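#! /bin/sh
#
# Tell the user that the machine is ready to slurp the key for full disk
# encryption.
#
# Copyright 2013 Guilhem Moulin <guilhem@fripost.org>
#
# Licensed under the GNU GPL version 3 or higher.
#
# Run from the installer with the target system mounted on /target (busybox
# ash: no '[[', arrays or '<<<').  Starts sshd inside the target chroot, opens
# it to the 'ssh' group, and shows a debconf note with the login command, the
# host key fingerprint (so the user can verify the server on first connection)
# and the fingerprints of the keys currently granted access.
set -ue

# Root of the installed system; everything below is relative to it.
target=/target

die() { printf '%s\n' "$*" >&2; exit 1; }

cd "$target/etc/" || die "cannot cd to $target/etc/"
chroot "$target/" service ssh start; sleep 1
# Replace the installer's blanket deny with group-based access control.
sed -i 's/^DenyUsers \*$/AllowGroups ssh/' ./ssh/sshd_config

# The first regular user created by the installer has uid 1000.
# Busybox's sed doesn't support address '0,/../'
user="$(sed -rn 's/^([^:]*):[^:]*:1000:.*/\1/p' ./passwd)"
[ -n "$user" ] || die "no user with uid 1000 in $target/etc/passwd"
home="$target/$(sed -rn 's/^[^:]*:[^:]*:1000:[^:]*:[^:]*:([^:]*):.*/\1/p' ./passwd)"
authorized_keys="$home/.ssh/authorized_keys"
[ -r "$authorized_keys" ] || die "cannot read $authorized_keys"

. /usr/share/debconf/confmodule

# Only eth0 is probed; if it is absent the address shown to the user is empty.
# NOTE(review): consider falling back to the default route's interface.
ipv4="$(ip addr show eth0 | sed -nr 's/^\s+inet\s([0-9.]{4,32}).*/\1/p')"

template=$(mktemp) || die "mktemp failed"
# Remove the template, and any pubkey scratch file left behind by an early
# exit, on every exit path.
pkf=
cleanup() {
	rm -f -- "$template"
	[ -z "$pkf" ] || rm -f -- "$pkf"
}
trap cleanup EXIT

cat > "$template" <<EOF
Template: post-install/title
Type: text
Description: Installation complete
Template: post-install/text
Type: text
Description: Press 'continue' to reboot
 After the reboot, you will be able to log in to this new Debian GNU/Linux
 system:
 .
     ssh -p 22 -l $user $ipv4
 .
 To defeat MiTM-attacks, please ensure that the server fingerprint matches
 .
     $(ssh-keygen -lf ./ssh/ssh_host_rsa_key)
 .
 Key(s) that are currently granted access have the following fingerprint:
 .
EOF

# ssh-keygen can't read from STDIN, and ash doesn't have the '<<<'
# construct, so we save each pubkey in a temporary file.  Blank and comment
# lines carry no key and are skipped; '|| [ -n "$pk" ]' keeps a final line
# that lacks a trailing newline.  (read without IFS= strips leading
# whitespace, so the '#' test sees the first non-blank character.)
while read -r pk || [ -n "$pk" ]; do
	case "$pk" in
		''|'#'*) continue ;;
	esac
	pkf=$(mktemp) || die "mktemp failed"
	printf '%s\n' "$pk" > "$pkf"
	echo "   - $(ssh-keygen -lf "$pkf")" >> "$template"
	rm -f -- "$pkf"
	pkf=
done < "$authorized_keys"
# TODO: key granted access to the initramfs
# TODO: copy the previous keys?
debconf-loadtemplate post-install "$template"
db_settitle post-install/title
db_input critical post-install/text
db_go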