Viewing changes to dracut-module/cmdline-mandos.sh

  • Committer: Teddy Hogeborn
  • Date: 2024-11-24 00:44:25 UTC
  • Revision ID: teddy@recompile.se-20241124004425-6k3y0ir1ksyjq3c4
mandos-keygen: Show warning about old OpenSSH versions

When generating a config file snippet on the Mandos client system
using mandos-keygen, and the default ssh-keyscan checker is used, and
if the OpenSSH version is 9.8 or later, the "checker" command
generated for the config file on the Mandos server will include the
"-q" option for ssh-keyscan.  This option did not exist on ssh-keyscan
from OpenSSH older than version 9.8.  Therefore, if the Mandos
*server* is running an older version of OpenSSH, where ssh-keyscan
does not support the "-q" option, this option must be removed from the
generated "checker" setting.  Since we cannot know if this is the case
when running mandos-keygen on the Mandos client system, we print this
information as a comment above the generated "checker" setting.

* mandos-keygen: Show warning if the new "-q" option was used with
  ssh-keyscan in the generated "checker" setting.

 
1
#!/bin/sh
 
2
#
 
3
# This file should be present in the root file system directory
 
4
# /usr/lib/dracut/modules.d/90mandos.  When dracut creates the
 
5
# initramfs image, dracut will run the "module-setup.sh" file in the
 
6
# same directory, which (when *not* using the "systemd" dracut module)
 
7
# will copy this file ("cmdline-mandos.sh") into the initramfs as
 
8
# "/lib/dracut/hooks/cmdline/20-cmdline-mandos.sh".
 
9
 
10
# Despite the above #!/bin/sh line and the executable flag, this file
 
11
# is not executed; this file is sourced by the /init script in the
 
12
# initramfs image created by dracut.
 
13
 
 
14
if getargbool 1 mandos && [ -e /lib/dracut-crypt-lib.sh ]; then
 
15
    cat >> /lib/dracut-crypt-lib.sh <<- "EOF"
 
16
        ask_for_password(){
 
17
            local cmd; local prompt; local tries=3
 
18
            local ply_cmd; local ply_prompt; local ply_tries=3
 
19
            local tty_cmd; local tty_prompt; local tty_tries=3
 
20
            local ret
 
21
        
 
22
            while [ $# -gt 0 ]; do
 
23
                case "$1" in
 
24
                    --cmd) ply_cmd="$2"; tty_cmd="$2"; shift;;
 
25
                    --ply-cmd) ply_cmd="$2"; shift;;
 
26
                    --tty-cmd) tty_cmd="$2"; shift;;
 
27
                    --prompt) ply_prompt="$2"; tty_prompt="$2"; shift;;
 
28
                    --ply-prompt) ply_prompt="$2"; shift;;
 
29
                    --tty-prompt) tty_prompt="$2"; shift;;
 
30
                    --tries) ply_tries="$2"; tty_tries="$2"; shift;;
 
31
                    --ply-tries) ply_tries="$2"; shift;;
 
32
                    --tty-tries) tty_tries="$2"; shift;;
 
33
                    --tty-echo-off) tty_echo_off=yes;;
 
34
                    -*) :;;
 
35
                esac
 
36
                shift
 
37
            done
 
38
            if [ -z "$ply_cmd" ]; then
 
39
                ply_cmd="$tty_cmd"
 
40
            fi
 
41
            # Extract device and luksname from $ply_cmd
 
42
            set -- $ply_cmd
 
43
            shift
 
44
            for arg in "$@"; do
 
45
                case "$arg" in
 
46
                    -*) :;;
 
47
                    *)
 
48
                        if [ -z "$device" ]; then
 
49
                            device="$arg"
 
50
                        else
 
51
                            luksname="$arg"
 
52
                            break
 
53
                        fi
 
54
                        ;;
 
55
                esac
 
56
            done
 
57
            { flock -s 9;
 
58
              if [ -z "$ply_prompt" ]; then
 
59
                  if [ -z "$tty_prompt" ]; then
 
60
                      CRYPTTAB_SOURCE="$device" cryptsource="$device" CRYPTTAB_NAME="$luksname" crypttarget="$luksname" /lib/mandos/plugin-runner --config-file=/etc/mandos/plugin-runner.conf | $ply_cmd
 
61
                  else
 
62
                      CRYPTTAB_SOURCE="$device" cryptsource="$device" CRYPTTAB_NAME="$luksname" crypttarget="$luksname" /lib/mandos/plugin-runner --options-for=password-prompt:--prompt="${tty_prompt}" --config-file=/etc/mandos/plugin-runner.conf | $ply_cmd
 
63
                  fi
 
64
              else
 
65
                  if [ -z "$tty_prompt" ]; then
 
66
                      CRYPTTAB_SOURCE="$device" cryptsource="$device" CRYPTTAB_NAME="$luksname" crypttarget="$luksname" /lib/mandos/plugin-runner --options-for=plymouth:--prompt="${ply_prompt}" --config-file=/etc/mandos/plugin-runner.conf | $ply_cmd
 
67
                  else
 
68
                      CRYPTTAB_SOURCE="$device" cryptsource="$device" CRYPTTAB_NAME="$luksname" crypttarget="$luksname" /lib/mandos/plugin-runner --options-for=password-prompt:--prompt="${tty_prompt}" --options-for=plymouth:--prompt="${ply_prompt}" --config-file=/etc/mandos/plugin-runner.conf | $ply_cmd
 
69
                  fi
 
70
              fi
 
71
            } 9>/.console_lock
 
72
        }
 
73
        EOF
 
74
fi
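Review bot: `device` and `luksname` are assigned in the argument-extraction loop (file lines 48–51) without being declared `local` or cleared beforehand, unlike every other variable in ask_for_password, so if the function runs twice in the same shell the stale `device` from the first call passes the `[ -z "$device" ]` test and the next device name is stored in `luksname` instead. Whether dracut calls this in a fresh subshell per device is not visible here, so the problem may be masked in practice, but the values feed CRYPTTAB_SOURCE and CRYPTTAB_NAME for plugin-runner, where a mix-up would mean prompting for the wrong LUKS target. Adding `local device; local luksname` beside `local ret` makes the extraction self-contained; `tty_echo_off` on file line 33 has the same omission, though nothing in this function reads it.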