Added ability for providing username for ssh session.

2025-12-18 12:00:21 +01:00 · 2025-06-27 12:36:05 +02:00
parent e1aef8338b
commit 4633e0bc66
2 changed files with 44 additions and 7 deletions
--- a/README.rst
+++ b/README.rst
@@ -73,6 +73,7 @@ similar to those passed via commandline. Consider following example:
   ip = '192.168.0.1'
   gateway = '192.168.0.254'
   netmask = '24'
+   user = 'gryf'
   authorized_keys = "/full/path/to/the/.ssh/authorized_keys"

 This will inform mkinitramfs script, that dropbear and yubikey features are
@@ -88,6 +89,7 @@ The complete list of supported options is listed below:
 - ``sdcard``
 - ``yubikey``
 - ``dropbear``
+- ``user``

 Using key devices
 -----------------
@@ -104,7 +106,34 @@ There is possibility for using key which is encrypted using response from
 challenge response using `ykchalresp`_ command. The challenge here could be
 any string, so the name of the device from config is used.

+Dropbear
+--------
+
+To unlock LUKS root filesystem remotely `dropbear`_ is used. There are expected
+configuration options in ``mkinitramfs.toml`` file:
+
+- ``dropbear`` - true or false, false by default
+- ``iface`` interface name - ``eth0`` by default
+- ``ip`` - static IP address
+- ``netmask`` - netmask for the network
+- ``gateway`` - gateway for the network
+- ``user`` - username used for logging in, ``root`` by default. Note, whatever
+  username will be placed here, it will be ``root`` effectively anyway
+- ``authorized_keys`` - path to ssh ``authorized_keys`` file. If there is no
+  user set - which mens root username is used, by default it will look for the
+  ``/root/.ssh/authorized_keys``
+
+You'll need to put at least ``ip``, ``netmask``, ``gateway`` to make this work
+with defaults, with assumption that interface is ``eth0`` and ``root`` user
+have needed ``authorized_keys`` file.
+
+Then execute script with flag ``-b`` which include dropbear part.:
+
+.. code:: shell-session
+
+   # mkinitramfs.py -b laptop

 .. _ccrypt: https://sourceforge.net/projects/ccrypt/
 .. _cryptsetup: https://gitlab.com/cryptsetup/cryptsetup/blob/master/README.md
 .. _ykchalresp: https://github.com/Yubico/yubikey-personalization
+.. _dropbear: https://matt.ucc.asn.au/dropbear/dropbear.html
--- a/mkinitramfs.py
+++ b/mkinitramfs.py
@@ -272,7 +272,7 @@ if [ ! -b /dev/mapper/root ]; then
    done
 fi
 if [ ! -b /dev/mapper/root ]; then
-    echo "Failed to open encrypted device. Reboot in 5 seconds."
+    echo "Failed to open encrypted device. Rebooting in 5 seconds."
    reboot -f -d 5
 fi
 """
@@ -336,6 +336,14 @@ class Config:
        self.ip = toml_.get('ip')
        self.gateway = toml_.get('gateway')
        self.netmask = toml_.get('netmask')
+        self.iface =  toml_.get('iface', 'eth0')
+        self.user = toml_.get('user', 'root')
+        if self.user != 'root' and not toml_.get('authorized_keys'):
+            sys.stderr.write(f'User {self.user} is not authorized for '
+                             f'utilizing root .ssh/authorized_keys file. '
+                             f'Set authorized_keys file path in'
+                             f' configuration.')
+            sys.exit(7)
        self.authorized_keys = toml_.get('authorized_keys', ROOT_AK)


@@ -412,6 +420,8 @@ class Initramfs(object):
        if (self.conf.authorized_keys and
            os.path.exists(self.conf.authorized_keys)):
            shutil.copy(self.conf.authorized_keys, 'root/.ssh')
+        else:
+            sys.stderr.write(f'Warning {self.conf.authorized_keys} not found!')

        # Copy OpenSSH's host keys to keep both initramfs' and regular ssh
        # signed the same otherwise openssh clients will see different host
@@ -424,11 +434,11 @@ class Initramfs(object):

        # Basic system defaults
        with open('etc/passwd', 'w') as fobj:
-            fobj.write("root:x:0:0:root:/root:/bin/sh\n")
+            fobj.write(f"{self.conf.user}:x:0:0:root:/root:/bin/sh\n")
        with open('etc/shadow', 'w') as fobj:
-            fobj.write("root:*:::::::\n")
+            fobj.write(f"{self.conf.user}:*:::::::\n")
        with open('etc/group', 'w') as fobj:
-            fobj.write("root:x:0:root\n")
+            fobj.write(f"{self.conf.user}:x:0:{self.conf.user}\n")
        with open('etc/shells', 'w') as fobj:
            fobj.write("/bin/sh\n")
        os.chmod('etc/shadow', 0b110100000)
@@ -469,9 +479,7 @@ class Initramfs(object):
            os.symlink('busybox', command)

    def _copy_key(self, suffix=''):
-        key_path = self.conf.key_path
-        if not os.path.exists(key_path):
-            key_path = os.path.join(self.conf.key_path + suffix)
+        key_path = self.conf.key_path + suffix

        if not os.path.exists(key_path):
            self._cleanup()