Diffstat (limited to 'slurpkey-msg.sh')
-rwxr-xr-x | slurpkey-msg.sh | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/slurpkey-msg.sh b/slurpkey-msg.sh
new file mode 100755
index 0000000..800e1e2
--- /dev/null
+++ b/slurpkey-msg.sh
@@ -0,0 +1,58 @@
+#! /bin/sh
+#
+# Tell the user that the machine is ready to slurp the key for full disk
+# encryption.
+#
+# Copyright 2013 Guilhem Moulin <guilhem@fripost.org>
+#
+# Licensed under the GNU GPL version 3 or higher.
+
+set -ue
+
+. /usr/share/debconf/confmodule
+
+ipv4="$(ip addr show eth0 | sed -nr 's/^\s+inet\s([0-9.]{4,32}).*/\1/p')"
+template=$(mktemp)
+
+cat > "$template" <<EOF
+Template: ssh-cryptsetup/title
+Type: text
+Description: Waiting for passphrase
+
+Template: ssh-cryptsetup/text
+Type: text
+Description: Press 'continue' once you have sent the key
+ You now need to send the encryption key for LUKS/dm-crypt to
+ this special-purpose SSH server:
+ .
+ ssh -T -p 22 -l root $ipv4 < /path/to/key
+ .
+ To defeat MiTM-attacks, please ensure that the server fingerprint matches
+ .
+ $(ssh-keygen -lf /etc/ssh/ssh_host_rsa_key)
+ .
+ Key(s) that are granted access have the following fingerprint:
+ .
+EOF
+while read pk; do
+ # ssh-keygen can't read from STDIN, and ash doesn't have the '<<<'
+ # construct, so we save each pubkey in a temporary file
+ pkf=$(mktemp)
+ echo "$pk" > "$pkf"
+ echo " - $(ssh-keygen -lf $pkf)" >> "$template"
+ rm "$pkf"
+done < ~root/.ssh/authorized_keys
+cat >> $template <<EOF
+ .
+ Note: This server is ephemeral, and will be replaced with a full-blown
+ one toward the end of the installation.
+EOF
+
+debconf-loadtemplate ssh-cryptsetup "$template"
+# Anything sent to the SSH is stored into ~root/root.key, which is our
+# LUKS key.
+until test -r ~root/root.key; do
+ db_settitle ssh-cryptsetup/title
+ db_input critical ssh-cryptsetup/text
+ db_go
+done |
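Review bot: The `while read pk; do` loop over authorized_keys reads without `-r` and never skips blank or `#` lines, so a backslash in a key's options prefix or comment is altered before `ssh-keygen -lf` sees it, and every non-key line becomes an empty ` - ` entry in the dialog (ssh-keygen's error goes to stderr, and `set -e` is not tripped because `echo` masks the substitution's status). Since this list is what the operator compares against before trusting the server with the LUKS key, stray or mangled entries weaken that check; `while IFS= read -r pk; do case $pk in ''|'#'*) continue ;; esac` before the `mktemp` keeps only real key lines. The host-key guidance has a similar gap: only `/etc/ssh/ssh_host_rsa_key` is fingerprinted, so if the ephemeral sshd also offers other host-key types the client may show a fingerprint that never appears in the dialog — either fingerprint every `/etc/ssh/ssh_host_*_key.pub` present or pin sshd to the RSA key, depending on how that server is configured elsewhere. Separately, `$template` from `mktemp` is never removed; `trap 'rm -f "$template"' EXIT` right after the assignment would close that, and `cat >> $template` should be quoted like the earlier `cat > "$template"`.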