blob: dd3cde9effa8c4bc2cf1bcf2f3ede11c2745f475 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
|
#!/bin/sh
#
# Set up a SSH daemon, the sole purpose of which is to slurp the key for
# full disk encryption, so that it doesn't have to be manually entered
# to the installer.
#
# Copyright 2013 Guilhem Moulin <guilhem@fripost.org>
#
# Licensed under the GNU GPL version 3 or higher.
set -ue
# Crypto, disk and network modules, required to unlock the system from our initramfs
# TODO: should probably be stored in debconf, since we'll need the
# modules in the target only
while read k rest; do /sbin/modinfo -F filename "$k"; done < /proc/modules \
| sed -nr "s@^/lib/modules/`uname -r`/kernel/(arch|drivers/(ata|scsi))(/.*)?/([^/]+)\.ko\$@\4@p" \
> /tmp/initramfs-modules
anna-install cryptsetup-udeb openssh-server-udeb
mkdir -pm0755 /etc/ssh/
ssh-keygen -b 4096 -t rsa -N '' -C /etc/ssh/ssh_host_rsa_key -f /etc/ssh/ssh_host_rsa_key
cat > /etc/ssh/sshd_config << EOF
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
UsePrivilegeSeparation no
PasswordAuthentication no
ChallengeResponseAuthentication no
HostbasedAuthentication no
PubkeyAuthentication yes
PermitRootLogin yes
AllowUsers root
StrictModes yes
ForceCommand /cdrom/preseed/slurpkey.sh
EOF
# Populate the authorized keys. TODO: make something more generic
test -d ~root/.ssh || mkdir -m 0700 ~root/.ssh
cat > ~root/.ssh/authorized_keys << EOF
no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa ...
EOF
chmod og-rwx ~root/.ssh/authorized_keys
# Start the SSH daemon
touch /var/log/lastlog
/usr/sbin/sshd
# Tell the user we're ready
/cdrom/preseed/slurpkey-msg.sh
kill `cat /var/run/sshd.pid` || true
# Encrypt
## fill the disk with random crap
## partition the disk
## format /boot to ext2
## gptsync
## seed sshd and authorized_keys, print the key, forcecommand: dump everything into /lib/cryptsetup/passfifo
# /sbin/cryptsetup --verbose --align-payload 12544 --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/sdb3
# /sbin/cryptsetup luksOpen …
# pvcreate, vgcreate
rm ~root/root.key
|
