diff options
| -rw-r--r-- | fripost-install.template | 23 | ||||
| -rwxr-xr-x | pre-partman.sh | 24 | ||||
| -rwxr-xr-x | sshfprs.sh | 20 |
3 files changed, 58 insertions, 9 deletions
diff --git a/fripost-install.template b/fripost-install.template index 44b3418..6c10976 100644 --- a/fripost-install.template +++ b/fripost-install.template @@ -27,3 +27,26 @@ Description: Filling ${DISK} with ${SIZE} ${WHAT} Template: fripost-install/full-disk-encryption-fill_progress_info Type: text Description: ${COMMAND} + +Template: fripost-install/full-disk-encryption-slurpkey_title +Type: note +Description: Waiting for passphrase + +Template: fripost-install/full-disk-encryption-slurpkey_text +Type: text +Description: Press 'continue' once you have sent the key + You now need to send the encryption key for LUKS/dm-crypt to + this special-purpose SSH server: + . + ssh -T -p 22 -l root ${IPv4} < /path/to/key + . + To defeat MiTM-attacks, please ensure that the server fingerprint matches + . + ${SSHFPR_SERVER} + . + Key(s) that are granted access have the following fingerprint: + . + ${SSHFPR_AUTHORIZED} + . + Note: This server is ephemeral, and will be replaced with a full-blown + one toward the end of the installation. diff --git a/pre-partman.sh b/pre-partman.sh index 79436ee..c0cebee 100755 --- a/pre-partman.sh +++ b/pre-partman.sh @@ -9,16 +9,18 @@ # Licensed under the GNU GPL version 3 or higher. set -ue +root=/cdrom . /usr/share/debconf/confmodule -debconf-loadtemplate fripost-install /cdrom/preseed/fripost-install.template +debconf-loadtemplate fripost-install $root/preseed/fripost-install.template db_input high fripost-install/full-disk-encryption || true db_go db_get fripost-install/full-disk-encryption [ x"${RET:-true}" = x"false" ] && exit 0 +############################################################################## # Crypto, disk and network modules, required to unlock the system from # our initramfs. # TODO: should probably be stored in debconf, since we'll need the @@ -29,14 +31,19 @@ while read k rest; do /sbin/modinfo -F filename "$k"; done < /proc/modules \ anna-install cryptsetup-udeb + +############################################################################## +# Slurp encryption key + db_input high fripost-install/full-disk-encryption-password || true db_go db_get fripost-install/full-disk-encryption-password +keyfile=~root/root.key if [ -n "$RET" ]; then - touch ~root/root.key - chmod 0644 ~root/root.key - echo $RET >> ~root/root.key #TODO we don't want echo there + touch "$keyfile" + chmod 0644 "$keyfile" + echo $RET >> "$keyfile" # TODO: remove passord from debconf else anna-install openssh-server-udeb @@ -60,14 +67,13 @@ else AllowUsers root StrictModes yes - ForceCommand /bin/sh -c 'umask 0077; cat > ~root/root.key' + #ForceCommand /bin/sh -c 'umask 0077; cat > $keyfile' EOF - # Populate the authorized keys. TODO: make something more generic + # Populate the authorized keys. test -d ~root/.ssh || mkdir -m 0700 ~root/.ssh - cat > ~root/.ssh/authorized_keys <<- EOF - no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa ... - EOF + sed 's/^/no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding /' \ + $root/preseed/authorized_keys > ~root/.ssh/authorized_keys chmod og-rwx ~root/.ssh/authorized_keys # Start the SSH daemon diff --git a/sshfprs.sh b/sshfprs.sh new file mode 100755 index 0000000..83cebd9 --- /dev/null +++ b/sshfprs.sh @@ -0,0 +1,20 @@ +#!/bin/sh + +# Like ssh-keygen -lf, but for a file such as authorized_keys, which +# may contain multiple keys. +# +# Usage: sshfprs.sh file [prefix] + +set -ue + +file="$1" +prefix="${2:-}" + +while read pk; do + # ssh-keygen can't read from STDIN, and ash doesn't have the '<<<' + # construct, so we save each pubkey in a temporary file + pkf=$(mktemp) + echo "$pk" > "$pkf" + echo "${prefix}$(ssh-keygen -lf $pkf)" + rm "$pkf" +done < "$file" |