* Initial release.
This commit is contained in:
parent
d944b72807
commit
80bc0c0479
2 changed files with 163 additions and 0 deletions
22
dropbear_hook
Normal file
22
dropbear_hook
Normal file
|
@ -0,0 +1,22 @@
|
|||
#!/usr/bin/ash
|
||||
|
||||
run_hook ()
|
||||
{
|
||||
[ -d /dev/pts ] || mkdir -p /dev/pts
|
||||
mount -t devpts devpts /dev/pts
|
||||
|
||||
echo "Starting dropbear"
|
||||
/usr/sbin/dropbear -E -s -j -k
|
||||
}
|
||||
|
||||
run_cleanuphook ()
|
||||
{
|
||||
umount /dev/pts
|
||||
rm -R /dev/pts
|
||||
if [ -f -f /var/run/dropbear.pid ]; then
|
||||
kill `cat /var/run/dropbear.pid`
|
||||
fi
|
||||
. /ip_opts
|
||||
/sbin/ip addr flush dev "$device"
|
||||
/sbin/ip link set down "$device"
|
||||
}
|
141
dropbear_install
Normal file
141
dropbear_install
Normal file
|
@ -0,0 +1,141 @@
|
|||
#!/bin/bash
|
||||
|
||||
get_fingerprint() {
|
||||
local keyfile="$1"
|
||||
dropbearkey -y -f "${keyfile}" | sed -n '/^Fingerprint:/ {s/Fingerprint: *//; p}'
|
||||
}
|
||||
|
||||
display_fingerprints() {
|
||||
local keyfile
|
||||
|
||||
for keyfile in "/etc/dropbear/dropbear_rsa_host_key" "/etc/dropbear/dropbear_dss_host_key" "/etc/dropbear/dropbear_ecdsa_host_key" ; do
|
||||
if [ -s "${keyfile}" ] ; then
|
||||
echo "$(basename "${keyfile}") : $(get_fingerprint "${keyfile}")"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
copy_openssh_keys() {
|
||||
local osshrsa="/etc/ssh/ssh_host_rsa_key"
|
||||
local osshdsa="/etc/ssh/ssh_host_dsa_key"
|
||||
local osshecdsa="/etc/ssh/ssh_host_ecdsa_key"
|
||||
|
||||
local dbpre="/etc/dropbear/dropbear_"
|
||||
|
||||
local return_code=1
|
||||
|
||||
if [ -s "$osshrsa" ]; then
|
||||
dropbearconvert openssh dropbear $osshrsa ${dbpre}rsa_host_key
|
||||
return_code=0
|
||||
fi
|
||||
|
||||
if [ -s "$osshdsa" ]; then
|
||||
dropbearconvert openssh dropbear $osshdsa ${dbpre}dss_host_key
|
||||
return_code=0
|
||||
fi
|
||||
|
||||
if [ -s "$osshecdsa" ]; then
|
||||
dropbearconvert openssh dropbear $osshecdsa ${dbpre}ecdsa_host_key
|
||||
return_code=0
|
||||
fi
|
||||
|
||||
return $return_code
|
||||
}
|
||||
|
||||
generate_keys() {
|
||||
local keyfile keytype
|
||||
for keytype in rsa dss ecdsa ; do
|
||||
keyfile="/etc/dropbear/dropbear_${keytype}_host_key"
|
||||
if [ ! -s "$keyfile" ]; then
|
||||
echo "Generating ${keytype} host key for dropbear ..."
|
||||
dropbearkey -t "${keytype}" -f "${keyfile}"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
make_etc_passwd() {
|
||||
echo 'root:x:0:0:root:/:/bin/cryptsetup_shell' > "${TMPDIR}"/passwd
|
||||
}
|
||||
|
||||
build ()
|
||||
{
|
||||
#
|
||||
# Begin real processing
|
||||
#
|
||||
|
||||
# Are we even needed?
|
||||
if [ ! -r "/etc/dropbear/root_key" -o ! -s "/etc/dropbear/root_key" ]; then
|
||||
echo "There is no root key in /etc/dropbear/root_key existent; exit"
|
||||
return 0
|
||||
fi
|
||||
|
||||
# if TMPDIR is set leave it alone otherwise set
|
||||
[ -z $TMPDIR ] && TMPDIR='/tmp/dropbear_initrd_encrypt'
|
||||
|
||||
# check if TMPDIR exsists if not make it
|
||||
[ -d $TMPDIR ] || mkdir -p $TMPDIR
|
||||
|
||||
umask 0022
|
||||
|
||||
[ -d /etc/dropbear ] && mkdir -p /etc/dropbear
|
||||
|
||||
copy_openssh_keys || generate_keys
|
||||
display_fingerprints
|
||||
|
||||
[ -e "${TMPDIR}/passwd" ] && ( grep -q -e '^root:' "${TMPDIR}/passwd" ) || make_etc_passwd
|
||||
|
||||
add_checked_modules "/drivers/net/"
|
||||
add_binary "rm"
|
||||
add_binary "dropbear"
|
||||
|
||||
cat <<SCRIPTEOF > ${TMPDIR}/cryptsetup_shell
|
||||
#!/bin/sh
|
||||
if [ -c "/dev/mapper/control" ]; then
|
||||
if eval /sbin/cryptsetup luksOpen \`cat /.cryptdev\` \`cat /.cryptname\` \`cat /.cryptargs\` ; then
|
||||
echo > /.done
|
||||
killall cryptsetup
|
||||
fi
|
||||
else
|
||||
echo "encryption bootup not succeeded. please wait!"
|
||||
fi
|
||||
SCRIPTEOF
|
||||
|
||||
chmod a+x ${TMPDIR}/cryptsetup_shell
|
||||
|
||||
add_file "${TMPDIR}/cryptsetup_shell" "/bin/cryptsetup_shell"
|
||||
|
||||
echo '/bin/cryptsetup_shell' > "${TMPDIR}"/shells
|
||||
add_file "${TMPDIR}/shells" "/etc/shells"
|
||||
|
||||
cat /etc/dropbear/root_key > "${TMPDIR}"/authorized_keys
|
||||
|
||||
add_dir "/.ssh"
|
||||
add_file "${TMPDIR}/authorized_keys" "/.ssh/authorized_keys"
|
||||
add_file "${TMPDIR}/passwd" "/etc/passwd"
|
||||
add_full_dir "/etc/dropbear"
|
||||
add_file "/lib/libnss_files.so.2"
|
||||
add_dir "/var/run"
|
||||
|
||||
touch "${TMPDIR}"/lastlog
|
||||
add_dir "/var/log"
|
||||
add_file "${TMPDIR}/lastlog" "/var/log/lastlog"
|
||||
|
||||
# cleanup
|
||||
rm "${TMPDIR}/cryptsetup_shell"
|
||||
rm "${TMPDIR}/shells"
|
||||
rm "${TMPDIR}/authorized_keys"
|
||||
rm "${TMPDIR}/passwd"
|
||||
rm "${TMPDIR}/lastlog"
|
||||
|
||||
add_runscript
|
||||
|
||||
}
|
||||
|
||||
help ()
|
||||
{
|
||||
cat<<HELPEOF
|
||||
This hook should always be used in combination with the "encrypthssh" hook.
|
||||
Add this hook before the "encryptssh", though. Together they allow to enter
|
||||
a password for a LUKS encrypted root device either via SSH or locally.
|
||||
HELPEOF
|
||||
}
|
Loading…
Reference in a new issue