Example to convert existing OpenSSH key to PEM format

Include 'libgcc_s.so.1' for proper LUKS v2 support
v0.8-1
2025-12-15 00:58:57 +03:00 · 2021-08-15 23:07:37 +02:00 · 2021-08-15 22:58:32 +02:00 · 2020-07-14 16:22:54 +02:00
4 changed files with 37 additions and 10 deletions
--- a/13
+++ b/13
@@ -1,8 +1,21 @@
+2021-08-15 Julien Coloos <julien.coloos [at] gmail [dot] com>
+
+        * v0.8-1
+        Include 'libgcc_s.so.1' which is necessary for (at least) proper LUKS v2 handling
+
+
+2020-07-14 Julien Coloos <julien.coloos [at] gmail [dot] com>
+
+        * v0.7-1
+        Dropped 'dsa' private key support; added 'ed25519' private key support
+
+
 2018-03-13 Julien Coloos <julien.coloos [at] gmail [dot] com>

        * v0.6-1
        Dropped '-m' option when calling dropbear (latest ArchLinux version does not handle it)

+
 2017-06-25 Julien Coloos <julien.coloos [at] gmail [dot] com>

        * v0.5-1
--- a/4
+++ b/4
@@ -1,6 +1,6 @@
 # Maintainer: Julien Coloos <julien.coloos [at] gmail [dot] com>
 pkgname=initrd-ssh-cryptsetup
-pkgver=0.6
+pkgver=0.8
 pkgrel=1
 pkgdesc="Allows for LUKS-encrypted devices to be unlocked remotely over SSH"
 arch=('any')
@@ -10,7 +10,7 @@ depends=('dropbear' 'cryptsetup' 'mkinitcpio-nfs-utils' 'iproute2')
 install=$pkgname.install
 changelog='ChangeLog'
 source=("http://julien.coloos.free.fr/archlinux/$pkgname-$pkgver.tar.xz" "$pkgname.install")
-md5sums=('3fa8f5dd00a85b32025d01e5701e1407'
+md5sums=('ac5a53fbc288ccce61874488bcbbf58a'
         'ac60109d80e7bb2af0d66e69aaf178a6')

 package() {
--- a/README.md
+++ b/README.md
@@ -16,7 +16,13 @@ Either a new key can be generated with `dropbearkey`, e.g.:
 Or an existing OpenSSH key can be converted with `dropbearconvert` (useful so that the server fingerprint is the same with both), e.g.:

    dropbearconvert openssh dropbear /etc/ssh/ssh_host_ecdsa_key /etc/dropbear/dropbear_ecdsa_host_key
-Note: `rsa` and `dss` (`dsa` in OpenSSH) types are also handled.
+Notes:
+   * `rsa` and `ed25519` types are also handled
+   * OpenSSH keys must be in `PEM` format for `dropbearconvert` to properly work
+
+If necessary an existing key file can be converted to `PEM` format using `ssh-keygen`:
+
+    ssh-keygen -A -p -m PEM -f /etc/ssh/ssh_host_ecdsa_key


 ## Configuration
@@ -52,7 +58,7 @@ For example:
 ## Building notes
 1. Modify the sources (features in `src`, and/or package building files)
 2. If `src` was modified
-   * archive the `src` folder in `$pkgname-$pkgver.tar.xz` file; e.g.: `tar -cJf initrd-ssh-cryptsetup-0.4.tar.xz src`
+   * archive the `src` folder in `$pkgname-$pkgver.tar.xz` file; e.g.: `tar -cJf initrd-ssh-cryptsetup-0.7.tar.xz src`
   * upload the archive on the online repository (pointed by `PKGBUILD`)
 3. Update ChangeLog
 4. Update `PKGBUILD`
--- a/src/install/ssh-cryptsetup
+++ b/src/install/ssh-cryptsetup
@@ -32,7 +32,7 @@ build() {
    local etc_crypttab="/etc/crypttab"
    local dropbear_authorized_keys="/etc/dropbear/initrd.authorized_keys"
    local sshcs_env="/etc/initcpio/sshcs_env"
-    local dropbear_key_types=( "dss" "rsa" "ecdsa" )
+    local dropbear_key_types=( "rsa" "ecdsa" "ed25519" )
    local dropbear_keyfile_prefix="/etc/dropbear/dropbear_"
    local dropbear_keyfile_suffix="_host_key"
    local openssh_keyfile_prefix="/etc/ssh/ssh_host_"
@@ -53,6 +53,9 @@ build() {
    sshcs_check_keys

    add_checked_modules "/drivers/net/"
+    # Note: parts of this script (modules/binaries added) are the same than the
+    # 'encrypt' install script (/usr/lib/initcpio/install/encrypt) which is the
+    # nominal one to deal with encrypted volumes at boot time.
    add_module dm-crypt
    # Note: crypto modules are necessary
    if [ -n "${CRYPTO_MODULES}" ]; then
@@ -79,9 +82,9 @@ build() {

    # SSH-related files
    add_file "${dropbear_authorized_keys}" "/root/.ssh/authorized_keys"
-    add_file "/etc/dropbear/dropbear_rsa_host_key"
-    add_file "/etc/dropbear/dropbear_dss_host_key"
-    add_file "/etc/dropbear/dropbear_ecdsa_host_key"
+    for keytype in "${dropbear_key_types[@]}"; do
+        add_file "${dropbear_keyfile_prefix}${keytype}${dropbear_keyfile_suffix}"
+    done

    # cryptsetup-related files
    add_file "${etc_crypttab}"
@@ -90,6 +93,11 @@ build() {
    add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
    add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"

+    # At least with LUKS v2 volumes, cryptsetup calls pthread_cancel(), which
+    # dlopen()s libgcc_s.so.1.
+    # See the nominal 'encrypt' module, and similar/related bug reports (e.g.
+    # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950254).
+    add_binary "/usr/lib/libgcc_s.so.1"

    add_runscript
 }
@@ -113,8 +121,8 @@ initrd shell):
   - default (and minimum value): 2 minutes
   - negative value to deactivate

-Each SSH server key ('dropbear_rsa_host_key', 'dropbear_dss_host_key' and
-'dropbear_ecdsa_host_key' in '/etc/dropbear' folder) is imported from OpenSSH
+Each SSH server key ('dropbear_rsa_host_key', 'dropbear_ecdsa_host_key' and
+'dropbear_ed25519_host_key' in '/etc/dropbear' folder) is imported from OpenSSH
 if present or generated if missing. Fingerprints are displayed upon building
 the initramfs image.
 EOF
Author	SHA1	Message	Date
Julien Coloos	b3e9382f08	Example to convert existing OpenSSH key to PEM format	2021-08-15 23:07:37 +02:00
Julien Coloos	8ebd239c7a	Include 'libgcc_s.so.1' for proper LUKS v2 support v0.8-1	2021-08-15 22:58:32 +02:00
Julien Coloos	bc04382857	Drop 'dsa' and add 'ed25519' private key support Update README: dropbearconvert requires OpenSSH keys in PEM format. Changed installation script to rely on variables, especially the list of handled private key types, to that it automatically packages expected private keys, instead of having to explicitely name/package them.	2020-07-14 16:22:54 +02:00