CISS.debian.live.builder/config/hooks/live/0022_dropbear_setup.chroot

#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail

printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
export INITRD="No"

#######################################
# Set up the 'dropbear-initramfs' environment.
# Globals:
#   None
# Arguments:
#   None
# Returns:
#   0: on success
#######################################
dropbear_setup() {
  ### Declare Arrays, HashMaps, and Variables.
  # shellcheck disable=SC2155
  declare user_root_sshpubkey="$(< /root/.ssh/authorized_keys)"
  declare var_force_command_string='command="/usr/local/bin/unlock_wrapper.sh",no-agent-forwarding,no-port-forwarding,no-X11-forwarding '

  ### Prepare strong dropbear host keys.
  rm -f /etc/dropbear/initramfs/dropbear*key*

  if [[ -d /root/ssh ]]; then

    dropbearconvert openssh dropbear /root/ssh/ssh_host_ed25519_key        /etc/dropbear/initramfs/dropbear_ed25519_host_key
    dropbearkey -y -f /etc/dropbear/initramfs/dropbear_ed25519_host_key >| /etc/dropbear/initramfs/dropbear_ed25519_host_key.pub

  else

    # shellcheck disable=SC2312
    /usr/bin/dropbearkey -t ed25519     -f /etc/dropbear/initramfs/dropbear_ed25519_host_key -C "root@live-$(date -I)"

    # shellcheck disable=SC2312
    /usr/bin/dropbearkey -t rsa -s 4096 -f /etc/dropbear/initramfs/dropbear_rsa_host_key     -C "root@live-$(date -I)"

  fi

  chmod 0600 /etc/dropbear/initramfs/dropbear_ed25519_host_key
  chmod 0644 /etc/dropbear/initramfs/dropbear_ed25519_host_key.pub

  ### Prepare dropbear authorized_keys.
  printf "%s\n" "${var_force_command_string}${user_root_sshpubkey}" >| /etc/dropbear/initramfs/authorized_keys
  chmod 0600 /etc/dropbear/initramfs/authorized_keys
  install -m 0644 -o root -g root /etc/banner /etc/dropbear/initramfs/banner

  ### "IP=<HOST IP>::<GATEWAY IP>:<SUBNET MASK>:<FQDN>:<NIC>:none:<DNS 0 IP>:<DNS 1 IP>:<NTP IP>"
  ### "IP=:::::<NIC>:dhcp"
  printf "IP=::::::dhcp\n" >| /etc/initramfs-tools/conf.d/ip

  ### Generate dropbear configuration file.
  write_dropbear_conf

  return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f dropbear_setup

#######################################
# Write '/etc/dropbear/initramfs/dropbear.conf'.
# Globals:
#   None
# Arguments:
#   None
# Returns:
#   0: on success
#######################################
write_dropbear_conf() {
  # shellcheck disable=SC2155
  declare sshport="$(< /root/sshport)"
  rm -f /root/sshport

  [[ -z "${sshport:-}" ]] && sshport="2222"

  ### CISS internal
  [[ "${sshport}" == "42137" ]] && sshport="44137"

  cat << EOF >| /etc/dropbear/initramfs/dropbear.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

# Configuration options for the dropbear-initramfs boot scripts.
# Variable assignment follow shell semantics and escaping/quoting rules.
# You must run update-initramfs(8) to effect changes to this file (like
# for other files in the '/etc/dropbear/initramfs' directory).

# Command line options to pass to dropbear(8).
# Dropbear options for 2025+:
# -b: Display the contents of bannerfile before user login
# -E: Log to stderr
# -I: Idle timeout in seconds
# -K: Keepalive interval in seconds
# -p: Specify port (and optionally address)
# -w: Disable root login (SHOULD NOT be implemented for initramfs)
DROPBEAR_OPTIONS="-b /etc/dropbear/banner -E -I 300 -K 60 -p ${sshport}"

# On local (non-NFS) mounts, interfaces matching this pattern are
# brought down before exiting the ramdisk to avoid dirty network
# configuration in the normal kernel.
# The special value 'none' keeps all interfaces up and preserves routing
# tables and addresses.
#IFDOWN="*"

# On local (non-NFS) mounts, the network stack and dropbear are started
# asynchronously at init-premount stage.  This value specifies the
# maximum number of seconds to wait (while the network/dropbear are
# being configured) at init-bottom stage before terminating dropbear and
# bringing the network down.
# If the timeout is too short, and if the boot process is not blocking
# on user input supplied via SSHd (ie no remote unlocking), then the
# initrd might pivot to init(1) too early, thereby causing a race
# condition between network configuration from initramfs vs from the
# normal system.
#DROPBEAR_SHUTDOWN_TIMEOUT=60

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF

  return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f write_dropbear_conf

dropbear_setup

printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"

exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh