diff --git a/README.md b/README.md index c18c9f1..462093d 100644 --- a/README.md +++ b/README.md @@ -13,7 +13,7 @@ Secure AlmaLinux (RHEL) Server setup with LUKS encryption, Tang, TPM and RAID1 f - Remote unlock via Tang server - TPM-based boot verification - mdadm RAID1 + XFS (RHEL standard) -- SSH key-only access with early boot SSH via dropbear +- SSH key-only access with early boot SSH via tinyssh - Best-in-class terminal: zsh + powerlevel10k + evil tmux ## Unlock Strategy @@ -24,7 +24,7 @@ Secure AlmaLinux (RHEL) Server setup with LUKS encryption, Tang, TPM and RAID1 f - No manual intervention required 2. **Manual unlock via SSH** (fallback): - - SSH to server on port 22 (dropbear in early boot) + - SSH to server on port 2222 (tinyssh in early boot) - Enter LUKS passphrase when prompted (twice, once per disk) - Used when automatic unlock fails or is not configured diff --git a/post-install.sh b/post-install.sh index d3fa1ec..ca69003 100755 --- a/post-install.sh +++ b/post-install.sh 
@@ -104,19 +104,18 @@ echo "[+] Installing additional packages..."
 dnf install -y \
 clevis clevis-luks tpm2-tools tpm2-tss \
 tmux neovim python3-pip \
- tree gcc make zlib-devel autoconf automake tar bzip2 || exit 1
+ tree gcc make autoconf automake tar bzip2 || exit 1
 
-# Build and install dropbear from source since AlmaLinux doesn't package it
-echo "[+] Installing dropbear from source..."
+# Build and install tinyssh from source since AlmaLinux doesn't package it
+echo "[+] Installing tinyssh from source..."
 cd /tmp || exit 1
-wget -q https://matt.ucc.asn.au/dropbear/releases/dropbear-2022.83.tar.bz2 || exit 1
-tar xf dropbear-2022.83.tar.bz2 || exit 1
-cd dropbear-2022.83 || exit 1
-./configure --prefix=/usr/local --enable-static || exit 1
-make PROGRAMS="dropbear dropbearkey" MULTI=1 || exit 1
-make install || exit 1
-ln -sf /usr/local/bin/dropbear /usr/bin/dropbear
-ln -sf /usr/local/bin/dropbearkey /usr/bin/dropbearkey
+wget -q https://github.com/janmojzis/tinyssh/archive/refs/tags/20250126.tar.gz || exit 1
+tar xf 20250126.tar.gz || exit 1
+cd tinyssh-20250126 || exit 1
+make || exit 1
+make install PREFIX=/usr/local || exit 1
+ln -sf /usr/local/bin/tinysshd /usr/bin/tinysshd
+ln -sf /usr/local/bin/tinyssh-keyconvert /usr/bin/tinyssh-keyconvert
 
 # Install lsd and bat
 echo "[+] Installing lsd and bat..."
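Review bot: The tinyssh source archive fetched by the `wget -q https://github.com/janmojzis/tinyssh/archive/refs/tags/20250126.tar.gz` line is built and installed without any integrity check, and the resulting tinysshd is what the initramfs exposes on port 2222 before LUKS is unlocked, so a substituted or retagged archive would run right in the passphrase path. Pin the expected digest beside the version and verify before extraction: `echo "<EXPECTED_SHA256>  20250126.tar.gz" | sha256sum -c - || exit 1`. Auto-generated `archive/refs/tags/` tarballs have changed bytes in the past, so a release asset or a vendored copy is the safer thing to pin against. `wget -q` also discards the reason for a failed download; `wget -nv` keeps the one-line diagnostic while staying quiet.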
@@ -188,16 +187,16 @@ fi
 echo "[+] Enabling Clevis for early boot..."
 systemctl enable clevis-luks-askpass.service
 
-# Configure dropbear for remote unlock
-echo "[+] Configuring dropbear for remote unlock..."
+# Configure tinyssh for remote unlock
+echo "[+] Configuring tinyssh for remote unlock..."
 
-# Create dropbear dracut module
-mkdir -p /usr/lib/dracut/modules.d/60dropbear
+# Create tinyssh dracut module
+mkdir -p /usr/lib/dracut/modules.d/60tinyssh
 
-cat > /usr/lib/dracut/modules.d/60dropbear/module-setup.sh << 'EOF'
+cat > /usr/lib/dracut/modules.d/60tinyssh/module-setup.sh << 'EOF'
 #!/bin/bash
 
 check() {
- require_binaries dropbear dropbearkey || return 1
+ require_binaries tinysshd tinyssh-keyconvert || return 1
 return 0
 }
@@ -207,17 +206,17 @@ depends() {
 }
 
 install() {
- inst_multiple dropbear dropbearkey
- mkdir -p "$initdir/etc/dropbear"
+ inst_multiple tinysshd tinyssh-keyconvert ssh-keygen
+ mkdir -p "$initdir/etc/tinyssh"
 
 # Copy authorized keys
- [ -f /etc/dropbear/authorized_keys ] && inst /etc/dropbear/authorized_keys /etc/dropbear/authorized_keys
+ [ -f /etc/tinyssh/authorized_keys ] && inst /etc/tinyssh/authorized_keys /etc/tinyssh/authorized_keys
 
 # Copy host keys
- inst /etc/dropbear/dropbear_*_host_key /etc/dropbear/ 2>/dev/null || true
+ inst /etc/tinyssh/sshkeydir /etc/tinyssh/ 2>/dev/null || true
 
 # Install startup script
- inst_hook cmdline 60 "$moddir/dropbear-start.sh"
+ inst_hook cmdline 60 "$moddir/tinyssh-start.sh"
 
 # Install unlock script
 inst_simple "$moddir/unlock-luks.sh" /bin/unlock-luks
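Review bot: `check()` requires only `tinysshd` and `tinyssh-keyconvert`, but the new `install()` in the following hunk also pulls `ssh-keygen` into the image with `inst_multiple`, so on a host without openssh-clients the module passes its check and the problem surfaces only at image build time, if at all. Keep the two lists in step: `require_binaries tinysshd tinyssh-keyconvert ssh-keygen || return 1`. The heredoc that holds this module continues past the end of this hunk.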
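Review bot: `inst /etc/tinyssh/sshkeydir /etc/tinyssh/ 2>/dev/null || true` applies dracut's file-oriented `inst` to a directory and then discards the outcome, so I believe the converted host keys never reach the initramfs; the `install_items+=" … /etc/tinyssh/sshkeydir "` line in the later dracut.conf hunk names the same directory and has the same question. The consequence is that the start script's fallback runs on every boot and mints fresh keys, so the early-boot host identity changes each boot and administrators are trained to click through host-key mismatch warnings, which is exactly the situation an attacker on the path to the unlock prompt wants. Copy the directory with its contents and fail the build if it is missing, e.g. `inst_recursive /etc/tinyssh/sshkeydir || return 1` (or `inst_dir` plus `inst_multiple` of the files inside, remembering that tinyssh keeps its secret keys as dot-files there, as far as I recall), and drop the `2>/dev/null || true`.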
@@ -225,15 +224,21 @@ install() {
 }
 EOF
 
-cat > /usr/lib/dracut/modules.d/60dropbear/dropbear-start.sh << 'EOF'
+cat > /usr/lib/dracut/modules.d/60tinyssh/tinyssh-start.sh << 'EOF'
 #!/bin/bash
-info "Starting dropbear SSH server on port 2222..."
-[ -d /etc/dropbear ] || mkdir -p /etc/dropbear
-[ -f /etc/dropbear/dropbear_rsa_host_key ] || dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key
-dropbear -E -s -j -k -p 2222 -P /var/run/dropbear.pid
+info "Starting tinyssh SSH server on port 2222..."
+[ -d /etc/tinyssh ] || mkdir -p /etc/tinyssh
+[ -d /etc/tinyssh/sshkeydir ] || {
+ mkdir -p /etc/tinyssh/sshkeydir
+ ssh-keygen -A
+ for key in /etc/ssh/ssh_host_*_key; do
+ [ -f "$key" ] && tinyssh-keyconvert "$key" /etc/tinyssh/sshkeydir/
+ done
+}
+tinysshd -p 2222 /etc/tinyssh/sshkeydir &
 EOF
 
-cat > /usr/lib/dracut/modules.d/60dropbear/unlock-luks.sh << 'EOF'
+cat > /usr/lib/dracut/modules.d/60tinyssh/unlock-luks.sh << 'EOF'
 #!/bin/bash
 echo "Available LUKS devices:"
 ls /dev/mapper/luks-* 2>/dev/null
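Review bot: `tinysshd -p 2222 /etc/tinyssh/sshkeydir &` assumes tinysshd listens on a TCP port itself, but as far as I know it serves one connection on stdin/stdout and has no listen or `-p` option (upstream runs it under tcpserver/inetd or a systemd socket unit), so this line would exit with a usage error and the remote-unlock fallback described in the README would be silently unavailable. Backgrounding with `&` also discards that exit status, and the `info` message is printed before anything has been checked. Since the RHEL initramfs is systemd-based, the robust form is a `tinyssh.socket` unit for port 2222 plus a templated service that execs `tinysshd /etc/tinyssh/sshkeydir` with the connection on its stdio, both installed from module-setup.sh, instead of a cmdline hook starting a daemon. Whatever front-end is chosen, the key fallback above it deserves a comment such as `# Fallback only: keys generated here live in the initramfs and change every boot; the build should have shipped /etc/tinyssh/sshkeydir`.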
@@ -243,22 +248,23 @@ echo "Then: exit"
 /bin/bash
 EOF
 
-chmod +x /usr/lib/dracut/modules.d/60dropbear/*.sh
+chmod +x /usr/lib/dracut/modules.d/60tinyssh/*.sh
 
-# Setup dropbear
-mkdir -p /etc/dropbear
-echo "${SSH_KEY}" > /etc/dropbear/authorized_keys
-chmod 600 /etc/dropbear/authorized_keys
+# Setup tinyssh
+mkdir -p /etc/tinyssh/sshkeydir
+echo "${SSH_KEY}" > /etc/tinyssh/authorized_keys
+chmod 600 /etc/tinyssh/authorized_keys
 
-# Generate host keys
-dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key
-dropbearkey -t ecdsa -f /etc/dropbear/dropbear_ecdsa_host_key
-dropbearkey -t ed25519 -f /etc/dropbear/dropbear_ed25519_host_key
+# Generate host keys using OpenSSH then convert to tinyssh format
+ssh-keygen -A
+for key in /etc/ssh/ssh_host_*_key; do
+ [ -f "$key" ] && tinyssh-keyconvert "$key" /etc/tinyssh/sshkeydir/
+done
 
 # Configure dracut
-cat > /etc/dracut.conf.d/99-dropbear.conf << 'EOF'
-add_dracutmodules+=" network dropbear "
-install_items+=" /etc/dropbear/authorized_keys /etc/dropbear/dropbear_*_host_key "
+cat > /etc/dracut.conf.d/99-tinyssh.conf << 'EOF'
+add_dracutmodules+=" network tinyssh "
+install_items+=" /etc/tinyssh/authorized_keys /etc/tinyssh/sshkeydir "
 EOF
 
 # Regenerate initramfs
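Review bot: Converting `/etc/ssh/ssh_host_*_key` into the tinyssh keydir that `install_items` then ships puts the system's own OpenSSH host private key into the initramfs, and the initramfs lives on the unencrypted /boot outside LUKS, so anyone who can read the disk offline obtains the identity key of the production sshd rather than just that of the early-boot unlock shell. The dropbear setup this replaces used a separate key pair for early boot; keep that separation by generating a dedicated key and converting only it, e.g. `ssh-keygen -t ed25519 -N '' -f /etc/tinyssh/early_boot_ed25519_key || exit 1` followed by `tinyssh-keyconvert /etc/tinyssh/early_boot_ed25519_key /etc/tinyssh/sshkeydir/ || exit 1`. That also removes the loop's silent failures: tinyssh-keyconvert handles ed25519 keys only, to my knowledge, so the rsa and ecdsa iterations fail and the `[ -f "$key" ] && …` form drops their exit status. Record the reasoning above the block, e.g. `# Dedicated early-boot host key: the initramfs sits on unencrypted /boot, so never reuse /etc/ssh/ssh_host_* here`.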