Drop 'dsa' and add 'ed25519' private key support

Update README: dropbearconvert requires OpenSSH keys in PEM format.

Changed installation script to rely on variables, especially the list of
handled private key types, to that it automatically packages expected
private keys, instead of having to explicitely name/package them.

ChangeLog

@@ -1,3 +1,21 @@
+2020-07-14 Julien Coloos <julien.coloos [at] gmail [dot] com>
+
+        * v0.7-1
+        Dropped 'dsa' private key support; added 'ed25519' private key support
+
+
+2018-03-13 Julien Coloos <julien.coloos [at] gmail [dot] com>
+
+        * v0.6-1
+        Dropped '-m' option when calling dropbear (latest ArchLinux version does not handle it)
+
+
+2017-06-25 Julien Coloos <julien.coloos [at] gmail [dot] com>
+
+        * v0.5-1
+        Fixed cryptsetup additional arguments handling: were not properly passed
+
+
 2017-06-25 Julien Coloos <julien.coloos [at] gmail [dot] com>
 
         * v0.4-1

PKGBUILD

@@ -1,6 +1,6 @@
 # Maintainer: Julien Coloos <julien.coloos [at] gmail [dot] com>
 pkgname=initrd-ssh-cryptsetup
-pkgver=0.4
+pkgver=0.7
 pkgrel=1
 pkgdesc="Allows for LUKS-encrypted devices to be unlocked remotely over SSH"
 arch=('any')
@@ -10,7 +10,7 @@ depends=('dropbear' 'cryptsetup' 'mkinitcpio-nfs-utils' 'iproute2')
 install=$pkgname.install
 changelog='ChangeLog'
 source=("http://julien.coloos.free.fr/archlinux/$pkgname-$pkgver.tar.xz" "$pkgname.install")
-md5sums=('fab9d0ffc14a6cd7bcb79fa1b9411336'
+md5sums=('260de3a8b8b22327264af12251ac9a5b'
          'ac60109d80e7bb2af0d66e69aaf178a6')
 
 package() {

README.md

@@ -1,21 +1,41 @@
 Personal ArchLinux package combining dropbear and cryptsetup in initrd for unlocking LUKS-encrypted devices either locally (boot console) or remotely over SSH.  
-The code was reworked from [dropbear_initrd_encrypt](https://aur.archlinux.org/packages/dropbear_initrd_encrypt/).
+The code was reworked from legacy dropbear_initrd_encrypt AUR package.
 
 
 ## Installation
-After cloning the repo, installation is done as for an AUR package.
+After cloning the repo, installation is done as for an AUR package, e.g.:
+
+    makepkg -sri
+
+
+## Dropbear
+SSH server key need to be generated for `dropbear`.  
+Either a new key can be generated with `dropbearkey`, e.g.:
+
+    dropbearkey -t ecdsa -f /etc/dropbear/dropbear_ecdsa_host_key
+Or an existing OpenSSH key can be converted with `dropbearconvert` (useful so that the server fingerprint is the same with both), e.g.:
+
+    dropbearconvert openssh dropbear /etc/ssh/ssh_host_ecdsa_key /etc/dropbear/dropbear_ecdsa_host_key
+Notes:
+   * `rsa` and `ed25519` types are also handled
+   * OpenSSH keys must be in `PEM` format for `dropbearconvert` to properly work
 
 
 ## Configuration
 As explained upon installation, the following things need to be done:
-   * add the SSH public key to `/etc/dropbear/initrd.authorized_keys`
+   * add the authorized SSH public key to `/etc/dropbear/initrd.authorized_keys`
    * add the `ip=` kernel command parameter to the bootloader configuration (see https://wiki.archlinux.org/index.php/Mkinitcpio#Using_net)
+      - e.g. with `grub`: add `ip=:::::eth0:dhcp` to `GRUB_CMDLINE_LINUX_DEFAULT` in `/etc/default/grub`, and re-generate the configuration with `grub-mkconfig -o /boot/grub/grub.cfg`
    * in the `HOOKS` section of `/etc/mkinitcpio.conf`, add `ssh-cryptsetup` before `filesystems`; then rebuild the initramfs: `mkinitcpio -p linux`
+      - when using a non-standard keyboard layout, it is also useful to add the `keymap` hook before `ssh-cryptsetup`, and also move `keyboard` before `keymap`
 
 The LUKS-encrypted devices to unlock are derived from `/etc/crypttab`.
 
 
 Some options can be set in `/etc/initcpio/sshcs_env` (file is sourced in initrd shell):
+   * `sshcs_opt_debug`: whether to be more verbose about ongoing actions
+      - default: 0
+      - any non-zero value to enable
    * `sshcs_opt_timeout_ipconfig`: time (in seconds) to configure IP
       - default: 10 seconds
    * `sshcs_opt_listen`: SSH listening port
@@ -34,9 +54,10 @@ For example:
 ## Building notes
 1. Modify the sources (features in `src`, and/or package building files)
 2. If `src` was modified
-   * archive the `src` folder in `$pkgname-$pkgver.tar.xz` file; e.g.: `tar -cJf initrd-ssh-cryptsetup-0.4.tar.xz src`
+   * archive the `src` folder in `$pkgname-$pkgver.tar.xz` file; e.g.: `tar -cJf initrd-ssh-cryptsetup-0.7.tar.xz src`
    * upload the archive on the online repository (pointed by `PKGBUILD`)
-3. Update `PKGBUILD`
+3. Update ChangeLog
+4. Update `PKGBUILD`
    * bump `pkgver` if `src` was modified, or `pkgrel` if building files were modified
    * refresh `md5sums` if necessary (based on `md5sum initrd-ssh-cryptsetup-*.tar.xz initrd-ssh-cryptsetup.install` output)
-4. Delete generated archive file if any
+5. Delete generated archive file if any

src/hooks/ssh-cryptsetup

@@ -1,10 +1,16 @@
 #!/usr/bin/ash
 
+dbg () {
+    [ ${sshcs_opt_debug} != 0 ] && echo "$@"
+}
+
 sshcs_env_load() {
+    local debug_default=0
     local timeout_ipconfig_default=10
     local timeout_poweroff_min=120
 
     [ -e "${sshcs_env}" ] && . "${sshcs_env}"
+    [ -z "${sshcs_opt_debug}" ] && sshcs_opt_debug=${debug_default}
     [ -z "${sshcs_opt_timeout_ipconfig}" ] && sshcs_opt_timeout_ipconfig=${timeout_ipconfig_default}
     [ -n "${sshcs_opt_listen}" ] && sshcs_opt_listen="-p ${sshcs_opt_listen}"
     [ -z "${sshcs_opt_timeout_poweroff}" ] && sshcs_opt_timeout_poweroff=${timeout_poweroff_min}
@@ -14,10 +20,16 @@ sshcs_env_load() {
 sshcs_net_start() {
     # we must have an 'ip' setting, and a device in it
     [ -z "${ip}" ] && [ -n "${nfsaddrs}" ] && ip="${nfsaddrs}"
-    [ -z "${ip}" ] && return 1
+    [ -z "${ip}" ] && {
+        dbg "No ip setting to setup network"
+        return 1
+    }
 
     net_device=$(echo ${ip} | cut -d: -f6)
-    [ -z "${net_device}" ] && return 1
+    [ -z "${net_device}" ] && {
+        dbg "No network device to setup"
+        return 1
+    }
 
     # Setup network and save some values
     # Note: some useful redirection means ('< <(...)' and '<<< "$(...)"') are
@@ -59,6 +71,7 @@ sshcs_net_start() {
 sshcs_net_done() {
     # we are done with the network
     if [ -n "${net_device}" ]; then
+        dbg "Setting network device=${net_device} down"
         ip addr flush dev "${net_device}"
         ip link set dev "${net_device}" down
     fi
@@ -150,7 +163,7 @@ EOF
     touch "/var/log/lastlog"
 
     msg "Starting dropbear ..."
-    dropbear -Emsgjk -P "${path_dropbear_pid}" ${sshcs_opt_listen}
+    dropbear -Esgjk -P "${path_dropbear_pid}" ${sshcs_opt_listen}
 
     # Actual unlocking
     sshcs_unlock
@@ -196,6 +209,7 @@ sshcs_cryptpart_process() {
     cryptdev_orig=${cryptdev}
     if cryptdev=$(resolve_device "${cryptdev_orig}" ${rootdelay}); then
         if cryptsetup isLuks "${cryptdev}" >/dev/null 2>&1; then
+            dbg "Adding crypt device=${cryptdev} type=${crypttype} name=${cryptname} args=<${cryptargs}> in setup script"
 
             # update script used to unlock device either in console or SSH
             [ -s "${sshcs_cryptsetup_script}" ] || cat <<EOF > "${sshcs_cryptsetup_script}"
@@ -215,7 +229,7 @@ EOF
             cat <<EOF >> "${sshcs_cryptsetup_script}"
 # loop until device is available
 while [ ! -e "/dev/mapper/${cryptname}" ]; do
-    if cryptsetup open --type "${crypttype}" "${cryptdev}" "${cryptname}" "${cryptargs}" "\${CSQUIET}"; then
+    if cryptsetup open --type "${crypttype}" "${cryptdev}" "${cryptname}" ${cryptargs} "\${CSQUIET}"; then
         if poll_device "/dev/mapper/${cryptname}" ${rootdelay}; then
             killall cryptsetup > /dev/null 2>&1
             break
@@ -250,7 +264,10 @@ run_hook() {
     sshcs_env_load
 
     # sanity check: crypttab should be present
-    [ ! -e "${etc_crypttab}" ] && return 0
+    [ ! -e "${etc_crypttab}" ] && {
+        dbg "No crypttab configuration to process"
+        return 0
+    }
 
     modprobe -a -q dm-crypt >/dev/null 2>&1
     [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"

src/install/ssh-cryptsetup

@@ -32,7 +32,7 @@ build() {
     local etc_crypttab="/etc/crypttab"
     local dropbear_authorized_keys="/etc/dropbear/initrd.authorized_keys"
     local sshcs_env="/etc/initcpio/sshcs_env"
-    local dropbear_key_types=( "dss" "rsa" "ecdsa" )
+    local dropbear_key_types=( "rsa" "ecdsa" "ed25519" )
     local dropbear_keyfile_prefix="/etc/dropbear/dropbear_"
     local dropbear_keyfile_suffix="_host_key"
     local openssh_keyfile_prefix="/etc/ssh/ssh_host_"
@@ -79,9 +79,9 @@ build() {
 
     # SSH-related files
     add_file "${dropbear_authorized_keys}" "/root/.ssh/authorized_keys"
-    add_file "/etc/dropbear/dropbear_rsa_host_key"
-    add_file "/etc/dropbear/dropbear_dss_host_key"
-    add_file "/etc/dropbear/dropbear_ecdsa_host_key"
+    for keytype in "${dropbear_key_types[@]}"; do
+        add_file "${dropbear_keyfile_prefix}${keytype}${dropbear_keyfile_suffix}"
+    done
 
     # cryptsetup-related files
     add_file "${etc_crypttab}"
@@ -113,8 +113,8 @@ initrd shell):
    - default (and minimum value): 2 minutes
    - negative value to deactivate
 
-Each SSH server key ('dropbear_rsa_host_key', 'dropbear_dss_host_key' and
-'dropbear_ecdsa_host_key' in '/etc/dropbear' folder) is imported from OpenSSH
+Each SSH server key ('dropbear_rsa_host_key', 'dropbear_ecdsa_host_key' and
+'dropbear_ed25519_host_key' in '/etc/dropbear' folder) is imported from OpenSSH
 if present or generated if missing. Fingerprints are displayed upon building
 the initramfs image.
 EOF