mirrors/archlinux-initrd-ssh-cryptsetup
1
0
Fork 0
mirror of https://github.com/suiryc/archlinux-initrd-ssh-cryptsetup.git synced 2025-07-27 22:23:52 +03:00
Code Issues Projects Releases Wiki Activity
Files
e47043f3a1960e894a862db57c2008eaf5c1d5b1
archlinux-initrd-ssh-crypts…/src/install/ssh-cryptsetup
Julien Coloos 724d6a6bf0 Handle optional ipconfig timeout 
Specify timeout for ipconfig so that we can still boot while network is done.
Otherwise ipconfig remains stuck (until IP can be configured). If not given
we default to 10s.

Minor code refactoring.

Moved configuration file from /etc/dropbear/initrd.env to /etc/initcpio/sshcs_env since
it now contains options for ipconfig and not only dropbear. Package installation script
move legacy file to new path if present.

v0.3-1
2015-11-22 18:54:57 +01:00

122 lines
4.1 KiB
Bash
Raw Blame History

#!/bin/bash
sshcs_check_nonempty() {
local filepath="$1"
[ -e "${filepath}" ] && grep -q -v '^\s*\(#\|$\)' "${filepath}"
}
sshcs_check_keys() {
local dropbear_keyfile
local openssh_keyfile
local fingerprint
for keytype in "${dropbear_key_types[@]}"; do
dropbear_keyfile=${dropbear_keyfile_prefix}${keytype}${dropbear_keyfile_suffix}
openssh_keyfile=${openssh_keyfile_prefix}${keytype}${openssh_keyfile_suffix}
# Prefer OpenSSH keys, or generate missing ones
if [ -e "${openssh_keyfile}" ]; then
#echo "Copying OpenSSH ${keytype} host key for dropbear ..."
dropbearconvert openssh dropbear "${openssh_keyfile}" "${dropbear_keyfile}" > /dev/null 2>&1
elif [ ! -e "${dropbear_keyfile}" ]; then
#echo "Generating ${keytype} host key for dropbear ..."
dropbearkey -t "${keytype}" -f "${dropbear_keyfile}" > /dev/null 2>&1
fi
fingerprint=$(dropbearkey -y -f "${dropbear_keyfile}" | sed -n '/^Fingerprint:/ {s/Fingerprint: *//; p}')
echo "$(basename "${dropbear_keyfile}") : ${fingerprint}"
done
}
build() {
local etc_crypttab="/etc/crypttab"
local dropbear_authorized_keys="/etc/dropbear/initrd.authorized_keys"
local sshcs_env="/etc/initcpio/sshcs_env"
local dropbear_key_types=( "dss" "rsa" "ecdsa" )
local dropbear_keyfile_prefix="/etc/dropbear/dropbear_"
local dropbear_keyfile_suffix="_host_key"
local openssh_keyfile_prefix="/etc/ssh/ssh_host_"
local openssh_keyfile_suffix="_key"
# Check we are needed
if ! sshcs_check_nonempty "${dropbear_authorized_keys}"; then
echo "There is no root key(s) in ${dropbear_authorized_keys}. Skipping."
return 0
fi
if ! sshcs_check_nonempty "${etc_crypttab}"; then
echo "There is no device in ${etc_crypttab}. Skipping."
return 0
fi
umask 0022
sshcs_check_keys
add_checked_modules "/drivers/net/"
add_module dm-crypt
# Note: crypto modules are necessary
if [ -n "${CRYPTO_MODULES}" ]; then
local mod
for mod in ${CRYPTO_MODULES}; do
add_module "${mod}"
done
else
add_all_modules "/crypto/"
fi
# Note: dmsetup is necessary for device mapper features
add_binary "cryptsetup"
add_binary "dmsetup"
add_binary "dropbear"
add_binary "ip"
add_binary "/usr/lib/initcpio/ipconfig" "/sbin/ipconfig"
# Our hook files
[ -e "${sshcs_env}" ] && add_file "${sshcs_env}"
# auth-related files
add_file "/lib/libnss_files.so"
# SSH-related files
add_file "${dropbear_authorized_keys}" "/root/.ssh/authorized_keys"
add_file "/etc/dropbear/dropbear_rsa_host_key"
add_file "/etc/dropbear/dropbear_dss_host_key"
add_file "/etc/dropbear/dropbear_ecdsa_host_key"
# cryptsetup-related files
add_file "${etc_crypttab}"
add_file "/usr/lib/udev/rules.d/10-dm.rules"
add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
add_runscript
}
help() {
cat <<EOF
This hook allows for LUKS encrypted devices to be unlocked either locally
(boot console) or remotely over SSH.
Network is configured with 'ip=' kernel parameter (see 'mkinitcpio-nfs-utils').
Authorized SSH key(s) must be present in '/etc/dropbear/initrd.authorized_keys'.
LUKS encrypted devices to unlock are derived from '/etc/crypttab', which must
be present.
Some options can be set in '/etc/initcpio/sshcs_env' (file is sourced in
initrd shell):
* 'sshcs_opt_timeout_ipconfig': time (s) to configure IP
- default: 10 seconds
* 'sshcs_opt_listen': listening port (22 by default)
* 'sshcs_opt_timeout_poweroff': time (s) to unlock devices before automatic
powering off
- default (and minimum value): 2 minutes
- negative value to deactivate
Each SSH server key ('dropbear_rsa_host_key', 'dropbear_dss_host_key' and
'dropbear_ecdsa_host_key' in '/etc/dropbear' folder) is imported from OpenSSH
if present or generated if missing. Fingerprints are displayed upon building
the initramfs image.
EOF
}
Reference in New Issue View Git Blame Copy Permalink