aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/fripost-partman-udeb/base.sh30
-rwxr-xr-xsrc/fripost-postinst-udeb/finish-install.d/07fripost26
2 files changed, 33 insertions, 23 deletions
diff --git a/src/fripost-partman-udeb/base.sh b/src/fripost-partman-udeb/base.sh
index 449d3ae..b6af4d1 100644
--- a/src/fripost-partman-udeb/base.sh
+++ b/src/fripost-partman-udeb/base.sh
@@ -35,7 +35,7 @@ fatal() {
# Ensure stdout is opened with line buffering. If some day stdbuf(1) is
# available in busybox, we should replace the LD_PRELOAD by 'stdbuf -oL -eL'.
-# XXX: see #751394
+# XXX: workaround for #751394
stdbuf() {
LD_PRELOAD=/lib/fripost-partman/stdbuf.so "$@"
}
@@ -298,12 +298,15 @@ fripost_encrypt() {
AllowAgentForwarding no
AllowTcpForwarding no
+ PermitOpen none
+ PermitTTY no
+ PermitUserRC no
ForceCommand /bin/cat >$keyfile
EOF
# Populate the authorized keys.
[ -d ~root/.ssh ] || mkdir -m0700 ~root/.ssh
- copy_authorized_keys $import/authorized_keys ~root/.ssh/authorized_keys 'no-pty'
+ copy_authorized_keys $import/authorized_keys ~root/.ssh/authorized_keys
# Start the SSH daemon
touch /var/log/lastlog
@@ -312,7 +315,7 @@ fripost_encrypt() {
# Tell the user we're ready
db_subst fripost/encryption-slurpkey_text IPv4 "$(getIPv4)"
db_subst fripost/encryption-slurpkey_text SSHFPR_SERVER \
- "$(/usr/bin/ssh-keygen -lf $sshHostKey)"
+ "$(sshfprs ${sshHostKey}.pub)"
db_subst fripost/encryption-slurpkey_text SSHFPR_AUTHORIZED \
"$(sshfprs ~root/.ssh/authorized_keys ' - ')"
@@ -379,21 +382,22 @@ fripost_encrypt() {
# Like ssh-keygen -lf, but for a file such as authorized_keys, which
-# may contain multiple keys.
+# may contain multiple keys. Also, use the comment associated with the
+# key rather than the filename.
#
-# Usage: sshfprs.sh file [prefix]
+# Usage: sshfprs file [prefix]
sshfprs() {
- local file="$1" prefix="${2:-}" pk
+ local file="$1" prefix="${2:-}" type pk comment pkf=$(mktemp)
- while read pk; do
+ sed -nr "s#^([^#]+\s)?(ssh-(dss|rsa|ed25519)|ecdsa-sha2-nistp(256|384|521))\s#\2 #p" "$file" | \
+ while read type pk comment; do
# /usr/bin/ssh-keygen can't read from STDIN, and the '<<<' is
# not POSIX, so we save each pubkey in a temporary file
- pkf=$(mktemp)
- echo "$pk" > "$pkf"
- echo "${prefix}$(/usr/bin/ssh-keygen -lf $pkf)"
- rm -f "$pkf"
- done < "$file"
+ echo "$type $pk $comment" > "$pkf"
+ echo "${prefix}$(/usr/bin/ssh-keygen -lf $pkf | sed "s#$pkf#$comment#")"
+ done
+ rm -f "$pkf"
}
# Copy an authorized_keys file, possibly adding some options. The input
@@ -403,7 +407,7 @@ sshfprs() {
copy_authorized_keys() {
local from="$1" to="$2"
if [ $# -gt 2 ]; then
- sed -r "s#^([^#]+\s)?(ssh-(dss|rsa)|ecdsa-sha2-nistp(256|384|521))\s#$3 \2 #" \
+ sed -r "s#^([^#]+\s)?(ssh-(dss|rsa|ed25519)|ecdsa-sha2-nistp(256|384|521))\s#$3 \2 #" \
"$from" > "$to"
else
cp "$from" "$to"
diff --git a/src/fripost-postinst-udeb/finish-install.d/07fripost b/src/fripost-postinst-udeb/finish-install.d/07fripost
index bacb910..d4e05bb 100755
--- a/src/fripost-postinst-udeb/finish-install.d/07fripost
+++ b/src/fripost-postinst-udeb/finish-install.d/07fripost
@@ -48,6 +48,17 @@ progress "Generating public/private rsa key pair (OpenSSH)"
#######################################################################
+# Change initramfs defaults
+
+sed -ri -e 's/^#?\s*MODULES=.*/MODULES=dep/' \
+ -e 's/^#?\s*COMPRESS=.*/COMPRESS=xz/' \
+ /target/etc/initramfs-tools/initramfs.conf
+
+sed -nr '/^\s*(\S+)\s+\S+\s+swap\s.*/ {s//RESUME=\1/p;q}' /target/etc/fstab \
+ >> /target/etc/initramfs-tools/conf.d/resume
+
+
+#######################################################################
# Put dropbear in the initrd if full disk encryption is desired.
# Get username of the first user
@@ -175,11 +186,6 @@ cat > "$dpkg_remove" <<- EOF
wamerican
wbritish
EOF
-# XXX: the dummy package 'module-init-tools' is a dependency for 'acpid'.
-#/usr/sbin/chroot /target /usr/bin/dpkg-query \
-# --show --showformat='${binary:Package} ${binary:Summary}\n' \
-# | sed -rn 's/^(\S+)\s.*\btransitional dummy package\b.*/\1/p' \
-# >> "$dpkg_remove"
/bin/in-target /usr/bin/xargs -a"${dpkg_remove#/target}" \
debconf-apt-progress --no-progress -- apt-get -y autoremove --purge
rm -f "$dpkg_remove"
@@ -225,16 +231,16 @@ else
db_subst "$template" PORT "$port"
# Convert the key to OpenSSH format, so we can use ssh-keygen
- sshHostKey2=$(mktemp)
+ sshPubKey2=$(mktemp)
/usr/sbin/chroot /target /usr/bin/dropbearkey -y \
-f /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
- | grep -E '^(ssh-(dss|rsa)|ecdsa-sha2-nistp(256|384|521))' > "$sshHostKey2"
- db_subst "$template" SSHFPR_INITRD "$(/usr/bin/ssh-keygen -lf $sshHostKey2)"
- rm -f "$sshHostKey2"
+ | grep -E '^(ssh-(dss|rsa|ed25519)|ecdsa-sha2-nistp(256|384|521))' > "$sshPubKey2"
+ db_subst "$template" SSHFPR_INITRD "$(sshfprs $sshPubKey2)"
+ rm -f "$sshPubKey2"
fi
db_subst "$template" USER "$user"
db_subst "$template" IPv4 "$(getIPv4)"
-db_subst "$template" SSHFPR_SERVER "$(/usr/bin/ssh-keygen -lf $sshHostKey)"
+db_subst "$template" SSHFPR_SERVER "$(sshfprs ${sshHostKey}.pub)"
db_subst "$template" SSHFPR_AUTHORIZED "$(sshfprs $import/authorized_keys ' - ')"
db_get fripost/final-notice