blob: 79436ee9b46de60a592e3d68f2135186d6168592 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
|
#!/bin/sh
#
# Set up a SSH daemon, the sole purpose of which is to slurp the key for
# full disk encryption, so that it doesn't have to be manually entered
# to the installer.
#
# Copyright 2013 Guilhem Moulin <guilhem@fripost.org>
#
# Licensed under the GNU GPL version 3 or higher.
set -ue
. /usr/share/debconf/confmodule
debconf-loadtemplate fripost-install /cdrom/preseed/fripost-install.template
db_input high fripost-install/full-disk-encryption || true
db_go
db_get fripost-install/full-disk-encryption
[ x"${RET:-true}" = x"false" ] && exit 0
# Crypto, disk and network modules, required to unlock the system from
# our initramfs.
# TODO: should probably be stored in debconf, since we'll need the
# modules in the target only
while read k rest; do /sbin/modinfo -F filename "$k"; done < /proc/modules \
| sed -nr "s@^/lib/modules/`uname -r`/kernel/(arch|drivers/(ata|scsi))(/.*)?/([^/]+)\.ko\$@\4@p" \
> /tmp/initramfs-modules
anna-install cryptsetup-udeb
db_input high fripost-install/full-disk-encryption-password || true
db_go
db_get fripost-install/full-disk-encryption-password
if [ -n "$RET" ]; then
touch ~root/root.key
chmod 0644 ~root/root.key
echo $RET >> ~root/root.key #TODO we don't want echo there
# TODO: remove passord from debconf
else
anna-install openssh-server-udeb
mkdir -pm0755 /etc/ssh/
sshHostKey=/etc/ssh/ssh_host_rsa_key
ssh-keygen -b 4096 -t rsa -N '' -C $sshHostKey -f $sshHostKey
cat > /etc/ssh/sshd_config <<- EOF
Port 22
Protocol 2
HostKey $sshHostKey
UsePrivilegeSeparation no
PasswordAuthentication no
ChallengeResponseAuthentication no
HostbasedAuthentication no
PubkeyAuthentication yes
PermitRootLogin yes
AllowUsers root
StrictModes yes
ForceCommand /bin/sh -c 'umask 0077; cat > ~root/root.key'
EOF
# Populate the authorized keys. TODO: make something more generic
test -d ~root/.ssh || mkdir -m 0700 ~root/.ssh
cat > ~root/.ssh/authorized_keys <<- EOF
no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa ...
EOF
chmod og-rwx ~root/.ssh/authorized_keys
# Start the SSH daemon
touch /var/log/lastlog
/usr/sbin/sshd
# Tell the user we're ready
db_subst fripost-install/full-disk-encryption-slurpkey_text IPv4 \
"$(ip addr show eth0 | sed -nr 's/^\s+inet\s([0-9.]{4,32}).*/\1/p')"
db_subst fripost-install/full-disk-encryption-slurpkey_text SSHFPR_SERVER \
"$(ssh-keygen -lf $sshHostKey)"
db_subst fripost-install/full-disk-encryption-slurpkey_text SSHFPR_AUTHORIZED \
"$($root/preseed/sshfprs.sh ~root/.ssh/authorized_keys ' - ')"
# Anything sent to the SSH is stored into $keyfile, which is our LUKS key.
until test -r "$keyfile"; do
db_settitle fripost-install/full-disk-encryption-slurpkey_title
db_input critical fripost-install/full-disk-encryption-slurpkey_text
db_go
done
kill `cat /var/run/sshd.pid` || true
fi
##############################################################################
# Fill the disk with random data
db_input high fripost-install/full-disk-encryption-fill || true
db_go
db_get fripost-install/full-disk-encryption-fill
dev="$RET"
heartbeat () {
local pid sig sleep
pid=$1
sig=${2:-SIGHUP}
sleep=${3:-1}
until false; do
sleep $sleep
/bin/kill -$sig $pid 2>/dev/null || break
done
}
if [ x"$RET" != x"none" ]; then
source="/dev/$RET"
bs=4096
disk=$(list-devices disk | head -1)
size=$(parted_devices "$disk" | cut -f2)
fill="dd if=$source of=$disk bs=$bs"
db_subst fripost-install/full-disk-encryption-fill_progress_title DISK "$disk"
db_subst fripost-install/full-disk-encryption-fill_progress_title SIZE "$size"
if [ x"$source" = x"/dev/zero" ]; then
db_subst fripost-install/full-disk-encryption-fill_progress_title WHAT "zeroes"
elif [ x"$source" = x"/dev/random" -o x"$source" = x"/dev/urandom" ]; then
db_subst fripost-install/full-disk-encryption-fill_progress_title WHAT "bytes of random data"
else
db_subst fripost-install/full-disk-encryption-fill_progress_title WHAT "bytes"
fi
db_progress START 0 $(( $size / $bs )) fripost-install/full-disk-encryption-fill_progress_title
db_subst fripost-install/full-disk-encryption-fill_progress_info COMMAND "$fill"
db_progress INFO fripost-install/full-disk-encryption-fill_progress_info
fifo=$(mktemp -u)
mknod "$fifo" p
trap 'echo kill $pid' EXIT
$fill 2> "$fifo" & pid=$!
heartbeat $pid USR1 &
while read -u 7 n records dir; do
[ x"$records" = x"records" -a x"$dir" = x"out" ] && db_progress SET ${n%+*}
done 7< "$fifo"
rm "$fifo"
trap '' EXIT
db_progress STOP
db_unregister fripost-install/full-disk-encryption-fill_progress_title
db_unregister fripost-install/full-disk-encryption-fill_progress_info
# http://horde.net/~jwm/blog/progress-bars-with-debconf/
# http://horde.net/~jwm/blog/how-shell-scripts-communicate-with-debconf/
fi
|