From e596091daf51443248a0cb427832be62552eaf27 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Mon, 28 Oct 2013 19:50:41 +0100
Subject: Reorganization. Move preseed-related stuff in ./preseed/, and vm-related stuff in ./virtualenv/.
---
src/fripost-postinst-udeb/debian/changelog | 5 ++
src/fripost-postinst-udeb/debian/compat | 1 +
src/fripost-postinst-udeb/debian/control | 11 ++++
src/fripost-postinst-udeb/debian/copyright | 7 +++
src/fripost-postinst-udeb/debian/install | 2 +
src/fripost-postinst-udeb/debian/rules | 3 +
src/fripost-postinst-udeb/debian/templates | 93 ++++++++++++++++++++++++++++++
7 files changed, 122 insertions(+)
create mode 100644 src/fripost-postinst-udeb/debian/changelog
create mode 100644 src/fripost-postinst-udeb/debian/compat
create mode 100644 src/fripost-postinst-udeb/debian/control
create mode 100644 src/fripost-postinst-udeb/debian/copyright
create mode 100644 src/fripost-postinst-udeb/debian/install
create mode 100755 src/fripost-postinst-udeb/debian/rules
create mode 100644 src/fripost-postinst-udeb/debian/templates
(limited to 'src/fripost-postinst-udeb/debian')
diff --git a/src/fripost-postinst-udeb/debian/changelog b/src/fripost-postinst-udeb/debian/changelog
new file mode 100644
index 0000000..c1ea4fd
--- /dev/null
+++ b/src/fripost-postinst-udeb/debian/changelog
@@ -0,0 +1,5 @@
+fripost-postinst (0.0.0) unstable; urgency=low
+
+ * Tests
+
+ -- Guilhem Moulin Wed, 17 Oct 2013 04:32:31 +0200
diff --git a/src/fripost-postinst-udeb/debian/compat b/src/fripost-postinst-udeb/debian/compat
new file mode 100644
index 0000000..7f8f011
--- /dev/null
+++ b/src/fripost-postinst-udeb/debian/compat
@@ -0,0 +1 @@
+7
diff --git a/src/fripost-postinst-udeb/debian/control b/src/fripost-postinst-udeb/debian/control
new file mode 100644
index 0000000..e173159
--- /dev/null
+++ b/src/fripost-postinst-udeb/debian/control
@@ -0,0 +1,11 @@
+Source: fripost-postinst
+Section: debian-installer
+Priority: optional
+Maintainer: Guilhem Moulin
+Build-Depends: debhelper (>= 7)
+
+Package: fripost-postinst
+XC-Package-Type: udeb
+Architecture: all
+Depends: fripost-partman, ${misc:Depends}
+Description: Post-install scripts (e.g., install dropbear in the initramfs)
diff --git a/src/fripost-postinst-udeb/debian/copyright b/src/fripost-postinst-udeb/debian/copyright
new file mode 100644
index 0000000..4e26ce2
--- /dev/null
+++ b/src/fripost-postinst-udeb/debian/copyright
@@ -0,0 +1,7 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Source: native package
+
+Files: *
+Copyright: © 2013 Guilhem Moulin
+License: GPL-3+
+
diff --git a/src/fripost-postinst-udeb/debian/install b/src/fripost-postinst-udeb/debian/install
new file mode 100644
index 0000000..5426071
--- /dev/null
+++ b/src/fripost-postinst-udeb/debian/install
@@ -0,0 +1,2 @@
+finish-install.d/* /usr/lib/finish-install.d
+sshd_config /var/lib/fripost
diff --git a/src/fripost-postinst-udeb/debian/rules b/src/fripost-postinst-udeb/debian/rules
new file mode 100755
index 0000000..cbe925d
--- /dev/null
+++ b/src/fripost-postinst-udeb/debian/rules
@@ -0,0 +1,3 @@
+#!/usr/bin/make -f
+%:
+ dh $@
diff --git a/src/fripost-postinst-udeb/debian/templates b/src/fripost-postinst-udeb/debian/templates
new file mode 100644
index 0000000..5385ce9
--- /dev/null
+++ b/src/fripost-postinst-udeb/debian/templates
@@ -0,0 +1,93 @@
+Template: base-installer/progress/fripost
+Type: text
+Description: ${WHAT}
+
+Template: fripost/initrd-ssh-port
+Type: string
+Default: 22
+Description: On which [address:]port should dropbear listen?
+Extended_description: If port is a range (e.g., 1024-65535), a random
+ port in that range is chosen. Leaving the question empty is equivalent
+ to specifying the range of registered port 1024-49151. This is only
+ used for remote (SSH) unlocking of encrypted disks.
+
+Template: fripost/dropbear-use-openssh-key
+Type: boolean
+Default: false
+Description: Use the same key for dropbear and OpenSSH?
+Extended_description: If False, generate a dedicated key for dropbear.
+
+Template: fripost/activate-selinux
+Type: boolean
+Default: true
+Description: Install and activate (in enforcing mode) SELinux?
+Extended_description: Note that activating SELinux requires a dummy
+ reboot to label all files. So if you have full-disk encryption, you'll
+ have to send the password twice to dropbear.
+
+Template: fripost/keep-media-directory
+Type: boolean
+Default: false
+Description: Keep /media and its kids' entries in the fstab?
+Extended_description: /media (and its related entries in the fstab)
+ can safely be removed on a headless server.
+
+Template: fripost/sshd-fprs_title
+Type: text
+Description: Reboot in progress
+
+Template: fripost/sshd-fprs_text
+Type: note
+Description: Press 'continue' to reboot on the new system
+ We are done! After rebooting you should be able to log in into your
+ new machine:
+ .
+ ssh ${USER}@${IPv4}
+ .
+ To defeat MiTM-attacks, please ensure (for instance by trying to log in
+ right now, although it won't be successful before the next reboot) that
+ the server's public key has the following fingerprint
+ .
+ ${SSHFPR_SERVER}
+ .
+ To unlock the encrypted disk, you need to send the key to the SSH
+ daemon living in in the initrd:
+ .
+ ssh -p ${PORT} -T root@${IPv4} < /path/to/key
+ .
+ An attacker successfully mounting a MiTM-attack could get hold of the
+ encryption key! It is crucial that you match this (single purpose)
+ server's fingerprint against
+ .
+ ${SSHFPR_INITRD}
+ .
+ Key(s) that are granted access to these two servers have the following
+ fingerprint:
+ .
+ ${SSHFPR_AUTHORIZED}
+
+Template: fripost/sshd-fprs-nodropbear_text
+Type: note
+Description: Press 'continue' to reboot on the new system
+ We are done! After rebooting you should be able to log in into your new
+ machine:
+ .
+ ssh ${USER}@${IPv4}
+ .
+ To defeat MiTM-attacks, please ensure (for instance by trying to log in
+ right now, although it won't be successful before the next reboot) that
+ the server's public key has the following fingerprint
+ .
+ ${SSHFPR_SERVER}
+ .
+ Key(s) that are granted access to the server have the following
+ fingerprint:
+ .
+ ${SSHFPR_AUTHORIZED}
+
+Template: fripost/final-notice
+Type: boolean
+Default: true
+Description: Display the final notice before rebooting?
+Extended_description: It's good to show SSH fingerprints, because it
+ defeats MiTM-attacks.
-- cgit v1.2.3
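Review bot: The `fripost/dropbear-use-openssh-key` template does not say what answering true costs. The initrd has to be readable before the disk is unlocked, so the OpenSSH host private key would presumably sit in unencrypted storage, where anyone with offline access to the boot media could copy it and impersonate both SSH servers. I would spell that out, e.g. `Extended_description: If False, generate a dedicated key for dropbear. If True, the OpenSSH host key is copied into the (unencrypted) initrd.` Relatedly, with the defaults shown (`Default: 22` for `fripost/initrd-ssh-port` plus a dedicated dropbear key) the same address:port presents two different host keys, so clients are likely to see a host-key-changed warning at every unlock, which works against the fingerprint check that `fripost/sshd-fprs_text` asks for; a non-22 default or a hint about keeping a separate known_hosts entry would help. The finish-install scripts that consume these answers are outside this hunk, so the key handling is inferred from the template text.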