V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

.preseed/preseed.yaml

@@ -756,7 +756,7 @@ user:
     protected: true            # Prevent unintentional edits or deletions.
     shell: /bin/zsh            # Login shell (e.g., '/bin/bash', '/bin/zsh'); use '/usr/sbin/nologin' for non-interactive users.
     password: ""
-    sshpubkey: ""
+    sshpubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
     authentication:
       access:
         ssh: false             # Allow SSH access.

func/cdi_4300_network/4310_dropbear_build.sh

@@ -16,7 +16,10 @@ guard_sourcing
 # Build Ultra Hardened dropbear-2025.88 from sources.
 # Globals:
 #   DIR_TMP
-#   ERR_PATH_NOT_VALID
+#   PATH
+#   PATH_SEPARATOR
+#   SHELLOPTS
+#   VAR_DEBUG_TRACE
 #   VAR_SETUP_PATH
 # Arguments:
 #   None
@@ -38,7 +41,7 @@ dropbear_build() {
   cp "${VAR_SETUP_PATH}/upgrades/dropbear/localoptions.h" "${var_build_dir}"
   cd "${var_build_dir}" || return "${ERR_PATH_NOT_VALID}"
 
-  # Flag Purpose
+  ### Flag Purpose:
   #  -fPIE              : Generate position-independent executable code
   #  -pie               : Link the executable as PIE (so that ASLR works)
   #  -static            : Fully statically linked against musl

func/cdi_4300_network/4311_dropbear_initramfs.sh

@@ -31,7 +31,7 @@ dropbear_initramfs() {
 
   do_in_target_script "${TARGET}" '
     export INITRD=No
-    apt-get install -y --no-install-recommends --no-install-suggests dropbear dropbear-initramfs 2>&1 | tee -a '"${var_logfile}"'
+    apt-get install -y --no-install-recommends --no-install-suggests dropbear-initramfs 2>&1 | tee -a '"${var_logfile}"'
     echo ExitCode: $? >> '"${var_logfile}"'
   '
 
@@ -43,6 +43,7 @@ dropbear_initramfs() {
 
   mv "${TARGET}/usr/sbin/dropbear" "${TARGET}/usr/sbin/dropbear.2022.83"
   install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/dropbear" "${TARGET}/usr/sbin/"
+  do_log "debug" "file_only" "4311() Installation [dropbear] successful."
 
   for var_file in dbclient dropbearconvert dropbearkey; do
     mv "${TARGET}/usr/bin/${var_file}" "${TARGET}/usr/bin/${var_file}.2022.83"
@@ -50,7 +51,7 @@ dropbear_initramfs() {
     do_log "debug" "file_only" "4311() Installation [${var_file}] successful."
   done
 
-  do_log "info" "file_only" "4311() Installation [dropbear dropbear-initramfs] successful."
+  do_log "info" "file_only" "4311() Installation [dropbear-initramfs] successful."
 
   return 0
 }

func/cdi_4300_network/4312_dropbear_setup.sh

@@ -59,7 +59,7 @@ dropbear_setup() {
   install -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/banner" "${TARGET}/etc/dropbear/initramfs/"
 
   ### Check for initramfs "IP"-variable: static or dynamic configuration vai dhcp.
-  if [[ "${VAR_DROPBEAR}" != "true" ]]; then
+  if [[ "${network_autoconfig_enable}" = "false" ]]; then
 
     ### "IP=<HOST IP>::<GATEWAY IP>:<SUBNET MASK>:<FQDN>:<NIC>:none:<DNS 0 IP>:<DNS 1 IP>:<NTP IP>"
     printf "IP=%s::%s:%s:%s:%s:none:%s:%s:%s\n" \
@@ -85,27 +85,27 @@ dropbear_setup() {
 
   ### Install the script to be called by 'update-initramfs' for updating 'PATH'-variable inside initramfs.
   install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/scripts/init-top/fixpath.sh" \
-    "${TARGET}/includes/initramfs-tools/scripts/init-top/"
+    "${TARGET}/etc/initramfs-tools/scripts/init-top/"
 
   ### Install the script to be called by 'update-initramfs' for customizing dropbear inside initramfs.
   install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/hooks/custom-initramfs.sh" \
-    "${TARGET}/includes/initramfs-tools/hooks/"
+    "${TARGET}/etc/initramfs-tools/hooks/"
 
   ### Install the script to be called by 'update-initramfs' for customizing prompt inside initramfs environment.
   install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/hooks/custom-prompt.sh" \
-    "${TARGET}/includes/initramfs-tools/hooks/"
+    "${TARGET}/etc/initramfs-tools/hooks/"
 
   ### Install the script to be called inside initramfs environment for unlocking LUKS and NUKE Devices.
   install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/files/unlock_wrapper.sh" \
-    "${TARGET}/includes/initramfs-tools/files/"
+    "${TARGET}/etc/initramfs-tools/files/"
 
   ### Install the script to be called inside the Host environment for signing 'unlock_wrapper.sh'-script.
   install -D -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/files/unlock_wrapper_signer.sh" \
-    "${TARGET}/includes/initramfs-tools/files/"
+    "${TARGET}/etc/initramfs-tools/files/"
 
   ### Install the script to be called by 'update-initramfs' for installing the necessary modules to load into initramfs environment.
   install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/modules" \
-    "${TARGET}/includes/initramfs-tools/"
+    "${TARGET}/etc/initramfs-tools/"
 
   var_modules=$(grep_nic_driver_modules)
 
@@ -160,14 +160,29 @@ write_dropbear_conf() {
   [[ -z "${dropbear_port:-}" ]] && dropbear_port="2222"
 
   cat << EOF >| "${TARGET}/etc/dropbear/initramfs/dropbear.conf"
-#
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+# /etc/dropbear/dropbear.conf  : Generated by CISS.debian.installer ${VAR_VERSION}
+# Architecture                 : ${VAR_ARCHITECTURE}
+# Distribution                 : ${VAR_CODENAME}
+
+# Static file system information: '/etc/dropbear/initramfs/dropbear.conf'.
+
 # Configuration options for the dropbear-initramfs boot scripts.
 # Variable assignment follow shell semantics and escaping/quoting rules.
 # You must run update-initramfs(8) to effect changes to this file (like
 # for other files in the '/etc/dropbear/initramfs' directory).
 
-#
+# Command line options to pass to dropbear(8).
-# Command line options to pass to dropbear(8)
 # Dropbear options for 2025+:
 # -b: Display the contents of bannerfile before user login
 # -E: Log to stderr
@@ -177,16 +192,13 @@ write_dropbear_conf() {
 # -w: Disable root login (SHOULD NOT be implemented for initramfs)
 DROPBEAR_OPTIONS="-b /etc/dropbear/banner -c /usr/local/bin/unlock_wrapper.sh -E -I 300 -K 60 -p ${dropbear_port}"
 
-#
 # On local (non-NFS) mounts, interfaces matching this pattern are
 # brought down before exiting the ramdisk to avoid dirty network
 # configuration in the normal kernel.
 # The special value 'none' keeps all interfaces up and preserves routing
 # tables and addresses.
-#
 #IFDOWN="*"
 
-#
 # On local (non-NFS) mounts, the network stack and dropbear are started
 # asynchronously at init-premount stage.  This value specifies the
 # maximum number of seconds to wait (while the network/dropbear are
@@ -197,8 +209,9 @@ DROPBEAR_OPTIONS="-b /etc/dropbear/banner -c /usr/local/bin/unlock_wrapper.sh -E
 # initrd might pivot to init(1) too early, thereby causing a race
 # condition between network configuration from initramfs vs from the
 # normal system.
-#
 #DROPBEAR_SHUTDOWN_TIMEOUT=60
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
 
   do_log "info" "file_only" "4312() Written: '${TARGET}/etc/dropbear/initramfs/dropbear.conf'."