From dcbbede79248736154a5c817fe84cc767c2cae22 Mon Sep 17 00:00:00 2001
From: Dominik Roth
Date: Tue, 13 May 2025 18:43:59 +0200
Subject: [PATCH] dropbear ssh

---
 README.md | 4 ++--
 build.py  | 11 +++++++++++
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 669a9c7..cb2a885 100644
--- a/README.md
+++ b/README.md
@@ -15,7 +15,6 @@ Secure Fedora Server setup with LUKS encryption, TPM, and BTRFS RAID1 with focus
 - BTRFS RAID1 for data redundancy
 - Dedicated database subvolume with `nodatacow` and `noatime`
 - Automated deployment to Hetzner
-- Kickstart-based automated installation
 
 ## Security Model
 
@@ -26,7 +25,8 @@ The system uses multiple methods to unlock the LUKS volumes:
    - Tang server provides remote unlock capability
    - Both must succeed for automatic unlock
 2. **Fallback Method**: Manual passphrase
-   - Available via SSH if primary method fails
+   - Available via SSH before LUKS unlock
+   - Uses dropbear for early SSH access
    - Can be used for recovery or maintenance
 
 ### TPM Updates
diff --git a/build.py b/build.py
index e334757..28c7af1 100644
--- a/build.py
+++ b/build.py
@@ -323,6 +323,7 @@ systemd
 curl
 shim-x64
 grub2-efi-x64
+dropbear
 %end
 
 # Pre-installation script
@@ -382,6 +383,16 @@ UUID=$BTRFS_UUID /home btrfs subvol=@home,compress=zstd,raid1 0 0
 UUID=$BTRFS_UUID /db btrfs subvol=@db,nodatacow,noatime,compress=zstd,raid1 0 0
 EOF
 
+    # Configure dropbear for early SSH access
+    printf "Configuring early SSH access...\r\n" > /dev/tty1
+    mkdir -p /etc/dropbear
+    echo "{config['admin_ssh_key']}" > /etc/dropbear/authorized_keys
+    chmod 600 /etc/dropbear/authorized_keys
+
+    # Enable dropbear for early SSH
+    systemctl enable dropbear
+    systemctl enable dropbear.socket
+
     # Enable services
     printf "Enabling system services...\r\n" > /dev/tty1
     systemctl enable clevis-luks-askpass.service
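Review bot: `systemctl enable dropbear` / `systemctl enable dropbear.socket` in the %post block enables dropbear in the installed root filesystem, which only starts after the LUKS volumes are already open, so nothing in this hunk provides the pre-unlock SSH access the README hunk now promises — that would require dropbear and network bring-up to be included in the initramfs through dracut, which the `+dropbear` line in the %packages hunk alone does not do. Relatedly, `/etc/dropbear/authorized_keys` is the path used by Debian's initramfs integration; as far as I know Fedora's stock dropbear service authenticates against the login user's `~/.ssh/authorized_keys`, so the key file written here is probably never consulted — confirm against the unit files shipped in the package. Enabling both the service and the socket for the same listener is also suspect (double activation, or a port 22 clash with sshd if it is enabled elsewhere); pick one and say why in the comment. Finally, the key is pasted into a double-quoted `echo` in generated shell, so a `"`, `$` or backtick inside `admin_ssh_key` would break or be expanded when %post runs; a quoted heredoc such as `cat > /etc/dropbear/authorized_keys <<'KEY'` with the key on its own line avoids that. The enclosing %post script begins outside the hunk.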