blob: 8fecde42b45cc794e335898b8b30b6d23ac4d78b (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
|
#! /bin/sh
#
# Tell the user that the machine is ready to slurp the key for full disk
# encryption.
#
# Copyright 2013 Guilhem Moulin <guilhem@fripost.org>
#
# Licensed under the GNU GPL version 3 or higher.
set -ue
cd /target/etc/
chroot /target/ service ssh start; sleep 1
sed -i 's/^DenyUsers \*$/AllowGroups ssh/' ./ssh/sshd_config
# Busybox's sed doesn't support address '0,/../'
user="$(sed -rn 's/^([^:]*):[^:]*:1000:.*/\1/p' ./passwd)"
home="/target/$(sed -rn 's/^[^:]*:[^:]*:1000:[^:]*:[^:]*:([^:]*):.*/\1/p' ./passwd)"
. /usr/share/debconf/confmodule
ipv4="$(ip addr show eth0 | sed -nr 's/^\s+inet\s([0-9.]{4,32}).*/\1/p')"
template=$(mktemp)
cat > "$template" <<EOF
Template: post-install/title
Type: note
Description: Installation complete
Template: post-install/text
Type: note
Description: Press 'continue' to reboot
After the reboot, you will be able to log in to this new Debian GNU/Linux
system:
.
ssh -p 22 -l $user $ipv4
.
To defeat MiTM-attacks, please ensure that the server fingerprint matches
.
$(ssh-keygen -lf ./ssh/ssh_host_rsa_key)
.
Key(s) that are currently granted access have the following fingerprint:
.
EOF
while read pk; do
# ssh-keygen can't read from STDIN, and ash doesn't have the '<<<'
# construct, so we save each pubkey in a temporary file
pkf=$(mktemp)
echo "$pk" > "$pkf"
echo " - $(ssh-keygen -lf $pkf)" >> "$template"
rm "$pkf"
done < "$home/.ssh/authorized_keys"
# TODO: key granted access to the initramfs
# TODO: copy the previous keys?
debconf-loadtemplate post-install "$template"
db_settitle post-install/title
db_input critical post-install/text
db_go
|
