-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathadd-unluks
executable file
·136 lines (107 loc) · 3.61 KB
/
add-unluks
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
#!/bin/sh
#
# Preüare initrd to unlock LUKS via SSH (on tagged VLAN/bond)
#
# Maximilian Wilhelm <[email protected]>
# -- Sun, 3 Nov 2016 21:42:00 +0100
#
# DESTDIR -- The staging directory where we are building the image.
# No prereqs needed
case $1 in
prereqs)
echo ""
exit 0
;;
esac
# Source the optional 'hook-functions' scriptlet, if you need the
# functions defined within it. Read it to see what is available to
# you. It contains functions for copying dynamically linked program
# binaries, and kernel modules into the DESTDIR.
#
. /usr/share/initramfs-tools/hook-functions
################################################################################
# Load 801.1q and bonding Kernel module and install vconfig #
################################################################################
# In case a bond shall be set up on boot
manual_add_modules bonding
# In case a VLAN sub-interface shall be set up on boot
manual_add_modules 8021q
copy_exec /sbin/vconfig
################################################################################
# Install SSH #
################################################################################
copy_exec /usr/sbin/sshd
# Copy SSH key files and configuration
cp -a /etc/ssh/ "${DESTDIR}/etc/"
# Copy authorized_keys from the system
mkdir -p "${DESTDIR}/root/.ssh/"
chmod 700 "${DESTDIR}/root/.ssh/"
cp /root/.ssh/authorized_keys "${DESTDIR}/root/.ssh/"
# Overwrite sshd_config for initrd
cat << SSHCONF > "${DESTDIR}/etc/ssh/sshd_config"
# Allow root access via Key
PermitRootLogin without-password
PubkeyAuthentication yes
StrictModes yes
# Disable password auth
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
SSHCONF
# To get rid of sshd once we're done (requires psmisc package to be installed!)
copy_exec /bin/killall
################################################################################
# Setup required NSS environment #
################################################################################
# Generate minimal NSS files
cat << PASSWD > "${DESTDIR}/etc/passwd"
root:x:0:0:root:/root:/bin/sh
sshd:*:27:27:sshd privsep:/var/empty:/sbin/nologin
PASSWD
cat << GROUP > "${DESTDIR}/etc/group"
root:x:0
sshd:*:27:
GROUP
cp /etc/protocols "${DESTDIR}/etc/"
cp /etc/hosts "${DESTDIR}/etc/"
# Generate minimal nsswitch.conf
cat << NSS > "${DESTDIR}/etc/nsswitch.conf"
# /etc/nsswitch.conf
passwd: files
group: files
shadow: files
hosts: files
networks: files
protocols: files
services: files
ethers: files
rpc: files
NSS
# Install required NSS libraries
mkdir -p "${DESTDIR}/lib/x86_64-linux-gnu"
cp /lib/x86_64-linux-gnu/libnss_files* "${DESTDIR}/lib/x86_64-linux-gnu"
################################################################################
# Write convenience unlock script to /unluks #
################################################################################
# Uncomment - and most likely edit - the following lines to add a convenience
# "shell" when you log in via SSH to unlock the disks.
#
# For full convencience you can also change the root line of /etc/passwd above
# to:
# root:x:0:0:root:/root:/unluks
# cat << SCRIPT > "${DESTDIR}/unluks"
# #!/bin/sh
#
# cryptsetup luksOpen /dev/md1 md1_crypt
# cryptsetup luksOpen /dev/md2 md2_crypt
# cryptsetup luksOpen /dev/md3 md3_crypt
#
# lvm pvscan
#
# vgchange -ay
#
# echo "Cool thanks, booting..."
# SCRIPT
#
# chmod 755 "${DESTDIR}/unluks"
exit 0