tinyssh over dropbear
This commit is contained in:
parent
ca24354114
commit
0fe95ab969
@ -13,7 +13,7 @@ Secure AlmaLinux (RHEL) Server setup with LUKS encryption, Tang, TPM and RAID1 f
|
|||||||
- Remote unlock via Tang server
|
- Remote unlock via Tang server
|
||||||
- TPM-based boot verification
|
- TPM-based boot verification
|
||||||
- mdadm RAID1 + XFS (RHEL standard)
|
- mdadm RAID1 + XFS (RHEL standard)
|
||||||
- SSH key-only access with early boot SSH via dropbear
|
- SSH key-only access with early boot SSH via tinyssh
|
||||||
- Best-in-class terminal: zsh + powerlevel10k + evil tmux
|
- Best-in-class terminal: zsh + powerlevel10k + evil tmux
|
||||||
|
|
||||||
## Unlock Strategy
|
## Unlock Strategy
|
||||||
@ -24,7 +24,7 @@ Secure AlmaLinux (RHEL) Server setup with LUKS encryption, Tang, TPM and RAID1 f
|
|||||||
- No manual intervention required
|
- No manual intervention required
|
||||||
|
|
||||||
2. **Manual unlock via SSH** (fallback):
|
2. **Manual unlock via SSH** (fallback):
|
||||||
- SSH to server on port 22 (dropbear in early boot)
|
- SSH to server on port 2222 (tinyssh in early boot)
|
||||||
- Enter LUKS passphrase when prompted (twice, once per disk)
|
- Enter LUKS passphrase when prompted (twice, once per disk)
|
||||||
- Used when automatic unlock fails or is not configured
|
- Used when automatic unlock fails or is not configured
|
||||||
|
|
||||||
|
|||||||
@ -104,19 +104,18 @@ echo "[+] Installing additional packages..."
|
|||||||
dnf install -y \
|
dnf install -y \
|
||||||
clevis clevis-luks tpm2-tools tpm2-tss \
|
clevis clevis-luks tpm2-tools tpm2-tss \
|
||||||
tmux neovim python3-pip \
|
tmux neovim python3-pip \
|
||||||
tree gcc make zlib-devel autoconf automake tar bzip2 || exit 1
|
tree gcc make autoconf automake tar bzip2 || exit 1
|
||||||
|
|
||||||
# Build and install dropbear from source since AlmaLinux doesn't package it
|
# Build and install tinyssh from source since AlmaLinux doesn't package it
|
||||||
echo "[+] Installing dropbear from source..."
|
echo "[+] Installing tinyssh from source..."
|
||||||
cd /tmp || exit 1
|
cd /tmp || exit 1
|
||||||
wget -q https://matt.ucc.asn.au/dropbear/releases/dropbear-2022.83.tar.bz2 || exit 1
|
wget -q https://github.com/janmojzis/tinyssh/archive/refs/tags/20250126.tar.gz || exit 1
|
||||||
tar xf dropbear-2022.83.tar.bz2 || exit 1
|
tar xf 20250126.tar.gz || exit 1
|
||||||
cd dropbear-2022.83 || exit 1
|
cd tinyssh-20250126 || exit 1
|
||||||
./configure --prefix=/usr/local --enable-static || exit 1
|
make || exit 1
|
||||||
make PROGRAMS="dropbear dropbearkey" MULTI=1 || exit 1
|
make install PREFIX=/usr/local || exit 1
|
||||||
make install || exit 1
|
ln -sf /usr/local/bin/tinysshd /usr/bin/tinysshd
|
||||||
ln -sf /usr/local/bin/dropbear /usr/bin/dropbear
|
ln -sf /usr/local/bin/tinyssh-keyconvert /usr/bin/tinyssh-keyconvert
|
||||||
ln -sf /usr/local/bin/dropbearkey /usr/bin/dropbearkey
|
|
||||||
|
|
||||||
# Install lsd and bat
|
# Install lsd and bat
|
||||||
echo "[+] Installing lsd and bat..."
|
echo "[+] Installing lsd and bat..."
|
||||||
@ -188,16 +187,16 @@ fi
|
|||||||
echo "[+] Enabling Clevis for early boot..."
|
echo "[+] Enabling Clevis for early boot..."
|
||||||
systemctl enable clevis-luks-askpass.service
|
systemctl enable clevis-luks-askpass.service
|
||||||
|
|
||||||
# Configure dropbear for remote unlock
|
# Configure tinyssh for remote unlock
|
||||||
echo "[+] Configuring dropbear for remote unlock..."
|
echo "[+] Configuring tinyssh for remote unlock..."
|
||||||
|
|
||||||
# Create dropbear dracut module
|
# Create tinyssh dracut module
|
||||||
mkdir -p /usr/lib/dracut/modules.d/60dropbear
|
mkdir -p /usr/lib/dracut/modules.d/60tinyssh
|
||||||
|
|
||||||
cat > /usr/lib/dracut/modules.d/60dropbear/module-setup.sh << 'EOF'
|
cat > /usr/lib/dracut/modules.d/60tinyssh/module-setup.sh << 'EOF'
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
check() {
|
check() {
|
||||||
require_binaries dropbear dropbearkey || return 1
|
require_binaries tinysshd tinyssh-keyconvert || return 1
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -207,17 +206,17 @@ depends() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
install() {
|
install() {
|
||||||
inst_multiple dropbear dropbearkey
|
inst_multiple tinysshd tinyssh-keyconvert ssh-keygen
|
||||||
mkdir -p "$initdir/etc/dropbear"
|
mkdir -p "$initdir/etc/tinyssh"
|
||||||
|
|
||||||
# Copy authorized keys
|
# Copy authorized keys
|
||||||
[ -f /etc/dropbear/authorized_keys ] && inst /etc/dropbear/authorized_keys /etc/dropbear/authorized_keys
|
[ -f /etc/tinyssh/authorized_keys ] && inst /etc/tinyssh/authorized_keys /etc/tinyssh/authorized_keys
|
||||||
|
|
||||||
# Copy host keys
|
# Copy host keys
|
||||||
inst /etc/dropbear/dropbear_*_host_key /etc/dropbear/ 2>/dev/null || true
|
inst /etc/tinyssh/sshkeydir /etc/tinyssh/ 2>/dev/null || true
|
||||||
|
|
||||||
# Install startup script
|
# Install startup script
|
||||||
inst_hook cmdline 60 "$moddir/dropbear-start.sh"
|
inst_hook cmdline 60 "$moddir/tinyssh-start.sh"
|
||||||
|
|
||||||
# Install unlock script
|
# Install unlock script
|
||||||
inst_simple "$moddir/unlock-luks.sh" /bin/unlock-luks
|
inst_simple "$moddir/unlock-luks.sh" /bin/unlock-luks
|
||||||
@ -225,15 +224,21 @@ install() {
|
|||||||
}
|
}
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
cat > /usr/lib/dracut/modules.d/60dropbear/dropbear-start.sh << 'EOF'
|
cat > /usr/lib/dracut/modules.d/60tinyssh/tinyssh-start.sh << 'EOF'
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
info "Starting dropbear SSH server on port 2222..."
|
info "Starting tinyssh SSH server on port 2222..."
|
||||||
[ -d /etc/dropbear ] || mkdir -p /etc/dropbear
|
[ -d /etc/tinyssh ] || mkdir -p /etc/tinyssh
|
||||||
[ -f /etc/dropbear/dropbear_rsa_host_key ] || dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key
|
[ -d /etc/tinyssh/sshkeydir ] || {
|
||||||
dropbear -E -s -j -k -p 2222 -P /var/run/dropbear.pid
|
mkdir -p /etc/tinyssh/sshkeydir
|
||||||
|
ssh-keygen -A
|
||||||
|
for key in /etc/ssh/ssh_host_*_key; do
|
||||||
|
[ -f "$key" ] && tinyssh-keyconvert "$key" /etc/tinyssh/sshkeydir/
|
||||||
|
done
|
||||||
|
}
|
||||||
|
tinysshd -p 2222 /etc/tinyssh/sshkeydir &
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
cat > /usr/lib/dracut/modules.d/60dropbear/unlock-luks.sh << 'EOF'
|
cat > /usr/lib/dracut/modules.d/60tinyssh/unlock-luks.sh << 'EOF'
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
echo "Available LUKS devices:"
|
echo "Available LUKS devices:"
|
||||||
ls /dev/mapper/luks-* 2>/dev/null
|
ls /dev/mapper/luks-* 2>/dev/null
|
||||||
@ -243,22 +248,23 @@ echo "Then: exit"
|
|||||||
/bin/bash
|
/bin/bash
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
chmod +x /usr/lib/dracut/modules.d/60dropbear/*.sh
|
chmod +x /usr/lib/dracut/modules.d/60tinyssh/*.sh
|
||||||
|
|
||||||
# Setup dropbear
|
# Setup tinyssh
|
||||||
mkdir -p /etc/dropbear
|
mkdir -p /etc/tinyssh/sshkeydir
|
||||||
echo "${SSH_KEY}" > /etc/dropbear/authorized_keys
|
echo "${SSH_KEY}" > /etc/tinyssh/authorized_keys
|
||||||
chmod 600 /etc/dropbear/authorized_keys
|
chmod 600 /etc/tinyssh/authorized_keys
|
||||||
|
|
||||||
# Generate host keys
|
# Generate host keys using OpenSSH then convert to tinyssh format
|
||||||
dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key
|
ssh-keygen -A
|
||||||
dropbearkey -t ecdsa -f /etc/dropbear/dropbear_ecdsa_host_key
|
for key in /etc/ssh/ssh_host_*_key; do
|
||||||
dropbearkey -t ed25519 -f /etc/dropbear/dropbear_ed25519_host_key
|
[ -f "$key" ] && tinyssh-keyconvert "$key" /etc/tinyssh/sshkeydir/
|
||||||
|
done
|
||||||
|
|
||||||
# Configure dracut
|
# Configure dracut
|
||||||
cat > /etc/dracut.conf.d/99-dropbear.conf << 'EOF'
|
cat > /etc/dracut.conf.d/99-tinyssh.conf << 'EOF'
|
||||||
add_dracutmodules+=" network dropbear "
|
add_dracutmodules+=" network tinyssh "
|
||||||
install_items+=" /etc/dropbear/authorized_keys /etc/dropbear/dropbear_*_host_key "
|
install_items+=" /etc/tinyssh/authorized_keys /etc/tinyssh/sshkeydir "
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
# Regenerate initramfs
|
# Regenerate initramfs
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user