adding some code

2022-03-29 02:12:48 +02:00 · 2022-03-29 02:12:48 +02:00 · 3ac985ec30
commit 3ac985ec30
parent d55e143fba
2 changed files with 225 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -1,3 +1,41 @@
 # unlock-boot

-un modo per sbloccare server cifrati con LUKS
+unlock-boot è un tool per sbloccare server cifrati con LUKS
+
+- rimane in ascolto facendo un ping al secondo 
+- quando la macchina risponde al ping verifica la chiave ssh del server
+- se la chiave è corretta allora invia la passhphrase di luks per fare il boot
+- rimane nuovamente in attesa via ping fino al completamento del boot
+
+
+# add new trusted host
+
+By default the script has no TRUSTED HOST.
+
+TRUSTED HOST are a list of ssh fingerprint insto the unlock-boot script. That's very important because you need to trust the ssh key from the dropbear server starting at the boot (which is not the ssh server of your unlocked machine). 
+
+If you are not checking the ssh fingerprint in some TRUSTED HOST  you may send the luks key to a random server with the same ip address!
+
+Do be safer is better to add a ssh key into the script as new TRUSED HOST, that's how you can do that:
+
+```
+$ ./unlock-boot -a 192.168.13.12 -s 
+2022-03-28 11:20:03 - INFO: Getting ssh key fingerprint
+# 192.168.13.12:22 SSH-2.0-OpenSSH_8.4p1 Debian-5                 
+2022-03-28 11:20:05 - INFO: Host ssh key:                       
+                                                                               
+----------- SSH-KEY ---------
+myserver.tech ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDUB3sQqMpiuu+5vgsOia4iyOHA30UguQe2HdkWnbmfH0fFx5HbXkHWT5z5N4j8mcblt+WCAyDshl7gGl54X0UE=
+----------- *** *** *** ---------
+```
+
+# unlock the boot
+
+Once you have added the host in your trusted host you can unlock the boot by specifying the ip address (-a) and the luks password (-p) as you can see from the following output.
+
+
+```
+./unlock-boot -a 192.168.13.12 -p $(pass me/servername/luks )
+...
+```
+
--- a/186
+++ b/186
@ -0,0 +1,186 @@
+#!/usr/bin/env bash
+# Author: samba
+# Date: 2018-02-19
+# Desc: unlock the root partition via initrd
+
+PRIVATE_KEY=$HOME/.ssh/id_ed25519
+KNOWN_HOSTS_FILE=$HOME/.ssh/boot/known_hosts
+KNOWN_HOSTS_TMPFILE=/tmp/unlockboot.known_hosts
+LOGFILE=/tmp/unlockboot.log
+SSHKEY=0
+DEBUG=0
+trap ctrl_c INT
+usage() {
+    cat <<EOF
+Unlock an encrypted root disk remotely.
+
+Usage: $0
+
+    -a|--address    Specify the ipaddress of the host to unlock (required)
+    -p|--password   Specify the password to unlock the encrypted disk (required)
+    -i|--idssh)     Specify the ssh private key file (default: $PRIVATE_KEY)
+    -s|--sshkey     Connect via ssh and print the ssh fingerprint (useful to add new trusted hosts)
+    -k|--known-host Specify the known_hosts file to use when connecting to (default: $KNOWN_HOSTS_FILE)
+    -d|--debug)     Print debug information 
+    -h|--help)      Print this help and exit
+
+Example:
+    $0 -a 192.168.97.2 -p \$(pass sys/vm/MYSERVERNAME/luks)
+    $0 -a 192.168.97.2 -i $HOME/.ssh/id_rsa -p \$(pass sys/vm/MYSERVERNAME/luks)
+    $0 -a 192.168.97.2 -i $HOME/.ssh/id_rsa -p \$(pass sys/vm/MYSERVERNAME/luks) -i $HOME/.ssh/id_rsa
+EOF
+    exit 2
+}
+info(){
+    TIMESTAMP=$(date '+%F %T')
+    echo "$TIMESTAMP - INFO: $*" | tee -a $LOGFILE
+}
+warning(){
+    TIMESTAMP=$(date '+%F %T')
+    echo "$TIMESTAMP - WARNING: $*" | tee -a $LOGFILE
+}
+debug(){
+    [ $DEBUG -ne 1 ] && return
+    TIMESTAMP=$(date '+%F %T')
+    echo "$TIMESTAMP - DEBUG:  $*" | tee -a $LOGFILE
+}
+error(){
+    TIMESTAMP=$(date '+%F %T')
+    echo "$TIMESTAMP - ERROR: $*" | tee -a $LOGFILE
+    exit 1
+}
+ctrl_c(){
+    error "Force exit"
+}
+
+wait_host_up(){
+    # Wait until the host is up.
+    TIMEOUT=300 #seconds = 5m
+    debug "Waiting for the host to back online, TIMEOUT: $TIMEOUT sec"
+    COUNT=0
+    echo " [*] waiting ${TIMEOUT}s for the host respond to ping"
+    while true ; do
+      ping -n -w 1 -q -c1 "$IP" >/dev/null 2>&1 && break
+      [ $[$TIMEOUT % 60] -eq 0 ] && echo -en "\n [*] " || echo -n "."
+      TIMEOUT=$[$TIMEOUT-1]
+      [ $TIMEOUT -eq 0 ] && echo -e "\n" && error "host $IP reach timeout ${TIMEOUT}s" && exit 1
+    done
+    echo -e "\n [*] host is alive"
+}
+
+ssh_getsshkey(){
+    info "Getting ssh key fingerprint"
+    info "WARNING: the use of this tool works ONLY when is running dropbear-initramfs"
+
+    OUT=$(ssh-keyscan -t ecdsa-sha2-nistp521 $IP)
+    info "Host ssh key:"
+    echo
+    echo "----------- SSH-KEY ---------"
+    echo "$OUT"
+    echo "----------- *** *** *** ---------"
+    echo 
+    echo "To add a TRUSTED HOST you can copy the SSH-KEY and paste it into the script \"$0\" "
+    exit 0
+    }
+
+# Add here your SSH pubkey (use -s option)
+cat <<EOF > $KNOWN_HOSTS_TMPFILE
+antifa.tech ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDUB3sQqMpiuu+5vgsOia4iyOHA30UguQe2HdkWnbmfH0fFx5HbXkHWT5z5N4j8mcblt+WCAyDihl7gGl54X0UE=
+EOF
+
+
+
+[ $# -eq 0 ] && usage
+
+while [ $# -ne 0 ];do
+    debug "ARGS: $*"
+    case ${1} in
+        -a|--address)
+            shift
+            IP=$1
+            ;;
+        -i|--idssh)
+            shift
+            PRIVATE_KEY=$1
+            ;;
+        -k|--known-hosts)
+            shift
+            KNOWN_HOSTS_FILE=$1
+            ;;
+        -p|--pass)
+            shift
+            PASSWORD=$(echo $1| head -n1)
+            ;;
+        -d|--debug)
+            DEBUG=1
+            ;;
+        -s|--sshkey)
+            SSHKEY=1
+            ;;
+        *)
+            usage 
+            ;;
+        esac
+        shift
+done
+
+# check IP
+[ "$IP" == "" ] && error "IP Address not provided (required)"
+
+[ "$SSHKEY" -eq 1 ] && ssh_getsshkey
+
+# check priv key
+[ ! -e $PRIVATE_KEY ] && error "ssh private key not found in $PRIVATE_KEY"
+[ $(grep -c 'PRIVATE KEY' $PRIVATE_KEY) -eq 0 ] && error "unable to find SSH private key at $PRIVATE_KEY"
+
+# check password is valid
+if [ "$PASSWORD" == "" ];then
+    error "No password provided  (password is required)
+    you did not provide a password provided to unlock the LUKS disk
+    Please check usage (--help)"
+fi
+
+HASHNEW=$(sha1sum $KNOWN_HOSTS_TMPFILE | cut -f 1 -d ' ')
+HASHOLD=$(sha1sum $KNOWN_HOSTS_FILE | cut -f 1 -d ' ')
+
+# See if we have a dropbear_known_hosts file.
+if [ "$HASHNEW" != "$HASHOLD" ]; then
+    debug "file differs ${KNOWN_HOSTS_FILE} $KNOWN_HOSTS_TMPFILE"
+    info "The file ${KNOWN_HOSTS_FILE} has been automatically updated"
+    #to ensure no-one will steal the LUKS passphrase we need to connect to known_hosts ONLY
+    [ ! -e $(dirname $KNOWN_HOSTS_FILE) ] && mkdir -p $(dirname $KNOWN_HOSTS_FILE)
+    debug "copyting $KNOWN_HOSTS_TMPFILE into $KNOWN_HOSTS_FILE"
+    cp $KNOWN_HOSTS_TMPFILE  $KNOWN_HOSTS_FILE
+    debug "clean $KNOWN_HOSTS_TMPFILE"
+    rm $KNOWN_HOSTS_TMPFILE
+fi
+
+
+wait_host_up
+
+# unlock boot using PASSWORD
+
+echo " [*] unlocking the boot"
+ssh \
+    -4 \
+    -o BatchMode=yes \
+    -o MACs=hmac-sha1 \
+    -o UserKnownHostsFile=/dev/null \
+    -o GlobalKnownHostsFile=$KNOWN_HOSTS_FILE \
+    -o VerifyHostKeyDNS=no \
+    -i $PRIVATE_KEY \
+    -F /dev/null \
+    root@$IP \
+    "echo -n '$PASSWORD' > /lib/cryptsetup/passfifo" 2>&1 >/dev/null
+if [ $? -gt 0 ]; then
+    error "FAILED to unlock, reason: HOST UNKNOWN"
+fi
+
+debug "Host unlocked"
+echo " [*] Boot unlock successful, waiting for the machine to complete the boot"
+sleep 10s 
+wait_host_up
+debug "host unlocked back online"
+echo " [!] Host started successfully! You can now try to connect via ssh to $IP"
+
+exit 0