dropbear_install
#!/bin/bash
#######################################
# Print the fingerprint that dropbearkey reports for a host key.
# Arguments: $1 - path to a dropbear private key file
# Outputs:   the text following "Fingerprint:" on stdout, one line per match
# Returns:   status of the awk stage; without pipefail a failing dropbearkey
#            still yields 0, so callers only see empty output
#######################################
get_fingerprint() {
  local key_path="$1"
  dropbearkey -y -f "${key_path}" \
    | awk '/^Fingerprint:/ { sub(/^Fingerprint: */, ""); print }'
}
#######################################
# Print "<file> : <fingerprint>" for both dropbear host keys.
# Globals:   none
# Arguments: none
# Outputs:   one line per key on stdout (keys already printed stay printed
#            even when a later one is unreadable)
# Returns:   1 as soon as a key file is not readable, 0 otherwise
# NOTE(review): ssh-dss is disabled by default in current OpenSSH clients and
# newer dropbear builds may lack DSS support; confirm on the target version.
#######################################
display_fingerprints() {
  local key_path
  for key_path in "/etc/dropbear/dropbear_dss_host_key" "/etc/dropbear/dropbear_rsa_host_key"; do
    [ -r "${key_path}" ] || return 1
    printf '%s : %s\n' "${key_path##*/}" "$(get_fingerprint "${key_path}")"
  done
}
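#######################################
# Convert the OpenSSH RSA and DSA host keys into dropbear format.
# Globals:   none
# Arguments: none
# Outputs:   whatever dropbearconvert prints
# Returns:   1 if either OpenSSH key is missing or a conversion fails
#            (previously only the last conversion's status was reported, so
#            a failed RSA conversion was silently masked by a good DSA one),
#            0 when both keys were converted
#######################################
copy_openssh_keys() {
  local osshrsa="/etc/ssh/ssh_host_rsa_key"
  local osshdsa="/etc/ssh/ssh_host_dsa_key"
  local dbpre="/etc/dropbear/dropbear_"
  [ -f "$osshrsa" ] && [ -f "$osshdsa" ] || return 1
  dropbearconvert openssh dropbear "$osshrsa" "${dbpre}rsa_host_key" || return 1
  dropbearconvert openssh dropbear "$osshdsa" "${dbpre}dss_host_key" || return 1
}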
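#######################################
# Generate fresh dropbear DSS and RSA host keys.
# Globals:   none
# Arguments: none
# Outputs:   a progress line per key on stdout; failures on stderr
# Returns:   0 if every key was generated, 1 if any dropbearkey call failed
#            (all key types are still attempted so one failure does not
#            prevent the other key from being created)
#######################################
generate_keys() {
  local key_path key_type rc=0
  for key_type in dss rsa; do
    key_path="/etc/dropbear/dropbear_${key_type}_host_key"
    echo "Generating ${key_type} host key for dropbear ..."
    if ! dropbearkey -t "${key_type}" -f "${key_path}"; then
      printf 'Failed to generate %s host key (%s)\n' "${key_type}" "${key_path}" >&2
      rc=1
    fi
  done
  return "${rc}"
}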
#######################################
# Write a one-entry passwd file for the initramfs root account.
# Globals:   TMPDIR (read) - scratch directory the file is written into
# Arguments: none
# Outputs:   writes ${TMPDIR}/passwd; root's home is "/" and its login shell
#            is /bin/cryptsetup_shell. No shadow file is created by this hook,
#            so presumably only key-based SSH login can succeed — confirm.
# Returns:   status of the redirection/printf
#######################################
make_etc_passwd() {
  local entry='root:x:0:0:root:/:/bin/cryptsetup_shell'
  printf '%s\n' "${entry}" > "${TMPDIR}/passwd"
}
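#######################################
# mkinitcpio build hook: put dropbear, a root account and the
# cryptsetup_shell login shell into the initramfs so the LUKS passphrase
# can be supplied over SSH.
# Globals:   TMPDIR (read; when unset a private mktemp directory is created
#            and removed again at the end)
# Arguments: none
# Outputs:   progress/diagnostic messages on stdout
# Returns:   0 when there is nothing to do or on success; 1 if the scratch
#            directory cannot be created
#######################################
build() {
  local own_tmpdir=0

  # Are we even needed?
  if [ ! -e "/etc/dropbear/root_key" ]; then
    echo "There is no root key in /etc/dropbear/root_key existent; exit"
    return 0
  fi

  # If TMPDIR is set leave it alone, otherwise create a private scratch
  # directory. The former fixed /tmp/dropbear_initrd_encrypt path could be
  # pre-created by any local user, and a planted passwd file there would
  # have been trusted by the reuse check below and copied into the initramfs.
  if [ -z "${TMPDIR:-}" ]; then
    TMPDIR=$(mktemp -d) || return 1
    own_tmpdir=1
  elif [ ! -d "${TMPDIR}" ]; then
    mkdir -p "${TMPDIR}" || return 1
  fi

  umask 0022
  # The original `[ -d … ] && mkdir -p …` only ran mkdir when the directory
  # already existed; the intent is to create it when it is missing.
  [ -d /etc/dropbear ] || mkdir -p /etc/dropbear
  display_fingerprints || copy_openssh_keys || generate_keys

  # Reuse an existing passwd only if it already carries a root entry; it is
  # taken as-is and becomes /etc/passwd inside the initramfs.
  if [ ! -e "${TMPDIR}/passwd" ] || ! grep -q -e '^root:' "${TMPDIR}/passwd"; then
    make_etc_passwd
  fi

  add_checked_modules "/drivers/net/"
  add_binary "rm"
  add_binary "dropbear"
  add_binary "killall"

  # Login shell for root inside the initramfs. The quoted delimiter keeps the
  # content literal, so the backticks no longer need escaping. The script
  # evals the contents of /.cryptdev, /.cryptname and /.cryptargs; those are
  # presumably written by the companion encryptssh hook — confirm, since
  # anything in them is re-parsed as shell.
  cat <<'SCRIPTEOF' > "${TMPDIR}/cryptsetup_shell"
#!/bin/sh
#if [ -f "/.cryptloop" ]; then
# modprobe loop
# losetup -o `cat /.cryptloop | cut -d: -f1` --sizelimit `cat /.cryptloop | cut -d: -f2` `cat /.cryptloop | cut -d: -f3` `cat /.cryptloop | cut -d: -f4`
#fi
if [ -c "/dev/mapper/control" ]; then
if eval /sbin/cryptsetup luksOpen `cat /.cryptdev` `cat /.cryptname` `cat /.cryptargs` ; then
echo > /.done
killall cryptsetup
fi
else
echo "encryption bootup not succeeded. please wait!"
fi
SCRIPTEOF
  chmod a+x "${TMPDIR}/cryptsetup_shell"
  add_file "${TMPDIR}/cryptsetup_shell" "/bin/cryptsetup_shell"
  echo '/bin/cryptsetup_shell' > "${TMPDIR}/shells"
  add_file "${TMPDIR}/shells" "/etc/shells"

  # root_key is copied verbatim as root's authorized_keys (root's home is "/"),
  # so it must already be in authorized_keys format.
  cat /etc/dropbear/root_key > "${TMPDIR}/authorized_keys"
  add_dir "/.ssh"
  add_file "${TMPDIR}/authorized_keys" "/.ssh/authorized_keys"
  add_file "${TMPDIR}/passwd" "/etc/passwd"
  add_dir "/etc/dropbear"
  add_file "/etc/dropbear/dropbear_rsa_host_key"
  add_file "/etc/dropbear/dropbear_dss_host_key"
  add_file "/lib/libnss_files.so.2"
  add_binary "ip" "/sbin/ip"
  add_dir "/var/run"
  touch "${TMPDIR}/lastlog"
  add_dir "/var/log"
  add_file "${TMPDIR}/lastlog" "/var/log/lastlog"
  add_binary "/usr/lib/initcpio/ipconfig" "/bin/ipconfig"

  # cleanup: drop the whole scratch directory if this hook created it,
  # otherwise only the files it wrote into the caller-supplied TMPDIR
  if [ "${own_tmpdir}" -eq 1 ]; then
    rm -rf -- "${TMPDIR:?}"
  else
    rm -f -- "${TMPDIR}/cryptsetup_shell" "${TMPDIR}/shells" \
      "${TMPDIR}/authorized_keys" "${TMPDIR}/passwd" "${TMPDIR}/lastlog"
  fi
  add_runscript
}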
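#######################################
# Print the hook's help text (shown by mkinitcpio -H).
# Arguments: none
# Outputs:   usage text on stdout; the companion hook name was misspelled
#            "encrypthssh" in the first line and now matches the second line
# Returns:   status of cat
#######################################
help() {
  cat <<'HELPEOF'
This hook should always be used in combination with the "encryptssh" hook.
Add this hook before the "encryptssh", though. Together they allow to enter
a password for a LUKS encrypted root device either via SSH or locally.
HELPEOF
}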