First commit with ssh support
This commit is contained in:
parent
1e800c8319
commit
f7511ff3c7
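--- a/cryptsetup_shell
+++ b/cryptsetup_shell
@@ -0,0 +1,8 @@
+#!/usr/bin/ash
+sed 's/ /\n/g' /proc/cmdline | grep = > /linux.cmdline
+. /linux.cmdline
+rm /linux.cmdline
+. /init_functions
+. /hooks/encrypt-multidisk-ssh
+
+run_hook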
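Review bot: `. /linux.cmdline` on the third line executes the kernel command line as shell source, so every `key=value` token is run rather than merely assigned: a key that is not a valid identifier (any dotted option, for instance) makes ash report a bad variable name, and a value containing spaces, quotes or `$(`/`;` is word-split or interpreted instead of being stored. Since this script is the login shell of the remote unlock session, it should adopt only the keys run_hook reads, assigning them from a `while IFS='=' read -r key value` loop over the split cmdline and matching the key with `case` against a known list. If the init_functions file sourced two lines later provides a cmdline parser (mkinitcpio's own /init uses one), calling it after that source line would replace the sed/grep/rm trio entirely. The key list below is limited to the names visible in this commit; the remaining crypt* keys the hook consumes must be added.
```sh
#!/usr/bin/ash
# Adopt only the kernel-cmdline keys the hook reads instead of sourcing the cmdline as shell.
tr ' ' '\n' < /proc/cmdline > /linux.cmdline
while IFS='=' read -r key value; do
    case "$key" in
        # TODO(review): extend with every crypt* key run_hook consumes
        cryptdevice*|cryptoptions*) export "$key=$value" ;;
    esac
done < /linux.cmdline
rm /linux.cmdline
# … unchanged: . /init_functions, . /hooks/encrypt-multidisk-ssh, run_hook …
```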
23
encrypt_hook
23
encrypt_hook
@ -69,14 +69,6 @@ EOF
|
|||||||
echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead."
|
echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead."
|
||||||
}
|
}
|
||||||
|
|
||||||
query_password() {
|
|
||||||
echo ""
|
|
||||||
echo "A password is required to access the ${cryptname} volume:"
|
|
||||||
read -rsp "Enter passphrase for ${resolved}: " password
|
|
||||||
echo -n "${password}" > ${cpassfile}
|
|
||||||
echo ""
|
|
||||||
}
|
|
||||||
|
|
||||||
for cryptopt in ${cryptoptions//,/ }; do
|
for cryptopt in ${cryptoptions//,/ }; do
|
||||||
case ${cryptopt} in
|
case ${cryptopt} in
|
||||||
allow-discards)
|
allow-discards)
|
||||||
@ -104,13 +96,22 @@ EOF
|
|||||||
if [ ${dopassphrase} -gt 0 ]; then
|
if [ ${dopassphrase} -gt 0 ]; then
|
||||||
|
|
||||||
if [ ! -f ${cpassfile} ]; then
|
if [ ! -f ${cpassfile} ]; then
|
||||||
query_password
|
query_password "${cryptname}" "${resolved}" "${cpassfile}"
|
||||||
|
if [ -f /.done ]; then
|
||||||
|
break
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
#loop until we get a real password
|
#loop until we get a real password
|
||||||
while ! eval cryptsetup --key-file ${cpassfile} open --type luks ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; do
|
while ! eval cryptsetup --key-file ${cpassfile} open --type luks ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; do
|
||||||
query_password
|
query_password "${cryptname}" "${resolved}" "${cpassfile}"
|
||||||
|
if [ -f /.done ]; then
|
||||||
|
break
|
||||||
|
fi
|
||||||
done
|
done
|
||||||
|
if [ -f /.done ]; then
|
||||||
|
break
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
if [ -e "/dev/mapper/${cryptname}" ]; then
|
if [ -e "/dev/mapper/${cryptname}" ]; then
|
||||||
if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
|
if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
|
||||||
@ -167,6 +168,8 @@ EOF
|
|||||||
count=$((count + 1))
|
count=$((count + 1))
|
||||||
done
|
done
|
||||||
rm -f ${cpassfile}
|
rm -f ${cpassfile}
|
||||||
|
touch /.done
|
||||||
|
killall query_password
|
||||||
}
|
}
|
||||||
|
|
||||||
# vim: set ft=sh ts=4 sw=4 et:
|
# vim: set ft=sh ts=4 sw=4 et:
|
||||||
|
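Review bot: In the second hunk the `/.done` test inside the `while ! eval cryptsetup … open …` loop comes after `query_password`, so a session that was inside `cryptsetup open` when the other session set the flag gets one more passphrase prompt before it notices; moving the test to the head of the loop body — `if [ -f /.done ]; then break; fi` before `query_password "${cryptname}" "${resolved}" "${cpassfile}"` — avoids that extra prompt. The same `if [ -f /.done ]; then break; fi` block now appears three times in run_hook; a one-line helper such as `unlock_done() { [ -f /.done ]; }` would make the intent readable. The `killall query_password` in the third hunk sends SIGTERM by process name to every prompt, which presumably interrupts a `read -s` and may leave that session's tty with echo disabled — worth confirming on a real two-session unlock. run_hook begins and ends outside these hunks.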
@ -1,4 +1,9 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
make_etc_passwd() {
|
||||||
|
echo 'root:x:0:0:root:/root:/bin/cryptsetup_shell' > "${BUILDROOT}"/etc/passwd
|
||||||
|
echo '/bin/cryptsetup_shell' > "${BUILDROOT}"/etc/shells
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
build() {
|
build() {
|
||||||
local mod
|
local mod
|
||||||
@ -19,11 +24,25 @@ build() {
|
|||||||
add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
|
add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
|
||||||
add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
|
add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
|
||||||
|
|
||||||
|
add_binary "/usr/share/cryptsetup-multidisk-ssh/bin/cryptsetup_shell" "/bin/cryptsetup_shell"
|
||||||
|
add_binary "/usr/share/cryptsetup-multidisk-ssh/bin/query_password" "/bin/query_password"
|
||||||
|
|
||||||
|
make_etc_passwd
|
||||||
|
|
||||||
add_runscript
|
add_runscript
|
||||||
}
|
}
|
||||||
|
|
||||||
help() {
|
help() {
|
||||||
cat <<HELPEOF
|
cat <<HELPEOF
|
||||||
|
This hook is a drop in replacement for the encrypt multidisk hook and also allows for
|
||||||
|
multiple encrypted root devices to be unlocked remotely over SSH. It works with both
|
||||||
|
mkinitcpio-dropbear and mkinitcpio-tinyssh hooks. It DOES NOT perform any
|
||||||
|
network interface configuration.
|
||||||
|
|
||||||
|
Use this hook in combination with any early userspace networking hook, such as
|
||||||
|
mkinitcpio-netconf or mkinitcpio-ppp. Place this hook AFTER any network
|
||||||
|
configuration hook and BEFORE the filesystems hook.
|
||||||
|
|
||||||
This hook allows for multiple encrypted root devices. Users should specify the
|
This hook allows for multiple encrypted root devices. Users should specify the
|
||||||
device to be unlocked using 'cryptdevice=device:dmname' on the kernel command
|
device to be unlocked using 'cryptdevice=device:dmname' on the kernel command
|
||||||
line, where 'device' is the path to the raw device, and 'dmname' is the name
|
line, where 'device' is the path to the raw device, and 'dmname' is the name
|
||||||
|
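Review bot: `make_etc_passwd` in the first hunk writes `${BUILDROOT}/etc/passwd` and `/etc/shells` with `>`, so a root entry placed there by an earlier hook (the dropbear/tinyssh hooks the help text says this works with) is silently replaced and the final login shell depends on HOOKS order, which help() does not mention. If the overwrite is intended, the help text should state that this hook must be listed after those ssh hooks; otherwise assemble the entry with an append guarded by a `grep -q '^root:'` test rather than a blind overwrite. The two `add_binary` calls in the second hunk target ash scripts, which only works if that helper falls back to a plain copy for non-ELF files; `add_file` states the intent directly. build() and help() both continue outside the hunks shown.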
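--- a/query_password
+++ b/query_password
@@ -0,0 +1,9 @@
+#!/usr/bin/ash
+cryptname="$1"
+resolved="$2"
+cpassfile="$3"
+echo ""
+echo "A password is required to access the ${cryptname} volume:"
+read -rsp "Enter passphrase for ${resolved}: " password
+echo -n "${password}" > ${cpassfile}
+echo ""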
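Review bot: The redirection `echo -n "${password}" > ${cpassfile}` on the eighth line leaves the target unquoted and fails outright when the third argument is empty, so the script should assert it up front with `: "${cpassfile:?key file path required}"` and write with `> "${cpassfile}"`. The passphrase lands in a plaintext file created with the inherited umask; a `umask 077` before the redirect keeps the file owner-only regardless of what the calling environment set. Because the hook terminates this script with killall while `read -s` is active, the terminal may be left with echo off; if stty is present in the image, a `trap` on TERM/EXIT that restores echo is worth adding.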
@ -1,5 +1,7 @@
|
|||||||
This is the standard archlinux encrypt hook extended to support multiple encrypted devices via cryptsetup= cryptsetup1= cryptsetup2= etc.
|
This is the standard archlinux encrypt hook extended to support multiple encrypted devices via cryptsetup= cryptsetup1= cryptsetup2= etc.
|
||||||
|
|
||||||
Hopefully one day it will be merged with the normal archlinux cryptsetup package (ask for it [here](https://bugs.archlinux.org/task/23182)), until then it will be available via the aur here:
|
This hook also additionally supports unlocking via ssh with mkinitcpio-dropbear or mkinitcpio-tinyssh packages set up first.
|
||||||
|
|
||||||
https://aur.archlinux.org/packages/cryptsetup-multidisk/
|
Available via the aur here:
|
||||||
|
|
||||||
|
https://aur.archlinux.org/packages/cryptsetup-multidisk-ssh/
|
||||||
|