path: root/pre-partman.sh
#!/bin/sh
#
# Set up an SSH daemon whose sole purpose is to slurp the key for
# full disk encryption, so that it doesn't have to be entered manually
# into the installer.
#
# Copyright 2013 Guilhem Moulin <guilhem@fripost.org>
#
# Licensed under the GNU GPL version 3 or higher.

# Abort on the first unhandled command failure and on any use of an
# unset variable.
set -eu

# Pull in the debconf shell API (db_input, db_go, db_get, ...).
. /usr/share/debconf/confmodule

# Register this installer's own questions from the install medium.
debconf-loadtemplate fripost-install /cdrom/preseed/fripost-install.template

# Ask whether full disk encryption is wanted.  db_input returns non-zero
# when the question is not displayed, which must not abort the script
# under 'set -e'.
db_input high fripost-install/full-disk-encryption || true
db_go
db_get fripost-install/full-disk-encryption

# RET carries the answer; a missing or empty value counts as "true".
# Nothing else in this script applies when encryption was declined.
if [ "${RET:-true}" = "false" ]; then
    exit 0
fi

# Record the modules required to unlock the system from our initramfs.
# For every module currently loaded (first column of /proc/modules) the
# path of its .ko file is looked up, and sed keeps only the bare module
# name of those living below the running kernel's kernel/arch,
# kernel/drivers/ata or kernel/drivers/scsi directories.
# NOTE(review): the filter does not match any crypto or network
# directory, although those modules are presumably wanted as well --
# confirm the intended set.
# TODO: should probably be stored in debconf, since we'll need the
# modules in the target only
while read k rest; do
    /sbin/modinfo -F filename "$k"
done < /proc/modules \
    | sed -n -r "s@^/lib/modules/$(uname -r)/kernel/(arch|drivers/(ata|scsi))(/.*)?/([^/]+)\.ko\$@\4@p" \
    > /tmp/initramfs-modules

# Fetch the installer component that provides cryptsetup.
anna-install cryptsetup-udeb

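# Obtain the LUKS key and store it in ~root/root.key.  The passphrase can
# be typed into the installer; when that answer is empty, an ephemeral
# SSH daemon is started instead and whatever is sent to it becomes the
# key.
db_input high fripost-install/full-disk-encryption-password || true
db_go
db_get fripost-install/full-disk-encryption-password

if [ -n "$RET" ]; then
    # Start from a fresh file created under a restrictive umask, so the
    # key is never readable by group or other (the SSH branch below uses
    # the same umask 0077).  printf '%s' writes $RET verbatim: no word
    # splitting or globbing, no option or escape handling by echo, and no
    # trailing newline, so the file holds exactly the typed passphrase.
    rm -f ~root/root.key
    ( umask 0077; printf '%s' "$RET" > ~root/root.key )
    chmod 0600 ~root/root.key
    # TODO: remove password from debconf; until then the passphrase also
    # remains in the debconf database.
else
    anna-install openssh-server-udeb

    mkdir -pm0755 /etc/ssh/
    sshHostKey=/etc/ssh/ssh_host_rsa_key
    ssh-keygen -b 4096 -t rsa -N '' -C "$sshHostKey" -f "$sshHostKey"

    # Key-only root login; ForceCommand makes every session do nothing
    # but write its standard input to the key file, under umask 0077.
    # NOTE(review): privilege separation is switched off, presumably
    # because the installer environment lacks the account it needs --
    # confirm.
    cat > /etc/ssh/sshd_config <<EOF
Port 22
Protocol 2
HostKey $sshHostKey
UsePrivilegeSeparation no

PasswordAuthentication no
ChallengeResponseAuthentication no
HostbasedAuthentication no
PubkeyAuthentication yes

PermitRootLogin yes
AllowUsers root
StrictModes yes

ForceCommand /bin/sh -c 'umask 0077; cat > ~root/root.key'
EOF

    # Populate the authorized keys. TODO: make something more generic
    # The key options disable forwarding, PTY allocation and the user rc
    # file for the keys that are granted access.
    test -d ~root/.ssh || mkdir -m 0700 ~root/.ssh
    cat > ~root/.ssh/authorized_keys <<EOF
no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa ...
EOF
    chmod og-rwx ~root/.ssh/authorized_keys

    # Start the SSH daemon
    touch /var/log/lastlog
    /usr/sbin/sshd

    # Tell the user we're ready: build a debconf note showing the address
    # to connect to, the host key fingerprint to verify, and the
    # fingerprints of the keys that are allowed in.
    ipv4="$(ip addr show eth0 | sed -nr 's/^\s+inet\s([0-9.]{4,32}).*/\1/p')"
    template=$(mktemp)

    cat > "$template" <<EOF
Template: cryptsetup-ssh-slurpkey/title
Type: note
Description: Waiting for passphrase

Template: cryptsetup-ssh-slurpkey/text
Type: note
Description: Press 'continue' once you have sent the key
 You now need to send the encryption key for LUKS/dm-crypt to
 this special-purpose SSH server:
 .
     ssh -T -p 22 -l root $ipv4 < /path/to/key
 .
 To defeat MiTM-attacks, please ensure that the server fingerprint matches
 .
     $(ssh-keygen -lf "$sshHostKey")
 .
 Key(s) that are granted access have the following fingerprint:
 .
EOF
    while read -r pk; do
        # ssh-keygen can't read from STDIN, and ash doesn't have the '<<<'
        # construct, so we save each pubkey in a temporary file
        pkf=$(mktemp)
        printf '%s\n' "$pk" > "$pkf"
        printf '   - %s\n' "$(ssh-keygen -lf "$pkf")" >> "$template"
        rm "$pkf"
    done < ~root/.ssh/authorized_keys
    cat >> "$template" <<EOF
 .
 Note: This server is ephemeral, and will be replaced with a full-blown
 one toward the end of the installation.
EOF

    debconf-loadtemplate cryptsetup-ssh-slurpkey "$template"
    # Anything sent to the SSH is stored into ~root/root.key, which is our
    # LUKS key.  Keep prompting until that file exists and is non-empty,
    # so that a session which sent nothing is not accepted as a key.
    until test -s ~root/root.key; do
        db_settitle cryptsetup-ssh-slurpkey/title
        db_input critical cryptsetup-ssh-slurpkey/text
        db_go
    done

    # The daemon has served its purpose; failing to stop it is not fatal.
    kill "$(cat /var/run/sshd.pid)" || true
fi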

# Put the fill-random question to the user (presumably: whether to
# overwrite the disk with random data first).  The answer ends up in RET,
# but nothing below reads it yet.
db_input high fripost-install/full-disk-encryption-fillrandom || :
db_go
db_get fripost-install/full-disk-encryption-fillrandom

# Encrypt
# The steps below are an outline only; none of them is implemented here.

## fill the disk with random crap (TODO: progress)
## partition the disk
## format /boot to ext2
## gptsync
## seed sshd and authorized_keys, print the key, forcecommand: dump everything into /lib/cryptsetup/passfifo
# /sbin/cryptsetup --verbose --align-payload 12544 --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/sdb3
# /sbin/cryptsetup luksOpen …
# pvcreate, vgcreate

# The key file is no longer needed once the steps above are done.
# NOTE(review): rm only unlinks the file; whether that suffices depends
# on the filesystem backing ~root in the installer -- confirm.
rm ~root/root.key