Re: RFH: dropbear initramfs support



Alright, that's it :-)  The changelog is pretty heavy because I also
lintian-cleaned and modernized (using dh_* tools) the packages, as well as
fixed most bugs:

  * debian/source/format: 3.0 (quilt)
  * debian/compat: 9
  * debian/control: bump Standards-Version to 3.9.6 (no changes necessary).
  * debian/copyright: add machine-readable file.
  * Split up package in dropbear-bin (binaries), dropbear-run (init scripts)
    and dropbear-initramfs (initramfs integration).  'dropbear' is now a
    transitional dummy package depending on dropbear-run and
    dropbear-initramfs.  (Closes: #692932.)
  * Refactorize the package using dh_* tools, including dh_autoreconf.
    (Closes: #689618, #777324.)
  * dropbear-run:
    + Add a status option to the /etc/init.d script.
    + Pass key files with -r not -d in /etc/init.d script.  (Closes: #761143.)
    + Post-installation script: Generate missing ECDSA in addition to RSA and
      DSS host keys.  (Closes: #776976.)
  * dropbear-initramfs:
    + Don't mark /usr/share/initramfs-tools/conf-hooks.d/dropbear as a
      configuration file, since it violates the Debian Policy Manual section
      10.7.2.  (Regression from 2014.64-1.)
    + Delete debian/initramfs/premount-devpts, since /dev/pts is mounted by
      init since initramfs-tools 0.94.  (Closes: #632656.)
    + Auto-generate host keys in the postinstall script, not when running
      update-initramfs.  Pass the '-R' option (via $PKGOPTION_dropbear_OPTION)
      for the old behavior.  Also, print fingerprint and ASCII art for
      generated keys (if ssh-keygen is available).
    + Revert ad2fb1c and remove warning about changing host key.  Users
      shouldn't be encouraged to use the same keys in the encrypted partition
      and in the initramfs.  The proper fix is to use an alternative port or
      UserKnownHostsFile.
    + Set ~root to `mktemp -d "$DESTDIR/root-XXXXXX"` to avoid collisions with
      $rootmnt.  (Closes: #558115.)
    + Exit gracefully if $IP is 'none' or 'off'.  (Closes: #692932.)
    + Start dropbear with flag -s to explicitly disable password logins.
    + Terminate all children before killing dropbear, to avoid stalled SSH
      connections.  (Closes: #735203.)
    + Run configure_networking in the foreground.  (Closes: #584780, #626181,
      #739519.)
    + Bring down interfaces and flush network configuration before exiting
      the ramdisk, to avoid misconfigured network in the regular kernel.
      (Closes: #715048, #720987, #720988.)
    + Add a script '/bin/unlock' to the initramfs to make remote unlocking
      easier and possibly as a forced-command restriction in authorized_keys.

https://mentors.debian.net/package/dropbear – Now sending a sponsorship request.

Cheers,
-- 
Guilhem.
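
The changelog's last dropbear-initramfs item mentions using '/bin/unlock' as a forced-command restriction in authorized_keys. The following is an added example, not part of the original message or of the dropbear packaging: a small audit that parses the options field of each authorized_keys entry and reports keys that are not pinned to that command. The function names, the additional no-port-forwarding check and the sample entries are assumptions made for illustration.

```python
# Added example: audit an initramfs authorized_keys file for forced commands.
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")
EXPECTED_COMMAND = "/bin/unlock"  # script named in the changelog

def split_options(line):
    """Return (options dict, remainder); quoted values may hold blanks and commas."""
    if line.startswith(KEY_TYPES):
        return {}, line  # no options field
    fields, cur, quoted, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if quoted and line[i:i + 2] == '\\"':  # backslash-escaped quote
            cur, i = cur + '"', i + 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            fields, cur = fields + [cur], ""
        elif c in " \t" and not quoted:
            break  # first unquoted blank ends the options field
        else:
            cur += c
        i += 1
    fields.append(cur)
    opts = {k.lower(): v for k, _, v in (f.partition("=") for f in fields)}
    return opts, line[i:].strip()

def audit(text):
    """List (line number, problem) for entries not restricted to /bin/unlock."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        if not rest.startswith(KEY_TYPES):
            findings.append((n, "unparseable entry"))
        elif opts.get("command") != EXPECTED_COMMAND:
            findings.append((n, "not forced to " + EXPECTED_COMMAND))
        elif "no-port-forwarding" not in opts:  # assumption: extra hardening
            findings.append((n, "port forwarding still allowed"))
    return findings

SAMPLE = '''\
# constructed sample, key material is placeholder text
command="/bin/unlock",no-port-forwarding ssh-rsa AAAAPLACEHOLDER1 admin@laptop
ssh-rsa AAAAPLACEHOLDER2 backup@host
command="/bin/sh -c \\"echo a, b\\"",no-port-forwarding ssh-rsa AAAAPLACEHOLDER3 ops@host
command="/bin/unlock" ssh-rsa AAAAPLACEHOLDER4 ci@host
'''
```

Calling `audit(SAMPLE)` reports lines 3 and 4 as not forced to /bin/unlock and line 5 as still allowing port forwarding.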
