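#!/bin/sh
#
# Set up a SSH daemon, the sole purpose of which is to slurp the key for
# full disk encryption, so that it doesn't have to be manually entered
# to the installer.
#
# Flow:
#   1. Ask (debconf) whether full disk encryption is wanted; exit if not.
#   2. Record the currently loaded arch/ata/scsi module names in
#      /tmp/initramfs-modules.
#   3. Obtain the LUKS key, either typed into debconf or sent to an
#      ephemeral, pubkey-only sshd whose ForceCommand writes stdin to
#      ~root/root.key.
#   4. Ask whether to fill the disk with random data, then remove the key
#      file (the encryption steps themselves are still TODO below).
#
# Copyright 2013 Guilhem Moulin
#
# Licensed under the GNU GPL version 3 or higher.

set -ue

. /usr/share/debconf/confmodule
debconf-loadtemplate fripost-install /cdrom/preseed/fripost-install.template

db_input high fripost-install/full-disk-encryption || true
db_go
db_get fripost-install/full-disk-encryption
# An unset/empty answer counts as "true"; only an explicit "false" skips
# the whole setup.
if [ "${RET:-true}" = "false" ]; then
    exit 0
fi

# Crypto, disk and network modules, required to unlock the system from
# our initramfs.
# TODO: should probably be stored in debconf, since we'll need the
# modules in the target only
# NOTE(review): the sed filter below only keeps modules living under
# kernel/arch and kernel/drivers/{ata,scsi}; confirm that this covers the
# crypto and network modules the comment above mentions.
while read -r k rest; do
    /sbin/modinfo -F filename "$k"
done < /proc/modules \
    | sed -nr "s@^/lib/modules/$(uname -r)/kernel/(arch|drivers/(ata|scsi))(/.*)?/([^/]+)\.ko\$@\4@p" \
    > /tmp/initramfs-modules

anna-install cryptsetup-udeb

db_input high fripost-install/full-disk-encryption-password || true
db_go
db_get fripost-install/full-disk-encryption-password
if [ -n "$RET" ]; then
    # Keep a private copy: every later db_* call overwrites RET.
    passphrase=$RET

    # The key file holds the disk-encryption secret, so it is created
    # owner-only (same umask as the SSH ForceCommand below) instead of
    # world-readable.  The chmod also covers a pre-existing file.
    # printf with a quoted argument stores the passphrase verbatim; an
    # unquoted echo would word-split it and expand globs.
    # NOTE(review): the trailing newline the previous echo produced is
    # kept; confirm it matches how the key file is later fed to
    # cryptsetup.
    (
        umask 0077
        printf '%s\n' "$passphrase" > ~root/root.key
    )
    chmod 0600 ~root/root.key

    # Do not leave the passphrase in the debconf database once it is on
    # disk.
    db_set fripost-install/full-disk-encryption-password '' || true
    unset passphrase
else
    anna-install openssh-server-udeb

    mkdir -pm0755 /etc/ssh/
    sshHostKey=/etc/ssh/ssh_host_rsa_key
    ssh-keygen -b 4096 -t rsa -N '' -C "$sshHostKey" -f "$sshHostKey"

    # Public-key authentication for root only; whatever the client sends
    # on stdin is written to the key file by ForceCommand, under a
    # restrictive umask.
    cat > /etc/ssh/sshd_config <<EOF
Port 22
Protocol 2
HostKey $sshHostKey
UsePrivilegeSeparation no
PasswordAuthentication no
ChallengeResponseAuthentication no
HostbasedAuthentication no
PubkeyAuthentication yes
PermitRootLogin yes
AllowUsers root
StrictModes yes
ForceCommand /bin/sh -c 'umask 0077; cat > ~root/root.key'
EOF

    # Populate the authorized keys. TODO: make something more generic
    test -d ~root/.ssh || mkdir -m 0700 ~root/.ssh
    cat > ~root/.ssh/authorized_keys <<EOF
no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa ...
EOF
    chmod og-rwx ~root/.ssh/authorized_keys

    # Start the SSH daemon
    touch /var/log/lastlog
    /usr/sbin/sshd

    # Tell the user we're ready
    ipv4="$(ip addr show eth0 | sed -nr 's/^\s+inet\s([0-9.]{4,32}).*/\1/p')"
    template=$(mktemp)
    # The host-key fingerprint is shown on the console so the sender can
    # compare it before trusting the connection with the key.
    cat > "$template" <<EOF
Template: cryptsetup-ssh-slurpkey/title
Type: note
Description: Waiting for passphrase

Template: cryptsetup-ssh-slurpkey/text
Type: note
Description: Press 'continue' once you have sent the key
 You now need to send the encryption key for LUKS/dm-crypt to this
 special-purpose SSH server:
 .
    ssh -T -p 22 -l root $ipv4 < /path/to/key
 .
 To defeat MiTM-attacks, please ensure that the server fingerprint matches
 .
    $(ssh-keygen -lf "$sshHostKey")
 .
 Key(s) that are granted access have the following fingerprint:
 .
EOF

    while read -r pk; do
        # ssh-keygen can't read from STDIN, and ash doesn't have the '<<<'
        # construct, so we save each pubkey in a temporary file
        pkf=$(mktemp)
        echo "$pk" > "$pkf"
        echo " - $(ssh-keygen -lf "$pkf")" >> "$template"
        rm "$pkf"
    done < ~root/.ssh/authorized_keys

    cat >> "$template" <<EOF
 .
 Note: This server is ephemeral, and will be replaced with a full-blown
 one toward the end of the installation.
EOF

    debconf-loadtemplate cryptsetup-ssh-slurpkey "$template"
    rm -f "$template"

    # Anything sent to the SSH is stored into ~root/root.key, which is our
    # LUKS key.
    # Wait for a non-empty file: ForceCommand creates the file as soon as
    # a session starts, and an empty file is not a usable key.
    until test -s ~root/root.key; do
        db_settitle cryptsetup-ssh-slurpkey/title
        db_input critical cryptsetup-ssh-slurpkey/text
        db_go
    done

    # The daemon has served its purpose once the key has arrived.
    kill "$(cat /var/run/sshd.pid)" || true
fi

db_input high fripost-install/full-disk-encryption-fillrandom || true
db_go
db_get fripost-install/full-disk-encryption-fillrandom

# Encrypt
## fill the disk with random crap (TODO: progress)
## partition the disk
## format /boot to ext2
## gptsync
## seed sshd and authorized_keys, print the key, forcecommand: dump everything into /lib/cryptsetup/passfifo

# /sbin/cryptsetup --verbose --align-payload 12544 --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/sdb3
# /sbin/cryptsetup luksOpen …
# pvcreate, vgcreate

# The key must not outlive this script.
rm ~root/root.key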