install/ssh-cryptsetup"
--- a/README.md
+++ b/README.md
@@ -1,21 +1,61 @@
-Personal ArchLinux package combining dropbear and cryptsetup in initrd for unlocking LUKS-encrypted devices either locally (boot console) or remotely over SSH.
+Personal ArchLinux package combining dropbear and cryptsetup in initrd for unlocking LUKS-encrypted devices either locally (boot console) or remotely over SSH.  
-The code was reworked from [dropbear_initrd_encrypt](https://aur.archlinux.org/packages/dropbear_initrd_encrypt/).
+The code was reworked from legacy dropbear_initrd_encrypt AUR package.
 ## Installation
-After cloning the repo, installation is done as for an AUR package.
+After cloning the repo, installation is done as for an AUR package, e.g.:
    makepkg -sri
 ## Dropbear
 SSH server key need to be generated for `dropbear`.  
 Either a new key can be generated with `dropbearkey`, e.g.:
    dropbearkey -t ecdsa -f /etc/dropbear/dropbear_ecdsa_host_key
 Or an existing OpenSSH key can be converted with `dropbearconvert` (useful so that the server fingerprint is the same with both), e.g.:
    dropbearconvert openssh dropbear /etc/ssh/ssh_host_ecdsa_key /etc/dropbear/dropbear_ecdsa_host_key
 Note: `rsa` and `dss` (`dsa` in OpenSSH) types are also handled.
 ## Configuration
 As explained upon installation, the following things need to be done:
-  * add the SSH public key to `/etc/dropbear/initrd.authorized_keys`
+   * add the authorized SSH public key to `/etc/dropbear/initrd.authorized_keys`
-  * add the `ip=` kernel command parameter to the bootloader configuration (see https://wiki.archlinux.org/index.php/Mkinitcpio#Using_net)
+   * add the `ip=` kernel command parameter to the bootloader configuration (see https://wiki.archlinux.org/index.php/Mkinitcpio#Using_net)
-  * in the `HOOKS` section of `/etc/mkinitcpio.conf`, add `ssh-cryptsetup` before `filesystems`; then rebuild the initramfs: `mkinitcpio -p linux`
+      - e.g. with `grub`: add `ip=:::::eth0:dhcp` to `GRUB_CMDLINE_LINUX_DEFAULT` in `/etc/default/grub`, and re-generate the configuration with `grub-mkconfig -o /boot/grub/grub.cfg`
   * in the `HOOKS` section of `/etc/mkinitcpio.conf`, add `ssh-cryptsetup` before `filesystems`; then rebuild the initramfs: `mkinitcpio -p linux`
      - when using a non-standard keyboard layout, it is also useful to add the `keymap` hook before `ssh-cryptsetup`, and also move `keyboard` before `keymap`
 The LUKS-encrypted devices to unlock are derived from `/etc/crypttab`.
-The SSH listening port (22 by default) can be changed by setting the `sshcs_opt_listen` option in `/etc/dropbear/initrd.env` (file is sourced in initrd shell).
+
 Some options can be set in `/etc/initcpio/sshcs_env` (file is sourced in initrd shell):
   * `sshcs_opt_debug`: whether to be more verbose about ongoing actions
      - default: 0
      - any non-zero value to enable
   * `sshcs_opt_timeout_ipconfig`: time (in seconds) to configure IP
      - default: 10 seconds
   * `sshcs_opt_listen`: SSH listening port
      - default: 22
   * `sshcs_opt_timeout_poweroff`: time (in seconds) to unlock devices before automatic powering off
      - default (and minimum value): 2 minutes
      - negative value to deactivate
 For example:
    sshcs_opt_timeout_ipconfig=30
    sshcs_opt_listen=2222
    sshcs_opt_timeout_poweroff=-1
 ## Building notes
 1. Modify the sources (features in `src`, and/or package building files)
 2. If `src` was modified
   * archive the `src` folder in `$pkgname-$pkgver.tar.xz` file; e.g.: `tar -cJf initrd-ssh-cryptsetup-0.4.tar.xz src`
   * upload the archive on the online repository (pointed by `PKGBUILD`)
 3. Update ChangeLog
 4. Update `PKGBUILD`
   * bump `pkgver` if `src` was modified, or `pkgrel` if building files were modified
   * refresh `md5sums` if necessary (based on `md5sum initrd-ssh-cryptsetup-*.tar.xz initrd-ssh-cryptsetup.install` output)
 5. Delete generated archive file if any
--- a/initrd-ssh-cryptsetup.install
+++ b/initrd-ssh-cryptsetup.install
@@ -1,8 +1,17 @@
 #!/bin/bash
 post_install() {
    local sshcs_env="/etc/initcpio/sshcs_env"
    local sshcs_env_old="/etc/dropbear/initrd.env"
    local dropbear_authorized_keys="/etc/dropbear/initrd.authorized_keys"
    local etc_dropbear=$(dirname "${dropbear_authorized_keys}")
    [ ! -e "${sshcs_env}" ] && [ -e "${sshcs_env_old}" ] && {
        [ -d $(dirname "${sshcs_env}") ] || mkdir -p $(dirname "${sshcs_env}")
        mv "${sshcs_env_old}" "${sshcs_env}"
    cat <<EOF
    Moved legacy file ${sshcs_env_old} to new path ${sshcs_env}"
 EOF
    }
    [ -d "${etc_dropbear}" ] || mkdir -p "${etc_dropbear}"
    [ -e "${dropbear_authorized_keys}" ] || touch "${dropbear_authorized_keys}"
    chmod 600 "${dropbear_authorized_keys}"
--- a/src/hooks/ssh-cryptsetup
+++ b/src/hooks/ssh-cryptsetup
@@ -1,12 +1,35 @@
 #!/usr/bin/ash
 dbg () {
    [ ${sshcs_opt_debug} != 0 ] && echo "$@"
 }
 sshcs_env_load() {
    local debug_default=0
    local timeout_ipconfig_default=10
    local timeout_poweroff_min=120
    [ -e "${sshcs_env}" ] && . "${sshcs_env}"
    [ -z "${sshcs_opt_debug}" ] && sshcs_opt_debug=${debug_default}
    [ -z "${sshcs_opt_timeout_ipconfig}" ] && sshcs_opt_timeout_ipconfig=${timeout_ipconfig_default}
    [ -n "${sshcs_opt_listen}" ] && sshcs_opt_listen="-p ${sshcs_opt_listen}"
    [ -z "${sshcs_opt_timeout_poweroff}" ] && sshcs_opt_timeout_poweroff=${timeout_poweroff_min}
    [ ${sshcs_opt_timeout_poweroff} -ge 0 ] && [ ${sshcs_opt_timeout_poweroff} -lt ${timeout_poweroff_min} ] && sshcs_opt_timeout_poweroff=${timeout_poweroff_min}
 }
 sshcs_net_start() {
    # we must have an 'ip' setting, and a device in it
    [ -z "${ip}" ] && [ -n "${nfsaddrs}" ] && ip="${nfsaddrs}"
-    [ -z "${ip}" ] && return 1
+    [ -z "${ip}" ] && {
        dbg "No ip setting to setup network"
        return 1
    }
    net_device=$(echo ${ip} | cut -d: -f6)
-    [ -z "${net_device}" ] && return 1
+    [ -z "${net_device}" ] && {
        dbg "No network device to setup"
        return 1
    }
    # Setup network and save some values
    # Note: some useful redirection means ('< <(...)' and '<<< "$(...)"') are
@@ -14,7 +37,16 @@ sshcs_net_start() {
    # temporary file and 'source' it since '... | while read ...' spawns a
    # subshell from which outer variables cannot be altered.
    : > "${net_env}"
-    ipconfig "ip=${ip}" | while read line; do
+
    echo ""
    echo "Configuring IP (timeout = ${sshcs_opt_timeout_ipconfig}s) ..."
    ipconfig_out=$(ipconfig -t "${sshcs_opt_timeout_ipconfig}" "ip=${ip}")
    if [ $? -ne 0 ]; then
        err "IP configuration timeout!"
        return 1
    fi
    echo -n "${ipconfig_out}" | while read line; do
        [ "${line#"IP-Config:"}" != "${line}" ] && continue
        line="$(echo "${line}" | sed -e 's/ :/:/g;s/: /=/g')"
@@ -36,7 +68,58 @@ sshcs_net_start() {
    [ -n "${net_address}" ]
 }
 sshcs_net_done() {
    # we are done with the network
    if [ -n "${net_device}" ]; then
        dbg "Setting network device=${net_device} down"
        ip addr flush dev "${net_device}"
        ip link set dev "${net_device}" down
    fi
 }
 sshcs_trapped_timeout() {
    err "Timeout reached! Powering off."
    poweroff -f
    exit
 }
 sshcs_trap_timeout() {
    local pid_init=$$
    if [ ${sshcs_opt_timeout_poweroff} -gt 0 ]; then
        echo ""
        echo "WARNING! Automatic poweroff will be triggered in ${sshcs_opt_timeout_poweroff}s"
        echo "To deactivate, please unlock devices"
        echo ""
        trap sshcs_trapped_timeout SIGALRM
        (
            sleep ${sshcs_opt_timeout_poweroff}
            kill -SIGALRM ${pid_init}
            # Signal is not processed if cryptsetup is waiting for the password
            killall cryptsetup > /dev/null 2>&1
        ) &
        pid_timeout=$!
    fi
 }
 sshcs_untrap_timeout() {
    [ -z "${pid_timeout}" ] && return 0
    kill ${pid_timeout}
    trap - SIGALRM
    msg "Timeout cleared."
 }
 sshcs_unlock() {
    sshcs_trap_timeout
    # actual script (shared with SSH login) unlocking encrypted devices
    . "${sshcs_cryptsetup_script}"
    sshcs_untrap_timeout
 }
 sshcs_dropbear_unlock() {
    local pid_timeout=
    local dev_pts_mounted=0
    local listen=
@@ -57,14 +140,14 @@ sshcs_dropbear_unlock() {
 . "/init_functions"
-if [ ! -f "${dropbear_cryptsetup_script}" ]; then
+if [ ! -f "${sshcs_cryptsetup_script}" ]; then
    err "No cryptsetup script present! Please retry."
    exit 0
 fi
 if [ -c "/dev/mapper/control" ]; then
    CSQUIET=
-    . "${dropbear_cryptsetup_script}"
+    . "${sshcs_cryptsetup_script}"
    echo ""
    echo "cryptsetup succeeded! Boot sequence should go on."
@@ -79,15 +162,11 @@ EOF
    [ ! -d "/var/log" ] && mkdir -p "/var/log"
    touch "/var/log/lastlog"
    [ -e "${dropbear_env}" ] && . "${dropbear_env}"
    [ -n "${sshcs_opt_listen}" ] && sshcs_opt_listen="-p ${sshcs_opt_listen}"
    msg "Starting dropbear ..."
-    dropbear -Emsgjk -P "${path_dropbear_pid}" ${sshcs_opt_listen}
+    dropbear -Esgjk -P "${path_dropbear_pid}" ${sshcs_opt_listen}
-    # actual script (shared with SSH login) unlocking encrypted devices
+    # Actual unlocking
-    . "${dropbear_cryptsetup_script}"
+    sshcs_unlock
    # cleanup dropbear
    if [ -f "${path_dropbear_pid}" ]; then
@@ -95,7 +174,7 @@ EOF
        kill $(cat "${path_dropbear_pid}")
        rm -f "${path_dropbear_pid}"
    fi
-    rm -f "${dropbear_cryptsetup_script}" "${dropbear_login_shell}" "/etc/passwd" "/etc/shells" "/var/log/lastlog"
+    rm -f "${sshcs_cryptsetup_script}" "${dropbear_login_shell}" "/etc/passwd" "/etc/shells" "/var/log/lastlog"
    # cleanup /dev/pts if necessary
    if [ ${dev_pts_mounted} -ne 0 ]; then
@@ -104,14 +183,6 @@ EOF
    fi
 }
 sshcs_net_done() {
    # we are done with the network
    if [ -n "${net_device}" ]; then
        ip addr flush dev "${net_device}"
        ip link set dev "${net_device}" down
    fi
 }
 sshcs_cryptpart_process() {
    # ensure there is a device (handle 'UUID=' format)
    [ -z "${cryptdev}" ] && return 0
@@ -121,7 +192,7 @@ sshcs_cryptpart_process() {
    cryptargs=
    for cryptopt in ${cryptoptions//,/ }; do
        case ${cryptopt} in
-            allow-discards)
+            discard)
                cryptargs="${cryptargs} --allow-discards"
                ;;
@@ -138,9 +209,10 @@ sshcs_cryptpart_process() {
    cryptdev_orig=${cryptdev}
    if cryptdev=$(resolve_device "${cryptdev_orig}" ${rootdelay}); then
        if cryptsetup isLuks "${cryptdev}" >/dev/null 2>&1; then
            dbg "Adding crypt device=${cryptdev} type=${crypttype} name=${cryptname} args=<${cryptargs}> in setup script"
            # update script used to unlock device either in console or SSH
-            [ -s "${dropbear_cryptsetup_script}" ] || cat <<EOF > "${dropbear_cryptsetup_script}"
+            [ -s "${sshcs_cryptsetup_script}" ] || cat <<EOF > "${sshcs_cryptsetup_script}"
 cycle_or_retry() {
    local res
@@ -154,10 +226,10 @@ cycle_or_retry() {
 }
 EOF
-            cat <<EOF >> "${dropbear_cryptsetup_script}"
+            cat <<EOF >> "${sshcs_cryptsetup_script}"
 # loop until device is available
 while [ ! -e "/dev/mapper/${cryptname}" ]; do
-    if cryptsetup open --type "${crypttype}" "${cryptdev}" "${cryptname}" "${cryptargs}" "\${CSQUIET}"; then
+    if cryptsetup open --type "${crypttype}" "${cryptdev}" "${cryptname}" ${cryptargs} "\${CSQUIET}"; then
        if poll_device "/dev/mapper/${cryptname}" ${rootdelay}; then
            killall cryptsetup > /dev/null 2>&1
            break
@@ -178,33 +250,30 @@ EOF
    fi
 }
 run_hook() {
    local etc_crypttab="/etc/crypttab"
-    local dropbear_env="/etc/dropbear/initrd.env"
+    local sshcs_env="/etc/initcpio/sshcs_env"
    local path_dropbear_pid="/.dropbear.pid"
    local dropbear_login_shell="/.cryptsetup_shell.sh"
-    local dropbear_cryptsetup_script="/.cryptsetup_script.sh"
+    local sshcs_cryptsetup_script="/.cryptsetup_script.sh"
    local net_env="/.net_env.sh"
-    local line iparg net_address net_netmask net_gateway net_dns0 net_dns1
+    local line iparg net_address net_device ipconfig_out net_netmask net_gateway net_dns0 net_dns1
    local cryptdev cryptdev_orig crypttype cryptname cryptpass cryptoptions cryptopt cryptargs CSQUIET
    # Load our options
    sshcs_env_load
    # sanity check: crypttab should be present
-    [ ! -e "${etc_crypttab}" ] && return 0
+    [ ! -e "${etc_crypttab}" ] && {
        dbg "No crypttab configuration to process"
        return 0
    }
    modprobe -a -q dm-crypt >/dev/null 2>&1
    [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"
    umask 0022
    # start and check network
    if ! sshcs_net_start; then
        err "Net interface not available! Skipping crypt remote unlocking."
        # stop the network if possible
        sshcs_net_done
        return 0
    fi
    # check encrypted devices to handle
    cryptdev=
    crypttype=luks
@@ -217,9 +286,17 @@ run_hook() {
        sshcs_cryptpart_process
    done < "${etc_crypttab}"
-    if [ ! -e "${dropbear_cryptsetup_script}" ]; then
+    if [ ! -e "${sshcs_cryptsetup_script}" ]; then
        err "No encrypted device found! Skipping crypt remote unlocking."
-        # don't forget to stop the network
+        return 0
    fi
    # start and check network
    if ! sshcs_net_start; then
        err "Net interface not available! Skipping crypt remote unlocking."
        # We still allow to unlock locally with timeout
        sshcs_unlock
        # stop the network if possible
        sshcs_net_done
        return 0
    fi
--- a/src/install/ssh-cryptsetup
+++ b/src/install/ssh-cryptsetup
@@ -31,7 +31,7 @@ sshcs_check_keys() {
 build() {
    local etc_crypttab="/etc/crypttab"
    local dropbear_authorized_keys="/etc/dropbear/initrd.authorized_keys"
-    local dropbear_env="/etc/dropbear/initrd.env"
+    local sshcs_env="/etc/initcpio/sshcs_env"
    local dropbear_key_types=( "dss" "rsa" "ecdsa" )
    local dropbear_keyfile_prefix="/etc/dropbear/dropbear_"
    local dropbear_keyfile_suffix="_host_key"
@@ -70,14 +70,15 @@ build() {
    add_binary "dropbear"
    add_binary "ip"
    add_binary "/usr/lib/initcpio/ipconfig" "/sbin/ipconfig"
-    add_binary "killall"
+
    # Our hook files
    [ -e "${sshcs_env}" ] && add_file "${sshcs_env}"
    # auth-related files
    add_file "/lib/libnss_files.so"
    # SSH-related files
    add_file "${dropbear_authorized_keys}" "/root/.ssh/authorized_keys"
    [ -e "${dropbear_env}" ] && add_file "${dropbear_env}"
    add_file "/etc/dropbear/dropbear_rsa_host_key"
    add_file "/etc/dropbear/dropbear_dss_host_key"
    add_file "/etc/dropbear/dropbear_ecdsa_host_key"
@@ -102,8 +103,15 @@ Network is configured with 'ip=' kernel parameter (see 'mkinitcpio-nfs-utils').
 Authorized SSH key(s) must be present in '/etc/dropbear/initrd.authorized_keys'.
 LUKS encrypted devices to unlock are derived from '/etc/crypttab', which must
 be present.
-Listening port (if not 22) can be set with the option 'sshcs_opt_listen' in
+Some options can be set in '/etc/initcpio/sshcs_env' (file is sourced in
-'/etc/dropbear/initrd.env' (file is sourced in initrd shell).
+initrd shell):
 * 'sshcs_opt_timeout_ipconfig': time (s) to configure IP
   - default: 10 seconds
 * 'sshcs_opt_listen': listening port (22 by default)
 * 'sshcs_opt_timeout_poweroff': time (s) to unlock devices before automatic
   powering off
   - default (and minimum value): 2 minutes
   - negative value to deactivate
 Each SSH server key ('dropbear_rsa_host_key', 'dropbear_dss_host_key' and
 'dropbear_ecdsa_host_key' in '/etc/dropbear' folder) is imported from OpenSSH
Author	SHA1	Message	Date
Julien Coloos	e47043f3a1	Drop '-m' option when calling dropbear Latest ArchLinux versions does not handle it. Boot fs is unlikely to have motd anyway. v0.6-1	2018-03-13 22:20:27 +01:00
Julien Coloos	4c1a7741d6	README: don't forget to update ChangeLog when necessary	2018-03-13 22:17:19 +01:00
Julien Coloos	6167cbc9cd	More details on installation and configuration Mention dropbear SSH key generation (or conversion from OpenSSH). Give example to setup IP with grub. Some fixes/details.	2017-09-03 21:34:10 +02:00
Julien Coloos	a13fecf645	Add comment about keymap HOOK when using non-standard keyboard layout	2017-07-09 16:17:19 +02:00
Julien Coloos	d94d257cf6	Fix cryptsetup additional arguments handling Quoting used in script prevented them ot be properly passed. Also added a debug mode to print some more messages about ongoing actions.	2017-06-25 20:07:07 +02:00
Julien Coloos	e5ee05f382	Fixed TRIM option handling in /etc/crypttab 'discard' ('allow-discards' being the switch name to use in cryptsetup) v0.4-1	2017-06-25 18:22:53 +02:00
Julien Coloos	cf6ccb2d23	Updated changelog	2015-11-22 19:05:58 +01:00
Julien Coloos	724d6a6bf0	Handle optional ipconfig timeout Specify timeout for ipconfig so that we can still boot while network is done. Otherwise ipconfig remains stuck (until IP can be configured). If not given we default to 10s. Minor code refactoring. Moved configuration file from /etc/dropbear/initrd.env to /etc/initcpio/sshcs_env since it now contains options for ipconfig and not only dropbear. Package installation script move legacy file to new path if present. v0.3-1	2015-11-22 18:54:57 +01:00
Julien Coloos	b61e50ebe8	v0.2-1	2014-05-20 22:53:17 +02:00
Julien Coloos	9443a3bb6b	Configurable timeout before automatic poweroff	2014-05-20 22:39:32 +02:00
Julien Coloos	3b3cf4b944	killall is already available, no need for extra dependency	2014-05-20 22:38:45 +02:00