From 2783c75043ea4f6a1cc8bff7d0335bdbd9e61f9469ce526c829f18380cd4864d Mon Sep 17 00:00:00 2001
From: "Marc S. Weidner"
Date: Mon, 10 Nov 2025 08:12:31 +0100
Subject: [PATCH] V8.13.400.2025.11.08

Signed-off-by: Marc S. Weidner
---
 .../hooks/live/0021_dropbear_initramfs.chroot | 124 ++++++++++++++++++
 lib/lib_primordial.sh | 12 +-
 2 files changed, 135 insertions(+), 1 deletion(-)
 create mode 100644 config/hooks/live/0021_dropbear_initramfs.chroot

diff --git a/config/hooks/live/0021_dropbear_initramfs.chroot b/config/hooks/live/0021_dropbear_initramfs.chroot
new file mode 100644
index 0000000..d06ea54
--- /dev/null
+++ b/config/hooks/live/0021_dropbear_initramfs.chroot
@@ -0,0 +1,124 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" "${0}"
+
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+
+### Declare Arrays, HashMaps, and Variables.
+declare var_file=""
+declare -r var_logfile="/root/.ciss/cdi/log/4311_dropbear_initramfs.log"
+declare var_target="${TARGET}"
+
+### Check for TARGET / RECOVERY.
+[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
+
+chroot_logger "${var_target}${var_logfile}"
+
+chroot_script "${var_target}" "
+  export INITRD=No
+  [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+  apt-get install -y --no-install-recommends --no-install-suggests dropbear-initramfs dropbear-bin 2>&1 | tee -a ${var_logfile}
+  "
+
+chroot_script "${var_target}" "
+  export INITRD=No
+  [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+  apt-get purge -y dropbear dropbear-run || true
+  "
+
+chroot_script "${var_target}" "
+  export INITRD=No
+  [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+  apt-get install -y --no-install-recommends --no-install-suggests gpgv 2>&1 | tee -a ${var_logfile}
+  "
+
+chroot_script "${var_target}" "
+  export INITRD=No
+  [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+  apt-mark hold dropbear dropbear-initramfs 2>&1 | tee -a ${var_logfile}
+  "
+
+mv "${var_target}/usr/sbin/dropbear" "${var_target}/usr/sbin/dropbear.trixie"
+install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/dropbear" "${var_target}/usr/sbin/"
+do_log "debug" "file_only" "4311() Installation [dropbear] successful."
+
+
+for var_file in dbclient dropbearconvert dropbearkey; do
+
+  mv "${var_target}/usr/bin/${var_file}" "${var_target}/usr/bin/${var_file}.trixie"
+  install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/${var_file}" "${var_target}/usr/bin/"
+  do_log "debug" "file_only" "4311() Installation [${var_file}] successful."
+
+done
+
+mkdir -p "${var_target}/etc/initramfs-tools/scripts/init-bottom"
+
+cat << 'EOF' >| "${var_target}/etc/initramfs-tools/scripts/init-bottom/zzzz-dropbear-kill"
+#!/bin/sh
+
+PREREQ=""
+prereqs() { echo "${PREREQ}"; }
+# shellcheck disable=SC2249
+case "${1}" in
+  prereqs) prereqs; exit 0 ;;
+esac
+
+### Stop dropbear shipped in the initramfs after root pivot.
+[ -x /bin/pidof ] || exit 0
+
+P=$(/bin/pidof dropbear 2>/dev/null) || true
+
+[ -n "${P}" ] || exit 0
+
+/bin/kill -TERM "${P}" 2>/dev/null || true
+/bin/sleep 1
+
+/bin/kill -KILL "${P}" 2>/dev/null || true
+exit 0
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+chmod 0755 "${var_target}/etc/initramfs-tools/scripts/init-bottom/zzzz-dropbear-kill"
+
+insert_header "${var_target}/etc/apt/preferences.d/99-mask-dropbear"
+insert_comments "${var_target}/etc/apt/preferences.d/99-mask-dropbear"
+cat << 'EOF' >> "${var_target}/etc/apt/preferences.d/99-mask-dropbear"
+# Never install the dropbear daemon package at all.
+Package: dropbear
+Pin: release *
+Pin-Priority: -1
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+insert_header "${var_target}/etc/apt/preferences.d/99-mask-dropbear-initramfs"
+insert_comments "${var_target}/etc/apt/preferences.d/99-mask-dropbear-initramfs"
+cat << 'EOF' >> "${var_target}/etc/apt/preferences.d/99-mask-dropbear-initramfs"
+# Keep the currently installed initramfs integration; never upgrade it.
+Package: dropbear-initramfs
+Pin: release *
+Pin-Priority: -1
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+chroot_script "${var_target}" "systemctl mask dropbear.service dropbear.socket"
+do_log "info" "file_only" "4311() Masked: [dropbear.service dropbear.socket]"
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/lib/lib_primordial.sh b/lib/lib_primordial.sh
index 18817d5..d9e6eb7 100644
--- a/lib/lib_primordial.sh
+++ b/lib/lib_primordial.sh
@@ -113,8 +113,18 @@ normalize_ssh_key_file() {
 fi
+ if ! ssh-keygen -yf "${var_key_file}" >/dev/null; then
+
+ printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ โŒ Failed check ssh-keygen -lf: [%s] \e[0m\n" "${var_key_file}"
+ return "${ERR_SANITIZING}"
+
+ fi
+
 fi
+ sha256sum "${var_key_file}" >| "${var_key_file}.sha256sum.txt"
+ chmod 0444 "${var_key_file}.sha256sum.txt"
+
 fi
 return 0
@@ -139,7 +149,7 @@ normalize_ssh_keys_in_dir() {
 shopt -s nullglob dotglob
- if [[ -d "${var_key_dir}" ]]; then
+ if [[ ! -d "${var_key_dir}" ]]; then
 shopt -u nullglob dotglob
 return 0
 fi
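Review bot: The hold in `apt-mark hold dropbear dropbear-initramfs` and the pin in `99-mask-dropbear` target `dropbear`, which this hook purges two steps earlier, while `dropbear-bin` — the package that on Debian ships the `/usr/sbin/dropbear` the hook then replaces — is neither held nor pinned, so a later upgrade of dropbear-bin would silently put the distribution binary back over the 2025.88 build. Replacing a package-owned file with `mv` is also what dpkg diversions exist for: `chroot_script "${var_target}" "dpkg-divert --add --rename --divert /usr/sbin/dropbear.trixie /usr/sbin/dropbear"` (and likewise for the three /usr/bin tools) keeps the replacement across upgrades, and the hold should read `apt-mark hold dropbear-bin dropbear-initramfs`. Nothing verifies `${DIR_TMP}/build/dropbear-2025.88/*` before it becomes the initramfs SSH daemon; since lib_primordial.sh now records sha256sum files for keys, comparing the built binaries against a recorded digest before `install` would be consistent with that. In the init-bottom script, `pidof` can return several PIDs and the quoted `"${P}"` hands them to kill as a single argument, which fails and is swallowed by `|| true`; `for p in ${P}; do /bin/kill -TERM "${p}" 2>/dev/null || true; done` (and the same for -KILL) is the fix.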
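Review bot: The failure message in the added block reports `ssh-keygen -lf` while the check actually run is `ssh-keygen -yf`, which sends whoever debugs a rejected key down the wrong path; change the text to `Failed check ssh-keygen -yf: [%s]`. On a passphrase-protected private key `ssh-keygen -y` prompts for the passphrase on the terminal, so in an unattended build this check would hang or fail with only that generic message — worth confirming that encrypted keys cannot reach this point, or handling them explicitly. The `.sha256sum.txt` written beside the key detects corruption but not tampering, since anyone able to modify the key can regenerate the digest; a comment such as `# Digest is a corruption check only, not tamper evidence.` would keep it from being read as an integrity control. Note also that `sha256sum` records `${var_key_file}` exactly as passed, so a later `sha256sum -c` must run with the same working directory or path form. normalize_ssh_key_file() begins and ends outside the hunk.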