Use SHA256 checksums instead of MD5

v0.9-2

ChangeLog

@@ -1,3 +1,40 @@
+2021-11-12 Julien Coloos <julien.coloos [at] gmail [dot] com>
+
+        * v0.10-1
+        Option to use login shell instead of cryptsetup script
+        Re-enable Wake-on-LAN on network device
+
+
+2021-11-12 Julien Coloos <julien.coloos [at] gmail [dot] com>
+
+        * v0.9-2
+        Use SHA256 checksums instead of MD5
+
+
+2021-10-24 Julien Coloos <julien.coloos [at] gmail [dot] com>
+
+        * v0.9-1
+        Try to print network devices information when interface setup fails
+
+
+2021-08-15 Julien Coloos <julien.coloos [at] gmail [dot] com>
+
+        * v0.8-1
+        Include 'libgcc_s.so.1' which is necessary for (at least) proper LUKS v2 handling
+
+
+2020-07-14 Julien Coloos <julien.coloos [at] gmail [dot] com>
+
+        * v0.7-1
+        Dropped 'dsa' private key support; added 'ed25519' private key support
+
+
+2018-03-13 Julien Coloos <julien.coloos [at] gmail [dot] com>
+
+        * v0.6-1
+        Dropped '-m' option when calling dropbear (latest ArchLinux version does not handle it)
+
+
 2017-06-25 Julien Coloos <julien.coloos [at] gmail [dot] com>
 
         * v0.5-1

PKGBUILD

@@ -1,17 +1,17 @@
 # Maintainer: Julien Coloos <julien.coloos [at] gmail [dot] com>
 pkgname=initrd-ssh-cryptsetup
-pkgver=0.5
+pkgver=0.10
 pkgrel=1
 pkgdesc="Allows for LUKS-encrypted devices to be unlocked remotely over SSH"
 arch=('any')
 url="https://github.com/suiryc/archlinux-$pkgname"
 license=('GPL3')
-depends=('dropbear' 'cryptsetup' 'mkinitcpio-nfs-utils' 'iproute2')
+depends=('dropbear' 'cryptsetup' 'mkinitcpio-nfs-utils' 'iproute2' 'ethtool')
 install=$pkgname.install
 changelog='ChangeLog'
 source=("http://julien.coloos.free.fr/archlinux/$pkgname-$pkgver.tar.xz" "$pkgname.install")
-md5sums=('d87a35adbef55db89f32a89f4966a27a'
-         'ac60109d80e7bb2af0d66e69aaf178a6')
+sha256sums=('c3fa91fc8ba2228b3492d3709231918c8015cc3da49f516c3eacea5c0217536c'
+            'b84978b3c2ef32208c2b104ee2d3ce8aaec26da0bd4e9e1c83942f373bbf6285')
 
 package() {
   install -Dm644 "$srcdir/src/install/ssh-cryptsetup" "$pkgdir/usr/lib/initcpio/install/ssh-cryptsetup"

README.md

@@ -1,16 +1,38 @@
 Personal ArchLinux package combining dropbear and cryptsetup in initrd for unlocking LUKS-encrypted devices either locally (boot console) or remotely over SSH.  
-The code was reworked from [dropbear_initrd_encrypt](https://aur.archlinux.org/packages/dropbear_initrd_encrypt/).
+The code was reworked from legacy dropbear_initrd_encrypt AUR package.
 
 
 ## Installation
-After cloning the repo, installation is done as for an AUR package.
+After cloning the repo, installation is done as for an AUR package, e.g.:
+
+    makepkg -sri
+
+
+## Dropbear
+SSH server key need to be generated for `dropbear`.  
+Either a new key can be generated with `dropbearkey`, e.g.:
+
+    dropbearkey -t ecdsa -f /etc/dropbear/dropbear_ecdsa_host_key
+Or an existing OpenSSH key can be converted with `dropbearconvert` (useful so that the server fingerprint is the same with both), e.g.:
+
+    dropbearconvert openssh dropbear /etc/ssh/ssh_host_ecdsa_key /etc/dropbear/dropbear_ecdsa_host_key
+Notes:
+   * `rsa` and `ed25519` types are also handled
+   * OpenSSH keys must be in `PEM` format for `dropbearconvert` to properly work
+
+If necessary an existing key file can be converted to `PEM` format using `ssh-keygen`:
+
+    ssh-keygen -A -p -m PEM -f /etc/ssh/ssh_host_ecdsa_key
 
 
 ## Configuration
 As explained upon installation, the following things need to be done:
-   * add the SSH public key to `/etc/dropbear/initrd.authorized_keys`
+   * add the authorized SSH public key to `/etc/dropbear/initrd.authorized_keys`
    * add the `ip=` kernel command parameter to the bootloader configuration (see https://wiki.archlinux.org/index.php/Mkinitcpio#Using_net)
+      - e.g. with `grub`: add `ip=:::::eth0:dhcp` to `GRUB_CMDLINE_LINUX_DEFAULT` in `/etc/default/grub`, and re-generate the configuration with `grub-mkconfig -o /boot/grub/grub.cfg`
+      - also see https://git.kernel.org/pub/scm/libs/klibc/klibc.git/tree/usr/kinit/ipconfig/README.ipconfig
    * in the `HOOKS` section of `/etc/mkinitcpio.conf`, add `ssh-cryptsetup` before `filesystems`; then rebuild the initramfs: `mkinitcpio -p linux`
+      - when using a non-standard keyboard layout, it is also useful to add the `keymap` hook before `ssh-cryptsetup`, and also move `keyboard` before `keymap`
 
 The LUKS-encrypted devices to unlock are derived from `/etc/crypttab`.
 
@@ -37,9 +59,11 @@ For example:
 ## Building notes
 1. Modify the sources (features in `src`, and/or package building files)
 2. If `src` was modified
-   * archive the `src` folder in `$pkgname-$pkgver.tar.xz` file; e.g.: `tar -cJf initrd-ssh-cryptsetup-0.4.tar.xz src`
+   * archive the `src` folder in `$pkgname-$pkgver.tar.xz` file; e.g.: `tar -cJf initrd-ssh-cryptsetup-0.9.tar.xz src`
    * upload the archive on the online repository (pointed by `PKGBUILD`)
-3. Update `PKGBUILD`
+3. Update ChangeLog
+4. Update `PKGBUILD`
    * bump `pkgver` if `src` was modified, or `pkgrel` if building files were modified
-   * refresh `md5sums` if necessary (based on `md5sum initrd-ssh-cryptsetup-*.tar.xz initrd-ssh-cryptsetup.install` output)
-4. Delete generated archive file if any
+   * refresh `sha256sums` with `updpkgsums` if necessary
+     - or manually, based on `sha256sum initrd-ssh-cryptsetup-*.tar.xz initrd-ssh-cryptsetup.install` output
+5. Delete generated archive file if any

src/hooks/ssh-cryptsetup

@@ -8,12 +8,14 @@ sshcs_env_load() {
   local debug_default=0
   local timeout_ipconfig_default=10
   local timeout_poweroff_min=120
+  local use_shell_default=0
 
   [ -e "${sshcs_env}" ] && . "${sshcs_env}"
   [ -z "${sshcs_opt_debug}" ] && sshcs_opt_debug=${debug_default}
   [ -z "${sshcs_opt_timeout_ipconfig}" ] && sshcs_opt_timeout_ipconfig=${timeout_ipconfig_default}
   [ -n "${sshcs_opt_listen}" ] && sshcs_opt_listen="-p ${sshcs_opt_listen}"
   [ -z "${sshcs_opt_timeout_poweroff}" ] && sshcs_opt_timeout_poweroff=${timeout_poweroff_min}
+  [ -z "${sshcs_opt_use_shell}" ] && sshcs_opt_use_shell=${use_shell_default}
   [ ${sshcs_opt_timeout_poweroff} -ge 0 ] && [ ${sshcs_opt_timeout_poweroff} -lt ${timeout_poweroff_min} ] && sshcs_opt_timeout_poweroff=${timeout_poweroff_min}
 }
 
@@ -40,9 +42,12 @@ sshcs_net_start() {
 
   echo ""
   echo "Configuring IP (timeout = ${sshcs_opt_timeout_ipconfig}s) ..."
+  # ipconfig manual: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/tree/usr/kinit/ipconfig/README.ipconfig
   ipconfig_out=$(ipconfig -t "${sshcs_opt_timeout_ipconfig}" "ip=${ip}")
   if [ $? -ne 0 ]; then
     err "IP configuration timeout!"
+    echo "Devices probing:"
+    ipconfig -n -t 5 -c none all
     return 1
   fi
 
@@ -131,11 +136,15 @@ sshcs_dropbear_unlock() {
   fi
 
   # /etc/passwd file for the root user
-    echo "root:x:0:0:root:/root:${dropbear_login_shell}" > "/etc/passwd"
-    echo "${dropbear_login_shell}" > "/etc/shells"
+  if [ ${sshcs_opt_use_shell} -eq 0 ]; then
+    echo "root:x:0:0:root:/root:${dropbear_cryptsetup_shell}" > "/etc/passwd"
+    echo "${dropbear_cryptsetup_shell}" > "/etc/shells"
+  else
+    echo "root:x:0:0:root:/root:/usr/bin/ash" > "/etc/passwd"
+  fi
 
   # root login script
-    cat <<EOF > "${dropbear_login_shell}"
+  cat <<EOF > "${dropbear_cryptsetup_shell}"
 #!/usr/bin/ash
 
 . "/init_functions"
@@ -157,13 +166,13 @@ else
 fi
 echo ""
 EOF
-    chmod a+x "${dropbear_login_shell}"
+  chmod a+x "${dropbear_cryptsetup_shell}"
 
   [ ! -d "/var/log" ] && mkdir -p "/var/log"
   touch "/var/log/lastlog"
 
   msg "Starting dropbear ..."
-    dropbear -Emsgjk -P "${path_dropbear_pid}" ${sshcs_opt_listen}
+  dropbear -Esgjk -P "${path_dropbear_pid}" ${sshcs_opt_listen}
 
   # Actual unlocking
   sshcs_unlock
@@ -174,7 +183,7 @@ EOF
     kill $(cat "${path_dropbear_pid}")
     rm -f "${path_dropbear_pid}"
   fi
-    rm -f "${sshcs_cryptsetup_script}" "${dropbear_login_shell}" "/etc/passwd" "/etc/shells" "/var/log/lastlog"
+  rm -f "${sshcs_cryptsetup_script}" "${dropbear_cryptsetup_shell}" "/etc/passwd" "/etc/shells" "/var/log/lastlog"
 
   # cleanup /dev/pts if necessary
   if [ ${dev_pts_mounted} -ne 0 ]; then
@@ -254,7 +263,7 @@ run_hook() {
   local etc_crypttab="/etc/crypttab"
   local sshcs_env="/etc/initcpio/sshcs_env"
   local path_dropbear_pid="/.dropbear.pid"
-    local dropbear_login_shell="/.cryptsetup_shell.sh"
+  local dropbear_cryptsetup_shell="/.cryptsetup_shell.sh"
   local sshcs_cryptsetup_script="/.cryptsetup_script.sh"
   local net_env="/.net_env.sh"
   local line iparg net_address net_device ipconfig_out net_netmask net_gateway net_dns0 net_dns1
@@ -306,3 +315,4 @@ run_hook() {
   # stop the network before going on in boot sequence
   sshcs_net_done
 }
+

src/install/ssh-cryptsetup

@@ -32,7 +32,7 @@ build() {
   local etc_crypttab="/etc/crypttab"
   local dropbear_authorized_keys="/etc/dropbear/initrd.authorized_keys"
   local sshcs_env="/etc/initcpio/sshcs_env"
-    local dropbear_key_types=( "dss" "rsa" "ecdsa" )
+  local dropbear_key_types=( "rsa" "ecdsa" "ed25519" )
   local dropbear_keyfile_prefix="/etc/dropbear/dropbear_"
   local dropbear_keyfile_suffix="_host_key"
   local openssh_keyfile_prefix="/etc/ssh/ssh_host_"
@@ -53,6 +53,9 @@ build() {
   sshcs_check_keys
 
   add_checked_modules "/drivers/net/"
+  # Note: parts of this script (modules/binaries added) are the same than the
+  # 'encrypt' install script (/usr/lib/initcpio/install/encrypt) which is the
+  # nominal one to deal with encrypted volumes at boot time.
   add_module dm-crypt
   # Note: crypto modules are necessary
   if [ -n "${CRYPTO_MODULES}" ]; then
@@ -69,7 +72,8 @@ build() {
   add_binary "dmsetup"
   add_binary "dropbear"
   add_binary "ip"
-    add_binary "/usr/lib/initcpio/ipconfig" "/sbin/ipconfig"
+  add_binary "/usr/lib/initcpio/ipconfig" "/bin/ipconfig"
+  add_binary "ethtool"
 
   # Our hook files
   [ -e "${sshcs_env}" ] && add_file "${sshcs_env}"
@@ -79,9 +83,9 @@ build() {
 
   # SSH-related files
   add_file "${dropbear_authorized_keys}" "/root/.ssh/authorized_keys"
-    add_file "/etc/dropbear/dropbear_rsa_host_key"
-    add_file "/etc/dropbear/dropbear_dss_host_key"
-    add_file "/etc/dropbear/dropbear_ecdsa_host_key"
+  for keytype in "${dropbear_key_types[@]}"; do
+    add_file "${dropbear_keyfile_prefix}${keytype}${dropbear_keyfile_suffix}"
+  done
 
   # cryptsetup-related files
   add_file "${etc_crypttab}"
@@ -90,6 +94,11 @@ build() {
   add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
   add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
 
+  # At least with LUKS v2 volumes, cryptsetup calls pthread_cancel(), which
+  # dlopen()s libgcc_s.so.1.
+  # See the nominal 'encrypt' module, and similar/related bug reports (e.g.
+  # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950254).
+  add_binary "/usr/lib/libgcc_s.so.1"
 
   add_runscript
 }
@@ -113,9 +122,10 @@ initrd shell):
    - default (and minimum value): 2 minutes
    - negative value to deactivate
 
-Each SSH server key ('dropbear_rsa_host_key', 'dropbear_dss_host_key' and
-'dropbear_ecdsa_host_key' in '/etc/dropbear' folder) is imported from OpenSSH
+Each SSH server key ('dropbear_rsa_host_key', 'dropbear_ecdsa_host_key' and
+'dropbear_ed25519_host_key' in '/etc/dropbear' folder) is imported from OpenSSH
 if present or generated if missing. Fingerprints are displayed upon building
 the initramfs image.
 EOF
 }
+