mirror of
https://github.com/suiryc/archlinux-initrd-ssh-cryptsetup.git
synced 2025-12-16 01:28:57 +03:00
Compare commits
5 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
3449995d4a | ||
|
|
c3cafcf6cd | ||
|
|
b3e9382f08 | ||
|
|
8ebd239c7a | ||
|
|
bc04382857 |
32
ChangeLog
32
ChangeLog
@@ -1,8 +1,40 @@
|
||||
2021-11-12 Julien Coloos <julien.coloos [at] gmail [dot] com>
|
||||
|
||||
* v0.10-1
|
||||
Option to use login shell instead of cryptsetup script
|
||||
Re-enable Wake-on-LAN on network device
|
||||
|
||||
|
||||
2021-11-12 Julien Coloos <julien.coloos [at] gmail [dot] com>
|
||||
|
||||
* v0.9-2
|
||||
Use SHA256 checksums instead of MD5
|
||||
|
||||
|
||||
2021-10-24 Julien Coloos <julien.coloos [at] gmail [dot] com>
|
||||
|
||||
* v0.9-1
|
||||
Try to print network devices information when interface setup fails
|
||||
|
||||
|
||||
2021-08-15 Julien Coloos <julien.coloos [at] gmail [dot] com>
|
||||
|
||||
* v0.8-1
|
||||
Include 'libgcc_s.so.1' which is necessary for (at least) proper LUKS v2 handling
|
||||
|
||||
|
||||
2020-07-14 Julien Coloos <julien.coloos [at] gmail [dot] com>
|
||||
|
||||
* v0.7-1
|
||||
Dropped 'dsa' private key support; added 'ed25519' private key support
|
||||
|
||||
|
||||
2018-03-13 Julien Coloos <julien.coloos [at] gmail [dot] com>
|
||||
|
||||
* v0.6-1
|
||||
Dropped '-m' option when calling dropbear (latest ArchLinux version does not handle it)
|
||||
|
||||
|
||||
2017-06-25 Julien Coloos <julien.coloos [at] gmail [dot] com>
|
||||
|
||||
* v0.5-1
|
||||
|
||||
8
PKGBUILD
8
PKGBUILD
@@ -1,17 +1,17 @@
|
||||
# Maintainer: Julien Coloos <julien.coloos [at] gmail [dot] com>
|
||||
pkgname=initrd-ssh-cryptsetup
|
||||
pkgver=0.6
|
||||
pkgver=0.10
|
||||
pkgrel=1
|
||||
pkgdesc="Allows for LUKS-encrypted devices to be unlocked remotely over SSH"
|
||||
arch=('any')
|
||||
url="https://github.com/suiryc/archlinux-$pkgname"
|
||||
license=('GPL3')
|
||||
depends=('dropbear' 'cryptsetup' 'mkinitcpio-nfs-utils' 'iproute2')
|
||||
depends=('dropbear' 'cryptsetup' 'mkinitcpio-nfs-utils' 'iproute2' 'ethtool')
|
||||
install=$pkgname.install
|
||||
changelog='ChangeLog'
|
||||
source=("http://julien.coloos.free.fr/archlinux/$pkgname-$pkgver.tar.xz" "$pkgname.install")
|
||||
md5sums=('3fa8f5dd00a85b32025d01e5701e1407'
|
||||
'ac60109d80e7bb2af0d66e69aaf178a6')
|
||||
sha256sums=('c3fa91fc8ba2228b3492d3709231918c8015cc3da49f516c3eacea5c0217536c'
|
||||
'b84978b3c2ef32208c2b104ee2d3ce8aaec26da0bd4e9e1c83942f373bbf6285')
|
||||
|
||||
package() {
|
||||
install -Dm644 "$srcdir/src/install/ssh-cryptsetup" "$pkgdir/usr/lib/initcpio/install/ssh-cryptsetup"
|
||||
|
||||
14
README.md
14
README.md
@@ -16,7 +16,13 @@ Either a new key can be generated with `dropbearkey`, e.g.:
|
||||
Or an existing OpenSSH key can be converted with `dropbearconvert` (useful so that the server fingerprint is the same with both), e.g.:
|
||||
|
||||
dropbearconvert openssh dropbear /etc/ssh/ssh_host_ecdsa_key /etc/dropbear/dropbear_ecdsa_host_key
|
||||
Note: `rsa` and `dss` (`dsa` in OpenSSH) types are also handled.
|
||||
Notes:
|
||||
* `rsa` and `ed25519` types are also handled
|
||||
* OpenSSH keys must be in `PEM` format for `dropbearconvert` to properly work
|
||||
|
||||
If necessary an existing key file can be converted to `PEM` format using `ssh-keygen`:
|
||||
|
||||
ssh-keygen -A -p -m PEM -f /etc/ssh/ssh_host_ecdsa_key
|
||||
|
||||
|
||||
## Configuration
|
||||
@@ -24,6 +30,7 @@ As explained upon installation, the following things need to be done:
|
||||
* add the authorized SSH public key to `/etc/dropbear/initrd.authorized_keys`
|
||||
* add the `ip=` kernel command parameter to the bootloader configuration (see https://wiki.archlinux.org/index.php/Mkinitcpio#Using_net)
|
||||
- e.g. with `grub`: add `ip=:::::eth0:dhcp` to `GRUB_CMDLINE_LINUX_DEFAULT` in `/etc/default/grub`, and re-generate the configuration with `grub-mkconfig -o /boot/grub/grub.cfg`
|
||||
- also see https://git.kernel.org/pub/scm/libs/klibc/klibc.git/tree/usr/kinit/ipconfig/README.ipconfig
|
||||
* in the `HOOKS` section of `/etc/mkinitcpio.conf`, add `ssh-cryptsetup` before `filesystems`; then rebuild the initramfs: `mkinitcpio -p linux`
|
||||
- when using a non-standard keyboard layout, it is also useful to add the `keymap` hook before `ssh-cryptsetup`, and also move `keyboard` before `keymap`
|
||||
|
||||
@@ -52,10 +59,11 @@ For example:
|
||||
## Building notes
|
||||
1. Modify the sources (features in `src`, and/or package building files)
|
||||
2. If `src` was modified
|
||||
* archive the `src` folder in `$pkgname-$pkgver.tar.xz` file; e.g.: `tar -cJf initrd-ssh-cryptsetup-0.4.tar.xz src`
|
||||
* archive the `src` folder in `$pkgname-$pkgver.tar.xz` file; e.g.: `tar -cJf initrd-ssh-cryptsetup-0.9.tar.xz src`
|
||||
* upload the archive on the online repository (pointed by `PKGBUILD`)
|
||||
3. Update ChangeLog
|
||||
4. Update `PKGBUILD`
|
||||
* bump `pkgver` if `src` was modified, or `pkgrel` if building files were modified
|
||||
* refresh `md5sums` if necessary (based on `md5sum initrd-ssh-cryptsetup-*.tar.xz initrd-ssh-cryptsetup.install` output)
|
||||
* refresh `sha256sums` with `updpkgsums` if necessary
|
||||
- or manually, based on `sha256sum initrd-ssh-cryptsetup-*.tar.xz initrd-ssh-cryptsetup.install` output
|
||||
5. Delete generated archive file if any
|
||||
|
||||
@@ -8,12 +8,14 @@ sshcs_env_load() {
|
||||
local debug_default=0
|
||||
local timeout_ipconfig_default=10
|
||||
local timeout_poweroff_min=120
|
||||
local use_shell_default=0
|
||||
|
||||
[ -e "${sshcs_env}" ] && . "${sshcs_env}"
|
||||
[ -z "${sshcs_opt_debug}" ] && sshcs_opt_debug=${debug_default}
|
||||
[ -z "${sshcs_opt_timeout_ipconfig}" ] && sshcs_opt_timeout_ipconfig=${timeout_ipconfig_default}
|
||||
[ -n "${sshcs_opt_listen}" ] && sshcs_opt_listen="-p ${sshcs_opt_listen}"
|
||||
[ -z "${sshcs_opt_timeout_poweroff}" ] && sshcs_opt_timeout_poweroff=${timeout_poweroff_min}
|
||||
[ -z "${sshcs_opt_use_shell}" ] && sshcs_opt_use_shell=${use_shell_default}
|
||||
[ ${sshcs_opt_timeout_poweroff} -ge 0 ] && [ ${sshcs_opt_timeout_poweroff} -lt ${timeout_poweroff_min} ] && sshcs_opt_timeout_poweroff=${timeout_poweroff_min}
|
||||
}
|
||||
|
||||
@@ -40,9 +42,12 @@ sshcs_net_start() {
|
||||
|
||||
echo ""
|
||||
echo "Configuring IP (timeout = ${sshcs_opt_timeout_ipconfig}s) ..."
|
||||
# ipconfig manual: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/tree/usr/kinit/ipconfig/README.ipconfig
|
||||
ipconfig_out=$(ipconfig -t "${sshcs_opt_timeout_ipconfig}" "ip=${ip}")
|
||||
if [ $? -ne 0 ]; then
|
||||
err "IP configuration timeout!"
|
||||
echo "Devices probing:"
|
||||
ipconfig -n -t 5 -c none all
|
||||
return 1
|
||||
fi
|
||||
|
||||
@@ -131,11 +136,15 @@ sshcs_dropbear_unlock() {
|
||||
fi
|
||||
|
||||
# /etc/passwd file for the root user
|
||||
echo "root:x:0:0:root:/root:${dropbear_login_shell}" > "/etc/passwd"
|
||||
echo "${dropbear_login_shell}" > "/etc/shells"
|
||||
if [ ${sshcs_opt_use_shell} -eq 0 ]; then
|
||||
echo "root:x:0:0:root:/root:${dropbear_cryptsetup_shell}" > "/etc/passwd"
|
||||
echo "${dropbear_cryptsetup_shell}" > "/etc/shells"
|
||||
else
|
||||
echo "root:x:0:0:root:/root:/usr/bin/ash" > "/etc/passwd"
|
||||
fi
|
||||
|
||||
# root login script
|
||||
cat <<EOF > "${dropbear_login_shell}"
|
||||
cat <<EOF > "${dropbear_cryptsetup_shell}"
|
||||
#!/usr/bin/ash
|
||||
|
||||
. "/init_functions"
|
||||
@@ -157,7 +166,7 @@ else
|
||||
fi
|
||||
echo ""
|
||||
EOF
|
||||
chmod a+x "${dropbear_login_shell}"
|
||||
chmod a+x "${dropbear_cryptsetup_shell}"
|
||||
|
||||
[ ! -d "/var/log" ] && mkdir -p "/var/log"
|
||||
touch "/var/log/lastlog"
|
||||
@@ -174,7 +183,7 @@ EOF
|
||||
kill $(cat "${path_dropbear_pid}")
|
||||
rm -f "${path_dropbear_pid}"
|
||||
fi
|
||||
rm -f "${sshcs_cryptsetup_script}" "${dropbear_login_shell}" "/etc/passwd" "/etc/shells" "/var/log/lastlog"
|
||||
rm -f "${sshcs_cryptsetup_script}" "${dropbear_cryptsetup_shell}" "/etc/passwd" "/etc/shells" "/var/log/lastlog"
|
||||
|
||||
# cleanup /dev/pts if necessary
|
||||
if [ ${dev_pts_mounted} -ne 0 ]; then
|
||||
@@ -254,7 +263,7 @@ run_hook() {
|
||||
local etc_crypttab="/etc/crypttab"
|
||||
local sshcs_env="/etc/initcpio/sshcs_env"
|
||||
local path_dropbear_pid="/.dropbear.pid"
|
||||
local dropbear_login_shell="/.cryptsetup_shell.sh"
|
||||
local dropbear_cryptsetup_shell="/.cryptsetup_shell.sh"
|
||||
local sshcs_cryptsetup_script="/.cryptsetup_script.sh"
|
||||
local net_env="/.net_env.sh"
|
||||
local line iparg net_address net_device ipconfig_out net_netmask net_gateway net_dns0 net_dns1
|
||||
@@ -306,3 +315,4 @@ run_hook() {
|
||||
# stop the network before going on in boot sequence
|
||||
sshcs_net_done
|
||||
}
|
||||
|
||||
|
||||
@@ -32,7 +32,7 @@ build() {
|
||||
local etc_crypttab="/etc/crypttab"
|
||||
local dropbear_authorized_keys="/etc/dropbear/initrd.authorized_keys"
|
||||
local sshcs_env="/etc/initcpio/sshcs_env"
|
||||
local dropbear_key_types=( "dss" "rsa" "ecdsa" )
|
||||
local dropbear_key_types=( "rsa" "ecdsa" "ed25519" )
|
||||
local dropbear_keyfile_prefix="/etc/dropbear/dropbear_"
|
||||
local dropbear_keyfile_suffix="_host_key"
|
||||
local openssh_keyfile_prefix="/etc/ssh/ssh_host_"
|
||||
@@ -53,6 +53,9 @@ build() {
|
||||
sshcs_check_keys
|
||||
|
||||
add_checked_modules "/drivers/net/"
|
||||
# Note: parts of this script (modules/binaries added) are the same than the
|
||||
# 'encrypt' install script (/usr/lib/initcpio/install/encrypt) which is the
|
||||
# nominal one to deal with encrypted volumes at boot time.
|
||||
add_module dm-crypt
|
||||
# Note: crypto modules are necessary
|
||||
if [ -n "${CRYPTO_MODULES}" ]; then
|
||||
@@ -69,7 +72,8 @@ build() {
|
||||
add_binary "dmsetup"
|
||||
add_binary "dropbear"
|
||||
add_binary "ip"
|
||||
add_binary "/usr/lib/initcpio/ipconfig" "/sbin/ipconfig"
|
||||
add_binary "/usr/lib/initcpio/ipconfig" "/bin/ipconfig"
|
||||
add_binary "ethtool"
|
||||
|
||||
# Our hook files
|
||||
[ -e "${sshcs_env}" ] && add_file "${sshcs_env}"
|
||||
@@ -79,9 +83,9 @@ build() {
|
||||
|
||||
# SSH-related files
|
||||
add_file "${dropbear_authorized_keys}" "/root/.ssh/authorized_keys"
|
||||
add_file "/etc/dropbear/dropbear_rsa_host_key"
|
||||
add_file "/etc/dropbear/dropbear_dss_host_key"
|
||||
add_file "/etc/dropbear/dropbear_ecdsa_host_key"
|
||||
for keytype in "${dropbear_key_types[@]}"; do
|
||||
add_file "${dropbear_keyfile_prefix}${keytype}${dropbear_keyfile_suffix}"
|
||||
done
|
||||
|
||||
# cryptsetup-related files
|
||||
add_file "${etc_crypttab}"
|
||||
@@ -90,6 +94,11 @@ build() {
|
||||
add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
|
||||
add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
|
||||
|
||||
# At least with LUKS v2 volumes, cryptsetup calls pthread_cancel(), which
|
||||
# dlopen()s libgcc_s.so.1.
|
||||
# See the nominal 'encrypt' module, and similar/related bug reports (e.g.
|
||||
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950254).
|
||||
add_binary "/usr/lib/libgcc_s.so.1"
|
||||
|
||||
add_runscript
|
||||
}
|
||||
@@ -113,9 +122,10 @@ initrd shell):
|
||||
- default (and minimum value): 2 minutes
|
||||
- negative value to deactivate
|
||||
|
||||
Each SSH server key ('dropbear_rsa_host_key', 'dropbear_dss_host_key' and
|
||||
'dropbear_ecdsa_host_key' in '/etc/dropbear' folder) is imported from OpenSSH
|
||||
Each SSH server key ('dropbear_rsa_host_key', 'dropbear_ecdsa_host_key' and
|
||||
'dropbear_ed25519_host_key' in '/etc/dropbear' folder) is imported from OpenSSH
|
||||
if present or generated if missing. Fingerprints are displayed upon building
|
||||
the initramfs image.
|
||||
EOF
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user