- If at least one key already exists in /etc/dropbear, use that directory without trying to copy OpenSSH keys or generate new ones.
- Add (optional) support for ed25519, ignoring failures in case the version of dropbear used by the hook does not support that type.
#!/bin/bash
#######################################
# Print the fingerprint of a dropbear host key.
# Arguments: $1 - path to a dropbear private host key
# Outputs:   the fingerprint reported by dropbearkey, without its
#            "Fingerprint:" label, on stdout
# Returns:   status of the sed stage (a dropbearkey failure is not
#            propagated by this pipeline)
#######################################
get_fingerprint() {
  local key=$1
  # dropbearkey -y prints the public key followed by a "Fingerprint: ..."
  # line; only that line is substituted, and only substituted lines print.
  dropbearkey -y -f "$key" | sed -n 's/^Fingerprint: *//p'
}
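#######################################
# Print "<key file name> : <fingerprint>" for every non-empty dropbear host
# key in the key directory.
# Arguments: $1 - key directory (optional, default /etc/dropbear)
# Outputs:   one line per existing rsa/ecdsa/ed25519 host key on stdout
# Returns:   0 (a missing key type is not an error)
#######################################
display_fingerprints() {
  local keydir=${1:-/etc/dropbear}
  local keyfile keytype

  for keytype in rsa ecdsa ed25519; do
    keyfile="${keydir}/dropbear_${keytype}_host_key"
    # -s: skip absent and empty key files
    if [ -s "${keyfile}" ]; then
      echo "${keyfile##*/} : $(get_fingerprint "${keyfile}")"
    fi
  done

  # Report success explicitly: the previous form returned the status of the
  # last "[ -s ] && echo" test, i.e. non-zero whenever the ed25519 key was
  # absent, which is a normal situation.
  return 0
}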
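#######################################
# Check whether at least one dropbear host key is already present, in which
# case neither OpenSSH key conversion nor key generation is needed.
# Arguments: $1 - key directory (optional, default /etc/dropbear)
# Returns:   0 if a non-empty rsa/ecdsa/ed25519 host key exists, 1 otherwise
#######################################
use_dropbear_keys() {
  local keydir=${1:-/etc/dropbear}
  local keytype

  for keytype in rsa ecdsa ed25519; do
    # -s: an empty key file does not count as a usable key
    [ -s "${keydir}/dropbear_${keytype}_host_key" ] && return 0
  done

  return 1
}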
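#######################################
# Convert the system's OpenSSH host keys into dropbear format.
# Arguments: $1 - dropbear key directory (optional, default /etc/dropbear)
#            $2 - OpenSSH key directory (optional, default /etc/ssh)
# Outputs:   diagnostics via the error/warning helpers (provided by the
#            hook environment, not defined in this file)
# Returns:   0 if at least one key was converted, 1 if no OpenSSH key was
#            found or an rsa/ecdsa conversion failed
#######################################
copy_openssh_keys() {
  local dbdir=${1:-/etc/dropbear}
  local sshdir=${2:-/etc/ssh}
  local osshkey dbkey keytype
  local return_code=1

  for keytype in rsa ecdsa ed25519; do
    osshkey="${sshdir}/ssh_host_${keytype}_key"
    dbkey="${dbdir}/dropbear_${keytype}_host_key"
    # -s: ignore absent and empty OpenSSH keys
    [ -s "${osshkey}" ] || continue

    if dropbearconvert openssh dropbear "${osshkey}" "${dbkey}"; then
      return_code=0
    elif [ "${keytype}" = "ed25519" ]; then
      # ed25519 is not supported by all dropbear versions; treat a failed
      # conversion like generate_keys does (warn, don't hard fail), instead
      # of aborting after rsa/ecdsa were already converted successfully.
      warning "failed to convert SSH key ${osshkey}"
    else
      error "failed to convert SSH key ${osshkey}"
      return 1
    fi
  done

  return $return_code
}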
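#######################################
# Generate any dropbear host key that is still missing.
# Arguments: $1 - key directory (optional, default /etc/dropbear)
# Outputs:   one "Generated ..." line per new key on stdout; diagnostics via
#            the warning/error helpers (provided by the hook environment,
#            not defined in this file)
# Returns:   0 on success (a failed ed25519 key is only a warning),
#            1 if an rsa or ecdsa key could not be generated
#######################################
generate_keys() {
  local keydir=${1:-/etc/dropbear}
  local keyfile keytype

  for keytype in rsa ecdsa ed25519; do
    keyfile="${keydir}/dropbear_${keytype}_host_key"
    # Never replace an existing, non-empty host key
    [ -s "${keyfile}" ] && continue

    if dropbearkey -t "${keytype}" -f "${keyfile}"; then
      echo "Generated ${keytype} host key for dropbear"
    elif [ "${keytype}" = "ed25519" ]; then
      # ed25519 key is not supported by all dropbear versions; don't hard fail
      warning "failed to generate ${keytype} host key for dropbear"
    else
      error "failed to generate ${keytype} host key for dropbear"
      return 1
    fi
  done

  # Explicit status: the loop's own status depended on the last iteration
  return 0
}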
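#######################################
# mkinitcpio build hook: install dropbear, its host keys and the authorized
# root key into the initramfs.
# Globals:   TMPDIR (set when empty), BUILDROOT (read; supplied by the hook
#            environment)
# Arguments: none
# Returns:   0 when there is nothing to do or on success,
#            1 when no dropbear host key could be provided
#######################################
build ()
{
  # Are we even needed? Without an authorized root key dropbear could not
  # accept any login, so the whole hook is skipped.
  if [ ! -r "/etc/dropbear/root_key" ] || [ ! -s "/etc/dropbear/root_key" ]; then
    echo "There is no root key in /etc/dropbear/root_key existent; exit"
    return 0
  fi

  # If TMPDIR is set leave it alone, otherwise set it.
  # NOTE(review): nothing in this file reads TMPDIR, and this is a fixed
  # name inside the world-writable /tmp: "mkdir -p" silently reuses a
  # directory (or symlink) of that name created earlier by someone else.
  # If the value is consumed elsewhere, a mktemp -d based path is safer.
  [ -z "$TMPDIR" ] && TMPDIR='/tmp/dropbear_initrd_encrypt'

  # Create TMPDIR if it does not exist yet
  [ -d "$TMPDIR" ] || mkdir -p "$TMPDIR"

  # Create the key directory when it is *missing* (the previous "&&" only
  # ran mkdir when the directory already existed, so key conversion and
  # generation had nowhere to write on a fresh system).
  [ -d /etc/dropbear ] || mkdir -p /etc/dropbear

  # Reuse existing dropbear keys, else convert the OpenSSH ones, else
  # generate fresh ones; without any host key dropbear cannot start, so
  # do not continue building an image that would be unusable.
  use_dropbear_keys || copy_openssh_keys || generate_keys || return 1
  display_fingerprints

  add_checked_modules "/drivers/net/"
  add_binary "rm"
  add_binary "killall"
  add_binary "dropbear"

  add_dir "/root/.ssh"
  cat /etc/dropbear/root_key > "${BUILDROOT}"/root/.ssh/authorized_keys

  # This copies the dropbear *private* host keys into the image; the
  # resulting initramfs should therefore not be readable by other users.
  add_full_dir "/etc/dropbear"
  add_file "/lib/libnss_files.so.2"
  add_dir "/var/run"
  add_dir "/var/log"
  touch "${BUILDROOT}"/var/log/lastlog

  add_runscript
}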
#######################################
# Print the hook's help text.
# Outputs:   the description on stdout
# Returns:   status of cat (0)
#######################################
help ()
{
  # Quoted delimiter: the text contains no expansions and is printed verbatim
  cat <<'HELPEOF'
This hook is meant to be used in conjunction with mkinitcpio-netconf and/or
mkinitcpio-ppp. It DOES NOT provide any default shell. It will only install
and start dropbear on early userspace. In the package mkinitcpio-utils you
will find hooks and shells for remote unlocking a luks root partition,
among others.
HELPEOF
}
# vim: softtabstop=2 shiftwidth=2 expandtab