dodox/nullpoint
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: dodox:c19ec14cfd115b967ff701b22e1ed696c4734c04
Branches Tags
dodox:master
dodox:legacy
..
compare: dodox:aa9bac2c5bb219e9ff0f4aa5d5180bbaae1fa497
Branches Tags
dodox:master
dodox:legacy

No commits in common. "c19ec14cfd115b967ff701b22e1ed696c4734c04" and "aa9bac2c5bb219e9ff0f4aa5d5180bbaae1fa497" have entirely different histories.
c19ec14cfd ... aa9bac2c5b

1 changed files with 33 additions and 78 deletions
Show Stats Expand all files Collapse all files

101
post-install.sh
View File

@ -229,12 +229,14 @@ install() {
inst /etc/dropbear/authorized_keys /root/.ssh/authorized_keys inst /etc/dropbear/authorized_keys /root/.ssh/authorized_keys
fi fi
# Install ED25519 host key only # Generate host keys if they don't exist
keyfile="/etc/dropbear/dropbear_ed25519_host_key" for keytype in rsa ecdsa ed25519; do
keyfile="/etc/dropbear/dropbear_${keytype}_host_key"
if [ ! -f "$keyfile" ]; then if [ ! -f "$keyfile" ]; then
dropbearkey -t ed25519 -f "$keyfile" 2>/dev/null dropbearkey -t $keytype -f "$keyfile" 2>/dev/null
fi fi
[ -f "$keyfile" ] && inst "$keyfile" [ -f "$keyfile" ] && inst "$keyfile"
done
# Install the service # Install the service
inst_simple "$moddir/dropbear.service" /etc/systemd/system/dropbear.service inst_simple "$moddir/dropbear.service" /etc/systemd/system/dropbear.service
@ -269,45 +271,15 @@ cat > /usr/lib/dracut/modules.d/60dropbear-ssh/unlock-luks.sh << 'EOF'
#!/bin/bash #!/bin/bash
echo "=== LUKS Remote Unlock Helper ===" echo "=== LUKS Remote Unlock Helper ==="
echo "" echo ""
echo "Checking for encrypted devices..." echo "Available block devices:"
lsblk -o NAME,SIZE,TYPE,FSTYPE
# Show block devices if available
if command -v lsblk >/dev/null 2>&1; then
echo "Block devices:"
lsblk -o NAME,SIZE,TYPE,FSTYPE 2>/dev/null || echo " (lsblk not available)"
else
echo "Block devices: (listing /dev/sd* and /dev/md*)"
ls -la /dev/sd* /dev/md* 2>/dev/null || echo " No standard devices found"
fi
echo "" echo ""
echo "Encrypted devices status:" echo "Encrypted devices waiting for unlock:"
# Check for LUKS devices waiting to be unlocked systemd-ask-password --list
for dev in /dev/mapper/luks-*; do
if [ -e "$dev" ]; then
echo " Found: $dev"
fi
done
# Check systemd-ask-password files directly
if [ -d /run/systemd/ask-password ]; then
echo ""
echo "Password prompts waiting:"
ls -la /run/systemd/ask-password/ 2>/dev/null
fi
echo "" echo ""
echo "Starting unlock process..." echo "To unlock, run: systemd-tty-ask-password-agent"
echo "Enter your LUKS passphrase when prompted:"
echo "" echo ""
exec systemd-tty-ask-password-agent
# Run the password agent
if command -v systemd-tty-ask-password-agent >/dev/null 2>&1; then
systemd-tty-ask-password-agent
else
echo "ERROR: systemd-tty-ask-password-agent not found!"
echo "Try running: /lib/systemd/systemd-tty-ask-password-agent"
fi
EOF EOF
chmod +x /usr/lib/dracut/modules.d/60dropbear-ssh/*.sh chmod +x /usr/lib/dracut/modules.d/60dropbear-ssh/*.sh
@ -317,43 +289,26 @@ mkdir -p /etc/dropbear
echo "${SSH_KEY}" > /etc/dropbear/authorized_keys echo "${SSH_KEY}" > /etc/dropbear/authorized_keys
chmod 600 /etc/dropbear/authorized_keys chmod 600 /etc/dropbear/authorized_keys
# Generate ED25519 host key only (most secure) # Generate host keys and display SHA256 fingerprints
echo "[+] Generating ED25519 SSH host key..." echo "[+] Generating SSH host keys..."
for keytype in rsa ecdsa ed25519; do
keyfile="/etc/dropbear/dropbear_${keytype}_host_key"
if [ ! -f "$keyfile" ]; then
echo " - Generating $keytype key..."
dropbearkey -t $keytype -f "$keyfile" | grep -v "Generating" || true
# Use system SSH key if available, otherwise generate dropbear key # Extract and display SHA256 fingerprint for ed25519
openssh_key="/etc/ssh/ssh_host_ed25519_key" if [ "$keytype" = "ed25519" ] && command -v ssh-keygen >/dev/null 2>&1; then
dropbear_key="/etc/dropbear/dropbear_ed25519_host_key" # Convert dropbear key to OpenSSH format and get SHA256 fingerprint
dropbearkey -y -f "$keyfile" | grep "^ssh-" > "/tmp/dropbear_${keytype}.pub"
if [ -f "$openssh_key" ] && command -v dropbearconvert >/dev/null 2>&1; then fingerprint=$(ssh-keygen -lf "/tmp/dropbear_${keytype}.pub" -E sha256 2>/dev/null | awk '{print $2}')
echo " Converting existing OpenSSH ED25519 key to dropbear format..."
dropbearconvert openssh dropbear "$openssh_key" "$dropbear_key" 2>/dev/null || {
echo " Conversion failed, generating new dropbear key..."
dropbearkey -t ed25519 -f "$dropbear_key" | grep -v "Generating" || true
}
elif [ ! -f "$dropbear_key" ]; then
echo " Generating new ED25519 key..."
dropbearkey -t ed25519 -f "$dropbear_key" | grep -v "Generating" || true
# Also generate OpenSSH format to prevent key mismatch after boot
if command -v ssh-keygen >/dev/null 2>&1; then
echo " Generating matching OpenSSH key..."
mkdir -p /etc/ssh
# Extract public key and generate OpenSSH private key
dropbearkey -y -f "$dropbear_key" | grep "^ssh-" > "${openssh_key}.pub"
# Note: Direct conversion from dropbear to openssh private key requires dropbearconvert
# For now, we'll have different keys but document the solution
fi
fi
# Display SHA256 fingerprint
if command -v ssh-keygen >/dev/null 2>&1; then
fingerprint=$(dropbearkey -y -f "$dropbear_key" | ssh-keygen -lf - -E sha256 2>/dev/null | awk '{print $2}')
if [ -n "$fingerprint" ]; then if [ -n "$fingerprint" ]; then
echo " SHA256 fingerprint: $fingerprint" echo " - ED25519 SHA256 fingerprint: $fingerprint"
echo " Note: This is the initramfs (rescue) SSH fingerprint."
echo " The normal system SSH may have a different fingerprint."
fi fi
fi rm -f "/tmp/dropbear_${keytype}.pub"
fi
fi
done
# Configure dracut # Configure dracut
cat > /etc/dracut.conf.d/60-dropbear-ssh.conf << 'EOF' cat > /etc/dracut.conf.d/60-dropbear-ssh.conf << 'EOF'