going back to dropbear

README.md

@@ -13,7 +13,7 @@ Secure AlmaLinux (RHEL) Server setup with LUKS encryption, Tang, TPM and RAID1 f
 - Remote unlock via Tang server
 - TPM-based boot verification
 - mdadm RAID1 + XFS (RHEL standard)
-- SSH key-only access with early boot SSH via tinyssh
+- SSH key-only access with early boot SSH via dropbear
 - Best-in-class terminal: zsh + powerlevel10k + evil tmux
 
 ## Unlock Strategy
@@ -24,7 +24,7 @@ Secure AlmaLinux (RHEL) Server setup with LUKS encryption, Tang, TPM and RAID1 f
    - No manual intervention required
 
 2. **Manual unlock via SSH** (fallback):
-   - SSH to server on port 2222 (tinyssh in early boot)
+   - SSH to server on port 22 (dropbear in early boot)
    - Enter LUKS passphrase when prompted (twice, once per disk)
    - Used when automatic unlock fails or is not configured
 

post-install.sh

@@ -107,16 +107,9 @@ dnf install -y \
   tree gcc make autoconf automake tar bzip2 || exit 1
 
 
-# Build and install tinyssh from source since AlmaLinux doesn't package it
+# Install dropbear and dracut-sshd for early boot SSH
-echo "[+] Installing tinyssh from source..."
+echo "[+] Installing dropbear and dracut-sshd..."
-cd /tmp || exit 1
+dnf install -y dropbear dracut-network dracut-sshd || exit 1
-wget -q https://github.com/janmojzis/tinyssh/archive/refs/tags/20250126.tar.gz || exit 1
-tar xf 20250126.tar.gz || exit 1
-cd tinyssh-20250126 || exit 1
-make || exit 1
-make install PREFIX=/usr/local || exit 1
-ln -sf /usr/local/sbin/tinysshd /usr/bin/tinysshd
-ln -sf /usr/local/sbin/tinysshd-makekey /usr/bin/tinysshd-makekey
 
 # Install lsd and bat
 echo "[+] Installing lsd and bat..."
@@ -184,85 +177,49 @@ if [ ${#TANG_SERVERS[@]} -gt 0 ] || [ "$TPM_ENABLED" = true ]; then
     done
 fi
 
-# Enable Clevis for early boot
+# Enable Clevis for early boot (only needed for AlmaLinux < 8.7)
-echo "[+] Enabling Clevis for early boot..."
+echo "[+] Configuring Clevis for early boot..."
+OS_VERSION=$(cat /etc/redhat-release | grep -oE '[0-9]+\.[0-9]+' | head -1)
+if [[ "$(echo "$OS_VERSION < 8.7" | bc)" -eq 1 ]]; then
+    echo "  - Enabling clevis-luks-askpass.path for AlmaLinux $OS_VERSION"
     systemctl enable clevis-luks-askpass.path || true
-
+else
-# Configure tinyssh for remote unlock
+    echo "  - AlmaLinux $OS_VERSION: clevis-luks-askpass.path not needed"
-echo "[+] Configuring tinyssh for remote unlock..."
-
-# Create tinyssh dracut module
-mkdir -p /usr/lib/dracut/modules.d/90tinyssh
-
-cat > /usr/lib/dracut/modules.d/90tinyssh/module-setup.sh << 'EOF'
-#!/bin/bash
-
-check() {
-    require_binaries tinysshd tinysshd-makekey nc
-}
-
-depends() {
-    echo network
-}
-
-install() {
-    inst_multiple tinysshd tinysshd-makekey nc
-    
-    inst_dir /etc/tinyssh
-    
-    # Copy authorized keys
-    if [[ -f /etc/tinyssh/authorized_keys ]]; then
-        inst /etc/tinyssh/authorized_keys /etc/tinyssh/authorized_keys
 fi
 
-    # Copy host keys directory
+# Configure dropbear for remote unlock
-    if [[ -d /etc/tinyssh/sshkeydir ]]; then
+echo "[+] Configuring dropbear SSH for remote unlock..."
-        cp -r /etc/tinyssh/sshkeydir "$initdir/etc/tinyssh/"
-    fi
 
-    # Install startup script
+# Setup dropbear directory
-    inst_hook cmdline 60 "$moddir/tinyssh-start.sh"
+mkdir -p /etc/dropbear
 
-    # Install unlock script
+# Add SSH key for initramfs access
-    inst_simple "$moddir/unlock-luks.sh" /bin/unlock-luks
+echo "${SSH_KEY}" > /etc/dropbear/initramfs.authorized_keys
-    chmod +x "$initdir/bin/unlock-luks"
+chmod 600 /etc/dropbear/initramfs.authorized_keys
-}
+
+# Configure dracut to include dropbear
+cat > /etc/dracut.conf.d/99-dropbear-sshd.conf << 'EOF'
+# Enable network and SSH in initramfs
+add_dracutmodules+=" network sshd "
+# Ensure we wait for network
+rd_neednet=1
 EOF
 
-cat > /usr/lib/dracut/modules.d/90tinyssh/tinyssh-start.sh << 'EOF'
+# Create a helper script for LUKS unlocking
-#!/bin/bash
+cat > /usr/local/bin/cryptroot-unlock << 'EOF'
-info "Starting tinyssh SSH server on port 2222..."
-[ -d /etc/tinyssh ] || mkdir -p /etc/tinyssh
-[ -d /etc/tinyssh/sshkeydir ] || tinysshd-makekey /etc/tinyssh/sshkeydir
-while true; do
-    nc -l -p 2222 -e "tinysshd -l /etc/tinyssh/sshkeydir"
-done &
-EOF
-
-cat > /usr/lib/dracut/modules.d/90tinyssh/unlock-luks.sh << 'EOF'
 #!/bin/bash
+echo "Starting LUKS unlock process..."
 echo "Available LUKS devices:"
-ls /dev/mapper/luks-* 2>/dev/null
+ls /dev/mapper/luks-* 2>/dev/null || echo "No LUKS devices found yet"
-echo "Run: systemctl start systemd-cryptsetup@<device>.service"
+echo ""
-echo "Or use: cryptsetup luksOpen /dev/md/<X> <name>"
+echo "Triggering password prompts..."
-echo "Then: exit"
+systemd-tty-ask-password-agent
-/bin/bash
 EOF
+chmod +x /usr/local/bin/cryptroot-unlock
 
-chmod +x /usr/lib/dracut/modules.d/90tinyssh/*.sh
+# Ensure the helper script is available in initramfs
-
+cat >> /etc/dracut.conf.d/99-dropbear-sshd.conf << 'EOF'
-# Setup tinyssh
+install_items+=" /usr/local/bin/cryptroot-unlock "
-mkdir -p /etc/tinyssh
-echo "${SSH_KEY}" > /etc/tinyssh/authorized_keys
-chmod 600 /etc/tinyssh/authorized_keys
-
-# Generate host keys using tinyssh directly
-tinysshd-makekey /etc/tinyssh/sshkeydir
-
-# Configure dracut
-cat > /etc/dracut.conf.d/99-tinyssh.conf << 'EOF'
-add_dracutmodules+=" network tinyssh "
-install_items+=" /etc/tinyssh/authorized_keys /etc/tinyssh/sshkeydir "
 EOF
 
 # Regenerate initramfs