blob: 1be33c03d93244640bfc89da1f391335e6df5e19 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
|
Template: base-installer/progress/fripost
Type: text
Description: ${WHAT}
Template: fripost/initrd-ssh-port
Type: string
Default: 22
Description: Listening [address:]port for dropbear:
If port is a range (e.g., 1024-65535), a random port in that range is
chosen. Leaving the question empty is equivalent to specifying the
range of registered port 1024-49151. This is only used for remote
(SSH) unlocking of encrypted disks.
Template: fripost/dropbear-use-openssh-key
Type: boolean
Default: false
Description: Use the same key for dropbear and OpenSSH?
If False, generate a dedicated key for dropbear.
Template: fripost/activate-selinux
Type: boolean
Default: false
Description: Install and activate (in enforcing mode) SELinux?
Note that activating SELinux requires a dummy reboot to label all
files. So if you have full-disk encryption, you'll have to send the
password twice to dropbear.
Template: fripost/keep-media-directory
Type: boolean
Default: false
Description: Keep /media and its kids' entries in the fstab?
/media (and its related entries in the fstab) can safely be removed on
a headless server.
Template: fripost/sshd-fprs_title
Type: text
Description: Reboot in progress
Template: fripost/sshd-fprs_text
Type: note
Description: Press 'continue' to reboot on the new system
Done! After rebooting you should be able to log in into your new
machine:
.
ssh ${USER}@${IPv4}
.
To defeat MiTM-attacks, please ensure (for instance by trying to log in
right now, although it won't be successful before the next reboot) that
the server's public key has the following fingerprint
.
${SSHFPR_SERVER}
.
To unlock the encrypted disk, you need to send the key to the SSH
daemon living in in the initrd:
.
ssh -p ${PORT} -T root@${IPv4} < /path/to/key
.
An attacker successfully mounting a MiTM-attack could get hold of the
encryption key! It is crucial that you match this (single purpose)
server's fingerprint against
.
${SSHFPR_INITRD}
.
Key(s) that are granted access to these two servers have the following
fingerprint:
.
${SSHFPR_AUTHORIZED}
Template: fripost/sshd-fprs-nodropbear_text
Type: note
Description: Press 'continue' to reboot on the new system
Done! After rebooting you should be able to log in into your new
machine:
.
ssh ${USER}@${IPv4}
.
To defeat MiTM-attacks, please ensure (for instance by trying to log in
right now, although it won't be successful before the next reboot) that
the server's public key has the following fingerprint
.
${SSHFPR_SERVER}
.
Key(s) that are granted access to the server have the following
fingerprint:
.
${SSHFPR_AUTHORIZED}
Template: fripost/final-notice
Type: boolean
Default: true
Description: Display the final notice before rebooting?
It's good to show SSH fingerprints, because it defeats MiTM-attacks.
|