From 6daa319c17df822e95391b0b85f19a17f697afa6 Mon Sep 17 00:00:00 2001 From: oddlama Date: Sun, 2 May 2021 15:29:21 +0200 Subject: [PATCH] Use encryption key from environment variable; Adjust default ssh config; Remove ansible integration in favor of neutral installation --- TODO | 7 ++-- configure | 5 +-- contrib/sshd_config | 84 ++++---------------------------------- gentoo.conf.example | 68 +++++++++++++++--------------- scripts/config.sh | 4 ++ scripts/dispatch_chroot.sh | 4 ++ scripts/functions.sh | 25 +++++++----- scripts/main.sh | 44 ++++++-------------- 8 files changed, 80 insertions(+), 161 deletions(-) diff --git a/TODO b/TODO index e364767..f780b0b 100644 --- a/TODO +++ b/TODO @@ -1,6 +1,7 @@ - root authorized_keys support -- generalize ansible -> any infrastructure management by allowing only root ssh login. - zfs support -- save meta information to /var/db/gentoo-install + - start systemd services + - create pool + - enable zstd - systemd settings pls -- (dracut -> genkernel, or better?) +- zfs selector dracut diff --git a/configure b/configure index 6666842..caeaf6d 100755 --- a/configure +++ b/configure @@ -143,7 +143,6 @@ function define_swap() { } function define_disk_layout() { - case "$PARTITIONING_SCHEME" in "classic_single_disk") define_disk_configuration_function "create_classic_single_disk_layout swap=$(define_swap) type=${PARTITIONING_BOOT_TYPE@Q} luks=${PARTITIONING_USE_LUKS@Q} root_fs=${PARTITIONING_ROOT_FS@Q}" "${PARTITIONING_DEVICE@Q}" ;; "zfs_centric") define_disk_configuration_function "create_zfs_centric_layout swap=$(define_swap) type=${PARTITIONING_BOOT_TYPE@Q} encrypt=${PARTITIONING_ZFS_ENCRYPTION@Q} pool_type=${PARTITIONING_ZFS_POOL_TYPE@Q}" "${PARTITIONING_DEVICES[@]@Q}" ;; 
@@ -1062,11 +1061,11 @@ function INIT_SYSTEM_menu() { function GENTOO_MIRROR_tag() { echo "Gentoo mirror"; } function GENTOO_MIRROR_label() { echo "($(ellipsis 20 "$GENTOO_MIRROR"))"; } function GENTOO_MIRROR_show() { return 0; } -function GENTOO_MIRROR_help() { echo "Enter the primary gentoo mirror that should be used for the installation process (until mirrorselect is run)."; } +function GENTOO_MIRROR_help() { echo "Enter the initial gentoo mirror that should be used for the installation process (until mirrorselect is run)."; } function GENTOO_MIRROR_menu() { dialog \ --title "Select gentoo mirror" \ - --inputbox "Enter the desired gentoo mirror location." \ + --inputbox "Enter the initial gentoo mirror that should be used for the installation process (until mirrorselect is run)." \ "${INPUTBOX_SIZE[@]}" "$GENTOO_MIRROR" UNSAVED_CHANGES=true } diff --git a/contrib/sshd_config b/contrib/sshd_config index a2fc460..7b889be 100644 --- a/contrib/sshd_config +++ b/contrib/sshd_config @@ -5,8 +5,8 @@ Port 22 #AddressFamily any -#ListenAddress 0.0.0.0 -#ListenAddress :: +ListenAddress 0.0.0.0 +ListenAddress :: #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key 
@@ -26,52 +26,24 @@ MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@op LogLevel VERBOSE #LoginGraceTime 2m -PermitRootLogin no +PermitRootLogin yes #StrictModes yes -MaxAuthTries 2 +MaxAuthTries 3 MaxSessions 4 -#PubkeyAuthentication yes - -# Only allow sshusers group to login, and explicitly forbid root login -DenyUsers root -DenyGroups root -AllowGroups sshusers +# Only allow root to login +AllowGroups root # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 # but this is overridden so installations will only check .ssh/authorized_keys AuthorizedKeysFile .ssh/authorized_keys -#AuthorizedPrincipalsFile none - -#AuthorizedKeysCommand none -#AuthorizedKeysCommandUser nobody - -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#HostbasedAuthentication no -# Change to yes if you don't trust ~/.ssh/known_hosts for -# HostbasedAuthentication -#IgnoreUserKnownHosts no -# Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes - # To disable tunneled clear text passwords, change to no here! PasswordAuthentication no -#PermitEmptyPasswords no # Change to no to disable s/key passwords ChallengeResponseAuthentication no -# Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes -#KerberosGetAFSToken no - -# GSSAPI options -#GSSAPIAuthentication no -#GSSAPICleanupCredentials yes - # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and @@ -84,7 +56,7 @@ ChallengeResponseAuthentication no UsePAM yes AllowAgentForwarding no -AllowTcpForwarding no +AllowTcpForwarding yes #GatewayPorts no #X11Forwarding no #X11DisplayOffset 10 
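Review bot: `PermitRootLogin yes` is only key-restricted because `PasswordAuthentication no` and `ChallengeResponseAuthentication no` later in this hunk switch the other methods off; `PermitRootLogin prohibit-password` states the intent on the line itself and keeps root key-only even if one of those directives is later flipped back or a drop-in re-enables password or keyboard-interactive login while `UsePAM yes` (context in the next hunk) is still in place. Suggested change: `PermitRootLogin prohibit-password`, and the comment line `# Only allow root to login` could add "(public key only)" so a reader does not have to scan the rest of the file to learn that.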
@@ -105,47 +77,5 @@ ClientAliveCountMax 2 #ChrootDirectory none #VersionAddendum none -# no default banner path -#Banner none - -# here are the new patched ldap related tokens -# entries in your LDAP must have posixAccount & ldapPublicKey objectclass -#UseLPK yes -#LpkLdapConf /etc/ldap.conf -#LpkServers ldap://10.1.7.1/ ldap://10.1.7.2/ -#LpkUserDN ou=users,dc=phear,dc=org -#LpkGroupDN ou=groups,dc=phear,dc=org -#LpkBindDN cn=Manager,dc=phear,dc=org -#LpkBindPw secret -#LpkServerGroup mail -#LpkFilter (hostAccess=master.phear.org) -#LpkForceTLS no -#LpkSearchTimelimit 3 -#LpkBindTimelimit 3 -#LpkPubKeyAttr sshPublicKey - # override default of no subsystems Subsystem sftp /usr/lib64/misc/sftp-server - -# the following are HPN related configuration options -# tcp receive buffer polling. disable in non autotuning kernels -#TcpRcvBufPoll yes - -# disable hpn performance boosts -#HPNDisabled no - -# buffer size for hpn to non-hpn connections -#HPNBufferSize 2048 - -# allow the use of the none cipher -#NoneEnabled no - -# Example of overriding settings on a per-user basis -#Match User anoncvs -# X11Forwarding no -# AllowTcpForwarding no -# PermitTTY no -# ForceCommand cvs server - -# Allow client to pass locale environment variables #367017 -AcceptEnv LANG LC_* diff --git a/gentoo.conf.example b/gentoo.conf.example index 70b5c3d..aa16703 100644 --- a/gentoo.conf.example +++ b/gentoo.conf.example 
@@ -87,33 +87,42 @@ function disk_configuration() { ################################################ -# LUKS configuration +# LUKS/ZFS encryption configuration -# If you have selected a disk layout that uses encryption with luks, -# you need to define the encryption key. If you have not used an encrypted -# layout, you can skip this section and leave the defaults. +# If you have selected a disk layout that uses encryption with LUKS or ZFS, +# you need to define an encryption key. If you have not used an encrypted +# layout, you can skip this section. # # ######## Example: Password # -# If you want a standard password, you should do the following: -# 1. echo -n "mypassword" > /tmp/a_strong_encryption_key -# 2. Adjust the function below to return the path: echo -n "/tmp/a_strong_encryption_key" +# If you want a standard password, simply export it to the variable $GENTOO_INSTALL_ENCRYPTION_KEY, +# or echo it in the function below. +# 1. export GENTOO_INSTALL_ENCRYPTION_KEY="my strong passphrase" +# 2. OR: Adjust the function below to return the key: echo "my strong passphrase" +# +# ATTENTION: DO NOT INCLUDE A NEWLINE IN YOUR PASSWORD! Use a longer passphrase instead. +# It will save you a lot of trouble, because most software doesn't support reading passwords +# with newlines from stdin. # # By default, the selected KEYMAP will also be applied in the initramfs. -# If you want to be sure, use a long passphrase with standard alphanumeric characters, -# so that you could also type it without your selected keymap on the default english layout. +# If you want to be safe, use a long passphrase with standard alphanumeric characters, +# so that you can type it without your selected keymap on the default english layout. # # ######## Example: Keyfile # # If you want to generate a strong password and use it as a keyfile, -# you can do so by generating a keyfile from /dev/urandom. I would suggest piping +# you will have to do the necessary adjustments to the initramfs yourself. 
+# Begin setup with a temporary passphrase and replace it later with a keyfile. +# +# Generate a strong keyfile from /dev/urandom. I would suggest piping # it into base64 afterwards, to avoid problems with special characters in different # initramfs implementations and to allow manual typing for rescue purposes. # -# Be aware that the initramfs generated by this script will always ask for a passphrase. -# If you want to use the keyfile on a USB stick or want an even more advanced setup, you -# will have to make these modifications yourself. This basically means adjusting -# the initramfs cmdline, which you can do here with the following statement: +# Be aware that the initramfs generated by this script will always ask for a user +# supplied passphrase. If you want to use the keyfile on a USB stick or want an +# even more advanced setup, you will have to make these modifications yourself. +# This basically means adjusting the initramfs cmdline, which you can do here with +# the following statement: # DISK_DRACUT_CMDLINE+=("rd.luks.keyfile=whatever") # # You can also adjust the boot entry manually after the installation is complete, 
@@ -136,19 +145,12 @@ function disk_configuration() { # isn't as easy, so it's currently not part of this script, but might be later. # Feel free to experiment though. - -# This function will be called when the key for a luks device is needed. -# Theoretically you can give every encrypted partition it's own key, -# but most likely you will only have one partition. -# By default this function returns the same keyfile for all partitions. -# If you want to make this more granular, run the install script and -# select here based on the id reported in the partitioning overview. -function luks_getkeyfile() { - case "$1" in - #'my_luks_partition') echo -n '/path/to/my_luks_partition_keyfile' ;; - *) echo -n "/path/to/luks-keyfile" ;; - esac -} +# If you don't want to write your password to your disk, simply export it +# in your terminal before running ./install, like so: +# `export GENTOO_INSTALL_ENCRYPTION_KEY="my strong passphrase"` +# You can also just set the variable here, but this is not recommended because +# depending on your current environment, this file might be stored on an actual disk, +# and so your password would be written to that disk at least once. ################################################ # System configuration 
@@ -228,14 +230,10 @@ ADDITIONAL_PACKAGES=() # only allows the use of ed25519 keys, and requires pubkey authentication) INSTALL_SSHD=true -# Install ansible, and add a user for it. This requires INSTALL_SSHD=true -INSTALL_ANSIBLE=false -# The home directory for the ansible user -ANSIBLE_HOME="/var/lib/ansible" -# An ssh key to add to the .authorized_keys file for the ansible user. -# This variable will become the content of the .authorized_keys file, -# so you may specify one key per line. -ANSIBLE_SSH_AUTHORIZED_KEYS="" +# An ssh key to add to the authorized_keys file for the root user. +# This variable will become the content of the authorized_keys file, +# so you may specify one key per line (include the newlines in the variable). +ROOT_SSH_AUTHORIZED_KEYS="" ################################################ diff --git a/scripts/config.sh b/scripts/config.sh index c82b224..0717d8e 100644 --- a/scripts/config.sh +++ b/scripts/config.sh @@ -25,6 +25,8 @@ USED_LUKS=false USED_ZFS=false # Flag to track usage of btrfs USED_BTRFS=false +# Flag to track usage of encryption +USED_ENCRYPTION=false # An array of disk related actions to perform DISK_ACTIONS=() @@ -175,6 +177,7 @@ function create_raid() { # id: The operand device id function create_luks() { USED_LUKS=true + USED_ENCRYPTION=true local known_arguments=('+new_id' '+name' '+device|id') local extra_arguments=() @@ -243,6 +246,7 @@ function format_zfs() { verify_existing_unique_ids ids + USED_ENCRYPTION=${arguments[encrypt]:-false} DISK_ACTIONS+=("action=format_zfs" "$@" ";") } diff --git a/scripts/dispatch_chroot.sh b/scripts/dispatch_chroot.sh index 3d51bfb..44bf62e 100755 --- a/scripts/dispatch_chroot.sh +++ b/scripts/dispatch_chroot.sh @@ -19,5 +19,9 @@ export NPROC_ONE="$((NPROC + 1))" export MAKEFLAGS="-j$NPROC" export EMERGE_DEFAULT_OPTS="--jobs=$NPROC_ONE --load-average=$NPROC" +# Unset critical variables +unset GENTOO_INSTALL_ENCRYPTION_KEY +unset key + # Execute the requested command exec "$@" 
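Review bot: `USED_ENCRYPTION=${arguments[encrypt]:-false}` in format_zfs is a plain assignment, so a zfs format without `encrypt=true` that runs after a create_luks call (which the previous hunk makes set the flag to true) resets the flag to false again, and check_encryption_key is then skipped for a hand-written disk_configuration() that combines both. It also stores whatever string was passed as `encrypt=` rather than a boolean, which the later `== "true"` comparison in functions.sh will not recognise. Suggested line: `[[ ${arguments[encrypt]:-false} == "true" ]] && USED_ENCRYPTION=true`. format_zfs begins before this hunk.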
diff --git a/scripts/functions.sh b/scripts/functions.sh
index 900815c..a4e5d1e 100644
--- a/scripts/functions.sh
+++ b/scripts/functions.sh
@@ -49,13 +49,6 @@ function check_config() {
 else
 IS_EFI=false
 fi
-
- if [[ $INSTALL_ANSIBLE == "true" ]]; then
- [[ $INSTALL_SSHD == "true" ]] \
- || die "You must enable INSTALL_SSHD for ansible"
- [[ -n $ANSIBLE_SSH_AUTHORIZED_KEYS ]] \
- || die "Missing pubkey for ansible user"
- fi
 }
 
 function preprocess_config() {
@@ -85,9 +78,22 @@ function prepare_installation_environment() {
 [[ $USED_LUKS == "true" ]] \
 && check_has_program cryptsetup
 
+ # Check encryption key if used
+ [[ $USED_ENCRYPTION == "true" ]] \
+ && check_encryption_key
+
+ # Sync time now to prevent issues later
 sync_time
 }
 
+function check_encryption_key() {
+ [[ -n "${GENTOO_INSTALL_ENCRYPTION_KEY+set}" ]] \
+ || die "You are using encryption but GENTOO_INSTALL_ENCRYPTION_KEY is unset or empty. Export it before running this script."
+
+ [[ ${#GENTOO_INSTALL_ENCRYPTION_KEY} -ge 8 ]] \
+ || die "Your encryption key must be at least 8 characters long."
+}
+
 function add_summary_entry() {
 local parent="$1"
 local id="$2"
@@ -259,13 +265,10 @@ function disk_create_luks() {
 local uuid="${DISK_ID_TO_UUID[$new_id]}"
 
 einfo "Creating luks ($new_id) on $device_desc"
- local keyfile
- keyfile="$(luks_getkeyfile "$new_id")" \
- || die "Error in luks_getkeyfile for $device_desc"
 cryptsetup luksFormat \
 --type luks2 \
 --uuid "$uuid" \
- --key-file "$keyfile" \
+ --key-file <(echo -n "$GENTOO_INSTALL_ENCRYPTION_KEY") \
 --cipher aes-xts-plain64 \
 --hash sha512 \
 --pbkdf argon2id \
diff --git a/scripts/main.sh b/scripts/main.sh
index 5f812e3..4324e71 100644
--- a/scripts/main.sh
+++ b/scripts/main.sh
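Review bot: `[[ -n "${GENTOO_INSTALL_ENCRYPTION_KEY+set}" ]]` in check_encryption_key only detects an unset variable; an exported empty string passes it and is rejected by the length check instead, so the "unset or empty" message is never produced for the empty case. `[[ -n "$GENTOO_INSTALL_ENCRYPTION_KEY" ]]` covers both conditions with the message that already describes them. Because the key has to be exported to reach this script, every process started between this check and the `unset` in dispatch_chroot.sh inherits it in its environment; after validation, `export -n GENTOO_INSTALL_ENCRYPTION_KEY` would keep the variable available to this shell and its subshells (including the process substitution in disk_create_luks below) while dropping it from child-process environments, assuming the script that sources this file is the one that performs the later steps. prepare_installation_environment starts before the hunk.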
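Review bot: `<(echo -n "$GENTOO_INSTALL_ENCRYPTION_KEY")` feeds the passphrase through bash's builtin echo, which treats a value beginning with `-n`, `-e` or `-E` as options and, when xpg_echo is enabled, expands backslash sequences; such a passphrase is silently written into the LUKS key slot in altered form and the value the user typed will not unlock the volume afterwards. `printf '%s'` writes the bytes exactly as given: `--key-file <(printf '%s' "$GENTOO_INSTALL_ENCRYPTION_KEY") \`. The ZFS side of the key handling is not part of this patch, so whether it has the same issue could not be checked here. disk_create_luks starts before the hunk and continues after it.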
@@ -116,8 +116,16 @@ function install_sshd() { install -m0600 -o root -g root "$GENTOO_INSTALL_REPO_DIR/contrib/sshd_config" /etc/ssh/sshd_config \ || die "Could not install /etc/ssh/sshd_config" enable_service sshd - groupadd -r sshusers \ - || die "Could not create group 'sshusers'" + + mkdir_or_die 0700 "/root/" + mkdir_or_die 0700 "/root/.ssh" + + if [[ -n "$ROOT_SSH_AUTHORIZED_KEYS" ]]; then + einfo "Adding authorized keys for root" + touch_or_die 0600 "/root/.ssh/authorized_keys" + echo "$ROOT_SSH_AUTHORIZED_KEYS" > "$ROOT_HOME/.ssh/authorized_keys" \ + || die "Could not add ssh key to /root/.ssh/authorized_keys" + fi } function generate_initramfs() { @@ -262,31 +270,6 @@ function generate_fstab() { fi } -function install_ansible() { - einfo "Installing ansible" - try emerge --verbose app-admin/ansible - - einfo "Creating ansible user" - useradd -r -d "$ANSIBLE_HOME" -s /bin/bash ansible \ - || die "Could not create user 'ansible'" - mkdir_or_die 0700 "$ANSIBLE_HOME" - mkdir_or_die 0700 "$ANSIBLE_HOME/.ssh" - - if [[ -n $ANSIBLE_SSH_AUTHORIZED_KEYS ]]; then - einfo "Adding authorized keys for ansible" - touch_or_die 0600 "$ANSIBLE_HOME/.ssh/authorized_keys" - echo "$ANSIBLE_SSH_AUTHORIZED_KEYS" >> "$ANSIBLE_HOME/.ssh/authorized_keys" \ - || die "Could not add ssh key to authorized_keys" - fi - - chown -R ansible: "$ANSIBLE_HOME" \ - || die "Could not change ownership of ansible home" - - einfo "Adding ansible to some auxiliary groups" - usermod -a -G wheel,sshusers ansible \ - || die "Could not add ansible to auxiliary groups" -} - function main_install_gentoo_in_chroot() { [[ $# == 0 ]] || die "Too many arguments" 
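Review bot: The redirection `echo "$ROOT_SSH_AUTHORIZED_KEYS" > "$ROOT_HOME/.ssh/authorized_keys"` uses `$ROOT_HOME`, while the mkdir_or_die and touch_or_die lines directly above use the literal `/root/.ssh`; `ROOT_HOME` is not defined anywhere in this patch, so unless it is set elsewhere the path expands to `/.ssh/authorized_keys` and the write either fails (with a die message that names a file that was never touched) or lands outside the 0600 file that touch_or_die just created, leaving root without the intended key. Use the same path as the surrounding lines: `echo "$ROOT_SSH_AUTHORIZED_KEYS" > "/root/.ssh/authorized_keys" \`. Since the new sshd_config only permits key-based root login, this is the only way into the installed system when INSTALL_SSHD is true, which makes the mismatch worth a test before merging.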
@@ -374,11 +357,6 @@ function main_install_gentoo_in_chroot() {
 || die "Could not change owner of '/etc/systemd/network/20-wired-dhcp.network'"
 fi
 
- # Install ansible
- if [[ $INSTALL_ANSIBLE == "true" ]]; then
- install_ansible
- fi
-
 # Install additional packages, if any.
 if [[ ${#ADDITIONAL_PACKAGES[@]} -gt 0 ]]; then
 einfo "Installing additional packages"
@@ -395,6 +373,8 @@ function main_install_gentoo_in_chroot() {
 fi
 
 einfo "Gentoo installation complete."
+ [[ $USED_LUKS == "true" ]] \
+ && einfo "A backup of your luks headers can be found at '$LUKS_HEADER_BACKUP_DIR', in case you want to have a backup."
 einfo "To chroot into the new system, simply execute the provided 'chroot' wrapper."
 einfo "Otherwise, you may now reboot your system."
 }
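Review bot: The new einfo about `$LUKS_HEADER_BACKUP_DIR` tells the user where the header backup is but not how to handle it: a LUKS header backup carries the key slots as they were at install time, so it has to be stored where it cannot be read by others and refreshed after any passphrase change, otherwise the install-time passphrase remains able to unlock the volume through the old header. The trailing ", in case you want to have a backup" only restates the first half of the sentence. Suggested message: `einfo "A backup of your luks headers is at '$LUKS_HEADER_BACKUP_DIR'. Keep it somewhere safe off this machine and refresh it whenever you change a passphrase."`. main_install_gentoo_in_chroot starts before the hunk.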