From 4aef8c9e30d4c14c801a50aa94eed983ab4ae2c5 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Fri, 8 May 2015 17:23:03 +0200 Subject: Jessie fixups. --- include/partition.sh | 1 - preseed.cfg | 3 --- src/fripost-partman-udeb/base.sh | 30 ++++++++++++---------- .../finish-install.d/07fripost | 26 +++++++++++-------- 4 files changed, 33 insertions(+), 27 deletions(-) diff --git a/include/partition.sh b/include/partition.sh index 5879401..eed6db9 100755 --- a/include/partition.sh +++ b/include/partition.sh @@ -83,7 +83,6 @@ encrypt=$RET # Install GRUB on the first device in case of an array db_set grub-installer/bootdev "${device%% *}" db_fset grub-installer/bootdev seen true -db_set grub-installer/only_debian false # dirty fix for #666974 part_boot= part_system= diff --git a/preseed.cfg b/preseed.cfg index cde10d6..05f027d 100644 --- a/preseed.cfg +++ b/preseed.cfg @@ -122,6 +122,3 @@ d-i pkgsel/upgrade select safe-upgrade d-i preseed/early_command string anna-install fripost-partman fripost-postinst d-i preseed/late_command string /bin/in-target /usr/bin/update-alternatives --set editor /usr/bin/vim.nox - -# Dirty fix for bug #666974 -d-i grub-installer/only_debian boolean false diff --git a/src/fripost-partman-udeb/base.sh b/src/fripost-partman-udeb/base.sh index 449d3ae..b6af4d1 100644 --- a/src/fripost-partman-udeb/base.sh +++ b/src/fripost-partman-udeb/base.sh @@ -35,7 +35,7 @@ fatal() { # Ensure stdout is opened with line buffering. If some day stdbuf(1) is # available in busybox, we should replace the LD_PRELOAD by 'stdbuf -oL -eL'. -# XXX: see #751394 +# XXX: workaround for #751394 stdbuf() { LD_PRELOAD=/lib/fripost-partman/stdbuf.so "$@" } @@ -298,12 +298,15 @@ fripost_encrypt() { AllowAgentForwarding no AllowTcpForwarding no + PermitOpen none + PermitTTY no + PermitUserRC no ForceCommand /bin/cat >$keyfile EOF # Populate the authorized keys. [ -d ~root/.ssh ] || mkdir -m0700 ~root/.ssh - copy_authorized_keys $import/authorized_keys ~root/.ssh/authorized_keys 'no-pty' + copy_authorized_keys $import/authorized_keys ~root/.ssh/authorized_keys # Start the SSH daemon touch /var/log/lastlog @@ -312,7 +315,7 @@ fripost_encrypt() { # Tell the user we're ready db_subst fripost/encryption-slurpkey_text IPv4 "$(getIPv4)" db_subst fripost/encryption-slurpkey_text SSHFPR_SERVER \ - "$(/usr/bin/ssh-keygen -lf $sshHostKey)" + "$(sshfprs ${sshHostKey}.pub)" db_subst fripost/encryption-slurpkey_text SSHFPR_AUTHORIZED \ "$(sshfprs ~root/.ssh/authorized_keys ' - ')" @@ -379,21 +382,22 @@ fripost_encrypt() { # Like ssh-keygen -lf, but for a file such as authorized_keys, which -# may contain multiple keys. +# may contain multiple keys. Also, use the comment associated with the +# key rather than the filename. # -# Usage: sshfprs.sh file [prefix] +# Usage: sshfprs file [prefix] sshfprs() { - local file="$1" prefix="${2:-}" pk + local file="$1" prefix="${2:-}" type pk comment pkf=$(mktemp) - while read pk; do + sed -nr "s#^([^#]+\s)?(ssh-(dss|rsa|ed25519)|ecdsa-sha2-nistp(256|384|521))\s#\2 #p" "$file" | \ + while read type pk comment; do # /usr/bin/ssh-keygen can't read from STDIN, and the '<<<' is # not POSIX, so we save each pubkey in a temporary file - pkf=$(mktemp) - echo "$pk" > "$pkf" - echo "${prefix}$(/usr/bin/ssh-keygen -lf $pkf)" - rm -f "$pkf" - done < "$file" + echo "$type $pk $comment" > "$pkf" + echo "${prefix}$(/usr/bin/ssh-keygen -lf $pkf | sed "s#$pkf#$comment#")" + done + rm -f "$pkf" } # Copy an authorized_keys file, possibly adding some options. The input @@ -403,7 +407,7 @@ sshfprs() { copy_authorized_keys() { local from="$1" to="$2" if [ $# -gt 2 ]; then - sed -r "s#^([^#]+\s)?(ssh-(dss|rsa)|ecdsa-sha2-nistp(256|384|521))\s#$3 \2 #" \ + sed -r "s#^([^#]+\s)?(ssh-(dss|rsa|ed25519)|ecdsa-sha2-nistp(256|384|521))\s#$3 \2 #" \ "$from" > "$to" else cp "$from" "$to" diff --git a/src/fripost-postinst-udeb/finish-install.d/07fripost b/src/fripost-postinst-udeb/finish-install.d/07fripost index bacb910..d4e05bb 100755 --- a/src/fripost-postinst-udeb/finish-install.d/07fripost +++ b/src/fripost-postinst-udeb/finish-install.d/07fripost @@ -47,6 +47,17 @@ progress "Generating public/private rsa key pair (OpenSSH)" -C "${sshHostKey#/target}" -f "${sshHostKey#/target}" +####################################################################### +# Change initramfs defaults + +sed -ri -e 's/^#?\s*MODULES=.*/MODULES=dep/' \ + -e 's/^#?\s*COMPRESS=.*/COMPRESS=xz/' \ + /target/etc/initramfs-tools/initramfs.conf + +sed -nr '/^\s*(\S+)\s+\S+\s+swap\s.*/ {s//RESUME=\1/p;q}' /target/etc/fstab \ + >> /target/etc/initramfs-tools/conf.d/resume + + ####################################################################### # Put dropbear in the initrd if full disk encryption is desired. @@ -175,11 +186,6 @@ cat > "$dpkg_remove" <<- EOF wamerican wbritish EOF -# XXX: the dummy package 'module-init-tools' is a dependency for 'acpid'. -#/usr/sbin/chroot /target /usr/bin/dpkg-query \ -# --show --showformat='${binary:Package} ${binary:Summary}\n' \ -# | sed -rn 's/^(\S+)\s.*\btransitional dummy package\b.*/\1/p' \ -# >> "$dpkg_remove" /bin/in-target /usr/bin/xargs -a"${dpkg_remove#/target}" \ debconf-apt-progress --no-progress -- apt-get -y autoremove --purge rm -f "$dpkg_remove" @@ -225,16 +231,16 @@ else db_subst "$template" PORT "$port" # Convert the key to OpenSSH format, so we can use ssh-keygen - sshHostKey2=$(mktemp) + sshPubKey2=$(mktemp) /usr/sbin/chroot /target /usr/bin/dropbearkey -y \ -f /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \ - | grep -E '^(ssh-(dss|rsa)|ecdsa-sha2-nistp(256|384|521))' > "$sshHostKey2" - db_subst "$template" SSHFPR_INITRD "$(/usr/bin/ssh-keygen -lf $sshHostKey2)" - rm -f "$sshHostKey2" + | grep -E '^(ssh-(dss|rsa|ed25519)|ecdsa-sha2-nistp(256|384|521))' > "$sshPubKey2" + db_subst "$template" SSHFPR_INITRD "$(sshfprs $sshPubKey2)" + rm -f "$sshPubKey2" fi db_subst "$template" USER "$user" db_subst "$template" IPv4 "$(getIPv4)" -db_subst "$template" SSHFPR_SERVER "$(/usr/bin/ssh-keygen -lf $sshHostKey)" +db_subst "$template" SSHFPR_SERVER "$(sshfprs ${sshHostKey}.pub)" db_subst "$template" SSHFPR_AUTHORIZED "$(sshfprs $import/authorized_keys ' - ')" db_get fripost/final-notice -- cgit v1.2.3