V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-09-04 21:16:48 +02:00
parent 181e3e91d9
commit 3e3cd1cea2
4 changed files with 43 additions and 11 deletions
--- a/ciss_debian_installer.sh
+++ b/ciss_debian_installer.sh
@@ -12,7 +12,6 @@

 ### Contributions so far see ./docs/CREDITS.md

-# TODO: SSHFP Dropbear Keys Generate
 # TODO: Install zsh Tools, eza
 # TODO: Implement this function 4215_check_crypttab.sh
 # TODO: Implement this function 4435_hardening_fail2ban.sh
@@ -291,7 +290,6 @@ info_echo "4220_installation_cryptsetup.sh"
 installation_cryptsetup
 info_echo "4230_installation_grub.sh"
 installation_grub
-
 if [[ "${VAR_GRUB_PASSWORD}" == "true" ]]; then
  info_echo "4240_update_grub_password.sh"
  update_grub_password
@@ -302,12 +300,14 @@ update_grub_bootparameter
 ### CDI_4300
 info_echo "4300_installation_network.sh"
 installation_network
-info_echo "4310_dropbear_build.sh"
-dropbear_build
-info_echo "4311_dropbear_initramfs.sh"
-dropbear_initramfs
-info_echo "4312_dropbear_setup.sh"
-dropbear_setup
+if [[ "${dropbear_boot}" == "true" ]]; then
+  info_echo "4310_dropbear_build.sh"
+  dropbear_build
+  info_echo "4311_dropbear_initramfs.sh"
+  dropbear_initramfs
+  info_echo "4312_dropbear_setup.sh"
+  dropbear_setup
+fi
 info_echo "4320_update_initramfs.sh"
 update_initramfs

--- a/func/cdi_4300_network/4312_dropbear_setup.sh
+++ b/func/cdi_4300_network/4312_dropbear_setup.sh
@@ -100,7 +100,7 @@ dropbear_setup() {
  install -D -m 0640 -o root -g root "${VAR_SETUP_PATH}${dropbear_sig_file}" \
    "${TARGET}/etc/initramfs-tools/files/"
  install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}${dropbear_pub_key}" \
-    "${TARGET}/root/.ciss/keys/"
+    "${TARGET}/root/.ciss/cdi/keys/"

  ### Install the script to be called inside the Host environment for signing 'unlock_wrapper.sh'-script.
  install -D -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/files/unlock_wrapper_signer.sh" \
--- a/func/cdi_4400_hardening/4420_installation_ssh.sh
+++ b/func/cdi_4400_hardening/4420_installation_ssh.sh
@@ -34,7 +34,7 @@ installation_ssh() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -a ary_user=()
  declare -i i=0
-  declare    var_auth="" var_name="" var_ca=""
+  declare    var_auth="" var_name="" var_ca="" var_pub=""

  chroot_exec "${TARGET}" apt-get install -y --no-install-recommends --no-install-suggests ssh

@@ -106,6 +106,18 @@ installation_ssh() {

  chroot_script "${TARGET}" "ssh-keygen -r ${VAR_FINAL_FQDN}. >| /root/.ciss/cdi/log/SSHFP.log"

+  if [[ "${dropbear_boot}" == "true" ]]; then
+
+    printf "### Dropbear SSHFP RR: \n" >> "${TARGET}/root/.ciss/cdi/log/SSHFP.log"
+
+    for var_pub in "${TARGET}"/etc/dropbear/initramfs/dropbear*key*.pub; do
+
+      chroot_script "${TARGET}" "ssh-keygen -E sha256 -r ${VAR_FINAL_FQDN}. -f ${var_pub} >> /root/.ciss/cdi/log/SSHFP.log"
+
+    done
+
+  fi
+
  ###########################################################################################
  # The file /etc/profile.d/idle-users.sh is created to set the read-only                   #
  # environment variables: TMOUT                                                            #
--- a/includes/target/etc/initramfs-tools/hooks/9999-custom-initramfs.sh
+++ b/includes/target/etc/initramfs-tools/hooks/9999-custom-initramfs.sh
@@ -29,6 +29,7 @@ if [ ! -e /etc/initramfs-tools/files/unlock_wrapper.sh ]; then
  exit 1
 fi

+
 ### Ensure directory structure in initramfs
 mkdir -p "${DESTDIR}/usr/bin"
 mkdir -p "${DESTDIR}/etc/keys"
@@ -37,66 +38,81 @@ mkdir -p "${DESTDIR}/etc/initramfs-tools/conf.d"
 mkdir -p "${DESTDIR}/etc/initramfs-tools/scripts/init-premount"
 mkdir -p "${DESTDIR}/usr/sbin"

+
 ### Include bash
 copy_exec /usr/bin/bash /usr/bin/bash
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/bash /usr/bin/bash] \n\e[0m"

+
 ### Include blkid
 copy_exec /usr/sbin/blkid /usr/sbin/blkid
 printf "\e[92mSuccessfully executed: [copy_exec /usr/sbin/blkid /usr/sbin/blkid] \n\e[0m"

+
 ### Include busybox
 copy_exec /usr/bin/busybox /usr/busybox
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/busybox /usr/busybox] \n\e[0m"

+
 ### Include GNU coreutils 'sort' (has -V)
 copy_exec /usr/bin/sort /usr/bin/sort
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sort /usr/bin/sort] \n\e[0m"

+
 ### Include gpgv
 copy_exec /usr/bin/gpgv /usr/bin/gpgv
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/gpgv /usr/bin/gpgv] \n\e[0m"

+
 ### Include lsblk
 copy_exec /usr/bin/lsblk /usr/bin/lsblk
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/lsblk /usr/bin/lsblk] \n\e[0m"

+
 ### Include mkpasswd
 copy_exec /usr/bin/mkpasswd /usr/mkpasswd
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/mkpasswd /usr/mkpasswd] \n\e[0m"

+
 ### Include udevadm (udev management tool)
 copy_exec /usr/bin/udevadm /usr/bin/udevadm
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/udevadm /usr/bin/udevadm] \n\e[0m"

+
 ### Include sha384sum, sha512sum
 copy_exec /usr/bin/sha384sum /usr/bin/sha384sum
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sha384sum /usr/bin/sha384sum ] \n\e[0m"
 copy_exec /usr/bin/sha512sum /usr/bin/sha512sum
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sha512sum /usr/bin/sha512sum] \n\e[0m"

+
 ### Include tree
 copy_exec /usr/bin/tree /usr/bin/tree
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/tree /usr/bin/tree] \n\e[0m"

+
 ### Include whois
 copy_exec /usr/bin/whois /usr/bin/whois
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/whois /usr/bin/whois] \n\e[0m"

+
 ### Link busybox applets for compatibility
 for dir in bin usr/bin; do
  ln -sf busybox "${DESTDIR}/${dir}/cat"
  ln -sf busybox "${DESTDIR}/${dir}/sleep"
 done

+
 ### Install Dropbear firewall configuration
 install -m 0444 /etc/initramfs-tools/files/dropbear_fw.conf "${DESTDIR}/etc/initramfs-tools/conf.d/dropbear_fw.conf"
 printf "\e[92mSuccessfully executed: [install -m 0444 /etc/initramfs-tools/files/dropbear_fw.conf %s/etc/initramfs-tools/conf.d/dropbear_fw.conf] \n\e[0m" "${DESTDIR}"

+
 ### Install Dropbear configuration
 install -m 0444 /etc/dropbear/initramfs/dropbear.conf "${DESTDIR}/etc/dropbear/dropbear.conf"
 printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/dropbear.conf %s/etc/dropbear/dropbear.conf] \n\e[0m" "${DESTDIR}"

+
 ### Install Dropbear 'cryptroot-unlock'-Wrapper
 install -m 0555 /etc/initramfs-tools/files/unlock_wrapper.sh "${DESTDIR}/usr/local/bin/unlock_wrapper.sh"
 printf "\e[92mSuccessfully executed: [install -m 0555 /etc/initramfs-tools/files/unlock_wrapper.sh %s/usr/local/bin/unlock_wrapper.sh] \n\e[0m" "${DESTDIR}"
@@ -107,13 +123,17 @@ printf "\e[92mSuccessfully executed: [install -m 0444 /etc/initramfs-tools/files
 install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512.sig "${DESTDIR}/usr/local/bin/unlock_wrapper.sh.sha512.sig"
 printf "\e[92mSuccessfully executed: [install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512.sig %s/usr/local/bin/unlock_wrapper.sh.sha512.sig] \n\e[0m" "${DESTDIR}"

+
 ### Install PGP Signing Keys
-install -m 0444 /root/.ciss/keys/unlock_wrapper_pubring.pgp "${DESTDIR}/etc/keys/unlock_wrapper_pubring.gpg"
+install -m 0444 /root/.ciss/cdi/keys/unlock_wrapper_pubring.pgp "${DESTDIR}/etc/keys/unlock_wrapper_pubring.gpg"
+printf "\e[92mSuccessfully executed: [install -m 0444 /root/.ciss/cdi/keys/unlock_wrapper_pubring.pgp %s/etc/keys/unlock_wrapper_pubring.gpg] \n\e[0m" "${DESTDIR}"
+

 ### Install Dropbear Banner
 install -m 0444 /etc/dropbear/initramfs/banner "${DESTDIR}/etc/dropbear/banner"
 printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/banner %s/etc/dropbear/banner] \n\e[0m" "${DESTDIR}"

+
 printf "\e[92mSuccessfully executed: [/etc/initramfs-tools/hooks/9999-custom-initramfs.sh] \n\e[0m"

 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh