v0.2-1

ChangeLog

@@ -1,3 +1,10 @@
+2014-05-20 Julien Coloos <julien.coloos [at] gmail [dot] com>
+
+	* v0.2-1
+	Removed unnecessary dependency: psmisc
+	Added configurable timeout to unlock devices before automatic poweroff
+
+
 2014-05-19 Julien Coloos <julien.coloos [at] gmail [dot] com>
 
 	* v0.1-1

PKGBUILD

@@ -1,16 +1,16 @@
 # Maintainer: Julien Coloos <julien.coloos [at] gmail [dot] com>
 pkgname=initrd-ssh-cryptsetup
-pkgver=0.1
+pkgver=0.2
 pkgrel=1
 pkgdesc="Allows for LUKS-encrypted devices to be unlocked remotely over SSH"
 arch=('any')
 url="https://github.com/suiryc/archlinux-$pkgname"
 license=('GPL3')
-depends=('dropbear' 'cryptsetup' 'mkinitcpio-nfs-utils' 'psmisc' 'iproute2')
+depends=('dropbear' 'cryptsetup' 'mkinitcpio-nfs-utils' 'iproute2')
 install=$pkgname.install
 changelog='ChangeLog'
 source=("http://julien.coloos.free.fr/archlinux/$pkgname-$pkgver.tar.xz" "$pkgname.install")
-md5sums=('cd16f62be49eef3fa178ce292de64f48'
+md5sums=('27b040fd69d252050c20a2595f8c67ba'
          'a703663472bbd50882a11f6b2cfccbf0')
 
 package() {

README.md

@@ -14,8 +14,16 @@ As explained upon installation, the following things need to be done:
 
 The LUKS-encrypted devices to unlock are derived from `/etc/crypttab`.
 
-The SSH listening port (22 by default) can be changed by setting the `sshcs_opt_listen` option in `/etc/dropbear/initrd.env` (file is sourced in initrd shell).
+
+Some options can be set in `/etc/dropbear/initrd.env` (file is sourced in initrd shell):
+  * `sshcs_opt_listen`: SSH listening port
+    - default: 22
+  * `sshcs_opt_timeout_poweroff`: time (in seconds) to unlock devices before automatic powering off
+    - default (and minimum value): 2 minutes
+    - negative value to deactivate
+
 For example:
 
     sshcs_opt_listen=2222
+    sshcs_opt_timeout_poweroff=-1
 

src/hooks/ssh-cryptsetup

@@ -36,7 +36,41 @@ sshcs_net_start() {
     [ -n "${net_address}" ]
 }
 
+sshcs_trapped_timeout() {
+    err "Timeout reached! Powering off."
+    poweroff -f
+    exit
+}
+
+sshcs_trap_timeout() {
+    local pid_init=$$
+
+    if [ ${sshcs_opt_timeout_poweroff} -gt 0 ]; then
+        echo ""
+        echo "WARNING! Automatic poweroff will be triggered in ${sshcs_opt_timeout_poweroff}s"
+        echo "To deactivate, please unlock devices"
+        echo ""
+        trap sshcs_trapped_timeout SIGALRM
+        (
+            sleep ${sshcs_opt_timeout_poweroff}
+            kill -SIGALRM ${pid_init}
+            # Signal is not processed if cryptsetup is waiting for the password
+            killall cryptsetup > /dev/null 2>&1
+        ) &
+        pid_timeout=$!
+    fi
+}
+
+sshcs_untrap_timeout() {
+    [ -z "${pid_timeout}" ] && return 0
+    kill ${pid_timeout}
+    trap - SIGALRM
+    msg "Timeout cleared."
+}
+
 sshcs_dropbear_unlock() {
+    local timeout_poweroff_min=120
+    local pid_timeout=
     local dev_pts_mounted=0
     local listen=
 
@@ -81,14 +115,20 @@ EOF
 
     [ -e "${dropbear_env}" ] && . "${dropbear_env}"
     [ -n "${sshcs_opt_listen}" ] && sshcs_opt_listen="-p ${sshcs_opt_listen}"
+    [ -z "${sshcs_opt_timeout_poweroff}" ] && sshcs_opt_timeout_poweroff=${timeout_poweroff_min}
+    [ ${sshcs_opt_timeout_poweroff} -ge 0 ] && [ ${sshcs_opt_timeout_poweroff} -lt ${timeout_poweroff_min} ] && sshcs_opt_timeout_poweroff=${timeout_poweroff_min}
 
 
     msg "Starting dropbear ..."
     dropbear -Emsgjk -P "${path_dropbear_pid}" ${sshcs_opt_listen}
 
+    sshcs_trap_timeout
+
     # actual script (shared with SSH login) unlocking encrypted devices
     . "${dropbear_cryptsetup_script}"
 
+    sshcs_untrap_timeout
+
     # cleanup dropbear
     if [ -f "${path_dropbear_pid}" ]; then
         msg "Stopping dropbear ..."
@@ -178,7 +218,6 @@ EOF
     fi
 }
 
-
 run_hook() {
     local etc_crypttab="/etc/crypttab"
     local dropbear_env="/etc/dropbear/initrd.env"

src/install/ssh-cryptsetup

@@ -70,7 +70,6 @@ build() {
     add_binary "dropbear"
     add_binary "ip"
     add_binary "/usr/lib/initcpio/ipconfig" "/sbin/ipconfig"
-    add_binary "killall"
 
     # auth-related files
     add_file "/lib/libnss_files.so"
@@ -102,8 +101,13 @@ Network is configured with 'ip=' kernel parameter (see 'mkinitcpio-nfs-utils').
 Authorized SSH key(s) must be present in '/etc/dropbear/initrd.authorized_keys'.
 LUKS encrypted devices to unlock are derived from '/etc/crypttab', which must
 be present.
-Listening port (if not 22) can be set with the option 'sshcs_opt_listen' in
-'/etc/dropbear/initrd.env' (file is sourced in initrd shell).
+Some options can be set in '/etc/dropbear/initrd.env' (file is sourced in
+initrd shell):
+ * 'sshcs_opt_listen': listening port (22 by default)
+ * 'sshcs_opt_timeout_poweroff': time (s) to unlock devices before automatic
+   powering off
+   - default (and minimum value): 2 minutes
+   - negative value to deactivate
 
 Each SSH server key ('dropbear_rsa_host_key', 'dropbear_dss_host_key' and
 'dropbear_ecdsa_host_key' in '/etc/dropbear' folder) is imported from OpenSSH