author | Toni Uhlig <matzeton@googlemail.com> | 2018-10-18 15:38:26 +0200 |
---|---|---|
committer | Toni Uhlig <matzeton@googlemail.com> | 2018-10-18 18:55:38 +0200 |
commit | 9ab9dd54247fba00f1d7644ff7ee82ef59bf8157 (patch) | |
tree | 7cb3f30d5a02716ec7f3f2a38e72cc44848b61f0 | |
parent | ed25e33899cb55377b1bc1f4f47625889bb52fa7 (diff) |
naskpass initramfs script fixup
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rwxr-xr-x | debian/naskpass.postinst | 15 | ||||
-rwxr-xr-x | debian/naskpass.prerm | 3 | ||||
-rwxr-xr-x | debian/rules | 14 | ||||
-rw-r--r-- | debian/templates | 11 | ||||
-rwxr-xr-x | scripts/naskconf | 35 | ||||
-rwxr-xr-x | scripts/naskpass.initconf | 5 | ||||
-rwxr-xr-x | scripts/naskpass.post | 16 | ||||
-rwxr-xr-x | scripts/naskpass.pre | 15 | ||||
-rwxr-xr-x | scripts/naskpass_debian.inithook (renamed from scripts/naskpass.inithook) | 12 | ||||
-rwxr-xr-x | scripts/naskpass_debian.initscript (renamed from scripts/naskpass.initscript) | 137 |
10 files changed, 68 insertions, 195 deletions
diff --git a/debian/naskpass.postinst b/debian/naskpass.postinst index 255bfd0..025c25d 100755 --- a/debian/naskpass.postinst +++ b/debian/naskpass.postinst @@ -6,25 +6,10 @@ set -e . /usr/share/debconf/confmodule -. /usr/share/naskpass/naskconf case "$1" in configure) - nask_update - db_input high naskpass/activate || true - db_go - db_get naskpass/activate - if [ "x$RET" = "xtrue" ]; then - nask_activate || true - if [ "x${ERRMSG}" != "x" ]; then - echo "* ${ERRMSG}" >&2 - nask_deactivate - false - fi - else - nask_deactivate - fi if [ -x /usr/bin/ssh-keygen ]; then [ -r /etc/initramfs-tools/etc/ssh/ssh_host_rsa_key ] || /usr/bin/ssh-keygen -t rsa -N '' -b 4096 -f /etc/initramfs-tools/etc/ssh/ssh_host_rsa_key [ -r /etc/initramfs-tools/etc/ssh/ssh_host_dsa_key ] || /usr/bin/ssh-keygen -t dsa -N '' -b 1024 -f /etc/initramfs-tools/etc/ssh/ssh_host_dsa_key diff --git a/debian/naskpass.prerm b/debian/naskpass.prerm index 47beafb..86d693d 100755 --- a/debian/naskpass.prerm +++ b/debian/naskpass.prerm @@ -7,12 +7,9 @@ set -e . /usr/share/debconf/confmodule -. /usr/share/naskpass/naskconf case "$1" in remove) - nask_deactivate - db_purge update-initramfs -u ;; upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) diff --git a/debian/rules b/debian/rules index 2cf220c..f26c7d3 100755 --- a/debian/rules +++ b/debian/rules 
@@ -45,15 +45,11 @@ install: build dh_installchangelogs dh_installdebconf $(MAKE) install-strip prefix=$(CURDIR)/debian/naskpass - install -d -m755 $(CURDIR)/debian/naskpass/usr/share/naskpass - install -D -m755 ./scripts/naskconf $(CURDIR)/debian/naskpass/usr/share/naskpass/ - install -D -m755 ./scripts/naskpass.inithook $(CURDIR)/debian/naskpass/usr/share/naskpass/ - install -D -m755 ./scripts/naskpass.initscript $(CURDIR)/debian/naskpass/usr/share/naskpass/ - install -D -m755 ./scripts/naskpass.initconf $(CURDIR)/debian/naskpass/usr/share/naskpass/ - install -D -m755 ./scripts/naskpass.pre $(CURDIR)/debian/naskpass/usr/share/naskpass/ - install -D -m755 ./scripts/naskpass.post $(CURDIR)/debian/naskpass/usr/share/naskpass/ - install -d -m755 $(CURDIR)/debian/naskpass/etc/initramfs-tools/etc/ssh/ - install -D -m644 ./scripts/sshd_config $(CURDIR)/debian/naskpass/etc/initramfs-tools/etc/ssh/ + install -d -m755 $(CURDIR)/debian/naskpass/usr/share/initramfs-tools/scripts/local-top + install -D -m755 ./scripts/naskpass_debian.inithook $(CURDIR)/debian/naskpass/usr/share/initramfs-tools/hooks/naskpass + install -D -m755 ./scripts/naskpass_debian.initscript $(CURDIR)/debian/naskpass/usr/share/initramfs-tools/scripts/local-top/naskpass + install -d -m755 $(CURDIR)/debian/naskpass/etc/initramfs-tools/etc/ssh/ + install -D -m644 ./scripts/sshd_config $(CURDIR)/debian/naskpass/etc/initramfs-tools/etc/ssh/ binary-indep: build install diff --git a/debian/templates b/debian/templates deleted file mode 100644 index 7e664ab..0000000 --- a/debian/templates +++ /dev/null @@ -1,11 +0,0 @@ -Template: naskpass/activate -Type: boolean -Default: false -Description.UTF-8: Do you want to activate naskpass? - Activate or Deactivate the naskpass initramfs replacement - for askpass. You can activate/deactivate it later with - 'dpkg-reconfigure naskpass'. - -Template: naskpass/active -Type: boolean -Default: false 
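Review bot: With these two `install` lines the hook and the local-top script land directly in the initramfs-tools directories, so they take effect on the next initramfs build with no opt-in; the debconf `naskpass/activate` question and the sha512 check on the stock `cryptroot` script are removed elsewhere in this commit. Since scripts/naskpass_debian.inithook copies `/usr/sbin/sshd` and the SSH host keys into the image, that default deserves a comment above the block, e.g. `# hook and local-top script are active as soon as the package is installed (no debconf opt-in)`. The script is also installed as `local-top/naskpass` next to, rather than in place of, the distribution's `cryptroot`; whether both then try to unlock the same device is not visible from this diff and should be checked. The `install` recipe starts before the hunk.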
diff --git a/scripts/naskconf b/scripts/naskconf deleted file mode 100755 index 5f82f22..0000000 --- a/scripts/naskconf +++ /dev/null @@ -1,35 +0,0 @@ -#!/bin/sh - -export ORGCHKSM="2057abcd4c0038fb3357680ac3057b208672d5d81bca85e1cc668f17d4060a23bda4c34352682b289d17a18f6ab75c4b9ea9df1a9f85709e3042ff7fdc83e245" -export ORGFILE="/usr/share/initramfs-tools/scripts/local-top/cryptroot" - - -. /usr/share/debconf/confmodule - -_nask_cmd () { - db_get naskpass/active - if [ "x$1" = "xACTV" ] && [ "$RET" = "false" ]; then - if [ "${ORGCHKSM}" != "$(/usr/bin/sha512sum ${ORGFILE} | grep -Eo '^[0-9a-zA-Z]*')" ]; then - export ERRMSG="$0: sha512sum mismatch" - return 1 - fi - dpkg-divert --package naskpass --add --rename --divert /var/backups/cryptroot.initramfs.bak ${ORGFILE} - cp /usr/share/naskpass/naskpass.initscript ${ORGFILE} - ln -s /usr/share/naskpass/naskpass.inithook \ - /usr/share/initramfs-tools/hooks/naskpass - db_set naskpass/active true - elif [ "x$1" = "xDCTV" ] && [ "$RET" = "true" ]; then - rm ${ORGFILE} - rm /usr/share/initramfs-tools/hooks/naskpass - dpkg-divert --package naskpass --rename --remove ${ORGFILE} - db_set naskpass/active false - elif [ "x$1" = "xUPDT" ] && [ "$RET" = "true" ]; then - cp /usr/share/naskpass/naskpass.initscript ${ORGFILE} - fi - return 0 -} - -nask_activate () { _nask_cmd "ACTV"; return $?; } -nask_deactivate () { _nask_cmd "DCTV"; return $?; } -nask_update () { _nask_cmd "UPDT"; return $?; } - diff --git a/scripts/naskpass.initconf b/scripts/naskpass.initconf deleted file mode 100755 index fa1f945..0000000 --- a/scripts/naskpass.initconf +++ /dev/null @@ -1,5 +0,0 @@ -# initramfs naskpass config file - -# kernel printk path -PRINTK=/proc/sys/kernel/printk -OLDPRINTK=/tmp/naskpass.oldprintk diff --git a/scripts/naskpass.post b/scripts/naskpass.post deleted file mode 100755 index a38e1c5..0000000 --- a/scripts/naskpass.post +++ /dev/null 
@@ -1,16 +0,0 @@ -#!/bin/sh - -. /etc/naskpass.conf - -if [ "x${OLDPRINTK}" != "x" ] && [ -r ${OLDPRINTK} ] && [ -w ${PRINTK} ]; then - cat ${OLDPRINTK} >${PRINTK} -fi - -kill $(pidof sshd) - -for interface in $(ifconfig | grep -oE '^[a-zA-Z0-9]+\s+'); do - echo "disable ${interface}" - ifconfig ${interface} 0.0.0.0 - ifconfig ${interface} down -done - diff --git a/scripts/naskpass.pre b/scripts/naskpass.pre deleted file mode 100755 index 4eb6d3b..0000000 --- a/scripts/naskpass.pre +++ /dev/null @@ -1,15 +0,0 @@ -#!/bin/sh - -. /scripts/functions -. /etc/naskpass.conf - - -if [ "x${PRINTK}" != "x" ] && [ -r ${PRINTK} ] && [ -w ${PRINTK} ]; then - cat ${PRINTK} >${OLDPRINTK} - echo "0 0 0 0" >${PRINTK} -fi - -if [ -x /sbin/sshd ]; then -[ -x /bin/ipconfig ] && configure_networking >/dev/null 2>/dev/null & -/sbin/sshd -fi diff --git a/scripts/naskpass.inithook b/scripts/naskpass_debian.inithook index 9f7eaf5..d45a142 100755 --- a/scripts/naskpass.inithook +++ b/scripts/naskpass_debian.inithook 
@@ -16,23 +16,23 @@ esac . /usr/share/initramfs-tools/hook-functions +# copy executables copy_exec /lib/cryptsetup/naskpass /lib/cryptsetup copy_exec /lib/cryptsetup/naskshell /bin copy_exec /lib/cryptsetup/naskpass_check /lib/cryptsetup -copy_exec /usr/share/naskpass/naskpass.pre /lib/cryptsetup -copy_exec /usr/share/naskpass/naskpass.post /lib/cryptsetup -dash -n /usr/share/naskpass/naskpass.initconf -copy_exec /usr/share/naskpass/naskpass.initconf /etc/naskpass.conf - copy_exec /usr/sbin/sshd /sbin/sshd + +# OpenSSH config directory cp -R /etc/initramfs-tools/etc/ssh "${DESTDIR}/etc/" +# /root is required for a successful SSH login if [ ! -r "${DESTDIR}/root" ]; then mkdir -p "${DESTDIR}/root" chown root:root "${DESTDIR}/root" chmod 0700 "${DESTDIR}/root" fi +# libnss and nsswitch are required for a successful SSH login copy_exec /usr/lib/$(dpkg-architecture -q DEB_HOST_MULTIARCH)/libnss_compat.so /usr/lib/$(dpkg-architecture -q DEB_HOST_MULTIARCH)/ if [ -r "${DESTDIR}/etc/nsswitch.conf" ]; then echo "passwd: compat" > "${DESTDIR}/etc/nsswitch.conf" @@ -40,10 +40,12 @@ echo "group: compat" >>"${DESTDIR}/etc/nsswitch.conf" echo "shadow: compat" >>"${DESTDIR}/etc/nsswitch.conf" fi +# passwd, group, shadow entries to enable root with naskshell login [ -r "${DESTDIR}/etc/passwd" ] || echo 'root:x:0:0:root:/root:/bin/naskshell' >"${DESTDIR}/etc/passwd" [ -r "${DESTDIR}/etc/group" ] || echo 'root:x:0:' >"${DESTDIR}/etc/group" [ -r "${DESTDIR}/etc/shadow" ] || echo 'root:*:15446:0:99999:7:::' >"${DESTDIR}/etc/shadow" +# terminfo is viable for ncurses programs mkdir -p ${DESTDIR}/lib/terminfo/l cp /lib/terminfo/l/linux ${DESTDIR}/lib/terminfo/l/ diff --git a/scripts/naskpass.initscript b/scripts/naskpass_debian.initscript index b92381f..3cffd4f 100755 --- a/scripts/naskpass.initscript +++ b/scripts/naskpass_debian.initscript 
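Review bot: The new `# OpenSSH config directory` comment undersells what `cp -R /etc/initramfs-tools/etc/ssh "${DESTDIR}/etc/"` copies: per debian/naskpass.postinst that directory holds the generated private host keys (`ssh_host_rsa_key`, `ssh_host_dsa_key`), which therefore end up inside the initramfs image. I would say so in the comment, e.g. `# OpenSSH config directory, including the private host keys; readable by anyone who can read the initramfs image`, and state that these keys must stay separate from the host keys of the running system.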
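Review bot: The `nsswitch.conf` block that this hunk continues is guarded by `if [ -r "${DESTDIR}/etc/nsswitch.conf" ]` (opened at the end of the previous hunk), which looks inverted compared with the `[ -r … ] ||` guards on passwd, group and shadow just below: the file is overwritten when it exists and never created when it is missing. If the intent matches the added comment that nsswitch is required for a successful login, the test should read `if [ ! -r "${DESTDIR}/etc/nsswitch.conf" ]; then`. Separately, the added comment `# terminfo is viable for ncurses programs` presumably means "vital", and `${DESTDIR}` in the two terminfo lines is unquoted, unlike the rest of the file.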
@@ -7,13 +7,7 @@ PREREQ="cryptroot-prepare" # prereqs() { - # Make sure that cryptroot is run last in local-top - for req in $(dirname $0)/*; do - script=${req##*/} - if [ $script != cryptroot ]; then - echo $script - fi - done + echo "$PREREQ" } case $1 in @@ -69,8 +63,10 @@ parse_options() cryptlvm="" cryptkeyscript="" cryptkey="" # This is only used as an argument to an eventual keyscript + cryptkeyslot="" crypttries=3 crypttcrypt="" + cryptveracrypt="" cryptrootdev="" cryptdiscard="" CRYPTTAB_OPTIONS="" @@ -96,7 +92,7 @@ parse_options() if [ ${cryptsource#UUID=} != $cryptsource ]; then cryptsource="/dev/disk/by-uuid/${cryptsource#UUID=}" elif [ ${cryptsource#LABEL=} != $cryptsource ]; then - cryptsource="/dev/disk/by-label/${cryptsource#LABEL=}" + cryptsource="/dev/disk/by-label/$(printf '%s' "${cryptsource#LABEL=}" | sed 's,/,\\x2f,g')" fi export CRYPTTAB_SOURCE="$cryptsource" ;; @@ -119,6 +115,9 @@ parse_options() fi export CRYPTTAB_KEY="$cryptkey" ;; + keyslot=*) + cryptkeyslot=${x#keyslot=} + ;; tries=*) crypttries="${x#tries=}" case "$crypttries" in @@ -130,6 +129,9 @@ parse_options() tcrypt) crypttcrypt="yes" ;; + veracrypt) + cryptveracrypt="--veracrypt" + ;; rootdev) cryptrootdev="yes" ;; @@ -149,7 +151,7 @@ parse_options() export CRYPTTAB_OPTIONS if [ -z "$cryptsource" ]; then - message "cryptsetup: source parameter missing" + message "cryptsetup ($crypttarget): source parameter missing" return 1 fi return 0 @@ -159,7 +161,7 @@ activate_vg() { # Sanity checks if [ ! -x /sbin/lvm ]; then - message "cryptsetup: lvm is not available" + message "cryptsetup ($crypttarget): lvm is not available" return 1 fi 
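Review bot: In the `keyslot=*` branch (hunk -119,6) `cryptkeyslot=${x#keyslot=}` is stored without validation, whereas `tries=` just below is followed by a `case "$crypttries" in` check; the value is later appended unquoted to `$cryptopen` (hunk -261,12) and that string is handed to the keyscript as a single `-c` argument (hunk -277,65). Options can come from the kernel command line (`cmdline_cryptopts`), so I would accept digits only: `case "$cryptkeyslot" in ''|*[!0-9]*) message "cryptsetup ($crypttarget): invalid keyslot"; return 1 ;; esac`. How naskpass runs the `-c` string is not visible here; if it goes through a shell, the same concern applies to `$cryptsource`, `$crypttarget` and `$cryptheader`. `parse_options` starts and ends outside this hunk.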
@@ -180,13 +182,29 @@ setup_mapping() parse_options "$opts" || return 1 - if [ -n "$cryptkeyscript" ] && ! type "$cryptkeyscript" >/dev/null; then - message "cryptsetup: error - script \"$cryptkeyscript\" missing" + if [ -z "$cryptkeyscript" ]; then + if [ ${cryptsource#/dev/disk/by-uuid/} != $cryptsource ]; then + # UUIDs are not very helpful + diskname="$crypttarget" + else + diskname="$cryptsource ($crypttarget)" + fi + cryptkeyscript="/lib/cryptsetup/naskpass" + cryptkey="Please unlock disk $diskname: " + elif ! type "$cryptkeyscript" >/dev/null; then + message "cryptsetup ($crypttarget): error - script \"$cryptkeyscript\" missing" return 1 fi + if [ "$cryptkeyscript" = "cat" ] && [ "${cryptkey#/root/}" != "$cryptkey" ]; then + # skip the mapping if the root FS is not mounted yet + sed -rn 's/^\s*[^#]\S*\s+(\S+)\s.*/\1/p' /proc/mounts | grep -Fxq "$rootmnt" || return 1 + # substitute the "/root" prefix by the real root FS mountpoint otherwise + cryptkey="${rootmnt}/${cryptkey#/root/}" + fi + if [ -n "$cryptheader" ] && ! type "$cryptheader" >/dev/null; then - message "cryptsetup: error - LUKS header \"$cryptheader\" missing" + message "cryptsetup ($crypttarget): error - LUKS header \"$cryptheader\" missing" return 1 fi 
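Review bot: The default keyscript `/lib/cryptsetup/naskpass` is assigned without the `type` check that the `elif` branch applies to a user-supplied keyscript, and the former fallback to `/lib/cryptsetup/askpass` is removed later in this commit. If the binary is missing from the image or cannot start, every attempt is reported as "bad password or options?" and counted against `tries`. Running the check after the default has been chosen would cover both cases: close the first `if` with `fi` and test `if ! type "$cryptkeyscript" >/dev/null; then` unconditionally. `setup_mapping` starts before and continues after this hunk.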
@@ -261,12 +279,15 @@ setup_mapping() if [ -n "$cryptheader" ]; then cryptopen="$cryptopen --header=$cryptheader" fi + if [ -n "$cryptkeyslot" ]; then + cryptopen="$cryptopen --key-slot=$cryptkeyslot" + fi if /sbin/cryptsetup isLuks ${cryptheader:-$cryptsource} >/dev/null 2>&1; then - cryptopen="$cryptopen open --type luks $cryptsource $crypttarget --key-file=-" + cryptopen="$cryptopen open --type luks $cryptsource $crypttarget" elif [ "$crypttcrypt" = "yes" ]; then - cryptopen="$cryptopen open --type tcrypt $cryptsource $crypttarget" + cryptopen="$cryptopen open --type tcrypt $cryptveracrypt $cryptsource $crypttarget" else - cryptopen="$cryptopen -c $cryptcipher -s $cryptsize -h $crypthash open --type plain $cryptsource $crypttarget --key-file=-" + cryptopen="$cryptopen -c $cryptcipher -s $cryptsize -h $crypthash open --type plain $cryptsource $crypttarget" fi cryptremove="/sbin/cryptsetup remove $crypttarget" NEWROOT="/dev/mapper/$crypttarget" 
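Review bot: Dropping `--key-file=-` here, together with the new call `$cryptkeyscript -c"$cryptopen"` in hunk -277,65, means only a keyscript that understands `-c` and runs cryptsetup itself can unlock a device; a keyscript that prints the key on stdout is no longer piped into cryptsetup, and `"$cryptkey"` is never passed to it. That includes the `cat` keyscript for which hunk -180,13 adds the `/root/` path rewrite, so that branch cannot work as written. Either keep the piped form `$cryptkeyscript "$cryptkey" | $cryptopen` (with `--key-file=-` for the LUKS and plain cases) for keyscripts other than naskpass, or reject other keyscripts with an explicit message. `setup_mapping` starts and ends outside this hunk.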
@@ -277,65 +298,16 @@ setup_mapping() export CRYPTTAB_TRIED="$count" count=$(( $count + 1 )) - if [ -z "$cryptkeyscript" ]; then - if [ ${cryptsource#/dev/disk/by-uuid/} != $cryptsource ]; then - # UUIDs are not very helpful - diskname="$crypttarget" - else - diskname="$cryptsource ($crypttarget)" - fi - - if [ -x /bin/plymouth ] && plymouth --ping; then - cryptkeyscript="plymouth ask-for-password --prompt" - # Plymouth will add a : if it is a non-graphical prompt - cryptkey="Please unlock disk $diskname" - else - if [ -x /lib/cryptsetup/naskpass ] && [ $askpass_fallback -eq 0 ]; then - cryptkeyscript="/lib/cryptsetup/naskpass" - cryptkey="" - else - cryptkeyscript="/lib/cryptsetup/askpass" - cryptkey="Please unlock disk $diskname: " - fi - fi - fi - - if [ ! -e "$NEWROOT" ]; then - if [ -x /bin/plymouth ] && plymouth --ping || [ $askpass_fallback -ne 0 ]; then - if [ $askpass_fallback -eq 0 ]; then - message "naskpass does not work with plymouth, falling back to default askpass .." - fi - if ! crypttarget="$crypttarget" cryptsource="$cryptsource" \ - $cryptkeyscript "$cryptkey" | $cryptopen; then - message "cryptsetup: cryptsetup failed, bad password or options?" - continue - fi - else - [ -z ${NASK_FAIL} ] && /lib/cryptsetup/naskpass.pre - if ! $cryptkeyscript -c "/sbin/cryptsetup -T 1 open $cryptsource $crypttarget"; then - NASK_FAIL=1 - message "naskpass: failed ${count}/${crypttries}" - if [ $crypttries -gt 0 ] && [ $count -ge $crypttries ]; then - message "cryptsetup: maximum number of tries exceeded for $crypttarget" - message "shutdown in 3 seconds" - sleep 3 - [ -w /proc/sysrq-trigger ] && /bin/echo 'o' > /proc/sysrq-trigger - [ -w /proc/sysrq ] && /bin/echo 'o' > /proc/sysrq - [ -x /sbin/poweroff ] && /sbin/poweroff -n -f - sleep 10 - return 1 - fi - continue - else - message "naskpass: success" - fi - /lib/cryptsetup/naskpass.post + if ! 
crypttarget="$crypttarget" cryptsource="$cryptsource" \ + $cryptkeyscript -c"$cryptopen"; then + message "cryptsetup ($crypttarget): cryptsetup failed, bad password or options?" + continue fi fi if [ ! -e "$NEWROOT" ]; then - message "cryptsetup: unknown error setting up device mapping" + message "cryptsetup ($crypttarget): unknown error setting up device mapping" return 1 fi @@ -347,11 +319,11 @@ setup_mapping() #if [ "$FSTYPE" = "lvm" ] || [ "$FSTYPE" = "lvm2" ]; then if [ "$FSTYPE" = "LVM_member" ] || [ "$FSTYPE" = "LVM2_member" ]; then if [ -z "$cryptlvm" ]; then - message "cryptsetup: lvm fs found but no lvm configured" + message "cryptsetup ($crypttarget): lvm fs found but no lvm configured" return 1 elif ! activate_vg; then # disable error message, LP: #151532 - #message "cryptsetup: failed to setup lvm device" + #message "cryptsetup ($crypttarget): failed to setup lvm device" return 1 fi @@ -372,19 +344,26 @@ setup_mapping() #if [ -z "$FSTYPE" ] || [ "$FSTYPE" = "unknown" ]; then if [ -z "$FSTYPE" ]; then - message "cryptsetup: unknown fstype, bad password or options?" + message "cryptsetup ($crypttarget): unknown fstype, bad password or options?" udev_settle $cryptremove continue fi - message "cryptsetup: $crypttarget set up successfully" + # decrease $count by 1, apparently last try was successful. + count=$(( $count - 1 )) + + message "cryptsetup ($crypttarget): set up successfully" break done - if [ $crypttries -gt 0 ] && [ $count -gt $crypttries ]; then - message "cryptsetup: maximum number of tries exceeded for $crypttarget" - return 1 + failsleep=60 # make configurable later? + + if [ "$cryptrootdev" = "yes" ] && [ $crypttries -gt 0 ] && [ $count -ge $crypttries ]; then + message "cryptsetup ($crypttarget): maximum number of tries exceeded" + message "cryptsetup: going to sleep for $failsleep seconds..." + sleep $failsleep + exit 1 fi udev_settle 
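Review bot: In hunk -372,19 the tries limit is enforced only when `$cryptrootdev` is `yes`; for any other mapping an exhausted retry loop falls through to `udev_settle` where the old code did `return 1`, so the failure appears to go unreported (the rest of `setup_mapping` is outside the hunk). Adding `elif [ $crypttries -gt 0 ] && [ $count -ge $crypttries ]; then message "cryptsetup ($crypttarget): maximum number of tries exceeded"; return 1` would keep that path. For the root device the removed naskpass code powered the machine off, while the new code sleeps `$failsleep` seconds and runs `exit 1`; what the initramfs does after that exit is not shown, and it is worth confirming that it cannot end in an interactive shell on an image that also carries sshd.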
@@ -396,7 +375,6 @@ setup_mapping() # # Do we have any kernel boot arguments? -askpass_fallback=0 cmdline_cryptopts='' unset cmdline_root for opt in $(cat /proc/cmdline); do @@ -420,9 +398,6 @@ for opt in $(cat /proc/cmdline); do *) # lilo major/minor number (See #398957). Ignore esac ;; - cryptfallback) - askpass_fallback=1 - ;; esac done |