diff options
-rw-r--r-- | fripost-install.template | 21 | ||||
-rwxr-xr-x | post-install-msg.sh | 4 | ||||
-rwxr-xr-x | pre-partman.sh | 136 | ||||
-rwxr-xr-x | slurpkey-msg.sh | 58 |
4 files changed, 128 insertions, 91 deletions
diff --git a/fripost-install.template b/fripost-install.template new file mode 100644 index 0000000..696d6e0 --- /dev/null +++ b/fripost-install.template @@ -0,0 +1,21 @@ +# Fripost's debconf configuration +# +# Copyright 2013 Guilhem Moulin <guilhem@fripost.org> +# +# Licensed under the GNU GPL version 3 or higher. + +Template: fripost-install/full-disk-encryption +Type: boolean +Default: true +Description: Should the system disk be fully encrypted? (Excluding /boot.) + +Template: fripost-install/full-disk-encryption-password +Type: password +Default: +Description: Password for full-disk encryption. + +Template: fripost-install/full-disk-encryption-fillrandom +Type: select +Default: badblocks +Choices: none, badblocks, urandom, random +Description: How to fill the disk with random data before encryption. diff --git a/post-install-msg.sh b/post-install-msg.sh index 8c5d5d7..8fecde4 100755 --- a/post-install-msg.sh +++ b/post-install-msg.sh @@ -25,11 +25,11 @@ template=$(mktemp) cat > "$template" <<EOF Template: post-install/title -Type: text +Type: note Description: Installation complete Template: post-install/text -Type: text +Type: note Description: Press 'continue' to reboot After the reboot, you will be able to log in to this new Debian GNU/Linux system: diff --git a/pre-partman.sh b/pre-partman.sh index ebb1d1e..0aa93bd 100755 --- a/pre-partman.sh +++ b/pre-partman.sh @@ -10,53 +10,127 @@ set -ue -# Crypto, disk and network modules, required to unlock the system from our initramfs +. /usr/share/debconf/confmodule + +debconf-loadtemplate fripost-install /cdrom/preseed/fripost-install.template + +db_input high fripost-install/full-disk-encryption || true +db_go +db_get fripost-install/full-disk-encryption +[ x"${RET:-true}" = x"false" ] && exit 0 + +# Crypto, disk and network modules, required to unlock the system from +# our initramfs. # TODO: should probably be stored in debconf, since we'll need the # modules in the target only while read k rest; do /sbin/modinfo -F filename "$k"; done < /proc/modules \ | sed -nr "s@^/lib/modules/`uname -r`/kernel/(arch|drivers/(ata|scsi))(/.*)?/([^/]+)\.ko\$@\4@p" \ > /tmp/initramfs-modules -anna-install cryptsetup-udeb openssh-server-udeb -mkdir -pm0755 /etc/ssh/ -ssh-keygen -b 4096 -t rsa -N '' -C /etc/ssh/ssh_host_rsa_key -f /etc/ssh/ssh_host_rsa_key +anna-install cryptsetup-udeb + +db_input high fripost-install/full-disk-encryption-password || true +db_go +db_get fripost-install/full-disk-encryption-password + +if [ -n "$RET" ]; then + touch ~root/root.key + chmod 0644 ~root/root.key + echo $RET >> ~root/root.key #TODO we don't want echo there + # TODO: remove passord from debconf +else + anna-install openssh-server-udeb + + mkdir -pm0755 /etc/ssh/ + sshHostKey=/etc/ssh/ssh_host_rsa_key + ssh-keygen -b 4096 -t rsa -N '' -C $sshHostKey -f $sshHostKey + + cat > /etc/ssh/sshd_config <<- EOF + Port 22 + Protocol 2 + HostKey $sshHostKey + UsePrivilegeSeparation no + + PasswordAuthentication no + ChallengeResponseAuthentication no + HostbasedAuthentication no + PubkeyAuthentication yes + + PermitRootLogin yes + AllowUsers root + StrictModes yes + + ForceCommand /bin/sh -c 'umask 0077; cat > ~root/root.key' + EOF + + # Populate the authorized keys. TODO: make something more generic + test -d ~root/.ssh || mkdir -m 0700 ~root/.ssh + cat > ~root/.ssh/authorized_keys <<- EOF + no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa ... + EOF + chmod og-rwx ~root/.ssh/authorized_keys -cat > /etc/ssh/sshd_config << EOF -Port 22 -Protocol 2 -HostKey /etc/ssh/ssh_host_rsa_key -UsePrivilegeSeparation no + # Start the SSH daemon + touch /var/log/lastlog + /usr/sbin/sshd -PasswordAuthentication no -ChallengeResponseAuthentication no -HostbasedAuthentication no -PubkeyAuthentication yes + # Tell the user we're ready + ipv4="$(ip addr show eth0 | sed -nr 's/^\s+inet\s([0-9.]{4,32}).*/\1/p')" + template=$(mktemp) -PermitRootLogin yes -AllowUsers root -StrictModes yes + cat > "$template" <<- EOF + Template: cryptsetup-ssh-slurpkey/title + Type: note + Description: Waiting for passphrase -ForceCommand /bin/sh -c 'umask 0077; cat > ~root/root.key' -EOF + Template: cryptsetup-ssh-slurpkey/text + Type: note + Description: Press 'continue' once you have sent the key + You now need to send the encryption key for LUKS/dm-crypt to + this special-purpose SSH server: + . + ssh -T -p 22 -l root $ipv4 < /path/to/key + . + To defeat MiTM-attacks, please ensure that the server fingerprint matches + . + $(ssh-keygen -lf $sshHostKey) + . + Key(s) that are granted access have the following fingerprint: + . + EOF + while read pk; do + # ssh-keygen can't read from STDIN, and ash doesn't have the '<<<' + # construct, so we save each pubkey in a temporary file + pkf=$(mktemp) + echo "$pk" > "$pkf" + echo " - $(ssh-keygen -lf $pkf)" >> "$template" + rm "$pkf" + done < ~root/.ssh/authorized_keys + cat >> $template <<- EOF + . + Note: This server is ephemeral, and will be replaced with a full-blown + one toward the end of the installation. + EOF -# Populate the authorized keys. TODO: make something more generic -test -d ~root/.ssh || mkdir -m 0700 ~root/.ssh -cat > ~root/.ssh/authorized_keys << EOF -no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa ... -EOF -chmod og-rwx ~root/.ssh/authorized_keys + debconf-loadtemplate cryptsetup-ssh-slurpkey "$template" + # Anything sent to the SSH is stored into ~root/root.key, which is our + # LUKS key. + until test -r ~root/root.key; do + db_settitle cryptsetup-ssh-slurpkey/title + db_input critical cryptsetup-ssh-slurpkey/text + db_go + done -# Start the SSH daemon -touch /var/log/lastlog -/usr/sbin/sshd + kill `cat /var/run/sshd.pid` || true +fi -# Tell the user we're ready -/cdrom/preseed/slurpkey-msg.sh -kill `cat /var/run/sshd.pid` || true +db_input high fripost-install/full-disk-encryption-fillrandom || true +db_go +db_get fripost-install/full-disk-encryption-fillrandom # Encrypt -## fill the disk with random crap +## fill the disk with random crap (TODO: progress) ## partition the disk ## format /boot to ext2 ## gptsync diff --git a/slurpkey-msg.sh b/slurpkey-msg.sh deleted file mode 100755 index 800e1e2..0000000 --- a/slurpkey-msg.sh +++ /dev/null @@ -1,58 +0,0 @@ -#! /bin/sh -# -# Tell the user that the machine is ready to slurp the key for full disk -# encryption. -# -# Copyright 2013 Guilhem Moulin <guilhem@fripost.org> -# -# Licensed under the GNU GPL version 3 or higher. - -set -ue - -. /usr/share/debconf/confmodule - -ipv4="$(ip addr show eth0 | sed -nr 's/^\s+inet\s([0-9.]{4,32}).*/\1/p')" -template=$(mktemp) - -cat > "$template" <<EOF -Template: ssh-cryptsetup/title -Type: text -Description: Waiting for passphrase - -Template: ssh-cryptsetup/text -Type: text -Description: Press 'continue' once you have sent the key - You now need to send the encryption key for LUKS/dm-crypt to - this special-purpose SSH server: - . - ssh -T -p 22 -l root $ipv4 < /path/to/key - . - To defeat MiTM-attacks, please ensure that the server fingerprint matches - . - $(ssh-keygen -lf /etc/ssh/ssh_host_rsa_key) - . - Key(s) that are granted access have the following fingerprint: - . -EOF -while read pk; do - # ssh-keygen can't read from STDIN, and ash doesn't have the '<<<' - # construct, so we save each pubkey in a temporary file - pkf=$(mktemp) - echo "$pk" > "$pkf" - echo " - $(ssh-keygen -lf $pkf)" >> "$template" - rm "$pkf" -done < ~root/.ssh/authorized_keys -cat >> $template <<EOF - . - Note: This server is ephemeral, and will be replaced with a full-blown - one toward the end of the installation. -EOF - -debconf-loadtemplate ssh-cryptsetup "$template" -# Anything sent to the SSH is stored into ~root/root.key, which is our -# LUKS key. -until test -r ~root/root.key; do - db_settitle ssh-cryptsetup/title - db_input critical ssh-cryptsetup/text - db_go -done |