|
@@ -0,0 +1,186 @@
|
|
|
+#!/usr/bin/env bash
|
|
|
+# Author: samba
|
|
|
+# Date: 2018-02-19
|
|
|
+# Desc: unlock the root partition via initrd
|
|
|
+
|
|
|
+PRIVATE_KEY=$HOME/.ssh/id_ed25519
|
|
|
+KNOWN_HOSTS_FILE=$HOME/.ssh/boot/known_hosts
|
|
|
+KNOWN_HOSTS_TMPFILE=/tmp/unlockboot.known_hosts
|
|
|
+LOGFILE=/tmp/unlockboot.log
|
|
|
+SSHKEY=0
|
|
|
+DEBUG=0
|
|
|
+trap ctrl_c INT
|
|
|
+usage() {
|
|
|
+ cat <<EOF
|
|
|
+Unlock an encrypted root disk remotely.
|
|
|
+
|
|
|
+Usage: $0
|
|
|
+
|
|
|
+ -a|--address Specify the ipaddress of the host to unlock (required)
|
|
|
+ -p|--password Specify the password to unlock the encrypted disk (required)
|
|
|
+ -i|--idssh) Specify the ssh private key file (default: $PRIVATE_KEY)
|
|
|
+ -s|--sshkey Connect via ssh and print the ssh fingerprint (useful to add new trusted hosts)
|
|
|
+ -k|--known-host Specify the known_hosts file to use when connecting to (default: $KNOWN_HOSTS_FILE)
|
|
|
+ -d|--debug) Print debug information
|
|
|
+ -h|--help) Print this help and exit
|
|
|
+
|
|
|
+Example:
|
|
|
+ $0 -a 192.168.97.2 -p \$(pass sys/vm/MYSERVERNAME/luks)
|
|
|
+ $0 -a 192.168.97.2 -i $HOME/.ssh/id_rsa -p \$(pass sys/vm/MYSERVERNAME/luks)
|
|
|
+ $0 -a 192.168.97.2 -i $HOME/.ssh/id_rsa -p \$(pass sys/vm/MYSERVERNAME/luks) -i $HOME/.ssh/id_rsa
|
|
|
+EOF
|
|
|
+ exit 2
|
|
|
+}
|
|
|
+info(){
|
|
|
+ TIMESTAMP=$(date '+%F %T')
|
|
|
+ echo "$TIMESTAMP - INFO: $*" | tee -a $LOGFILE
|
|
|
+}
|
|
|
+warning(){
|
|
|
+ TIMESTAMP=$(date '+%F %T')
|
|
|
+ echo "$TIMESTAMP - WARNING: $*" | tee -a $LOGFILE
|
|
|
+}
|
|
|
+debug(){
|
|
|
+ [ $DEBUG -ne 1 ] && return
|
|
|
+ TIMESTAMP=$(date '+%F %T')
|
|
|
+ echo "$TIMESTAMP - DEBUG: $*" | tee -a $LOGFILE
|
|
|
+}
|
|
|
+error(){
|
|
|
+ TIMESTAMP=$(date '+%F %T')
|
|
|
+ echo "$TIMESTAMP - ERROR: $*" | tee -a $LOGFILE
|
|
|
+ exit 1
|
|
|
+}
|
|
|
+ctrl_c(){
|
|
|
+ error "Force exit"
|
|
|
+}
|
|
|
+
|
|
|
+wait_host_up(){
|
|
|
+ # Wait until the host is up.
|
|
|
+ TIMEOUT=300 #seconds = 5m
|
|
|
+ debug "Waiting for the host to back online, TIMEOUT: $TIMEOUT sec"
|
|
|
+ COUNT=0
|
|
|
+ echo " [*] waiting ${TIMEOUT}s for the host respond to ping"
|
|
|
+ while true ; do
|
|
|
+ ping -n -w 1 -q -c1 "$IP" >/dev/null 2>&1 && break
|
|
|
+ [ $[$TIMEOUT % 60] -eq 0 ] && echo -en "\n [*] " || echo -n "."
|
|
|
+ TIMEOUT=$[$TIMEOUT-1]
|
|
|
+ [ $TIMEOUT -eq 0 ] && echo -e "\n" && error "host $IP reach timeout ${TIMEOUT}s" && exit 1
|
|
|
+ done
|
|
|
+ echo -e "\n [*] host is alive"
|
|
|
+}
|
|
|
+
|
|
|
+ssh_getsshkey(){
|
|
|
+ info "Getting ssh key fingerprint"
|
|
|
+ info "WARNING: the use of this tool works ONLY when is running dropbear-initramfs"
|
|
|
+
|
|
|
+ OUT=$(ssh-keyscan -t ecdsa-sha2-nistp521 $IP)
|
|
|
+ info "Host ssh key:"
|
|
|
+ echo
|
|
|
+ echo "----------- SSH-KEY ---------"
|
|
|
+ echo "$OUT"
|
|
|
+ echo "----------- *** *** *** ---------"
|
|
|
+ echo
|
|
|
+ echo "To add a TRUSTED HOST you can copy the SSH-KEY and paste it into the script \"$0\" "
|
|
|
+ exit 0
|
|
|
+ }
|
|
|
+
|
|
|
+# Add here your SSH pubkey (use -s option)
|
|
|
+cat <<EOF > $KNOWN_HOSTS_TMPFILE
|
|
|
+antifa.tech ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDUB3sQqMpiuu+5vgsOia4iyOHA30UguQe2HdkWnbmfH0fFx5HbXkHWT5z5N4j8mcblt+WCAyDihl7gGl54X0UE=
|
|
|
+EOF
|
|
|
+
|
|
|
+
|
|
|
+
|
|
|
+[ $# -eq 0 ] && usage
|
|
|
+
|
|
|
+while [ $# -ne 0 ];do
|
|
|
+ debug "ARGS: $*"
|
|
|
+ case ${1} in
|
|
|
+ -a|--address)
|
|
|
+ shift
|
|
|
+ IP=$1
|
|
|
+ ;;
|
|
|
+ -i|--idssh)
|
|
|
+ shift
|
|
|
+ PRIVATE_KEY=$1
|
|
|
+ ;;
|
|
|
+ -k|--known-hosts)
|
|
|
+ shift
|
|
|
+ KNOWN_HOSTS_FILE=$1
|
|
|
+ ;;
|
|
|
+ -p|--pass)
|
|
|
+ shift
|
|
|
+ PASSWORD=$(echo $1| head -n1)
|
|
|
+ ;;
|
|
|
+ -d|--debug)
|
|
|
+ DEBUG=1
|
|
|
+ ;;
|
|
|
+ -s|--sshkey)
|
|
|
+ SSHKEY=1
|
|
|
+ ;;
|
|
|
+ *)
|
|
|
+ usage
|
|
|
+ ;;
|
|
|
+ esac
|
|
|
+ shift
|
|
|
+done
|
|
|
+
|
|
|
+# check IP
|
|
|
+[ "$IP" == "" ] && error "IP Address not provided (required)"
|
|
|
+
|
|
|
+[ "$SSHKEY" -eq 1 ] && ssh_getsshkey
|
|
|
+
|
|
|
+# check priv key
|
|
|
+[ ! -e $PRIVATE_KEY ] && error "ssh private key not found in $PRIVATE_KEY"
|
|
|
+[ $(grep -c 'PRIVATE KEY' $PRIVATE_KEY) -eq 0 ] && error "unable to find SSH private key at $PRIVATE_KEY"
|
|
|
+
|
|
|
+# check password is valid
|
|
|
+if [ "$PASSWORD" == "" ];then
|
|
|
+ error "No password provided (password is required)
|
|
|
+ you did not provide a password provided to unlock the LUKS disk
|
|
|
+ Please check usage (--help)"
|
|
|
+fi
|
|
|
+
|
|
|
+HASHNEW=$(sha1sum $KNOWN_HOSTS_TMPFILE | cut -f 1 -d ' ')
|
|
|
+HASHOLD=$(sha1sum $KNOWN_HOSTS_FILE | cut -f 1 -d ' ')
|
|
|
+
|
|
|
+# See if we have a dropbear_known_hosts file.
|
|
|
+if [ "$HASHNEW" != "$HASHOLD" ]; then
|
|
|
+ debug "file differs ${KNOWN_HOSTS_FILE} $KNOWN_HOSTS_TMPFILE"
|
|
|
+ info "The file ${KNOWN_HOSTS_FILE} has been automatically updated"
|
|
|
+ #to ensure no-one will steal the LUKS passphrase we need to connect to known_hosts ONLY
|
|
|
+ [ ! -e $(dirname $KNOWN_HOSTS_FILE) ] && mkdir -p $(dirname $KNOWN_HOSTS_FILE)
|
|
|
+ debug "copyting $KNOWN_HOSTS_TMPFILE into $KNOWN_HOSTS_FILE"
|
|
|
+ cp $KNOWN_HOSTS_TMPFILE $KNOWN_HOSTS_FILE
|
|
|
+ debug "clean $KNOWN_HOSTS_TMPFILE"
|
|
|
+ rm $KNOWN_HOSTS_TMPFILE
|
|
|
+fi
|
|
|
+
|
|
|
+
|
|
|
+wait_host_up
|
|
|
+
|
|
|
+# unlock boot using PASSWORD
|
|
|
+
|
|
|
+echo " [*] unlocking the boot"
|
|
|
+ssh \
|
|
|
+ -4 \
|
|
|
+ -o BatchMode=yes \
|
|
|
+ -o MACs=hmac-sha1 \
|
|
|
+ -o UserKnownHostsFile=/dev/null \
|
|
|
+ -o GlobalKnownHostsFile=$KNOWN_HOSTS_FILE \
|
|
|
+ -o VerifyHostKeyDNS=no \
|
|
|
+ -i $PRIVATE_KEY \
|
|
|
+ -F /dev/null \
|
|
|
+ root@$IP \
|
|
|
+ "echo -n '$PASSWORD' > /lib/cryptsetup/passfifo" 2>&1 >/dev/null
|
|
|
+if [ $? -gt 0 ]; then
|
|
|
+ error "FAILED to unlock, reason: HOST UNKNOWN"
|
|
|
+fi
|
|
|
+
|
|
|
+debug "Host unlocked"
|
|
|
+echo " [*] Boot unlock successful, waiting for the machine to complete the boot"
|
|
|
+sleep 10s
|
|
|
+wait_host_up
|
|
|
+debug "host unlocked back online"
|
|
|
+echo " [!] Host started successfully! You can now try to connect via ssh to $IP"
|
|
|
+
|
|
|
+exit 0
|