[pkg-cryptsetup-devel] Bug#465902: Alternative approach with OpenSSH.
aszlig
"^[0-9]+$" at redmoonstudios.de
Fri Nov 28 01:53:20 UTC 2008
hullo,
hm, i guess i'm a bit late, but i have written something like this
before for OpenSSH. It doesn't support multiple targets and other
things i just forgot in this whole discussion, but maybe you could use
parts of it.
it is implemented as a single hook script in /etc/initramfs-tools/hooks/
and it requires you to omit the root partition in /etc/crypttab
(currently just to avoid the need to patch any debian packages).
configuration is currently in the hook script itself, in the conf_*
variables, so it's maybe a good idea to move this to /etc/default or
something like that =)
a!
--
aszlig
Universal dilettante
RedMoonStudios
-------------- next part --------------
#!/bin/sh
# Hook names this hook must run after; none, so the list is empty
# (it is echoed back by prereqs below).
PREREQ=''
# Print the PREREQ list for the initramfs-tools "prereqs" query.
# Outputs: the value of PREREQ followed by a newline, on stdout.
prereqs() {
  printf '%s\n' "$PREREQ"
}
# Answer the prereqs query and stop; everything after this is the real hook.
if [ "$1" = "prereqs" ]; then
  prereqs
  exit 0
fi
# initramfs-tools helper functions (copy_exec etc.), sourced into this shell.
. /usr/share/initramfs-tools/hook-functions
# configuration
# Interface whose /etc/network/interfaces stanza is replayed at boot, the
# LUKS container holding the root filesystem, and the device-mapper name it
# is opened under.  TODO: move these to /etc/default (see the cover mail).
conf_nic_interface="eth0";
conf_root_partition="/dev/your_root_device";
conf_luks_mappername="root";
# The option lines of the "iface <conf_nic_interface>" stanza, up to the next
# blank line, minus the (unindented) iface line itself.
# NOTE(review): the interface name is spliced unquoted into the regex and only
# has to match as a prefix, so "eth0" would also pick up an "eth0:1" stanza;
# keep it a plain literal name.
niclist="$(sed -n '/^\s*iface\s*'"$conf_nic_interface"'/,/^\s*$/{/^iface/d;/^\s*$/d;p}' /etc/network/interfaces)";
# No stanza, or a stanza without option lines: give up.  Exiting non-zero
# from a hook presumably aborts the initramfs build — confirm.
[ "x$niclist" = "x" ] && exit 1;
# Everything except the gateway line, flattened onto one line by the
# deliberately unquoted inner $(echo ...) (word-splitting is the point),
# with a leading "address" keyword stripped so the rest can be handed to
# ifconfig verbatim, e.g. "192.0.2.10 netmask 255.255.255.0" (constructed
# example).  The anchored sed only strips "address" when the address line is
# the first option in the stanza — TODO confirm that is always the case.
ifconfig_args="$(echo $(echo "$niclist" | grep -v '^[[:space:]]*gateway[[:space:]]') | sed 's/^\s*address\s*//')";
# First word after "gateway"; empty when the stanza has no gateway line.
gateway="$(echo "$niclist" | sed -n 's/^\s*gateway\s*\([^ ]\+\).*$/\1/p')";
# Generate the boot-time script that brings the network up, starts sshd and
# waits until the remote side has unlocked the root device.  The here-doc is
# unquoted on purpose: conf_* / ifconfig_args / gateway are expanded now, at
# image build time, while the \$-escaped expansions survive for boot time.
cat > "$DESTDIR/scripts/local-top/crypt_remote_luks" <<NETSCRIPT
#!/bin/sh
PREREQ="";
prereqs()
{
echo "\$PREREQ";
}
case "\$1" in
prereqs)
prereqs;
exit 0;
;;
esac;
# Static network setup, values taken from /etc/network/interfaces at build
# time.  If the stanza had no gateway line the route command runs with an
# empty argument and fails; nothing checks its status, so boot goes on.
/sbin/ifconfig "$conf_nic_interface" $ifconfig_args;
/sbin/route add default gw $gateway;
# sshd needs pty devices for interactive sessions.
/bin/mkdir -p /dev/pts;
[ -e /dev/ptmx ] || /bin/mknod -m 666 /dev/ptmx c 5 2;
/bin/mount -t devpts devpts /dev/pts;
/sbin/modprobe -q dm_crypt;
# Privilege separation is off: the generated /etc/passwd holds only root, so
# sshd runs entirely as root here.  Its exit status is not checked; if it
# fails to start, the polling loop below never ends and boot hangs.
/usr/sbin/sshd -oUsePrivilegeSeparation=no;
# /mountme.sh (root's login shell in the image) creates this stamp after a
# successful luksOpen.  Poll for it, then tear sshd and the network down.
while [ ! -e /crypt_done_stamp ]; do sleep 1; done;
/bin/kill \$(/bin/pidof sshd);
/bin/umount /dev/pts;
/sbin/ifconfig $conf_nic_interface down;
NETSCRIPT
# Binaries the boot-time script and the ssh sessions invoke explicitly, plus
# the loader cache; copy_exec is the initramfs-tools helper sourced above.
for path in /sbin/ifconfig /sbin/route /bin/login /bin/kill /bin/pidof /etc/ld.so.cache; do
  copy_exec "$path"
done
# Name-service switch and timezone data for the image.
cp -a /etc/nsswitch.conf "$DESTDIR/etc"
cp -a /etc/localtime "$DESTDIR/etc"
chmod +x "$DESTDIR/scripts/local-top/crypt_remote_luks"
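# Copy every regular file of the packages sshd and PAM need into the image.
# The list is read line by line: the former unquoted $(dpkg -L ...) would
# word-split and glob-expand path names containing spaces or wildcards.
dpkg -L openssh-server libpam-modules libpam0g libpam-runtime zlib1g libc6 |
while IFS= read -r file; do
  # dpkg -L also lists directories; only regular files are copied.
  [ -f "$file" ] || continue
  target_dir="$DESTDIR/$(dirname "${file##/}")"
  mkdir -p "$target_dir"
  if [ -x "$file" ]; then
    # executable files (binaries and most shared libraries) go through
    # copy_exec so their library dependencies come along
    copy_exec "$file"
  else
    cp -a "$file" "$target_dir"
  fi
done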
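# Replace whatever the package file lists put into etc/ssh and etc/pam.d with
# the host's live configuration.  ${DESTDIR:?} aborts the hook if DESTDIR is
# unset or empty instead of running "rm -rf /etc/ssh /etc/pam.d" on the host.
# NOTE(review): /etc/ssh is copied wholesale, so the host's sshd private host
# keys (normally kept there) end up inside the initramfs image; that image
# file must therefore not be readable by other users.
rm -rf "${DESTDIR:?}/etc/ssh" "${DESTDIR:?}/etc/pam.d"
cp -a /etc/ssh "${DESTDIR}/etc"
cp -a /etc/pam.d "${DESTDIR}/etc"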
# Root's login shell inside the image: open the root container and, when
# that succeeds, drop the stamp file crypt_remote_luks polls for.  Unquoted
# here-doc: the conf_* values are baked in at build time, \$? stays for boot.
cat > "${DESTDIR}/mountme.sh" <<MOUNTER
#!/bin/sh
/sbin/cryptsetup luksOpen "${conf_root_partition}" "${conf_luks_mappername}"
[ \$? -eq 0 ] && touch /crypt_done_stamp
MOUNTER
chmod +x "${DESTDIR}/mountme.sh"
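# Minimal account database for the image plus root's ssh files.  With an
# empty DESTDIR the redirections below would overwrite the host's own
# /etc/passwd, /etc/group and /etc/shadow, so insist on it being set.
: "${DESTDIR:?DESTDIR must be set by initramfs-tools}"
# NOTE(review): cp -a copies all of /root/.ssh.  authorized_keys is what sshd
# needs; any private keys or known_hosts kept there are copied into the image
# as well.
if [ -d /root/.ssh ]; then
  mkdir -p "${DESTDIR}/root"
  cp -a /root/.ssh "${DESTDIR}/root"
fi
# root is the only account; its shell is /mountme.sh, so a successful login
# goes straight into luksOpen.
echo "root:x:0:0:root:/root:/mountme.sh" > "${DESTDIR}/etc/passwd"
getent group root > "${DESTDIR}/etc/group"
# root's real password hash goes into the image (so password logins against
# it can work); the redirection creates the file with the build umask, so
# tighten its mode explicitly.
getent shadow root > "${DESTDIR}/etc/shadow"
chmod 0600 "${DESTDIR}/etc/shadow"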
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/pkg-cryptsetup-devel/attachments/20081128/e38841e9/attachment.pgp