2 Commits
0.3-1 ... 0.5-1

Author SHA1 Message Date
Julien Coloos
d94d257cf6 Fix cryptsetup additional arguments handling
Quoting used in the script prevented them from being properly passed.
Also added a debug mode to print some more messages about ongoing actions.
2017-06-25 20:07:07 +02:00
Julien Coloos
e5ee05f382 Fixed TRIM option handling in /etc/crypttab
'discard' ('allow-discards' being the switch name to use in cryptsetup)

v0.4-1
2017-06-25 18:22:53 +02:00
4 changed files with 72 additions and 30 deletions

View File

@@ -1,26 +1,38 @@
2017-06-25 Julien Coloos <julien.coloos [at] gmail [dot] com>
* v0.5-1
Fixed cryptsetup additional arguments handling: were not properly passed
2017-06-25 Julien Coloos <julien.coloos [at] gmail [dot] com>
* v0.4-1
Fixed TRIM option handling in /etc/crypttab: 'discard' ('allow-discards' being the switch name to use in cryptsetup)
2015-11-22 Julien Coloos <julien.coloos [at] gmail [dot] com> 2015-11-22 Julien Coloos <julien.coloos [at] gmail [dot] com>
* v0.3-1 * v0.3-1
Added configurable timeout for ipconfig Added configurable timeout for ipconfig
Moved configuration file from /etc/dropbear/initrd.env to /etc/initcpio/sshcs_env Moved configuration file from /etc/dropbear/initrd.env to /etc/initcpio/sshcs_env
2014-05-20 Julien Coloos <julien.coloos [at] gmail [dot] com> 2014-05-20 Julien Coloos <julien.coloos [at] gmail [dot] com>
* v0.2-1 * v0.2-1
Removed unnecessary dependency: psmisc Removed unnecessary dependency: psmisc
Added configurable timeout to unlock devices before automatic poweroff Added configurable timeout to unlock devices before automatic poweroff
2014-05-19 Julien Coloos <julien.coloos [at] gmail [dot] com> 2014-05-19 Julien Coloos <julien.coloos [at] gmail [dot] com>
* v0.1-1 * v0.1-1
* Code adapted from dropbear_initrd_encrypt (https://aur.archlinux.org/packages/dropbear_initrd_encrypt/) * Code adapted from dropbear_initrd_encrypt (https://aur.archlinux.org/packages/dropbear_initrd_encrypt/)
Reworked code Reworked code
Dropped non-LUKS support Dropped non-LUKS support
Rely on /etc/crypttab Rely on /etc/crypttab
Handle multiple devices to unlock Handle multiple devices to unlock
Merged dropbear and encryptssh hooks Merged dropbear and encryptssh hooks
Better resources cleanup Better resources cleanup
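Review bot: the v0.5-1 entry only records the argument-passing fix, while the same commit also adds the `sshcs_opt_debug` mode that the commit message and the README describe; add a second line under `* v0.5-1` such as `Added debug mode (sshcs_opt_debug) to print more messages about ongoing actions` so the ChangeLog lists every user-visible change of the release.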

View File

@@ -1,6 +1,6 @@
# Maintainer: Julien Coloos <julien.coloos [at] gmail [dot] com> # Maintainer: Julien Coloos <julien.coloos [at] gmail [dot] com>
pkgname=initrd-ssh-cryptsetup pkgname=initrd-ssh-cryptsetup
pkgver=0.3 pkgver=0.5
pkgrel=1 pkgrel=1
pkgdesc="Allows for LUKS-encrypted devices to be unlocked remotely over SSH" pkgdesc="Allows for LUKS-encrypted devices to be unlocked remotely over SSH"
arch=('any') arch=('any')
@@ -10,7 +10,7 @@ depends=('dropbear' 'cryptsetup' 'mkinitcpio-nfs-utils' 'iproute2')
install=$pkgname.install install=$pkgname.install
changelog='ChangeLog' changelog='ChangeLog'
source=("http://julien.coloos.free.fr/archlinux/$pkgname-$pkgver.tar.xz" "$pkgname.install") source=("http://julien.coloos.free.fr/archlinux/$pkgname-$pkgver.tar.xz" "$pkgname.install")
md5sums=('a25dbbac5cd82a8d87932e646e38d9c4' md5sums=('d87a35adbef55db89f32a89f4966a27a'
'ac60109d80e7bb2af0d66e69aaf178a6') 'ac60109d80e7bb2af0d66e69aaf178a6')
package() { package() {
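Review bot: the source tarball is fetched over plain `http://` and verified only through `md5sums`, so a tampered download on the wire or on the host is not reliably caught; since this hunk already refreshes the checksum, switch to `sha256sums=(...)` (makepkg accepts it in place of md5sums) and to an https URL if the host offers one, and update the README building notes that tell the maintainer to run `md5sum`.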

View File

@@ -8,21 +8,24 @@ After cloning the repo, installation is done as for an AUR package.
## Configuration ## Configuration
As explained upon installation, the following things need to be done: As explained upon installation, the following things need to be done:
* add the SSH public key to `/etc/dropbear/initrd.authorized_keys` * add the SSH public key to `/etc/dropbear/initrd.authorized_keys`
* add the `ip=` kernel command parameter to the bootloader configuration (see https://wiki.archlinux.org/index.php/Mkinitcpio#Using_net) * add the `ip=` kernel command parameter to the bootloader configuration (see https://wiki.archlinux.org/index.php/Mkinitcpio#Using_net)
* in the `HOOKS` section of `/etc/mkinitcpio.conf`, add `ssh-cryptsetup` before `filesystems`; then rebuild the initramfs: `mkinitcpio -p linux` * in the `HOOKS` section of `/etc/mkinitcpio.conf`, add `ssh-cryptsetup` before `filesystems`; then rebuild the initramfs: `mkinitcpio -p linux`
The LUKS-encrypted devices to unlock are derived from `/etc/crypttab`. The LUKS-encrypted devices to unlock are derived from `/etc/crypttab`.
Some options can be set in `/etc/initcpio/sshcs_env` (file is sourced in initrd shell): Some options can be set in `/etc/initcpio/sshcs_env` (file is sourced in initrd shell):
* `sshcs_opt_timeout_ipconfig`: time (in seconds) to configure IP * `sshcs_opt_debug`: whether to be more verbose about ongoing actions
- default: 10 seconds - default: 0
* `sshcs_opt_listen`: SSH listening port - any non-zero value to enable
- default: 22 * `sshcs_opt_timeout_ipconfig`: time (in seconds) to configure IP
* `sshcs_opt_timeout_poweroff`: time (in seconds) to unlock devices before automatic powering off - default: 10 seconds
- default (and minimum value): 2 minutes * `sshcs_opt_listen`: SSH listening port
- negative value to deactivate - default: 22
* `sshcs_opt_timeout_poweroff`: time (in seconds) to unlock devices before automatic powering off
- default (and minimum value): 2 minutes
- negative value to deactivate
For example: For example:
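Review bot: the file is executed, not parsed (`file is sourced in initrd shell`), so every line of `/etc/initcpio/sshcs_env` runs as root inside the initramfs at boot; the new `sshcs_opt_debug` entry is a good place to add one sentence that the file must be owned by root and not group- or world-writable. The accepted value should also be stated precisely: the hook tests it with `!= 0`, a string comparison, so `any non-zero value to enable` means any value other than the literal `0`.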
@@ -30,3 +33,13 @@ For example:
sshcs_opt_listen=2222 sshcs_opt_listen=2222
sshcs_opt_timeout_poweroff=-1 sshcs_opt_timeout_poweroff=-1
## Building notes
1. Modify the sources (features in `src`, and/or package building files)
2. If `src` was modified
* archive the `src` folder in `$pkgname-$pkgver.tar.xz` file; e.g.: `tar -cJf initrd-ssh-cryptsetup-0.4.tar.xz src`
* upload the archive on the online repository (pointed by `PKGBUILD`)
3. Update `PKGBUILD`
* bump `pkgver` if `src` was modified, or `pkgrel` if building files were modified
* refresh `md5sums` if necessary (based on `md5sum initrd-ssh-cryptsetup-*.tar.xz initrd-ssh-cryptsetup.install` output)
4. Delete generated archive file if any
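Review bot: the example archive name in step 2, `initrd-ssh-cryptsetup-0.4.tar.xz`, is already stale against `pkgver=0.5` in this same change; write it as `initrd-ssh-cryptsetup-$pkgver.tar.xz` or leave the version out of the example so the notes do not need editing on every release.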

View File

@@ -1,10 +1,16 @@
#!/usr/bin/ash #!/usr/bin/ash
dbg () {
[ ${sshcs_opt_debug} != 0 ] && echo "$@"
}
sshcs_env_load() { sshcs_env_load() {
local debug_default=0
local timeout_ipconfig_default=10 local timeout_ipconfig_default=10
local timeout_poweroff_min=120 local timeout_poweroff_min=120
[ -e "${sshcs_env}" ] && . "${sshcs_env}" [ -e "${sshcs_env}" ] && . "${sshcs_env}"
[ -z "${sshcs_opt_debug}" ] && sshcs_opt_debug=${debug_default}
[ -z "${sshcs_opt_timeout_ipconfig}" ] && sshcs_opt_timeout_ipconfig=${timeout_ipconfig_default} [ -z "${sshcs_opt_timeout_ipconfig}" ] && sshcs_opt_timeout_ipconfig=${timeout_ipconfig_default}
[ -n "${sshcs_opt_listen}" ] && sshcs_opt_listen="-p ${sshcs_opt_listen}" [ -n "${sshcs_opt_listen}" ] && sshcs_opt_listen="-p ${sshcs_opt_listen}"
[ -z "${sshcs_opt_timeout_poweroff}" ] && sshcs_opt_timeout_poweroff=${timeout_poweroff_min} [ -z "${sshcs_opt_timeout_poweroff}" ] && sshcs_opt_timeout_poweroff=${timeout_poweroff_min}
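Review bot: `dbg` expands `${sshcs_opt_debug}` unquoted, so if it is ever called before `sshcs_env_load` has applied the default, `[` sees `[ != 0 ]` and fails with an error instead of staying silent; quote it with a fallback, `[ "${sshcs_opt_debug:-0}" != 0 ] && echo "$@"`. The function also returns 1 whenever debugging is off, because `[ ... ] && echo` is its last command, which would break any caller that chains it with `&&` or runs under `set -e`; write it as `if [ ... ]; then echo "$@"; fi` or add a trailing `return 0`.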
@@ -14,10 +20,16 @@ sshcs_env_load() {
sshcs_net_start() { sshcs_net_start() {
# we must have an 'ip' setting, and a device in it # we must have an 'ip' setting, and a device in it
[ -z "${ip}" ] && [ -n "${nfsaddrs}" ] && ip="${nfsaddrs}" [ -z "${ip}" ] && [ -n "${nfsaddrs}" ] && ip="${nfsaddrs}"
[ -z "${ip}" ] && return 1 [ -z "${ip}" ] && {
dbg "No ip setting to setup network"
return 1
}
net_device=$(echo ${ip} | cut -d: -f6) net_device=$(echo ${ip} | cut -d: -f6)
[ -z "${net_device}" ] && return 1 [ -z "${net_device}" ] && {
dbg "No network device to setup"
return 1
}
# Setup network and save some values # Setup network and save some values
# Note: some useful redirection means ('< <(...)' and '<<< "$(...)"') are # Note: some useful redirection means ('< <(...)' and '<<< "$(...)"') are
@@ -59,6 +71,7 @@ sshcs_net_start() {
sshcs_net_done() { sshcs_net_done() {
# we are done with the network # we are done with the network
if [ -n "${net_device}" ]; then if [ -n "${net_device}" ]; then
dbg "Setting network device=${net_device} down"
ip addr flush dev "${net_device}" ip addr flush dev "${net_device}"
ip link set dev "${net_device}" down ip link set dev "${net_device}" down
fi fi
@@ -179,7 +192,7 @@ sshcs_cryptpart_process() {
cryptargs= cryptargs=
for cryptopt in ${cryptoptions//,/ }; do for cryptopt in ${cryptoptions//,/ }; do
case ${cryptopt} in case ${cryptopt} in
allow-discards) discard)
cryptargs="${cryptargs} --allow-discards" cryptargs="${cryptargs} --allow-discards"
;; ;;
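Review bot: replacing `allow-discards)` with `discard)` silently drops crypttab entries that used the old spelling: they now fall through the `case` and TRIM is no longer enabled for them, with no message. Keep both spellings, `discard|allow-discards)`, or at least report an unrecognised option through the new `dbg`. Since `--allow-discards` reveals which sectors of the encrypted device are unused, the README option list is also the place for one sentence on that trade-off.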
@@ -196,6 +209,7 @@ sshcs_cryptpart_process() {
cryptdev_orig=${cryptdev} cryptdev_orig=${cryptdev}
if cryptdev=$(resolve_device "${cryptdev_orig}" ${rootdelay}); then if cryptdev=$(resolve_device "${cryptdev_orig}" ${rootdelay}); then
if cryptsetup isLuks "${cryptdev}" >/dev/null 2>&1; then if cryptsetup isLuks "${cryptdev}" >/dev/null 2>&1; then
dbg "Adding crypt device=${cryptdev} type=${crypttype} name=${cryptname} args=<${cryptargs}> in setup script"
# update script used to unlock device either in console or SSH # update script used to unlock device either in console or SSH
[ -s "${sshcs_cryptsetup_script}" ] || cat <<EOF > "${sshcs_cryptsetup_script}" [ -s "${sshcs_cryptsetup_script}" ] || cat <<EOF > "${sshcs_cryptsetup_script}"
@@ -215,7 +229,7 @@ EOF
cat <<EOF >> "${sshcs_cryptsetup_script}" cat <<EOF >> "${sshcs_cryptsetup_script}"
# loop until device is available # loop until device is available
while [ ! -e "/dev/mapper/${cryptname}" ]; do while [ ! -e "/dev/mapper/${cryptname}" ]; do
if cryptsetup open --type "${crypttype}" "${cryptdev}" "${cryptname}" "${cryptargs}" "\${CSQUIET}"; then if cryptsetup open --type "${crypttype}" "${cryptdev}" "${cryptname}" ${cryptargs} "\${CSQUIET}"; then
if poll_device "/dev/mapper/${cryptname}" ${rootdelay}; then if poll_device "/dev/mapper/${cryptname}" ${rootdelay}; then
killall cryptsetup > /dev/null 2>&1 killall cryptsetup > /dev/null 2>&1
break break
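Review bot: unquoting `${cryptargs}` fixes the additional arguments (the quoted form handed cryptsetup a single argument, empty when no option was set), but `"\${CSQUIET}"` on the same line has the same defect and is untouched: a quoted expansion never becomes a redirection, so with `quiet=y` (where `CSQUIET=">/dev/null"` is set in `run_hook`) the generated script passes the literal string `>/dev/null` to `cryptsetup open` as an extra argument, and otherwise an empty one. Either run that line through `eval` with `\${CSQUIET}` unquoted, or have the hook write a literal `>/dev/null` into the heredoc only when `quiet` is `y`.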
@@ -250,7 +264,10 @@ run_hook() {
sshcs_env_load sshcs_env_load
# sanity check: crypttab should be present # sanity check: crypttab should be present
[ ! -e "${etc_crypttab}" ] && return 0 [ ! -e "${etc_crypttab}" ] && {
dbg "No crypttab configuration to process"
return 0
}
modprobe -a -q dm-crypt >/dev/null 2>&1 modprobe -a -q dm-crypt >/dev/null 2>&1
[ "${quiet}" = "y" ] && CSQUIET=">/dev/null" [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"