#! /bin/sh
#
# Tell the user that the machine is ready to slurp the key for full disk
# encryption.
#
# Copyright 2013 Guilhem Moulin <guilhem@fripost.org>
#
# Licensed under the GNU GPL version 3 or higher.

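set -ue

. /usr/share/debconf/confmodule

# IPv4 address(es) of eth0, shown to the user as the address to ssh to.  sed
# prints one line per matching 'inet' line; if eth0 has no IPv4 address (or the
# interface is not called eth0) this is empty and the instruction below has no
# address in it.
ipv4="$(ip addr show eth0 | sed -nr 's/^\s+inet\s([0-9.]{4,32}).*/\1/p')"

# $template collects the debconf template text; $pkf is reused for every
# pubkey below.  Both are removed on any exit path (normal end, 'set -e'
# abort, or a signal) instead of being left behind in the temp directory.
template=$(mktemp)
pkf=$(mktemp)
trap 'rm -f -- "$template" "$pkf"' EXIT

# Unquoted heredoc delimiter on purpose: $ipv4 and the host-key fingerprint
# are expanded here so the user can compare the fingerprint before sending
# the key.
cat > "$template" <<EOF
Template: ssh-cryptsetup/title
Type: text
Description: Waiting for passphrase

Template: ssh-cryptsetup/text
Type: text
Description: Press 'continue' once you have sent the key
 You now need to send the encryption key for LUKS/dm-crypt to
 this special-purpose SSH server:
 .
     ssh -T -p 22 -l root $ipv4 < /path/to/key
 .
 To defeat MiTM-attacks, please ensure that the server fingerprint matches
 .
     $(ssh-keygen -lf /etc/ssh/ssh_host_rsa_key)
 .
 Key(s) that are granted access have the following fingerprint:
 .
EOF

# One fingerprint line per authorized public key.  ssh-keygen can't read from
# STDIN, and ash doesn't have the '<<<' construct, so each pubkey is written to
# a temporary file first.  '-r' keeps backslashes in the key line literal; the
# '|| [ -n "$pk" ]' still processes a last line without a trailing newline.
# Blank and comment lines are skipped rather than handed to ssh-keygen.
while read -r pk || [ -n "$pk" ]; do
	case "$pk" in
		''|'#'*) continue ;;
	esac
	printf '%s\n' "$pk" > "$pkf"
	printf '   - %s\n' "$(ssh-keygen -lf "$pkf")" >> "$template"
done < ~root/.ssh/authorized_keys

cat >> "$template" <<EOF
 .
 Note: This server is ephemeral, and will be replaced with a full-blown
 one toward the end of the installation.
EOF

debconf-loadtemplate ssh-cryptsetup "$template"

# Anything sent to the SSH server is stored into ~root/root.key, which is our
# LUKS key: keep re-showing the prompt until that file exists.
# NOTE(review): under 'set -e' a non-zero return from db_input or db_go (for
# example when the question is skipped or the user backs up) aborts the whole
# script instead of looping — confirm that is the intended behaviour.
until test -r ~root/root.key; do
	db_settitle ssh-cryptsetup/title
	db_input critical ssh-cryptsetup/text
	db_go
done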