From cdec2e76b4b1af00e10ce3bb72ee74e33d52083b Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Fri, 8 May 2015 17:14:13 +0200
Subject: Make the encrypted installation work with Jessie.
---
 src/fripost-partman-udeb/base.sh | 14 +++++++++-----
 src/fripost-postinst-udeb/finish-install.d/07fripost | 15 +++------------
 2 files changed, 12 insertions(+), 17 deletions(-)
(limited to 'src')
diff --git a/src/fripost-partman-udeb/base.sh b/src/fripost-partman-udeb/base.sh
index 23fcdeb..0155569 100644
--- a/src/fripost-partman-udeb/base.sh
+++ b/src/fripost-partman-udeb/base.sh
@@ -364,16 +364,14 @@ fripost_encrypt() {
 rm -f "$keyfile" # We are on a ramdisk, so it's good enough to unlink(2)
 # Add an entry to the crypttab
- printf "%-15s %-41s %-15s %s\n" \
- "$name" UUID=$(/bin/block-attr --uuid "$device") none luks \
- >> /tmp/crypttab
+ fripost_crypttab_addentry "$name" "$device" none luks
 local m _
 [ -d /var/lib/fripost ] || mkdir /var/lib/fripost
 # The modules required to fire up dropbear and start cryptsetup in the ramdisk.
- echo dm_crypt > /tmp/initramfs-modules
+ echo dm_crypt >> /var/lib/fripost/initrd-modules
 while read m _; do /sbin/modinfo -F filename "$m"; done < /proc/modules \
- | sed -nr "s@^/lib/modules/`uname -r`/kernel/((arch/[^/]+/)?crypto|drivers/(ata|scsi))(/.*)?/([^/]+)\.ko\$@\5@p" \
+ | sed -nr "s@^/lib/modules/`uname -r`/kernel/((arch/[^/]+/)?crypto|drivers/(ata|scsi|net))(/.*)?/([^/]+)\.ko\$@\5@p" \
 >> /var/lib/fripost/initrd-modules
 /bin/apt-install busybox cryptsetup || true
@@ -381,6 +379,12 @@ fripost_encrypt() {
 }
+fripost_crypttab_addentry() {
+ local name="$1" uuid=$(/bin/block-attr --uuid "$2") keyfile="$3" options="$4"
+ printf "%-15s %-41s %-15s %s\n" "$name" "UUID=$uuid" "$keyfile" "$options" >>/tmp/crypttab
+}
+
+
 # Like ssh-keygen -lf, but for a file such as authorized_keys, which
 # may contain multiple keys. Also, use the comment associated with the
 # key rather than the filename.
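Review bot: The sed filter in fripost_encrypt now also matches `drivers/net`, but the comment above the pipeline does not say why, and every network module loaded in the installer now ends up in the ramdisk that runs dropbear. If the intent is to make the NIC available for remote unlocking, a line such as `# drivers/net: NIC driver so dropbear is reachable from the ramdisk` would record it. Separately, `echo dm_crypt >> /var/lib/fripost/initrd-modules` appends without truncating, so a second pass through this code would leave duplicate entries in the list. fripost_encrypt starts and ends outside the hunk.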
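Review bot: In `fripost_crypttab_addentry`, `local ... uuid=$(/bin/block-attr --uuid "$2")` hides a failure of block-attr, because the exit status of `local` replaces that of the command substitution; an empty result is then written to /tmp/crypttab as `UUID=`, an entry that cannot identify the encrypted device. Declare the variable first and assign separately with `uuid=$(/bin/block-attr --uuid "$2") || return 1`, then reject an empty value with `[ -n "$uuid" ] || return 1`; the call added in the first hunk would then need to check the return status. The unquoted substitution inside `local` is also subject to word splitting in some sh implementations, so `uuid="$(...)"` is the safer form. The helper has no header comment; one line naming its four arguments (name, device, keyfile, options) would help.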
diff --git a/src/fripost-postinst-udeb/finish-install.d/07fripost b/src/fripost-postinst-udeb/finish-install.d/07fripost
index e583d5a..90df7b8 100755
--- a/src/fripost-postinst-udeb/finish-install.d/07fripost
+++ b/src/fripost-postinst-udeb/finish-install.d/07fripost
@@ -109,19 +109,10 @@ if [ "$encrypt" = true ]; then
 port=$(/target/usr/bin/od -An -N2 -i /dev/urandom)
 port=$(( $port % ($max + 1 - $min) + $min ))
 fi
- # See dropbear(8) for the list of options. Failure to read a keyfile
- # makes dropbear disable the corresponding algorithm (including
- # key-based authentication), in our case DSS/DSA.
- # XXX This is a dirty fix for bug #614981
+
+ # See dropbear(8) for the list of options.
 log "Changing dropbear's options; port $port"
- sed -i "s@^\s*/sbin/dropbear\$@& -d '' -sgjk -p $port@" \
- /target/usr/share/initramfs-tools/scripts/init-premount/dropbear
-
- # Sadly /usr/lib/finish-install.d/10update-initramfs only updates
- # the ramdisk if both cryptsetup *and* console-setup are installed.
- # (Cf. #694156 and #696773.) So we perform the update manually here.
- progress "Generating new initramfs image"
- /bin/in-target /usr/sbin/update-initramfs -u -t
+ echo "PKGOPTION_dropbear_OPTION=\"-sgjk -p $port\"" >>/target/etc/initramfs-tools/initramfs.conf
 fi
-- cgit v1.2.3
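Review bot: Nothing in this hunk regenerates the initramfs any more, so the line appended to `/target/etc/initramfs-tools/initramfs.conf` only takes effect if a later installer step rebuilds the image; the removed comment said 10update-initramfs does that only under certain conditions. If the image is not rebuilt, dropbear in the ramdisk would start without `-sgjk -p $port`, that is without the options that disable password logins and port forwarding, so a comment should state which step performs the rebuild on Jessie. `$port` is also written unvalidated into a file that is presumably sourced as shell; if it can be set from outside this hunk, check it first with something like `case "$port" in ''|*[!0-9]*) exit 1;; esac`. The `>>` append is not idempotent, so a rerun leaves duplicate assignments. The enclosing `if [ "$encrypt" = true ]` block starts before the hunk.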