V8.00.000.2025.06.17
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
@@ -756,7 +756,7 @@ user:
|
||||
protected: true # Prevent unintentional edits or deletions.
|
||||
shell: /bin/zsh # Login shell (e.g., '/bin/bash', '/bin/zsh'); use '/usr/sbin/nologin' for non-interactive users.
|
||||
password: ""
|
||||
sshpubkey: ""
|
||||
sshpubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
|
||||
authentication:
|
||||
access:
|
||||
ssh: false # Allow SSH access.
|
||||
|
||||
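Review bot: The new `sshpubkey: "ssh-ed25519 …"` line bakes a concrete public key into the default user record, so every image built from this profile will trust the holder of the matching private key unless a later step strips it. The same record carries `password: ""` and `access.ssh: false`, and the hunk does not show whether the key is still written to the user's authorized keys when SSH access is disabled, so the precedence between the two settings should be stated. The key comment suggests it is a live-ISO demo key; a comment on the line would make that reviewable, e.g. `# Public half of the live-ISO build key only; replace or blank before producing non-demo images.` The `user:` mapping starts before the hunk.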
@@ -16,7 +16,10 @@ guard_sourcing
|
||||
# Build Ultra Hardened dropbear-2025.88 from sources.
|
||||
# Globals:
|
||||
# DIR_TMP
|
||||
# ERR_PATH_NOT_VALID
|
||||
# PATH
|
||||
# PATH_SEPARATOR
|
||||
# SHELLOPTS
|
||||
# VAR_DEBUG_TRACE
|
||||
# VAR_SETUP_PATH
|
||||
# Arguments:
|
||||
# None
|
||||
@@ -38,11 +41,11 @@ dropbear_build() {
|
||||
cp "${VAR_SETUP_PATH}/upgrades/dropbear/localoptions.h" "${var_build_dir}"
|
||||
cd "${var_build_dir}" || return "${ERR_PATH_NOT_VALID}"
|
||||
|
||||
# Flag Purpose
|
||||
# -fPIE: Generate position-independent executable code
|
||||
# -pie: Link the executable as PIE (so that ASLR works)
|
||||
# -static: Fully statically linked against musl
|
||||
# -s: Strip unnecessary symbols directly during linking
|
||||
### Flag Purpose:
|
||||
# -fPIE : Generate position-independent executable code
|
||||
# -pie : Link the executable as PIE (so that ASLR works)
|
||||
# -static : Fully statically linked against musl
|
||||
# -s : Strip unnecessary symbols directly during linking
|
||||
# -Wl,-z,relro,-z,now: Enables full RELRO (symbol resolution at program startup)
|
||||
|
||||
[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
|
||||
|
||||
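Review bot: The new `### Flag Purpose:` block states that `-static` together with `-pie` yields a PIE "so that ASLR works", but with GCC `-static` overrides `-pie` and links a fixed-address (non-PIE) static executable; a relocatable static binary needs `-static-pie` (GCC 8 and newer, supported by musl). The CFLAGS/LDFLAGS themselves are outside the hunk, so if they really pass `-static -pie` the comment documents a property the binary does not have; worth checking the built `dropbear` with `readelf -h` (Type should be `DYN`, not `EXEC`) and either switching the link flag to `-static-pie` or rewording the `# -pie` line. `dropbear_build()` starts before the hunk and continues after it.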
@@ -31,7 +31,7 @@ dropbear_initramfs() {
|
||||
|
||||
do_in_target_script "${TARGET}" '
|
||||
export INITRD=No
|
||||
apt-get install -y --no-install-recommends --no-install-suggests dropbear dropbear-initramfs 2>&1 | tee -a '"${var_logfile}"'
|
||||
apt-get install -y --no-install-recommends --no-install-suggests dropbear-initramfs 2>&1 | tee -a '"${var_logfile}"'
|
||||
echo ExitCode: $? >> '"${var_logfile}"'
|
||||
'
|
||||
|
||||
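Review bot: On the `echo ExitCode: $?` line, `$?` is the exit status of `tee`, not of the `apt-get install` that precedes it in the pipeline, so the logged code is 0 even when the package install fails, and nothing else in the hunk checks it. If the script passed to `do_in_target_script` runs under bash, `echo ExitCode: ${PIPESTATUS[0]} >> '"${var_logfile}"'` records apt-get's status; otherwise enable `set -o pipefail` where the target shell supports it, or capture the status without the pipe. The following hunks move and overwrite `/usr/sbin/dropbear`, so a silently failed install is worth catching here.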
@@ -43,6 +43,7 @@ dropbear_initramfs() {
|
||||
|
||||
mv "${TARGET}/usr/sbin/dropbear" "${TARGET}/usr/sbin/dropbear.2022.83"
|
||||
install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/dropbear" "${TARGET}/usr/sbin/"
|
||||
do_log "debug" "file_only" "4311() Installation [dropbear] successful."
|
||||
|
||||
for var_file in dbclient dropbearconvert dropbearkey; do
|
||||
mv "${TARGET}/usr/bin/${var_file}" "${TARGET}/usr/bin/${var_file}.2022.83"
|
||||
@@ -50,7 +51,7 @@ dropbear_initramfs() {
|
||||
do_log "debug" "file_only" "4311() Installation [${var_file}] successful."
|
||||
done
|
||||
|
||||
do_log "info" "file_only" "4311() Installation [dropbear dropbear-initramfs] successful."
|
||||
do_log "info" "file_only" "4311() Installation [dropbear-initramfs] successful."
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
@@ -59,7 +59,7 @@ dropbear_setup() {
|
||||
install -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/banner" "${TARGET}/etc/dropbear/initramfs/"
|
||||
|
||||
### Check for initramfs "IP"-variable: static or dynamic configuration vai dhcp.
|
||||
if [[ "${VAR_DROPBEAR}" != "true" ]]; then
|
||||
if [[ "${network_autoconfig_enable}" = "false" ]]; then
|
||||
|
||||
### "IP=<HOST IP>::<GATEWAY IP>:<SUBNET MASK>:<FQDN>:<NIC>:none:<DNS 0 IP>:<DNS 1 IP>:<NTP IP>"
|
||||
printf "IP=%s::%s:%s:%s:%s:none:%s:%s:%s\n" \
|
||||
@@ -85,27 +85,27 @@ dropbear_setup() {
|
||||
|
||||
### Install the script to be called by 'update-initramfs' for updating 'PATH'-variable inside initramfs.
|
||||
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/scripts/init-top/fixpath.sh" \
|
||||
"${TARGET}/includes/initramfs-tools/scripts/init-top/"
|
||||
"${TARGET}/etc/initramfs-tools/scripts/init-top/"
|
||||
|
||||
### Install the script to be called by 'update-initramfs' for customizing dropbear inside initramfs.
|
||||
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/hooks/custom-initramfs.sh" \
|
||||
"${TARGET}/includes/initramfs-tools/hooks/"
|
||||
"${TARGET}/etc/initramfs-tools/hooks/"
|
||||
|
||||
### Install the script to be called by 'update-initramfs' for customizing prompt inside initramfs environment.
|
||||
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/hooks/custom-prompt.sh" \
|
||||
"${TARGET}/includes/initramfs-tools/hooks/"
|
||||
"${TARGET}/etc/initramfs-tools/hooks/"
|
||||
|
||||
### Install the script to be called inside initramfs environment for unlocking LUKS and NUKE Devices.
|
||||
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/files/unlock_wrapper.sh" \
|
||||
"${TARGET}/includes/initramfs-tools/files/"
|
||||
"${TARGET}/etc/initramfs-tools/files/"
|
||||
|
||||
### Install the script to be called inside the Host environment for signing 'unlock_wrapper.sh'-script.
|
||||
install -D -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/files/unlock_wrapper_signer.sh" \
|
||||
"${TARGET}/includes/initramfs-tools/files/"
|
||||
"${TARGET}/etc/initramfs-tools/files/"
|
||||
|
||||
### Install the script to be called by 'update-initramfs' for installing the necessary modules to load into initramfs environment.
|
||||
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/modules" \
|
||||
"${TARGET}/includes/initramfs-tools/"
|
||||
"${TARGET}/etc/initramfs-tools/"
|
||||
|
||||
var_modules=$(grep_nic_driver_modules)
|
||||
|
||||
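Review bot: The corrected destination `"${TARGET}/etc/initramfs-tools/files/"` now places `unlock_wrapper_signer.sh` (mode 0700, described as run on the host for signing) in the same directory as `unlock_wrapper.sh`, the file the initramfs hooks are meant to pick up. Whether `custom-initramfs.sh` copies the whole directory or only named files is not visible here; if it copies the directory, the signer and any key material it references would end up inside the initrd, which should carry only the verifier side. Worth confirming the hook copies just `unlock_wrapper.sh` and its signature, and stating that on the comment, e.g. `### Host-side only: must not be copied into the initramfs by custom-initramfs.sh.` `dropbear_setup()` continues outside the hunk.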
@@ -160,14 +160,29 @@ write_dropbear_conf() {
|
||||
[[ -z "${dropbear_port:-}" ]] && dropbear_port="2222"
|
||||
|
||||
cat << EOF >| "${TARGET}/etc/dropbear/initramfs/dropbear.conf"
|
||||
#
|
||||
# SPDX-Version: 3.0
|
||||
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
|
||||
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||||
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-FileType: SOURCE
|
||||
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
|
||||
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
||||
# SPDX-PackageName: CISS.debian.installer
|
||||
# SPDX-Security-Contact: security@coresecret.eu
|
||||
|
||||
# /etc/dropbear/dropbear.conf : Generated by CISS.debian.installer ${VAR_VERSION}
|
||||
# Architecture : ${VAR_ARCHITECTURE}
|
||||
# Distribution : ${VAR_CODENAME}
|
||||
|
||||
# Static file system information: '/etc/dropbear/initramfs/dropbear.conf'.
|
||||
|
||||
# Configuration options for the dropbear-initramfs boot scripts.
|
||||
# Variable assignment follow shell semantics and escaping/quoting rules.
|
||||
# You must run update-initramfs(8) to effect changes to this file (like
|
||||
# for other files in the '/etc/dropbear/initramfs' directory).
|
||||
|
||||
#
|
||||
# Command line options to pass to dropbear(8)
|
||||
# Command line options to pass to dropbear(8).
|
||||
# Dropbear options for 2025+:
|
||||
# -b: Display the contents of bannerfile before user login
|
||||
# -E: Log to stderr
|
||||
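Review bot: `dropbear_port` is only defaulted on the `[[ -z "${dropbear_port:-}" ]] && dropbear_port="2222"` line and never validated before it is expanded into `DROPBEAR_OPTIONS="… -p ${dropbear_port}"` (context of the next hunk) inside a file the initramfs scripts evaluate with shell semantics, so a non-numeric value or one containing whitespace from the profile silently changes dropbear's command line or breaks the generated config. A guard before the heredoc closes that gap, e.g. `[[ "${dropbear_port}" =~ ^[0-9]{1,5}$ ]] || return "${ERR_CODE_PLACEHOLDER}"` using the project's own error constant. Separately, the generated header line `# /etc/dropbear/dropbear.conf : Generated by …` names a different path from the file actually written, `/etc/dropbear/initramfs/dropbear.conf`. `write_dropbear_conf()` starts before the hunk.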
@@ -177,16 +192,13 @@ write_dropbear_conf() {
|
||||
# -w: Disable root login (SHOULD NOT be implemented for initramfs)
|
||||
DROPBEAR_OPTIONS="-b /etc/dropbear/banner -c /usr/local/bin/unlock_wrapper.sh -E -I 300 -K 60 -p ${dropbear_port}"
|
||||
|
||||
#
|
||||
# On local (non-NFS) mounts, interfaces matching this pattern are
|
||||
# brought down before exiting the ramdisk to avoid dirty network
|
||||
# configuration in the normal kernel.
|
||||
# The special value 'none' keeps all interfaces up and preserves routing
|
||||
# tables and addresses.
|
||||
#
|
||||
#IFDOWN="*"
|
||||
|
||||
#
|
||||
# On local (non-NFS) mounts, the network stack and dropbear are started
|
||||
# asynchronously at init-premount stage. This value specifies the
|
||||
# maximum number of seconds to wait (while the network/dropbear are
|
||||
@@ -197,8 +209,9 @@ DROPBEAR_OPTIONS="-b /etc/dropbear/banner -c /usr/local/bin/unlock_wrapper.sh -E
|
||||
# initrd might pivot to init(1) too early, thereby causing a race
|
||||
# condition between network configuration from initramfs vs from the
|
||||
# normal system.
|
||||
#
|
||||
#DROPBEAR_SHUTDOWN_TIMEOUT=60
|
||||
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|
||||
EOF
|
||||
|
||||
do_log "info" "file_only" "4312() Written: '${TARGET}/etc/dropbear/initramfs/dropbear.conf'."
|
||||
|
||||