-rw-r--r--fripost-install.template21
-rwxr-xr-xpost-install-msg.sh4
-rwxr-xr-xpre-partman.sh136
-rwxr-xr-xslurpkey-msg.sh58
4 files changed, 128 insertions, 91 deletions
diff --git a/fripost-install.template b/fripost-install.template
new file mode 100644
index 0000000..696d6e0
--- /dev/null
+++ b/fripost-install.template
@@ -0,0 +1,21 @@
+# Fripost's debconf configuration
+#
+# Copyright 2013 Guilhem Moulin <guilhem@fripost.org>
+#
+# Licensed under the GNU GPL version 3 or higher.
+
+Template: fripost-install/full-disk-encryption
+Type: boolean
+Default: true
+Description: Should the system disk be fully encrypted? (Excluding /boot.)
+
+Template: fripost-install/full-disk-encryption-password
+Type: password
+Default:
+Description: Password for full-disk encryption.
+
+Template: fripost-install/full-disk-encryption-fillrandom
+Type: select
+Default: badblocks
+Choices: none, badblocks, urandom, random
+Description: How to fill the disk with random data before encryption.
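Review bot: The description of `fripost-install/full-disk-encryption-password` does not say that an empty answer is meaningful. In pre-partman.sh an empty `$RET` skips the password path and starts the key-receiving SSH server instead, which a user who presses Enter by accident would not expect. I would word it as `Description: Password for full-disk encryption (leave empty to send a key over SSH instead).`. The fillrandom template would also benefit from an extended description saying what each of `none, badblocks, urandom, random` does, since the short description gives no basis for choosing between them.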
diff --git a/post-install-msg.sh b/post-install-msg.sh
index 8c5d5d7..8fecde4 100755
--- a/post-install-msg.sh
+++ b/post-install-msg.sh
@@ -25,11 +25,11 @@ template=$(mktemp)
cat > "$template" <<EOF
Template: post-install/title
-Type: text
+Type: note
Description: Installation complete
Template: post-install/text
-Type: text
+Type: note
Description: Press 'continue' to reboot
After the reboot, you will be able to log in to this new Debian GNU/Linux
system:
diff --git a/pre-partman.sh b/pre-partman.sh
index ebb1d1e..0aa93bd 100755
--- a/pre-partman.sh
+++ b/pre-partman.sh
@@ -10,53 +10,127 @@
set -ue
-# Crypto, disk and network modules, required to unlock the system from our initramfs
+. /usr/share/debconf/confmodule
+
+debconf-loadtemplate fripost-install /cdrom/preseed/fripost-install.template
+
+db_input high fripost-install/full-disk-encryption || true
+db_go
+db_get fripost-install/full-disk-encryption
+[ x"${RET:-true}" = x"false" ] && exit 0
+
+# Crypto, disk and network modules, required to unlock the system from
+# our initramfs.
# TODO: should probably be stored in debconf, since we'll need the
# modules in the target only
while read k rest; do /sbin/modinfo -F filename "$k"; done < /proc/modules \
| sed -nr "s@^/lib/modules/`uname -r`/kernel/(arch|drivers/(ata|scsi))(/.*)?/([^/]+)\.ko\$@\4@p" \
> /tmp/initramfs-modules
-anna-install cryptsetup-udeb openssh-server-udeb
-mkdir -pm0755 /etc/ssh/
-ssh-keygen -b 4096 -t rsa -N '' -C /etc/ssh/ssh_host_rsa_key -f /etc/ssh/ssh_host_rsa_key
+anna-install cryptsetup-udeb
+
+db_input high fripost-install/full-disk-encryption-password || true
+db_go
+db_get fripost-install/full-disk-encryption-password
+
+if [ -n "$RET" ]; then
+ touch ~root/root.key
+ chmod 0644 ~root/root.key
+ echo $RET >> ~root/root.key #TODO we don't want echo there
+ # TODO: remove passord from debconf
+else
+ anna-install openssh-server-udeb
+
+ mkdir -pm0755 /etc/ssh/
+ sshHostKey=/etc/ssh/ssh_host_rsa_key
+ ssh-keygen -b 4096 -t rsa -N '' -C $sshHostKey -f $sshHostKey
+
+ cat > /etc/ssh/sshd_config <<- EOF
+ Port 22
+ Protocol 2
+ HostKey $sshHostKey
+ UsePrivilegeSeparation no
+
+ PasswordAuthentication no
+ ChallengeResponseAuthentication no
+ HostbasedAuthentication no
+ PubkeyAuthentication yes
+
+ PermitRootLogin yes
+ AllowUsers root
+ StrictModes yes
+
+ ForceCommand /bin/sh -c 'umask 0077; cat > ~root/root.key'
+ EOF
+
+ # Populate the authorized keys. TODO: make something more generic
+ test -d ~root/.ssh || mkdir -m 0700 ~root/.ssh
+ cat > ~root/.ssh/authorized_keys <<- EOF
+ no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa ...
+ EOF
+ chmod og-rwx ~root/.ssh/authorized_keys
-cat > /etc/ssh/sshd_config << EOF
-Port 22
-Protocol 2
-HostKey /etc/ssh/ssh_host_rsa_key
-UsePrivilegeSeparation no
+ # Start the SSH daemon
+ touch /var/log/lastlog
+ /usr/sbin/sshd
-PasswordAuthentication no
-ChallengeResponseAuthentication no
-HostbasedAuthentication no
-PubkeyAuthentication yes
+ # Tell the user we're ready
+ ipv4="$(ip addr show eth0 | sed -nr 's/^\s+inet\s([0-9.]{4,32}).*/\1/p')"
+ template=$(mktemp)
-PermitRootLogin yes
-AllowUsers root
-StrictModes yes
+ cat > "$template" <<- EOF
+ Template: cryptsetup-ssh-slurpkey/title
+ Type: note
+ Description: Waiting for passphrase
-ForceCommand /bin/sh -c 'umask 0077; cat > ~root/root.key'
-EOF
+ Template: cryptsetup-ssh-slurpkey/text
+ Type: note
+ Description: Press 'continue' once you have sent the key
+ You now need to send the encryption key for LUKS/dm-crypt to
+ this special-purpose SSH server:
+ .
+ ssh -T -p 22 -l root $ipv4 < /path/to/key
+ .
+ To defeat MiTM-attacks, please ensure that the server fingerprint matches
+ .
+ $(ssh-keygen -lf $sshHostKey)
+ .
+ Key(s) that are granted access have the following fingerprint:
+ .
+ EOF
+ while read pk; do
+ # ssh-keygen can't read from STDIN, and ash doesn't have the '<<<'
+ # construct, so we save each pubkey in a temporary file
+ pkf=$(mktemp)
+ echo "$pk" > "$pkf"
+ echo " - $(ssh-keygen -lf $pkf)" >> "$template"
+ rm "$pkf"
+ done < ~root/.ssh/authorized_keys
+ cat >> $template <<- EOF
+ .
+ Note: This server is ephemeral, and will be replaced with a full-blown
+ one toward the end of the installation.
+ EOF
-# Populate the authorized keys. TODO: make something more generic
-test -d ~root/.ssh || mkdir -m 0700 ~root/.ssh
-cat > ~root/.ssh/authorized_keys << EOF
-no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa ...
-EOF
-chmod og-rwx ~root/.ssh/authorized_keys
+ debconf-loadtemplate cryptsetup-ssh-slurpkey "$template"
+ # Anything sent to the SSH is stored into ~root/root.key, which is our
+ # LUKS key.
+ until test -r ~root/root.key; do
+ db_settitle cryptsetup-ssh-slurpkey/title
+ db_input critical cryptsetup-ssh-slurpkey/text
+ db_go
+ done
-# Start the SSH daemon
-touch /var/log/lastlog
-/usr/sbin/sshd
+ kill `cat /var/run/sshd.pid` || true
+fi
-# Tell the user we're ready
-/cdrom/preseed/slurpkey-msg.sh
-kill `cat /var/run/sshd.pid` || true
+db_input high fripost-install/full-disk-encryption-fillrandom || true
+db_go
+db_get fripost-install/full-disk-encryption-fillrandom
# Encrypt
-## fill the disk with random crap
+## fill the disk with random crap (TODO: progress)
## partition the disk
## format /boot to ext2
## gptsync
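Review bot: The password branch stores the LUKS passphrase in `~root/root.key` with `chmod 0644` and an unquoted `echo $RET >>`, whereas the SSH branch's ForceCommand writes the same file under `umask 0077`. The unquoted expansion collapses whitespace and expands glob characters, a value such as `-n` is taken as an echo option, and echo appends a newline, so the stored key can differ from what was typed. Whether the newline matters depends on how the file is consumed later, which is outside this hunk. I would replace the touch/chmod/echo lines with `( umask 0077; printf '%s' "$RET" > ~root/root.key )`, assuming printf is available in the installer shell. For the TODO below it, the stored answer can be cleared right after the write with `db_set fripost-install/full-disk-encryption-password ''`.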
diff --git a/slurpkey-msg.sh b/slurpkey-msg.sh
deleted file mode 100755
index 800e1e2..0000000
--- a/slurpkey-msg.sh
+++ /dev/null
@@ -1,58 +0,0 @@
-#! /bin/sh
-#
-# Tell the user that the machine is ready to slurp the key for full disk
-# encryption.
-#
-# Copyright 2013 Guilhem Moulin <guilhem@fripost.org>
-#
-# Licensed under the GNU GPL version 3 or higher.
-
-set -ue
-
-. /usr/share/debconf/confmodule
-
-ipv4="$(ip addr show eth0 | sed -nr 's/^\s+inet\s([0-9.]{4,32}).*/\1/p')"
-template=$(mktemp)
-
-cat > "$template" <<EOF
-Template: ssh-cryptsetup/title
-Type: text
-Description: Waiting for passphrase
-
-Template: ssh-cryptsetup/text
-Type: text
-Description: Press 'continue' once you have sent the key
- You now need to send the encryption key for LUKS/dm-crypt to
- this special-purpose SSH server:
- .
- ssh -T -p 22 -l root $ipv4 < /path/to/key
- .
- To defeat MiTM-attacks, please ensure that the server fingerprint matches
- .
- $(ssh-keygen -lf /etc/ssh/ssh_host_rsa_key)
- .
- Key(s) that are granted access have the following fingerprint:
- .
-EOF
-while read pk; do
- # ssh-keygen can't read from STDIN, and ash doesn't have the '<<<'
- # construct, so we save each pubkey in a temporary file
- pkf=$(mktemp)
- echo "$pk" > "$pkf"
- echo " - $(ssh-keygen -lf $pkf)" >> "$template"
- rm "$pkf"
-done < ~root/.ssh/authorized_keys
-cat >> $template <<EOF
- .
- Note: This server is ephemeral, and will be replaced with a full-blown
- one toward the end of the installation.
-EOF
-
-debconf-loadtemplate ssh-cryptsetup "$template"
-# Anything sent to the SSH is stored into ~root/root.key, which is our
-# LUKS key.
-until test -r ~root/root.key; do
- db_settitle ssh-cryptsetup/title
- db_input critical ssh-cryptsetup/text
- db_go
-done