I don't think Recommends is appropriate for the general case - it's meant for packages used in "all but unusual installations" (from the policy manual) isn't it?
The key generation should be able to be performed using dropbearkey (and /usr/lib/dropbear/dropbearconvert if required), without needing ssh-keygen. The patchset looks like interesting work.

Matt
Dropbear Developer

On Fri, Feb 15, 2008 at 03:47:45PM +0100, [EMAIL PROTECTED] wrote:
> Package: dropbear
> Version: 0.50-2
> Severity: wishlist
> Tags: patch
>
> this patch is part of three patches (initramfs-tools, cryptsetup,
> dropbear) which enable mkinitramfs to create initramfss that provide the
> ability to log in and unlock a cryptroot during the boot process from
> remote via ssh.
>
> initramfs script, hook-script, and config are added.
> openssh-client is promoted from suggested to recommended, because in
> case of a cryptroot with dropbear it's not really unimportant that
> mkinitramfs is able to create authorization keys. also udev is needed
> for dropbear in initramfs.
> diff -rNc dropbear-0.50.orig/debian/control dropbear-0.50/debian/control > *** dropbear-0.50.orig/debian/control 2008-02-14 20:17:40.000000000 +0100 > --- dropbear-0.50/debian/control 2008-02-14 20:17:59.000000000 +0100 > *************** > *** 8,14 **** > Package: dropbear > Architecture: any > Depends: ${shlibs:Depends} > ! Suggests: openssh-client, runit > Description: lightweight SSH2 server and client > dropbear is a SSH 2 server and client designed to be small enough to > be used in small memory environments, while still being functional and > --- 8,15 ---- > Package: dropbear > Architecture: any > Depends: ${shlibs:Depends} > ! Recommends: openssh-client, udev > ! 
Suggests: runit > Description: lightweight SSH2 server and client > dropbear is a SSH 2 server and client designed to be small enough to > be used in small memory environments, while still being functional and > diff -rNc dropbear-0.50.orig/debian/initramfs/dropbear-conf > dropbear-0.50/debian/initramfs/dropbear-conf > *** dropbear-0.50.orig/debian/initramfs/dropbear-conf 1970-01-01 > 01:00:00.000000000 +0100 > --- dropbear-0.50/debian/initramfs/dropbear-conf 2008-02-14 > 20:17:59.000000000 +0100 > *************** > *** 0 **** > --- 1,8 ---- > + # > + # DROPBEAR: [ y | n ] > + # > + # Use dropbear if available. If not specified, dropbear will be used - if > + # possible - in case of cryptroot. > + # > + > + #DROPBEAR=y > diff -rNc dropbear-0.50.orig/debian/initramfs/dropbear-hook > dropbear-0.50/debian/initramfs/dropbear-hook > *** dropbear-0.50.orig/debian/initramfs/dropbear-hook 1970-01-01 > 01:00:00.000000000 +0100 > --- dropbear-0.50/debian/initramfs/dropbear-hook 2008-02-14 > 20:19:44.000000000 +0100 > *************** > *** 0 **** > --- 1,55 ---- > + #!/bin/sh > + > + PREREQ="" > + > + prereqs() { > + echo "$PREREQ" > + } > + > + case $1 in > + prereqs) > + prereqs > + exit 0 > + ;; > + esac > + > + . "${CONFDIR}/initramfs.conf" > + . /usr/share/initramfs-tools/hook-functions > + > + # Install dropbear if explicitly enabled, or in case of a cryptroot setup > if not explicitly disabled > + if [ "${DROPBEAR}" = "y" ] || ( [ "${DROPBEAR}" != "n" ] && [ -r > "/etc/crypttab" ] ); then > + if [ ! -x "/usr/sbin/dropbear" ]; then > + if [ "${DROPBEAR}" = "y" ]; then > + echo "dropbear: FAILURE: Dropbear not found!" > + else > + echo "dropbear: WARNING: Dropbear not found, remote > unlocking of cryptroot via ssh won't work!" > + fi > + else > + rm -f "${DESTDIR}/sbin/dropbear" > + copy_exec "/usr/sbin/dropbear" "/sbin/" > + cp /lib/libnss_* "${DESTDIR}/lib/" > + echo "root:x:0:0:root:/root:/bin/sh" > "${DESTDIR}/etc/passwd" > + for keytype in "dss" "rsa"; do > + if [ ! 
-f > "/etc/initramfs-tools/etc/dropbear/dropbear_${keytype}_host_key" ]; then > + mkdir -p "/etc/initramfs-tools/etc/dropbear" > + dropbearkey -t "${keytype}" -f > "/etc/initramfs-tools/etc/dropbear/dropbear_${keytype}_host_key" > + fi > + done > + cp -R /etc/initramfs-tools/etc/dropbear "${DESTDIR}/etc/" > + if [ ! -f "/etc/initramfs-tools/root/.ssh/id_rsa.pub" ]; then > + mkdir -p "/etc/initramfs-tools/root/.ssh" > + if [ -x "/usr/bin/ssh-keygen" ]; then > + ssh-keygen -N "" -f > "/etc/initramfs-tools/root/.ssh/id_rsa" > + else > + if [ "${DROPBEAR}" = "y" ]; then > + echo "dropbear: FAILURE: no authorized > publickey found and ssh-keygen not available!" > + else > + echo "dropbear: WARNING: no authorized > publickey found and ssh-keygen not available, remote unlocking of cryptroot > via ssh won't work!" > + fi > + fi > + fi > + mkdir -p "${DESTDIR}/root/.ssh" > + cp /etc/initramfs-tools/root/.ssh/id_rsa.pub > "${DESTDIR}/root/.ssh/authorized_keys" > + fi > + fi > + > diff -rNc dropbear-0.50.orig/debian/initramfs/dropbear-script > dropbear-0.50/debian/initramfs/dropbear-script > *** dropbear-0.50.orig/debian/initramfs/dropbear-script 1970-01-01 > 01:00:00.000000000 +0100 > --- dropbear-0.50/debian/initramfs/dropbear-script 2008-02-14 > 20:17:59.000000000 +0100 > *************** > *** 0 **** > --- 1,34 ---- > + #!/bin/sh > + > + PREREQ="udev" > + > + prereqs() { > + echo "$PREREQ" > + } > + > + case $1 in > + # get pre-requisites > + prereqs) > + prereqs > + exit 0 > + ;; > + esac > + > + . /scripts/functions > + > + log_begin_msg "Starting dropbear" > + > + . 
/conf/initramfs.conf > + > + for x in $(cat /proc/cmdline); do > + case $x in > + ip=*) > + IPOPTS="${x#ip=}" > + ;; > + esac > + done > + > + configure_networking > + > + /sbin/dropbear > + > diff -rNc dropbear-0.50.orig/debian/rules dropbear-0.50/debian/rules > *** dropbear-0.50.orig/debian/rules 2008-02-14 20:17:40.000000000 +0100 > --- dropbear-0.50/debian/rules 2008-02-14 20:17:59.000000000 +0100 > *************** > *** 91,96 **** > --- 91,102 ---- > # copyright, changelog > cat debian/copyright.in LICENSE >debian/copyright > test -r changelog || ln -s CHANGES changelog > + install -d -m0755 '$(DIR)'/usr/share/initramfs-tools/hooks > + install -m0755 debian/initramfs/dropbear-hook > '$(DIR)'/usr/share/initramfs-tools/hooks/dropbear > + install -d -m0755 > '$(DIR)'/usr/share/initramfs-tools/scripts/init-premount > + install -m0755 debian/initramfs/dropbear-script > '$(DIR)'/usr/share/initramfs-tools/scripts/init-premount/dropbear > + install -d -m0755 '$(DIR)'/usr/share/initramfs-tools/conf-hooks.d > + install -m0644 debian/initramfs/dropbear-conf > '$(DIR)'/usr/share/initramfs-tools/conf-hooks.d/dropbear > > binary-indep: >
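
Review bot: In the debian/control hunk, `Recommends: openssh-client, udev` raises both packages to Recommends for every dropbear installation, although within this patch they are used only by the initramfs hook and script. The hook already tests `[ -x "/usr/bin/ssh-keygen" ]` and falls back to a warning, so leaving openssh-client in Suggests and stating the requirement in the dropbear-conf comment would match that behaviour.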
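
Review bot: The comment in dropbear-conf says dropbear is used by default "in case of cryptroot", but the hook's test for that case is only `[ -r "/etc/crypttab" ]`, which holds on any system with a readable crypttab whether or not the root device is the encrypted one. Either tighten the test in the hook or reword the comment to say that a readable /etc/crypttab puts an SSH server into the initramfs unless DROPBEAR=n is set.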
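
Review bot: In dropbear-hook, the branch that reports ssh-keygen as not available only echoes a message; the later `cp /etc/initramfs-tools/root/.ssh/id_rsa.pub "${DESTDIR}/root/.ssh/authorized_keys"` still runs and fails on the missing file, and neither FAILURE case exits non-zero. Guard the cp with a test for the public key and `exit 1` where DROPBEAR=y cannot be satisfied. A comment is also warranted on the key material: `ssh-keygen -N ""` leaves an unencrypted private key under /etc/initramfs-tools/root/.ssh, and `cp -R /etc/initramfs-tools/etc/dropbear "${DESTDIR}/etc/"` places the host private keys inside the initramfs image, so the permissions on that directory and on the generated image matter.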
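
Review bot: dropbear-script ends with a bare `/sbin/dropbear`, so the server runs with its default options, and `log_begin_msg "Starting dropbear"` has no matching `log_end_msg`. Since the hook installs only /root/.ssh/authorized_keys, starting it as `/sbin/dropbear -s` (password logins disabled) would match the intended public-key-only access. The script should also document what stops the daemon once the root filesystem has been unlocked, as nothing in this file does.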
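
Review bot: The six added install lines in debian/rules sit directly under the existing `# copyright, changelog` comment, which does not describe them. Give them their own comment line naming the initramfs hook, script and config so the section stays readable.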