diff options
Diffstat (limited to 'pre-partman.sh')
-rwxr-xr-x | pre-partman.sh | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/pre-partman.sh b/pre-partman.sh new file mode 100755 index 0000000..dd3cde9 --- /dev/null +++ b/pre-partman.sh @@ -0,0 +1,68 @@ +#!/bin/sh +# +# Set up a SSH daemon, the sole purpose of which is to slurp the key for +# full disk encryption, so that it doesn't have to be manually entered +# to the installer. +# +# Copyright 2013 Guilhem Moulin <guilhem@fripost.org> +# +# Licensed under the GNU GPL version 3 or higher. + +set -ue + +# Crypto, disk and network modules, required to unlock the system from our initramfs +# TODO: should probably be stored in debconf, since we'll need the +# modules in the target only +while read k rest; do /sbin/modinfo -F filename "$k"; done < /proc/modules \ +| sed -nr "s@^/lib/modules/`uname -r`/kernel/(arch|drivers/(ata|scsi))(/.*)?/([^/]+)\.ko\$@\4@p" \ +> /tmp/initramfs-modules + +anna-install cryptsetup-udeb openssh-server-udeb +mkdir -pm0755 /etc/ssh/ +ssh-keygen -b 4096 -t rsa -N '' -C /etc/ssh/ssh_host_rsa_key -f /etc/ssh/ssh_host_rsa_key + +cat > /etc/ssh/sshd_config << EOF +Port 22 +Protocol 2 +HostKey /etc/ssh/ssh_host_rsa_key +UsePrivilegeSeparation no + +PasswordAuthentication no +ChallengeResponseAuthentication no +HostbasedAuthentication no +PubkeyAuthentication yes + +PermitRootLogin yes +AllowUsers root +StrictModes yes + +ForceCommand /cdrom/preseed/slurpkey.sh +EOF + +# Populate the authorized keys. TODO: make something more generic +test -d ~root/.ssh || mkdir -m 0700 ~root/.ssh +cat > ~root/.ssh/authorized_keys << EOF +no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa ... +EOF +chmod og-rwx ~root/.ssh/authorized_keys + +# Start the SSH daemon +touch /var/log/lastlog +/usr/sbin/sshd + +# Tell the user we're ready +/cdrom/preseed/slurpkey-msg.sh +kill `cat /var/run/sshd.pid` || true + +# Encrypt + +## fill the disk with random crap +## partition the disk +## format /boot to ext2 +## gptsync +## seed sshd and authorized_keys, print the key, forcecommand: dump everything into /lib/cryptsetup/passfifo +# /sbin/cryptsetup --verbose --align-payload 12544 --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/sdb3 +# /sbin/cryptsetup luksOpen … +# pvcreate, vgcreate + +rm ~root/root.key |