mkinitcpio-dropbear/dropbear_install
Andrew J. Hesford 48e496ae61 Improve dropbear key detection and creation
- If at least one key already exists in /etc/dropbear, use that
  directory without trying to copy OpenSSH keys or generate new ones

- Add (optional) support for ed25519, ignoring failures in case the
  version of dropbear used by the hook does not support that type
2022-01-23 19:28:20 -05:00


#!/bin/bash
get_fingerprint() {
  # Print the fingerprint that `dropbearkey -y` reports for the private key
  # at $1, with the leading "Fingerprint: " label removed. Only the
  # fingerprint line is emitted; the public key portion is discarded.
  local key_path=$1
  dropbearkey -y -f "${key_path}" \
    | sed -n 's/^Fingerprint: *//p'
}
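display_fingerprints() {
  # Print "<key file name> : <fingerprint>" for each non-empty dropbear host
  # key (rsa, ecdsa, ed25519) found in the key directory.
  # Arguments: $1 - key directory (optional, default /etc/dropbear)
  # Returns:   0 always (the original returned the status of the last
  #            `[ -s ]` test, i.e. 1 whenever the ed25519 key was absent)
  local keydir=${1:-/etc/dropbear}
  local keyfile keytype
  for keytype in rsa ecdsa ed25519; do
    keyfile="${keydir}/dropbear_${keytype}_host_key"
    [ -s "${keyfile}" ] || continue
    printf '%s : %s\n' "${keyfile##*/}" "$(get_fingerprint "${keyfile}")"
  done
  return 0
}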
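use_dropbear_keys() {
  # Succeed when at least one non-empty dropbear host key (rsa, ecdsa or
  # ed25519) already exists, so the caller can skip conversion/generation.
  # Arguments: $1 - key directory (optional, default /etc/dropbear)
  # Returns:   0 if a key is present, 1 otherwise
  local keydir=${1:-/etc/dropbear}
  local keytype
  for keytype in rsa ecdsa ed25519; do
    if [ -s "${keydir}/dropbear_${keytype}_host_key" ]; then
      return 0
    fi
  done
  return 1
}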
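copy_openssh_keys() {
  # Convert every non-empty OpenSSH host key (rsa, ecdsa, ed25519) into a
  # dropbear host key with dropbearconvert.
  # Arguments: $1 - OpenSSH key directory (optional, default /etc/ssh)
  #            $2 - dropbear key directory (optional, default /etc/dropbear)
  # Returns:   0 if at least one key was converted; 1 if no source key was
  #            found, or if a conversion failed (reported via `error`). The
  #            first failure aborts; keys converted before it stay in place.
  # NOTE(review): if a failed dropbearconvert leaves a partial, non-empty
  # output file behind, a later `[ -s ]` check would treat it as a valid
  # key — confirm dropbearconvert's behaviour on failure.
  local sshdir=${1:-/etc/ssh}
  local keydir=${2:-/etc/dropbear}
  local osshkey dbkey keytype
  local converted=1
  for keytype in rsa ecdsa ed25519; do
    osshkey="${sshdir}/ssh_host_${keytype}_key"
    dbkey="${keydir}/dropbear_${keytype}_host_key"
    [ -s "${osshkey}" ] || continue
    if ! dropbearconvert openssh dropbear "${osshkey}" "${dbkey}"; then
      error "failed to convert SSH key ${osshkey}"
      return 1
    fi
    converted=0
  done
  return "${converted}"
}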
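generate_keys() {
  # Generate any missing dropbear host keys with dropbearkey; existing
  # non-empty keys are left untouched.
  # Arguments: $1 - dropbear key directory (optional, default /etc/dropbear)
  # Returns:   1 (after `error`) if an rsa or ecdsa key could not be
  #            generated; 0 otherwise. A failed ed25519 key only warns.
  local keydir=${1:-/etc/dropbear}
  local keyfile keytype
  for keytype in rsa ecdsa ed25519; do
    keyfile="${keydir}/dropbear_${keytype}_host_key"
    [ -s "${keyfile}" ] && continue
    if dropbearkey -t "${keytype}" -f "${keyfile}"; then
      echo "Generated ${keytype} host key for dropbear"
    elif [ "${keytype}" = "ed25519" ]; then
      # ed25519 key is not supported by all dropbear versions; don't hard fail
      warning "failed to generate $keytype host key for dropbear"
    else
      error "failed to generate ${keytype} host key for dropbear"
      return 1
    fi
  done
  return 0
}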
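build ()
{
  # mkinitcpio build hook: stage dropbear, its host keys and the root
  # authorized key into the image. Relies on the helpers mkinitcpio provides
  # to hooks (add_*, add_runscript, error/warning) and on BUILDROOT.

  # Are we even needed? Without a root public key nobody could log in, so
  # there is no point installing dropbear into the image.
  if [ ! -r "/etc/dropbear/root_key" ] || [ ! -s "/etc/dropbear/root_key" ]; then
    echo "There is no root key in /etc/dropbear/root_key existent; exit"
    return 0
  fi

  # if TMPDIR is set leave it alone otherwise set. Nothing in this function
  # reads TMPDIR afterwards; it is kept for whatever else inherits it
  # (TODO confirm whether anything still depends on this default).
  [ -z "$TMPDIR" ] && TMPDIR='/tmp/dropbear_initrd_encrypt'
  # check if TMPDIR exists if not make it
  [ -d "$TMPDIR" ] || mkdir -p "$TMPDIR"

  # mkdir -p is a no-op when the directory exists. The previous
  # `[ -d /etc/dropbear ] && mkdir -p /etc/dropbear` had the test inverted
  # and never created a missing /etc/dropbear.
  mkdir -p /etc/dropbear

  # Prefer keys already in /etc/dropbear, then converted OpenSSH host keys,
  # then freshly generated ones. A hard failure in generate_keys means no
  # usable host key could be produced, so stop rather than build an image
  # without one.
  use_dropbear_keys || copy_openssh_keys || generate_keys || return 1
  display_fingerprints

  add_checked_modules "/drivers/net/"
  add_binary "rm"
  add_binary "killall"
  add_binary "dropbear"
  add_dir "/root/.ssh"
  cat /etc/dropbear/root_key > "${BUILDROOT}"/root/.ssh/authorized_keys
  # NOTE(review): this copies the private host keys into the image; the
  # resulting initramfs file must not be readable by unprivileged users.
  add_full_dir "/etc/dropbear"
  add_file "/lib/libnss_files.so.2"
  add_dir "/var/run"
  add_dir "/var/log"
  touch "${BUILDROOT}"/var/log/lastlog
  add_runscript
}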
help ()
{
  # Help text mkinitcpio prints for this hook. The text contains nothing to
  # expand, so the delimiter is quoted to keep it literal.
  cat <<'HELPEOF'
This hook is meant to be used in conjunction with mkinitcpio-netconf and/or
mkinitcpio-ppp. It DOES NOT provide any default shell. It will only install
and start dropbear on early userspace. In the package mkinitcpio-utils you
will find hooks and shells for remote unlocking a luks root partition,
among others.
HELPEOF
}
# vim: softtabstop=2 shiftwidth=2 expandtab