msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3a50fc5050b76e3e96b7ea22f15865e5d9decacf8db0d9975c3dfd3a43ac0eba
CISS.debian.installer/func/cdi_4300_network/4312_dropbear_setup.sh
Marc S. Weidner ad4c56fdb5
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m31s
Details
V8.00.000.2025.06.17 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-13 19:51:43 +01:00

210 lines
9.4 KiB
Bash
Raw Blame History

#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Set up the 'dropbear-initramfs' environment.
# Globals:
# TARGET
# VAR_FINAL_FQDN
# VAR_FINAL_IPV4
# VAR_FINAL_IPV4_GW
# VAR_FINAL_IPV4_SUBNET
# VAR_FINAL_NIC
# VAR_SETUP_PATH
# dropbear_dhcp
# dropbear_firewall
# dropbear_port
# dropbear_pub_key
# dropbear_sha_file
# dropbear_sig_file
# network_static_ipv4nameserver_0
# network_static_ipv4nameserver_1
# ssh_allow_ipv4_0
# user_root_sshpubkey
# Arguments:
# None
# Returns:
# 0: on success
#######################################
dropbear_setup() {
### Declare Arrays, HashMaps, and Variables.
declare -r network_static_ipv4ntpserver_0="192.53.103.108" \
var_force_command_string='command="/usr/local/bin/unlock_wrapper.sh",no-agent-forwarding,no-port-forwarding,no-X11-forwarding '
### Prepare strong dropbear host keys.
rm -f "${TARGET}"/etc/dropbear/initramfs/dropbear*key*
# shellcheck disable=SC2312
chroot_exec "${TARGET}" /usr/bin/dropbearkey -t rsa -s 4096 -f /etc/dropbear/initramfs/dropbear_rsa_host_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
# shellcheck disable=SC2312
chroot_exec "${TARGET}" /usr/bin/dropbearkey -t ed25519 -f /etc/dropbear/initramfs/dropbear_ed25519_host_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
chmod 0600 "${TARGET}"/etc/dropbear/initramfs/dropbear*key*
chown root:root "${TARGET}"/etc/dropbear/initramfs/dropbear*key*
### Prepare dropbear authorized_keys.
touch "${TARGET}/etc/dropbear/initramfs/authorized_keys" && chmod 0600 "${TARGET}/etc/dropbear/initramfs/authorized_keys"
printf "%s\n" "${var_force_command_string}${user_root_sshpubkey}" >> "${TARGET}/etc/dropbear/initramfs/authorized_keys"
install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/banner" "${TARGET}/etc/dropbear/initramfs/"
### Check for initramfs "IP"-variable: static or dynamic configuration via dhcp.
if [[ "${dropbear_dhcp}" = "false" ]]; then
### "IP=<HOST IP>::<GATEWAY IP>:<SUBNET MASK>:<FQDN>:<NIC>:none:<DNS 0 IP>:<DNS 1 IP>:<NTP IP>"
printf "IP=%s::%s:%s:%s:%s:none:%s:%s:%s\n" \
"${VAR_FINAL_IPV4}" \
"${VAR_FINAL_IPV4_GW}" \
"${VAR_FINAL_IPV4_SUBNET}" \
"${VAR_FINAL_FQDN}" \
"${VAR_FINAL_NIC}" \
"${network_static_ipv4nameserver_0:-135.181.207.105}" \
"${network_static_ipv4nameserver_1:-89.58.62.53}" \
"${network_static_ipv4ntpserver_0:-192.53.103.104}" \
>| "${TARGET}/etc/initramfs-tools/conf.d/ip"
else
### "IP=:::::<NIC>:dhcp"
printf "IP=:::::%s:dhcp\n" "${VAR_FINAL_NIC}" >| "${TARGET}/etc/initramfs-tools/conf.d/ip"
fi
### Generate dropbear configuration file.
write_dropbear_conf
### Install the script to be called by 'update-initramfs' for updating 'PATH'-variable inside initramfs.
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/scripts/init-premount/1000-fixpath.sh" \
"${TARGET}/etc/initramfs-tools/scripts/init-premount/1000-fixpath"
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/scripts/init-top/0000-fixpath.sh" \
"${TARGET}/etc/initramfs-tools/scripts/init-top/0000-fixpath"
### Install the script to be called by 'update-initramfs' for customizing dropbear inside initramfs.
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/hooks/9999-custom-initramfs.sh" \
"${TARGET}/etc/initramfs-tools/hooks/"
### Install the script to be called by 'update-initramfs' for customizing prompt inside initramfs environment.
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/hooks/9999-custom-prompt.sh" \
"${TARGET}/etc/initramfs-tools/hooks/"
### Install the script to be called inside initramfs environment for unlocking LUKS and NUKE Devices.
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/files/unlock_wrapper.sh" \
"${TARGET}/etc/initramfs-tools/files/"
install -D -m 0640 -o root -g root "${VAR_SETUP_PATH}${dropbear_sha_file}" \
"${TARGET}/etc/initramfs-tools/files/"
install -D -m 0640 -o root -g root "${VAR_SETUP_PATH}${dropbear_sig_file}" \
"${TARGET}/etc/initramfs-tools/files/"
install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}${dropbear_pub_key}" \
"${TARGET}/root/.ciss/cdi/keys/"
### Install the script to be called inside the Host environment for signing 'unlock_wrapper.sh'-script.
install -D -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/files/unlock_wrapper_signer.sh" \
"${TARGET}/etc/initramfs-tools/files/"
### Install the script to be called inside the initramfs environment for preparing dropbear execution.
mkdir -p "${TARGET}/root/.ciss/cdi/backup/usr/share/initramfs-tools/scripts/init-premount"
mv "${TARGET}/usr/share/initramfs-tools/scripts/init-premount/dropbear" \
"${TARGET}/root/.ciss/cdi/backup/usr/share/initramfs-tools/scripts/init-premount/dropbear.trixie"
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/usr/share/initramfs-tools/scripts/init-premount/dropbear" \
"${TARGET}/usr/share/initramfs-tools/scripts/init-premount/"
### Install the variable file to be called inside the initramfs environment for setting up dropbear firewall.
install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/files/dropbear_fw.cnf" \
"${TARGET}/etc/initramfs-tools/files/dropbear_fw.conf"
### Install the firewall script to be called inside initramfs environment for setting up dropbear firewall.
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/files/dropbear_fw.sh" \
"${TARGET}/etc/initramfs-tools/files/"
if [[ "${dropbear_firewall,,}" == "true" && -n "${ssh_allow_ipv4_0}" ]]; then
sed -i 's/^DROPBEAR_FIREWALL_ENABLED=0$/DROPBEAR_FIREWALL_ENABLED=1/' "${TARGET}/etc/initramfs-tools/files/dropbear_fw.cnf"
sed -i '/^# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh$/d' "${TARGET}/etc/initramfs-tools/files/dropbear_fw.cnf"
cat << EOF >> "${TARGET}/includes/initramfs-tools/files/dropbear_fw.cnf"
DROPBEAR_PORT=${dropbear_port}
DROPBEAR_JUMP_SERVER_IP=${ssh_allow_ipv4_0}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
fi
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f dropbear_setup
#######################################
# Write '/etc/dropbear/initramfs/dropbear.conf'.
# Globals:
# TARGET
# ssh_port
# Arguments:
# None
# Returns:
# 0: on success
#######################################
write_dropbear_conf() {
[[ -z "${dropbear_port:-}" ]] && dropbear_port="2222"
insert_header "${TARGET}/etc/dropbear/initramfs/dropbear.conf"
insert_comments "${TARGET}/etc/dropbear/initramfs/dropbear.conf"
cat << EOF >> "${TARGET}/etc/dropbear/initramfs/dropbear.conf"
# Configuration options for the dropbear-initramfs boot scripts.
# Variable assignment follow shell semantics and escaping/quoting rules.
# You must run update-initramfs(8) to effect changes to this file (like
# for other files in the '/etc/dropbear/initramfs' directory).
# Command line options to pass to dropbear(8).
# Dropbear options for 2025+:
# -b: Display the contents of bannerfile before user login
# -E: Log to stderr
# -I: Idle timeout in seconds
# -K: Keepalive interval in seconds
# -p: Specify port (and optionally address)
# -w: Disable root login (SHOULD NOT be implemented for initramfs)
DROPBEAR_OPTIONS="-b /etc/dropbear/banner -E -I 300 -K 60 -p ${dropbear_port}"
# On local (non-NFS) mounts, interfaces matching this pattern are
# brought down before exiting the ramdisk to avoid dirty network
# configuration in the normal kernel.
# The special value 'none' keeps all interfaces up and preserves routing
# tables and addresses.
#IFDOWN="*"
# On local (non-NFS) mounts, the network stack and dropbear are started
# asynchronously at init-premount stage. This value specifies the
# maximum number of seconds to wait (while the network/dropbear are
# being configured) at init-bottom stage before terminating dropbear and
# bringing the network down.
# If the timeout is too short, and if the boot process is not blocking
# on user input supplied via SSHd (ie no remote unlocking), then the
# initrd might pivot to init(1) too early, thereby causing a race
# condition between network configuration from initramfs vs from the
# normal system.
#DROPBEAR_SHUTDOWN_TIMEOUT=60
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
do_log "info" "file_only" "4312() Written: '${TARGET}/etc/dropbear/initramfs/dropbear.conf'."
do_log "info" "file_only" "4312() Written: 'DROPBEAR_OPTIONS=\"-b /etc/dropbear/banner -E -I 300 -K 60 -p ${dropbear_port}\"'."
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f write_dropbear_conf
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
Reference in New Issue View Git Blame Copy Permalink