mkinitcpio-dropbear/dropbear_install
Will Owens 786bedb245 Add a suggestion to convert keyfiles to PEM format
This commit adds additional output to the following Error
message informing the user they need to convert their existing
ssh_host key files to PEM format.

```
Error: Unsupported OpenSSH key type
Error reading key from '/etc/ssh/ssh_host_rsa_key'
Error: Unsupported OpenSSH key type
Error reading key from '/etc/ssh/ssh_host_ecdsa_key'
```

I found the suggestion to convert the existing keys to PEM format in
an issue[1] for systemd-tool, and I have turned it into an echo statement
that runs when converting the keys fails during mkinitcpio with the
dropbear hook enabled.

Also this change stops swallowing this error. The new behavior is,
if dropbear convert was unable to convert any existing `ssh_host`
key files then `generate_keys` will be run. This prevents an initramfs
being generated without any host keyfiles. This is the same behavior
that occurs when NO existing `ssh_host` keyfiles exist.

[1] https://github.com/random-archer/mkinitcpio-systemd-tool/issues/83
2021-09-26 16:15:32 -04:00


#!/bin/bash
get_fingerprint() {
  # Print the fingerprint that "dropbearkey -y" reports for the given key
  # file, with the leading "Fingerprint:" label and padding removed.
  # Output is empty when no such line appears (e.g. the key cannot be read).
  local key_path=$1
  dropbearkey -y -f "${key_path}" \
    | sed -n 's/^Fingerprint: *//p'
}
display_fingerprints() {
  # Print "<key file name> : <fingerprint>" for each dropbear host key that
  # exists and is non-empty; keys that are absent or empty are skipped.
  local key_path key_name
  for key_path in /etc/dropbear/dropbear_rsa_host_key /etc/dropbear/dropbear_ecdsa_host_key; do
    [ -s "${key_path}" ] || continue
    key_name=${key_path##*/}
    printf '%s : %s\n' "${key_name}" "$(get_fingerprint "${key_path}")"
  done
}
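copy_openssh_keys() {
  # Convert the existing OpenSSH host keys (rsa, ecdsa) into dropbear format.
  #
  # Arguments:
  #   $1 - directory holding the ssh_host_<type>_key files (default: /etc/ssh)
  #   $2 - path prefix for the dropbear keys (default: /etc/dropbear/dropbear_);
  #        the converted key is written to "<prefix><type>_host_key"
  # Outputs: on a failed conversion, a hint that dropbearconvert needs PEM
  #          input, with the ssh-keygen command that rewrites that key in place
  # Returns: 0 if at least one key was converted, 1 if none was (no OpenSSH
  #          key present, or every conversion failed). Note that a partial
  #          failure still returns 0, so a caller written as
  #          "copy_openssh_keys || generate_keys" will not generate the key
  #          whose conversion failed.
  local ssh_dir="${1:-/etc/ssh}"
  local dbpre="${2:-/etc/dropbear/dropbear_}"
  local keytype ossh_key
  local return_code=1
  for keytype in rsa ecdsa; do
    ossh_key="${ssh_dir}/ssh_host_${keytype}_key"
    # -s: keys that are absent or empty are skipped, not treated as errors
    [ -s "${ossh_key}" ] || continue
    if dropbearconvert openssh dropbear "${ossh_key}" "${dbpre}${keytype}_host_key"; then
      return_code=0
    else
      echo "dropbearconvert needs host keys in PEM format"
      echo "To convert existing host key use: \"ssh-keygen -p -m PEM -f ${ossh_key}\""
    fi
  done
  return "${return_code}"
}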
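generate_keys() {
  # Create any dropbear host key (rsa, ecdsa) that does not exist yet.
  #
  # Arguments:
  #   $1 - path prefix for the dropbear keys (default: /etc/dropbear/dropbear_);
  #        each key is written to "<prefix><type>_host_key"
  # Outputs: one progress line per key that is generated
  # Returns: 0 if every missing key was generated, 1 if dropbearkey failed for
  #          at least one of them (the remaining key types are still attempted)
  local dbpre="${1:-/etc/dropbear/dropbear_}"
  local keyfile keytype
  local rc=0
  for keytype in rsa ecdsa; do
    keyfile="${dbpre}${keytype}_host_key"
    # An existing non-empty key is kept, so converted keys are never clobbered.
    [ -s "${keyfile}" ] && continue
    echo "Generating ${keytype} host key for dropbear ..."
    dropbearkey -t "${keytype}" -f "${keyfile}" || rc=1
  done
  return "${rc}"
}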
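build() {
  # mkinitcpio build hook: install dropbear, its host keys and the root
  # authorized key into the image.
  #
  # Globals:  TMPDIR (set to a default if empty), BUILDROOT (the image root,
  #           provided by mkinitcpio)
  # Outputs:  progress and diagnostics on stdout
  # Returns:  0; the hook is a no-op when /etc/dropbear/root_key is missing
  #
  # Are we even needed? Without an authorized key nobody could log in, so the
  # whole hook is skipped.
  if [[ ! -r /etc/dropbear/root_key || ! -s /etc/dropbear/root_key ]]; then
    echo "There is no root key in /etc/dropbear/root_key existent; exit"
    return 0
  fi
  # if TMPDIR is set leave it alone otherwise set
  # NOTE(review): the fallback is a fixed, predictable path under /tmp and
  # nothing in this file reads TMPDIR afterwards — confirm it is still needed
  # and, if so, prefer a mktemp -d directory.
  [[ -z "${TMPDIR}" ]] && TMPDIR='/tmp/dropbear_initrd_encrypt'
  # check if TMPDIR exists, if not make it
  [[ -d "${TMPDIR}" ]] || mkdir -p -- "${TMPDIR}"
  # NOTE(review): this umask applies to everything created below, including
  # the key files written by dropbearconvert/dropbearkey unless those tools
  # set a tighter mode themselves — confirm the resulting modes of
  # /etc/dropbear/*_host_key.
  umask 0022
  # The key tools write into /etc/dropbear, so it has to exist first. The
  # original test was inverted (mkdir only ran when the directory already
  # existed).
  [[ -d /etc/dropbear ]] || mkdir -p /etc/dropbear
  # Convert the OpenSSH host keys; when none could be converted, generate
  # dropbear's own keys so the image never ships without a host key.
  copy_openssh_keys || generate_keys
  display_fingerprints
  add_checked_modules "/drivers/net/"
  add_binary "rm"
  add_binary "killall"
  add_binary "dropbear"
  add_dir "/root/.ssh"
  cat /etc/dropbear/root_key > "${BUILDROOT}"/root/.ssh/authorized_keys
  # NOTE(review): this copies the dropbear host private keys into the image;
  # the permissions of the generated initramfs file then decide who can read
  # them.
  add_full_dir "/etc/dropbear"
  add_file "/lib/libnss_files.so.2"
  add_dir "/var/run"
  add_dir "/var/log"
  touch "${BUILDROOT}"/var/log/lastlog
  add_runscript
}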
help() {
  # Usage text for this hook. The quoted delimiter keeps the body literal;
  # the text contains nothing that would expand anyway.
  cat <<'HELPEOF'
This hook is meant to be used in conjunction with mkinitcpio-netconf and/or
mkinitcpio-ppp. It DOES NOT provide any default shell. It will only install
and start dropbear on early userspace. In the package mkinitcpio-utils you
will find hooks and shells for remote unlocking a luks root partition,
among others.
HELPEOF
}