1 files changed, 60 insertions, 0 deletions

diff --git a/post-install-msg.sh b/post-install-msg.sh
new file mode 100755
index 0000000..8c5d5d7
--- /dev/null
+++ b/post-install-msg.sh
@@ -0,0 +1,60 @@
+#! /bin/sh
+#
+# Tell the user that the machine is ready to slurp the key for full disk
+# encryption.
+#
+# Copyright 2013 Guilhem Moulin <guilhem@fripost.org>
+#
+# Licensed under the GNU GPL version 3 or higher.
+
+set -ue
+
+cd /target/etc/
+
+chroot /target/ service ssh start; sleep 1
+sed -i 's/^DenyUsers \*$/AllowGroups ssh/' ./ssh/sshd_config
+
+# Busybox's sed doesn't support address '0,/../'
+user="$(sed -rn 's/^([^:]*):[^:]*:1000:.*/\1/p' ./passwd)"
+home="/target/$(sed -rn 's/^[^:]*:[^:]*:1000:[^:]*:[^:]*:([^:]*):.*/\1/p' ./passwd)"
+
+. /usr/share/debconf/confmodule
+
+ipv4="$(ip addr show eth0 | sed -nr 's/^\s+inet\s([0-9.]{4,32}).*/\1/p')"
+template=$(mktemp)
+
+cat > "$template" <<EOF
+Template: post-install/title
+Type: text
+Description: Installation complete
+
+Template: post-install/text
+Type: text
+Description: Press 'continue' to reboot
+ After the reboot, you will be able to log in to this new Debian GNU/Linux
+ system:
+ .
+     ssh -p 22 -l $user $ipv4
+ .
+ To defeat MiTM-attacks, please ensure that the server fingerprint matches
+ .
+     $(ssh-keygen -lf ./ssh/ssh_host_rsa_key)
+ .
+ Key(s) that are currently granted access have the following fingerprint:
+ .
+EOF
+while read pk; do
+	# ssh-keygen can't read from STDIN, and ash doesn't have the '<<<'
+	# construct, so we save each pubkey in a temporary file
+	pkf=$(mktemp)
+	echo "$pk" > "$pkf"
+	echo "   - $(ssh-keygen -lf $pkf)" >> "$template"
+	rm "$pkf"
+done < "$home/.ssh/authorized_keys"
+# TODO: key granted access to the initramfs
+# TODO: copy the previous keys?
+
+debconf-loadtemplate post-install "$template"
+db_settitle post-install/title
+db_input critical post-install/text
+db_go