gryf/mkinitramfs
1
0
Fork 0
mirror of https://github.com/gryf/mkinitramfs.git synced 2025-12-18 12:00:21 +01:00
Code Issues Projects Releases Wiki Activity

Added ability for providing username for ssh session.

Browse Source
This commit is contained in:
gryf
2025-06-27 12:36:05 +02:00
parent e1aef8338b
commit 4633e0bc66
2 changed files with 44 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
README.rst
View File

@@ -73,6 +73,7 @@ similar to those passed via commandline. Consider following example:
ip = '192.168.0.1' ip = '192.168.0.1'
gateway = '192.168.0.254' gateway = '192.168.0.254'
netmask = '24' netmask = '24'
user = 'gryf'
authorized_keys = "/full/path/to/the/.ssh/authorized_keys" authorized_keys = "/full/path/to/the/.ssh/authorized_keys"
This will inform mkinitramfs script, that dropbear and yubikey features are This will inform mkinitramfs script, that dropbear and yubikey features are
@@ -88,6 +89,7 @@ The complete list of supported options is listed below:
- ``sdcard`` - ``sdcard``
- ``yubikey`` - ``yubikey``
- ``dropbear`` - ``dropbear``
- ``user``
Using key devices Using key devices
----------------- -----------------
@@ -104,7 +106,34 @@ There is possibility for using key which is encrypted using response from
challenge response using `ykchalresp`_ command. The challenge here could be challenge response using `ykchalresp`_ command. The challenge here could be
any string, so the name of the device from config is used. any string, so the name of the device from config is used.
Dropbear
--------
To unlock LUKS root filesystem remotely `dropbear`_ is used. There are expected
configuration options in ``mkinitramfs.toml`` file:
- ``dropbear`` - true or false, false by default
- ``iface`` interface name - ``eth0`` by default
- ``ip`` - static IP address
- ``netmask`` - netmask for the network
- ``gateway`` - gateway for the network
- ``user`` - username used for logging in, ``root`` by default. Note, whatever
username will be placed here, it will be ``root`` effectively anyway
- ``authorized_keys`` - path to ssh ``authorized_keys`` file. If there is no
user set - which mens root username is used, by default it will look for the
``/root/.ssh/authorized_keys``
You'll need to put at least ``ip``, ``netmask``, ``gateway`` to make this work
with defaults, with assumption that interface is ``eth0`` and ``root`` user
have needed ``authorized_keys`` file.
Then execute script with flag ``-b`` which include dropbear part.:
.. code:: shell-session
# mkinitramfs.py -b laptop
.. _ccrypt: https://sourceforge.net/projects/ccrypt/ .. _ccrypt: https://sourceforge.net/projects/ccrypt/
.. _cryptsetup: https://gitlab.com/cryptsetup/cryptsetup/blob/master/README.md .. _cryptsetup: https://gitlab.com/cryptsetup/cryptsetup/blob/master/README.md
.. _ykchalresp: https://github.com/Yubico/yubikey-personalization .. _ykchalresp: https://github.com/Yubico/yubikey-personalization
.. _dropbear: https://matt.ucc.asn.au/dropbear/dropbear.html

22
mkinitramfs.py
View File

@@ -272,7 +272,7 @@ if [ ! -b /dev/mapper/root ]; then
done done
fi fi
if [ ! -b /dev/mapper/root ]; then if [ ! -b /dev/mapper/root ]; then
echo "Failed to open encrypted device. Reboot in 5 seconds." echo "Failed to open encrypted device. Rebooting in 5 seconds."
reboot -f -d 5 reboot -f -d 5
fi fi
""" """
@@ -336,6 +336,14 @@ class Config:
self.ip = toml_.get('ip') self.ip = toml_.get('ip')
self.gateway = toml_.get('gateway') self.gateway = toml_.get('gateway')
self.netmask = toml_.get('netmask') self.netmask = toml_.get('netmask')
self.iface = toml_.get('iface', 'eth0')
self.user = toml_.get('user', 'root')
if self.user != 'root' and not toml_.get('authorized_keys'):
sys.stderr.write(f'User {self.user} is not authorized for '
f'utilizing root .ssh/authorized_keys file. '
f'Set authorized_keys file path in'
f' configuration.')
sys.exit(7)
self.authorized_keys = toml_.get('authorized_keys', ROOT_AK) self.authorized_keys = toml_.get('authorized_keys', ROOT_AK)
@@ -412,6 +420,8 @@ class Initramfs(object):
if (self.conf.authorized_keys and if (self.conf.authorized_keys and
os.path.exists(self.conf.authorized_keys)): os.path.exists(self.conf.authorized_keys)):
shutil.copy(self.conf.authorized_keys, 'root/.ssh') shutil.copy(self.conf.authorized_keys, 'root/.ssh')
else:
sys.stderr.write(f'Warning {self.conf.authorized_keys} not found!')
# Copy OpenSSH's host keys to keep both initramfs' and regular ssh # Copy OpenSSH's host keys to keep both initramfs' and regular ssh
# signed the same otherwise openssh clients will see different host # signed the same otherwise openssh clients will see different host
@@ -424,11 +434,11 @@ class Initramfs(object):
# Basic system defaults # Basic system defaults
with open('etc/passwd', 'w') as fobj: with open('etc/passwd', 'w') as fobj:
fobj.write("root:x:0:0:root:/root:/bin/sh\n") fobj.write(f"{self.conf.user}:x:0:0:root:/root:/bin/sh\n")
with open('etc/shadow', 'w') as fobj: with open('etc/shadow', 'w') as fobj:
fobj.write("root:*:::::::\n") fobj.write(f"{self.conf.user}:*:::::::\n")
with open('etc/group', 'w') as fobj: with open('etc/group', 'w') as fobj:
fobj.write("root:x:0:root\n") fobj.write(f"{self.conf.user}:x:0:{self.conf.user}\n")
with open('etc/shells', 'w') as fobj: with open('etc/shells', 'w') as fobj:
fobj.write("/bin/sh\n") fobj.write("/bin/sh\n")
os.chmod('etc/shadow', 0b110100000) os.chmod('etc/shadow', 0b110100000)
@@ -469,9 +479,7 @@ class Initramfs(object):
os.symlink('busybox', command) os.symlink('busybox', command)
def _copy_key(self, suffix=''): def _copy_key(self, suffix=''):
key_path = self.conf.key_path key_path = self.conf.key_path + suffix
if not os.path.exists(key_path):
key_path = os.path.join(self.conf.key_path + suffix)
if not os.path.exists(key_path): if not os.path.exists(key_path):
self._cleanup() self._cleanup()