aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2013-10-07 06:25:39 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 04:27:26 +0200
commit56c9372d22859203caf7dcabf271896ddf9e216c (patch)
tree0e09455878e5f84e02ec5e303b5f2286d5ffa81a
parenta64e8005a6bc0004c77a2baff8b28e3a0f031e8e (diff)
Factorization: Separate the logic from the text.
-rw-r--r--fripost-install.template23
-rwxr-xr-xpre-partman.sh24
-rwxr-xr-xsshfprs.sh20
3 files changed, 58 insertions, 9 deletions
diff --git a/fripost-install.template b/fripost-install.template
index 44b3418..6c10976 100644
--- a/fripost-install.template
+++ b/fripost-install.template
@@ -27,3 +27,26 @@ Description: Filling ${DISK} with ${SIZE} ${WHAT}
Template: fripost-install/full-disk-encryption-fill_progress_info
Type: text
Description: ${COMMAND}
+
+Template: fripost-install/full-disk-encryption-slurpkey_title
+Type: note
+Description: Waiting for passphrase
+
+Template: fripost-install/full-disk-encryption-slurpkey_text
+Type: text
+Description: Press 'continue' once you have sent the key
+ You now need to send the encryption key for LUKS/dm-crypt to
+ this special-purpose SSH server:
+ .
+ ssh -T -p 22 -l root ${IPv4} < /path/to/key
+ .
+ To defeat MiTM-attacks, please ensure that the server fingerprint matches
+ .
+ ${SSHFPR_SERVER}
+ .
+ Key(s) that are granted access have the following fingerprint:
+ .
+ ${SSHFPR_AUTHORIZED}
+ .
+ Note: This server is ephemeral, and will be replaced with a full-blown
+ one toward the end of the installation.
diff --git a/pre-partman.sh b/pre-partman.sh
index 79436ee..c0cebee 100755
--- a/pre-partman.sh
+++ b/pre-partman.sh
@@ -9,16 +9,18 @@
# Licensed under the GNU GPL version 3 or higher.
set -ue
+root=/cdrom
. /usr/share/debconf/confmodule
-debconf-loadtemplate fripost-install /cdrom/preseed/fripost-install.template
+debconf-loadtemplate fripost-install $root/preseed/fripost-install.template
db_input high fripost-install/full-disk-encryption || true
db_go
db_get fripost-install/full-disk-encryption
[ x"${RET:-true}" = x"false" ] && exit 0
+##############################################################################
# Crypto, disk and network modules, required to unlock the system from
# our initramfs.
# TODO: should probably be stored in debconf, since we'll need the
@@ -29,14 +31,19 @@ while read k rest; do /sbin/modinfo -F filename "$k"; done < /proc/modules \
anna-install cryptsetup-udeb
+
+##############################################################################
+# Slurp encryption key
+
db_input high fripost-install/full-disk-encryption-password || true
db_go
db_get fripost-install/full-disk-encryption-password
+keyfile=~root/root.key
if [ -n "$RET" ]; then
- touch ~root/root.key
- chmod 0644 ~root/root.key
- echo $RET >> ~root/root.key #TODO we don't want echo there
+ touch "$keyfile"
+ chmod 0644 "$keyfile"
+ echo $RET >> "$keyfile"
# TODO: remove passord from debconf
else
anna-install openssh-server-udeb
@@ -60,14 +67,13 @@ else
AllowUsers root
StrictModes yes
- ForceCommand /bin/sh -c 'umask 0077; cat > ~root/root.key'
+ #ForceCommand /bin/sh -c 'umask 0077; cat > $keyfile'
EOF
- # Populate the authorized keys. TODO: make something more generic
+ # Populate the authorized keys.
test -d ~root/.ssh || mkdir -m 0700 ~root/.ssh
- cat > ~root/.ssh/authorized_keys <<- EOF
- no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa ...
- EOF
+ sed 's/^/no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding /' \
+ $root/preseed/authorized_keys > ~root/.ssh/authorized_keys
chmod og-rwx ~root/.ssh/authorized_keys
# Start the SSH daemon
diff --git a/sshfprs.sh b/sshfprs.sh
new file mode 100755
index 0000000..83cebd9
--- /dev/null
+++ b/sshfprs.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# Like ssh-keygen -lf, but for a file such as authorized_keys, which
+# may contain multiple keys.
+#
+# Usage: sshfprs.sh file [prefix]
+
+set -ue
+
+file="$1"
+prefix="${2:-}"
+
+while read pk; do
+ # ssh-keygen can't read from STDIN, and ash doesn't have the '<<<'
+ # construct, so we save each pubkey in a temporary file
+ pkf=$(mktemp)
+ echo "$pk" > "$pkf"
+ echo "${prefix}$(ssh-keygen -lf $pkf)"
+ rm "$pkf"
+done < "$file"