V8.13.404.2025.11.10

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

config/hooks/live/0022_dropbear_setup.chroot

@@ -0,0 +1,149 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+
+#######################################
+# Set up the 'dropbear-initramfs' environment.
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+dropbear_setup() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare network_static_ipv4ntpserver_0="192.53.103.108"
+  # shellcheck disable=SC2155
+  declare user_root_sshpubkey="$(< /root/.ssh/authorized_keys)"
+  declare var_force_command_string='command="/usr/local/bin/unlock_wrapper.sh",no-agent-forwarding,no-port-forwarding,no-X11-forwarding '
+
+  ### Prepare strong dropbear host keys.
+  rm -f /etc/dropbear/initramfs/dropbear*key*
+
+  if [[ -d /root/ssh ]]; then
+
+    dropbearconvert openssh dropbear /root/ssh/ssh_host_ed25519_key     /etc/dropbear/initramfs/dropbear_ed25519_host_key
+    dropbearconvert openssh dropbear /root/ssh/ssh_host_rsa_key         /etc/dropbear/initramfs/dropbear_rsa_host_key
+    dropbearkey -y -f /etc/dropbear/initramfs/dropbear_ed25519_host_key /etc/dropbear/initramfs/dropbear_ed25519_host_key.pub
+    dropbearkey -y -f /etc/dropbear/initramfs/dropbear_rsa_host_key     /etc/dropbear/initramfs/dropbear_rsa_host_key.pub
+
+  else
+
+    # shellcheck disable=SC2312
+    /usr/bin/dropbearkey -t ed25519     -f /etc/dropbear/initramfs/dropbear_ed25519_host_key -C "root@live-$(date -I)"
+
+    # shellcheck disable=SC2312
+    /usr/bin/dropbearkey -t rsa -s 4096 -f /etc/dropbear/initramfs/dropbear_rsa_host_key      -C "root@live-$(date -I)"
+
+  fi
+
+  ### Prepare dropbear authorized_keys.
+  printf "%s\n" "${var_force_command_string}${user_root_sshpubkey}" >| /etc/dropbear/initramfs/authorized_keys
+  chmod 0600 /etc/dropbear/initramfs/authorized_keys
+  install -m 0644 -o root -g root /etc/banner /etc/dropbear/initramfs/banner
+
+  ### "IP=<HOST IP>::<GATEWAY IP>:<SUBNET MASK>:<FQDN>:<NIC>:none:<DNS 0 IP>:<DNS 1 IP>:<NTP IP>"
+  ### "IP=:::::<NIC>:dhcp"
+  printf "IP=::::::dhcp\n" >| /etc/initramfs-tools/conf.d/ip
+
+  ### Generate dropbear configuration file.
+  write_dropbear_conf
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f dropbear_setup
+
+#######################################
+# Write '/etc/dropbear/initramfs/dropbear.conf'.
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+write_dropbear_conf() {
+  # shellcheck disable=SC2155
+  declare sshport="$(< /root/sshport)"
+  rm -f /root/sshport
+
+  [[ -z "${sshport:-}" ]] && sshport="2222"
+
+  cat << EOF >| /etc/dropbear/initramfs/dropbear.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Configuration options for the dropbear-initramfs boot scripts.
+# Variable assignment follow shell semantics and escaping/quoting rules.
+# You must run update-initramfs(8) to effect changes to this file (like
+# for other files in the '/etc/dropbear/initramfs' directory).
+
+# Command line options to pass to dropbear(8).
+# Dropbear options for 2025+:
+# -b: Display the contents of bannerfile before user login
+# -E: Log to stderr
+# -I: Idle timeout in seconds
+# -K: Keepalive interval in seconds
+# -p: Specify port (and optionally address)
+# -w: Disable root login (SHOULD NOT be implemented for initramfs)
+DROPBEAR_OPTIONS="-b /etc/dropbear/banner -E -I 300 -K 60 -p ${sshport}"
+
+# On local (non-NFS) mounts, interfaces matching this pattern are
+# brought down before exiting the ramdisk to avoid dirty network
+# configuration in the normal kernel.
+# The special value 'none' keeps all interfaces up and preserves routing
+# tables and addresses.
+#IFDOWN="*"
+
+# On local (non-NFS) mounts, the network stack and dropbear are started
+# asynchronously at init-premount stage.  This value specifies the
+# maximum number of seconds to wait (while the network/dropbear are
+# being configured) at init-bottom stage before terminating dropbear and
+# bringing the network down.
+# If the timeout is too short, and if the boot process is not blocking
+# on user input supplied via SSHd (ie no remote unlocking), then the
+# initrd might pivot to init(1) too early, thereby causing a race
+# condition between network configuration from initramfs vs from the
+# normal system.
+#DROPBEAR_SHUTDOWN_TIMEOUT=60
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f write_dropbear_conf
+
+dropbear_setup
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh