Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package dracut-sshd for openSUSE:Factory checked in at 2025-02-25 16:58:39 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/dracut-sshd (Old) and /work/SRC/openSUSE:Factory/.dracut-sshd.new.1873 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dracut-sshd" Tue Feb 25 16:58:39 2025 rev:5 rq:1248361 version:0.6.7 Changes: -------- --- /work/SRC/openSUSE:Factory/dracut-sshd/dracut-sshd.changes 2024-08-01 22:04:39.621038156 +0200 +++ /work/SRC/openSUSE:Factory/.dracut-sshd.new.1873/dracut-sshd.changes 2025-02-25 16:58:49.283121541 +0100 @@ -1,0 +2,10 @@ +Wed Jan 1 15:56:54 UTC 2025 - Taeyeon Mori <[email protected]> + +- Update to 0.6.7 + * Enable SFTP access + * Removed 0001-Give-some-guidance-through-motd-prompt.patch (upstream) + * Removed 0002-Support-OpenSSH-9.8.patch (upstream) + * Removed 0003-Support-OpenSSH-9.8-for-openSUSE.patch (upstream) +- Add Suggests: systemd-network to go with included docs and examples + +------------------------------------------------------------------- Old: ---- 0001-Give-some-guidance-through-motd-prompt.patch 0002-Support-OpenSSH-9.8.patch 0003-Support-OpenSSH-9.8-for-openSUSE.patch dracut-sshd-0.6.1-2.tar.gz New: ---- dracut-sshd-0.6.7.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dracut-sshd.spec ++++++ --- /var/tmp/diff_new_pack.WavvnN/_old 2025-02-25 16:58:49.847145174 +0100 +++ /var/tmp/diff_new_pack.WavvnN/_new 2025-02-25 16:58:49.851145342 +0100 
@@ -1,7 +1,7 @@ # # spec file for package dracut-sshd # -# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2025 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -16,20 +16,17 @@ # -%define pkg_rel -2 Name: dracut-sshd -Version: 0.6.1 +Version: 0.6.7 Release: 0 Summary: Provide SSH access to initramfs early user space License: GPL-3.0-or-later Group: System/Boot URL: https://github.com/gsauthof/dracut-sshd -Source: https://github.com/gsauthof/dracut-sshd/archive/%{version}%{pkg_rel}/%{name}-%{version}%{pkg_rel}.tar.gz -Patch1: 0001-Give-some-guidance-through-motd-prompt.patch -Patch2: 0002-Support-OpenSSH-9.8.patch -Patch3: 0003-Support-OpenSSH-9.8-for-openSUSE.patch +Source: https://github.com/gsauthof/dracut-sshd/archive/%{version}/%{name}-%{version}.tar.gz BuildRequires: dracut Requires: dracut +Suggests: systemd-network BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch @@ -40,7 +37,7 @@ (i.e. early userspace). %prep -%autosetup -p1 -n %{name}-%{version}%{pkg_rel} +%autosetup -p1 -n %{name}-%{version} %build # empty ++++++ dracut-sshd-0.6.1-2.tar.gz -> dracut-sshd-0.6.7.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dracut-sshd-0.6.1-2/46sshd/module-setup.sh new/dracut-sshd-0.6.7/46sshd/module-setup.sh --- old/dracut-sshd-0.6.1-2/46sshd/module-setup.sh 2020-05-28 21:04:13.000000000 +0200 +++ new/dracut-sshd-0.6.7/46sshd/module-setup.sh 2024-08-03 22:32:36.000000000 +0200 
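Review bot: in the second openSUSE spec hunk, `%autosetup -p1` is kept although Patch1 to Patch3 are dropped in the same hunk; harmless, but `-p1` now has nothing to apply to, and plain `%autosetup -n %{name}-%{version}` states what actually happens. The changes entry explains the new `Suggests: systemd-network`, the spec itself doesn't; a one-line comment above it (the shipped `example/90-networkd.conf` adds the `systemd-networkd` dracut module, which needs that package on openSUSE) would spare the next reviewer the lookup.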
@@ -22,17 +22,25 @@ if [ "$(find /etc/ssh -maxdepth 1 -name 'dracut_ssh_host_*_key')" ]; then key_prefix=dracut_ fi + local found_host_key=no for key_type in dsa ecdsa ed25519 rsa; do ssh_host_key=/etc/ssh/"$key_prefix"ssh_host_"$key_type"_key if [ -f "$ssh_host_key" ]; then inst_simple "$ssh_host_key".pub /etc/ssh/ssh_host_"$key_type"_key.pub /usr/bin/install -m 600 "$ssh_host_key" \ "$initdir/etc/ssh/ssh_host_${key_type}_key" + found_host_key=yes fi done + if [ "$found_host_key" = no ]; then + dfatal "Didn't find any SSH host key!" + return 1 + fi if [ -e /root/.ssh/dracut_authorized_keys ]; then authorized_keys=/root/.ssh/dracut_authorized_keys + elif [ -e /etc/dracut-sshd/authorized_keys ]; then + authorized_keys=/etc/dracut-sshd/authorized_keys else authorized_keys=/root/.ssh/authorized_keys fi 
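Review bot: the host-key search in this hunk still reads `/etc/ssh` directly (both the `find /etc/ssh ...` test and `ssh_host_key=/etc/ssh/...`), whereas the passwd/group lookups added later in the same file go through `$dracutsysrootdir`; in a sysroot build the new `found_host_key` check therefore inspects the build host and either fails with `Didn't find any SSH host key!` or, worse, installs the build host's private host key into the target's initramfs. Prefix both paths with `$dracutsysrootdir`. Also `dsa` is still the first entry of the `for key_type` loop, although this release explicitly targets OpenSSH 9.8+ (see the sshd-session hunk), which disables DSA at compile time by default; copying a DSA host key into the initramfs is dead weight at best, and with an older sshd it advertises a weak host-key type. Dropping `dsa` from the list is the cheap fix.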
@@ -50,28 +58,44 @@ inst_multiple -o /etc/sysconfig/sshd /etc/sysconfig/ssh \ /etc/sysconfig/dracut-sshd + # Copy ssh helper executables for OpenSSH 9.8+ + # /usr/lib/ssh -> Arch + # /usr/lib(64)/misc -> Gentoo + # /usr/libexec/openssh -> Fedora + # /usr/libexec/ssh -> openSUSE + local d + for d in /usr/lib/ssh /usr/lib64/misc /usr/lib/misc /usr/libexec/openssh /usr/libexec/ssh ; do + if [ -f "$d"/sshd-session ]; then + inst_multiple "$d"/{sshd-session,sftp-server} + break + fi + done + # First entry for Fedora 28, second for Fedora 27 inst_multiple -o /etc/crypto-policies/back-ends/opensshserver.config \ /etc/crypto-policies/back-ends/openssh-server.config inst_simple "${moddir}/sshd.service" "$systemdsystemunitdir/sshd.service" inst_simple "${moddir}/sshd_config" /etc/ssh/sshd_config - grep '^sshd:' /etc/passwd >> "$initdir/etc/passwd" - grep '^sshd:' /etc/group >> "$initdir/etc/group" + { grep '^sshd:' $dracutsysrootdir/etc/passwd || echo 'sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin'; } >> "$initdir/etc/passwd" + { grep '^sshd:' $dracutsysrootdir/etc/group || echo 'sshd:x:74:'; } >> "$initdir/etc/group" - # Create privilege seperation directory - # /var/empty/sshd -> Fedora, CentOS, RHEL - # /var/emtpy -> Arch, OpenSSH upstream - # /var/lib/empty -> Suse - # /run/sshd -> Debian - # /var/chroot/ssh -> Void Linux + # Create privilege separation directory + # /var/empty/sshd -> Fedora, CentOS, RHEL + # /usr/share/empty.sshd -> Fedora >= 34 + # /var/emtpy -> Arch, OpenSSH upstream + # /var/lib/empty -> Suse + # /var/chroot/ssh -> Void Linux local d - for d in /var/empty/sshd /var/empty /var/lib/empty /run/sshd /var/chroot/ssh ; do + for d in /var/empty/sshd /usr/share/empty.sshd /var/empty /var/lib/empty /var/chroot/ssh ; do if [ -d "$d" ]; then mkdir -p -m 0755 "$initdir$d" - break fi done + # workaround for Silverblue (in general for ostree based os) + if grep ^OSTREE_VERSION= /etc/os-release > /dev/null; then + mkdir -p -m 0755 
"$initdir/var/empty/sshd" + fi systemctl -q --root "$initdir" enable sshd @@ -83,6 +107,9 @@ mkdir -p -m 0755 "$initdir/var/log" touch "$initdir/var/log/lastlog" + inst_simple "${moddir}/motd" /etc/motd + inst_simple "${moddir}/profile" /root/.profile + return 0 } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dracut-sshd-0.6.1-2/46sshd/motd new/dracut-sshd-0.6.7/46sshd/motd --- old/dracut-sshd-0.6.1-2/46sshd/motd 1970-01-01 01:00:00.000000000 +0100 +++ new/dracut-sshd-0.6.7/46sshd/motd 2024-08-03 22:32:36.000000000 +0200 @@ -0,0 +1,10 @@ + +Welcome to the early boot SSH environment. You may type + + systemd-tty-ask-password-agent + +(or press "arrow up") to unlock your disks. + +This shell will terminate automatically a few seconds after the +unlocking process has succeeded and when the boot proceeds. + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dracut-sshd-0.6.1-2/46sshd/profile new/dracut-sshd-0.6.7/46sshd/profile --- old/dracut-sshd-0.6.1-2/46sshd/profile 1970-01-01 01:00:00.000000000 +0100 +++ new/dracut-sshd-0.6.7/46sshd/profile 2024-08-03 22:32:36.000000000 +0200 @@ -0,0 +1,7 @@ +if [ -n "$SSH_TTY" ]; then + export PS1='initramfs-ssh:${PWD}# ' +fi + +if [ -n "$TERM" ]; then + export TERM=vt220 +fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dracut-sshd-0.6.1-2/46sshd/sshd.service new/dracut-sshd-0.6.7/46sshd/sshd.service --- old/dracut-sshd-0.6.1-2/46sshd/sshd.service 2020-05-28 21:04:13.000000000 +0200 +++ new/dracut-sshd-0.6.7/46sshd/sshd.service 2024-08-03 22:32:36.000000000 +0200 @@ -4,6 +4,7 @@ DefaultDependencies=no Before=cryptsetup.target + [Service] # With `Type=notify` the sshd service is started in a reliable # and robust way but it requires an sshd with systemd support. 
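Review bot: in the sshd-session loop of the `@@ -50,28 +58,44 @@` module-setup.sh hunk, `inst_multiple "$d"/{sshd-session,sftp-server}` installs `sftp-server` without `-o`, but the sshd_config in this same tarball switches to `Subsystem sftp internal-sftp`, so that binary is never executed; a system that has `sshd-session` but no `sftp-server` in the same directory now gets a needless dracut install error. Either drop it from the list or install it with `-o`. Two smaller points in the same hunk: the passwd/group lookups read `$dracutsysrootdir/etc/passwd` (unquoted) while the OSTree check still greps `/etc/os-release` on the build host, and the hardcoded fallback `sshd:x:74:74:...` is Fedora's uid and can collide with an entry another distro has already placed into `$initdir/etc/passwd`; a `dwarn` when the fallback is taken would at least make that visible.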
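Review bot: in the new `46sshd/profile`, the second guard reads `if [ -n "$TERM" ]; then export TERM=vt220`, which overwrites an already-set TERM and leaves an unset one unset, the inverse of a default. If the intent is to force a terminal type the initramfs can handle, drop the guard and always export; if it is meant as a fallback, the test should be `-z`. Either way a one-line comment stating why `vt220` is chosen would prevent the next reader from "fixing" it the wrong way.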
@@ -28,5 +29,9 @@ Restart=on-failure RestartSec=42s +# Create privilege separation directory /run/sshd for Debian/Ubuntu +RuntimeDirectory=sshd +RuntimeDirectoryMode=0755 + [Install] WantedBy=sysinit.target diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dracut-sshd-0.6.1-2/46sshd/sshd_config new/dracut-sshd-0.6.7/46sshd/sshd_config --- old/dracut-sshd-0.6.1-2/46sshd/sshd_config 2020-05-28 21:04:13.000000000 +0200 +++ new/dracut-sshd-0.6.7/46sshd/sshd_config 2024-08-03 22:32:36.000000000 +0200 @@ -4,8 +4,5 @@ AuthenticationMethods publickey UsePAM no X11Forwarding no - -AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES -AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT -AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE +Subsystem sftp internal-sftp diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dracut-sshd-0.6.1-2/README.md new/dracut-sshd-0.6.7/README.md --- old/dracut-sshd-0.6.1-2/README.md 2020-05-28 21:04:13.000000000 +0200 +++ new/dracut-sshd-0.6.7/README.md 2024-08-03 22:32:36.000000000 +0200 @@ -1,4 +1,3 @@ -[](https://travis-ci.org/gsauthof/dracut-sshd) [](https://copr.fedorainfracloud.org/coprs/gsauthof/dracut-sshd/) This [Dracut][dracut] module (dracut-sshd) integrates the @@ -13,6 +12,21 @@ 2018, Georg Sauthoff <[email protected]>, GPLv3+ +## TOC + +- [Example: Open Encrypted Root Filesystem](#example-open-encrypted-root-filesystem) +- [Example: Emergency Shell](#example-emergency-shell) +- [Install](#install) +- [Space Overhead](#space-overhead) +- [Host Keys](#host-keys) +- [Timeout](#timeout) +- [Network](#network) +- [Hardware Alternatives](#hardware-alternatives) +- [FAQ](#faq) +- [Related Work](#related-work) +- [Tested Environments](#tested-environments) +- [Packages](#packages) + ## Example: Open Encrypted Root Filesystem After booting a Fedora system with encrypted root filesystem 
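Review bot: in the sshd_config hunk, `Subsystem sftp internal-sftp` turns the early-boot sshd into a full read/write file channel to the initramfs root for every key in the chosen authorized_keys file, and the only description of it in this commit is "Enable SFTP access"; the README should say what it is for and that commenting out the line in the `%config(noreplace)` sshd_config disables it again. Dropping the `AcceptEnv` lines is a good call, as fewer client-controlled environment variables reach the root shell.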
@@ -84,13 +98,17 @@ -i \ /usr/lib/dracut/modules.d/46sshd/sshd.service -Make sure that `/root/.ssh/authorized_keys` contains the right -keys, as it's included in the [initramfs][iramfs]: +Dracut-sshd includes the first available ssh authorized keys file of the +following list into the initramfs: - # cat /root/.ssh/authorized_keys - -That said, if `/root/.ssh/dracut_authorized_keys` is present -then it is included, instead. +- /root/.ssh/dracut_authorized_keys +- /etc/dracut-sshd/authorized_keys +- /root/.ssh/authorized_keys + +Note that on some distributions such as [Fedora +Silverblue][rpm-ostree] your only option is to create a keys file +under `/etc/dracut-sshd` as `/root` isn't accessible during +`dracut` runtime. Of course, our initramfs image needs network support. The simplest way to achieve this is to include [networkd][networkd]. To install @@ -104,12 +122,14 @@ Create a non-[NetworkManager][nm] network config, e.g. via [Networkd][networkd]: - $ cat /etc/systemd/network/20-wired.network - [Match] - Name=e* - - [Network] - DHCP=ipv4 +``` +$ cat /etc/systemd/network/20-wired.network +[Match] +Name=e* + +[Network] +DHCP=ipv4 +``` Adjust the `Name=`, if necessary. @@ -119,9 +139,11 @@ Dracut for networkd (cf. the [install_items][iitems] and [add_dracutmodules][addmod] directives). Example: - # cat /etc/dracut.conf.d/90-networkd.conf - install_items+=" /etc/systemd/network/20-wired.network " - add_dracutmodules+=" systemd-networkd " +``` +# cat /etc/dracut.conf.d/90-networkd.conf +install_items+=" /etc/systemd/network/20-wired.network " +add_dracutmodules+=" systemd-networkd " +``` Alternatively, early boot network connectivity can be configured by other means (i.e. kernel parameters, see below). However, 
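Review bot: "first available" in the new authorized-keys list should read "first existing": module-setup.sh tests the three paths with `-e`, so an empty `/root/.ssh/dracut_authorized_keys` left over from an experiment silently takes precedence over a populated `/etc/dracut-sshd/authorized_keys` and yields an initramfs nobody can log into. Saying so here, and pointing at the `lsinitrd` check added further down in this README, avoids a remote lockout at the next reboot.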
@@ -138,8 +160,21 @@ # dracut -f -v +Note that Ubuntu's dracut defaults to an initramfs filename that +is incompatible with Ubuntu's grub default initrd settings ... m( +Thus, on Ubuntu one has to explicitly specify the initramfs filename like this: + + # dracut -f -v /boot/initrd.img-$(uname -r) + Verify that this `sshd` module is included. Either via inspecting the verbose -output or via `lsinitrd`. Reboot. +output or via `lsinitrd`, e.g.: + + # lsinitrd | grep 'authorized\|bin/sshd\|network/20' + -rw-r--r-- 1 root root 119 Jul 17 15:08 etc/systemd/network/20-wired.network + -rw------- 1 root root 99 Jul 17 17:04 root/.ssh/authorized_keys + -rwxr-xr-x 1 root root 876328 Jul 17 17:04 usr/sbin/sshd + +Finally, reboot. ## Space Overhead @@ -179,9 +214,11 @@ initramfs. A few KiBs could be saved via switching from [OpenSSH][ossh]'s sshd to something like [Dropbear][dropbear], but such an alternative sshd server is likely less well audited -for security issues and supports less features (e.g. as of 2018 -[Dropbear doesn't support public authentication with -ssh-ed25519][drop25519] keys). +for security issues and supports less features (e.g. ssh-ed25519 +public key authentication was only [added as late as +2020][drop25519], and, as of 2021, there are some [interoperability +issues][drop25519b] and [ed25519-sk keys aren't +supported][dropsk]). Last but not least, in times where even embedded systems feature hundreds of megabytes RAM, temporarily occupying a few extra 
@@ -315,23 +352,95 @@ ## FAQ - How to make the early boot sshd listen on a non-standard port? + A: If you really [want to do that][port] you can provide a `/etc/sysconfig/dracut-sshd` that defines `SSHD_OPTS` ([see also][port]). - Why does sshd hangs during early-boot when running dracut-sshd inside a virtual machine (VM)? + A: Most likely the VM guest is short of entropy and thus sshd blocks during startup (without logging a warning) for an indefinite amount of time. Possible up to the systemd service restart timeout. Directing some of the VM host's entropy into the VM guest fixes this issue ([cf. these comments for examples of how to do this][entropy]). +- Why do I get `Permission denied (publickey)` although the same + authorized key works after the system is booted? + + A: This can be caused by a root account that is locked with `!` + instead of `*`. In that case it's enough to change the lock + method (or set a password) and regenerate the initramfs. + Background: On some systems Dracut also includes `/etc/shadow` + which is then used by sshd. In early userspace, there is no + PAM, thus sshd uses built-in code for shadow handling. In + contrast to usual PAM configuration (which is used by late + userspace sshd, by default), sshd itself differentiates + between `*` and `!` as invalid password field tokens. Meaning + that only `*` allows public key authentication while `!` blocks + any login ([see also][i30]). +- Can I use dracut-sshd when my root account is locked? + + A: Yes, you can. + However, you have to make sure that your account isn't locked + with a `!` in `/etc/shadow`. If it is locked like that, you + have to lock it differently, e.g. via `usermod -p '*' root` + or simply set a strong password for the root user, followed + by `dracut -f`. + See also the previous question for additional details. +- Does dracut-sshd only work with networkd? + + A: No, it doesn't. + Dracut-sshd is network service agnostic. 
+ It just requires the network being online during early boot. + Depending on the distribution, there might be different + alternatives available for bringing network + interfaces up early, such as Systemd's networkd, legacy network + scripts, NetworkManager etc. + A given distribution and release might support one of those + or many, and default to one of them when the `network` dracut + module is included. + Besides selecting a specific dracut network module, there are + also dracut cmdline parameters for configuring network options + and addresses. + Depending on your concrete network setup and distribution, a + certain network module might be more suitable than another. + In general, it isn't an issue to use one network service during + early boot and another for late boot (e.g. networkd and + NetworkManager). + The same goes for configurations, e.g. perhaps for early boot a + simple DHCP setups makes most sense while in late boot you have a + more complicated network configuration. +- How do I make it work on Ubuntu 20.04? + + A: There are some pitfalls on Ubuntu. Firstly, dracut isn't + installed by default (fix: `apt install dracut-core + dracut-network`). Secondly, dracut isn't a first class citizen + on Ubuntu (i.e. it's only included in the universe repository, + not in the main repository). As a result, the default dracut + initramfs filename doesn't match what Ubuntu uses in its + Grub configuration. Thus, you have to explicitly specify + the right one (i.e. `/boot/initrd.img-$(uname -r)`) in the + `dracut` and `lsinitrd` commands. +- How do I debug dracut-sshd issues in the early boot + environment? + + A: You start by dropping into the dracut emergency shell and + looking at the journal and status of the involved services. + For example, via `systemctl status sshd.service`, `journalctl + -u sshd` etc. You drop into the emergency shell by adding + `rd.break` (and possibly `rd.shell`) to kernel parameter + command-line. 
Of course, you need some kind of console + access when doing such debugging. Using a virtual machine + usually is sufficient to reproduce issues which simplifies + things. ## Related Work -There is [dracut-crypt-ssh][cryptssh] module which aims to -provide SSH access for remotely unlocking an encrypted LUKS -volume. Main differences to dracut-sshd: +There is the [unmaintained][cryptssh-unm] (since 2019 or earlier) +[dracut-crypt-ssh][cryptssh] module which aimed to provide SSH +access for remotely unlocking an encrypted LUKS volume. Main +differences to dracut-sshd: - uses [Dropbear][dropbear] instead of [OpenSSH][ossh] sshd (cf. the Space Overhead Section for the implications) @@ -345,19 +454,13 @@ dangerous to use, e.g. when the password prompt times out the password is echoed to the console -A [dracut-crypt-ssh pull request][cryptssh-uwe] (open as -of 2018) for optionally using OpenSSH's sshd instead of Dropbear. -Main differences to dracut-sshd: - -- doesn't use systemd for starting/stopping the sshd daemon -- generates a new set of host keys, by default -- listens on a non-standard port for ssh, by default -- arguably more complex than dracut-sshd - certainly more lines - of code and some options -- unlock command still present -- pull-request evolved via additional commits without cleanup rebases +In 2017, a [dracut-crypt-ssh pull request][cryptssh-uwe] added +support for optionally using OpenSSH's sshd instead of Dropbear, +without changing the other differences. It was closed without +being merged in 2021. -There is [mk-fg/dracut-crypt-sshd][mkfg] which was marked +There are also some other dracut modules that use Dropbear: +[mk-fg/dracut-crypt-sshd][mkfg] which was marked deprecated in 2016 in favour of the above dracut-crypt-ssh. It uses Dropbear and some console hacks instead of `systemd-tty-ask-password-agent`. 
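Review bot: the `Permission denied (publickey)` FAQ entry could name where the `!` usually comes from: `passwd -l` and `usermod -L` lock an account by prefixing the existing hash with `!`, so everyone who locked root that way is affected, while the suggested `usermod -p '*' root` replaces the hash, meaning `passwd -u` cannot restore the old password afterwards. The answer also says "on some systems" without saying which; naming the dracut module that copies `/etc/shadow` would let users check with `lsinitrd | grep shadow` whether their image is affected.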
@@ -370,26 +473,67 @@ Dropbear although it still explicitly starts/stops it via hook files instead of making use of the systemd dependency features. +The [ArchWiki dm-crypt page][arch] lists two initramfs hooks for +remote access. Both don't use [Dracut][dracut] nor systemd, +though. Also, they use Dropbear and Tinyssh as ssh daemon. + [Clevis][clevis], an automatic decryption framework, has some [LUKS][luks] unlocking and Dracut support. Looking at its documentation, when it comes to automatic LUKS unlocking, the LUKS passphrase is stored encrypted in the LUKS header. Clevis then decrypts it -using an external service/hardware (e.g. a [TPM] module). +using an external service/hardware (e.g. a [Tang][tang] server +or a [TPM] module). -The [ArchWiki dm-crypt page][arch] lists two initramfs hooks for -remote access. Both don't use [Dracut][dracut] nor systemd, -though. Also, they use Dropbear and Tinyssh as ssh daemon. +Similar to Clevis, [Mandos][mandos] also implements a framework +for unattended LUKS unlocking. Unlike Clevis, it primarily +targets Debian and doesn't support TPM. That means for unlocking +the Mandos client fetches the asymmetrically encrypted LUKS +password from a Mandos server. + +With version 248 (i.e. available since early 2021 or so), +[systemd integrated some automatic LUKS2 volume unlocking +features][systemd248]. Similar to Clevis it supports TPM2 modules. +In addition, it also supports smart cards and FIDO2/hmac-secret +devices. At least some of those FIDO2 devices seem to support +non-interactive HMAC computation and thus allow to auto-unlock +LUKS volumes as long as the enrolled FIDO2 device is connected. + +If your threat model goes beyond what is described in the [Host +Keys](#host-keys) Section, you have to look into [authenticated +boot and disk encryption][authboot]. + +Although enterprise motherboard and server vendors often +integrate unpleasant BMCs (cf. 
the [Hardware Alternatives +Section](#hardware-alternatives)), a hardware solution for remote +access to early boot doesn't have to be awful. For example, there is +the open and DIY [Pi-KVM][pikvm] project which looks quite +promising. -Related ticket: [Bug 524727 - Dracut + encrypted root + networking (2009)][bug524727] +Related Fedora ticket: [Bug 524727 - Dracut + encrypted root + networking (2009)][bug524727] ## Tested Environments -- Fedora 27 to 32 +- Fedora Silverblue 33 +- Fedora 27 to 38 - CentOS 7, 8 +- CentOS Stream 9 (by a contributor) - RHEL 8 beta 1 +- Rocky Linux 8.8, 9 (by a contributor) - Gentoo (by a contributor) - SUSE (by a contributor) +- openSUSE Leap 15.5 - Arch (by a contributor) +- Ubuntu 20.04 LTS +- Debian 12 (by a contributor) + + +## Packages + +- [Copr][copr] - for Fedora, EPEL (i.e. RHEL or RHEL clones such + as AlmaLinux or Rocky) +- [openSUSE](https://build.opensuse.org/package/show/openSUSE:Factory/dracut-sshd) +- [Arch AUR](https://aur.archlinux.org/packages/dracut-sshd-git) + [arch]: https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Remote_unlocking_.28hooks:_netconf.2C_dropbear.2C_tinyssh.2C_ppp.29 [bls]: https://systemd.io/BOOT_LOADER_SPECIFICATION 
@@ -399,10 +543,13 @@ [copr]: https://copr.fedorainfracloud.org/coprs/gsauthof/dracut-sshd/ [cryptssh]: https://github.com/dracut-crypt-ssh/dracut-crypt-ssh [cryptssh-uwe]: https://github.com/dracut-crypt-ssh/dracut-crypt-ssh/pull/17 +[cryptssh-unm]: https://github.com/dracut-crypt-ssh/dracut-crypt-ssh/issues/43 [dracut]: https://dracut.wiki.kernel.org/index.php/Main_Page [dracut-cmdline]: https://manpath.be/f32/7/dracut.cmdline [dropbear]: https://en.wikipedia.org/wiki/Dropbear_(software) -[drop25519]: https://github.com/pts/pts-dropbear +[drop25519]: https://github.com/mkj/dropbear/pull/91 +[drop25519b]: https://github.com/mkj/dropbear/issues/136#issuecomment-913134728 +[dropsk]: https://github.com/mkj/dropbear/issues/135 [ifcfg]: https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-networkscripts-interfaces.html [iramfs]: https://en.wikipedia.org/wiki/Initial_ramdisk [kvm]: https://en.wikipedia.org/wiki/KVM_switch#Remote_KVM_devices @@ -416,6 +563,7 @@ [ossh]: https://en.wikipedia.org/wiki/OpenSSH [pwagent]: https://manpath.be/f32/1/systemd-tty-ask-password-agent [systemd]: https://en.wikipedia.org/wiki/Systemd +[systemd248]: http://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html [switchroot]: https://www.kernel.org/doc/Documentation/filesystems/ramfs-rootfs-initramfs.txt [tmpfs]: https://en.wikipedia.org/wiki/Tmpfs [tpm]: https://en.wikipedia.org/wiki/Trusted_Platform_Module 
@@ -423,4 +571,9 @@ [port]: https://github.com/gsauthof/dracut-sshd/issues/9#issuecomment-531308602 [entropy]: https://github.com/gsauthof/dracut-sshd/issues/12 [iitems]: https://manpath.be/f32/dracut/050-26.git20200316.fc32.x86_64/5/dracut.conf#L74 - +[i30]: https://github.com/gsauthof/dracut-sshd/issues/30 +[rpm-ostree]: https://discussion.fedoraproject.org/t/using-dracut-sshd-to-unlock-a-luks-encrypted-system/23449/6 +[pikvm]: https://github.com/pikvm/pikvm +[authboot]: https://0pointer.net/blog/authenticated-boot-and-disk-encryption-on-linux.html +[tang]: https://github.com/latchset/tang +[mandos]: https://www.recompile.se/mandos diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dracut-sshd-0.6.1-2/dracut-sshd.spec new/dracut-sshd-0.6.7/dracut-sshd.spec --- old/dracut-sshd-0.6.1-2/dracut-sshd.spec 2020-05-28 21:04:13.000000000 +0200 +++ new/dracut-sshd-0.6.7/dracut-sshd.spec 2024-08-03 22:32:36.000000000 +0200 @@ -4,10 +4,10 @@ # the 'lead' parameter, anyways # cf. https://pagure.io/rpkg-util/issue/21#comment-601077 #Version: {{{ git_dir_version }}} -Version: 0.6.1 -Release: 2%{?dist} +Version: 0.6.7 +Release: 1%{?dist} Summary: Provide SSH access to initramfs early user space -URL: https://github.com/gsauthof +URL: https://github.com/gsauthof/dracut-sshd License: GPLv3+ VCS: {{{ git_dir_vcs }}} Source: {{{ git_dir_pack }}} 
@@ -31,14 +31,40 @@ cp -r 46sshd %{buildroot}/usr/lib/dracut/modules.d/ %files +%dir /usr/lib/dracut/modules.d/46sshd /usr/lib/dracut/modules.d/46sshd/module-setup.sh /usr/lib/dracut/modules.d/46sshd/sshd.service +/usr/lib/dracut/modules.d/46sshd/motd +/usr/lib/dracut/modules.d/46sshd/profile %config(noreplace) /usr/lib/dracut/modules.d/46sshd/sshd_config %doc README.md %doc example/20-wired.network %doc example/90-networkd.conf %changelog +* Sat Aug 08 2024 Georg Sauthoff <[email protected]> - 0.6.7-1 +- support recent sshd versions +- enable sftp access + +* Sun Jun 18 2023 Georg Sauthoff <[email protected]> - 0.6.6-1 +- update docs and add directory to files list + +* Sat May 27 2023 Georg Sauthoff <[email protected]> - 0.6.5-1 +- eliminate tmpfiles and fix Debian/Ubuntu support + +* Sun May 7 2023 Georg Sauthoff <[email protected]> - 0.6.4-1 +- fix motd + +* Sat May 1 2021 Georg Sauthoff <[email protected]> - 0.6.3-1 +- fix privilege separation directory for Fedora 34 + +* Sun Nov 22 2020 Akos Balla <[email protected]> - 0.6.2-2 +- support Fedora Silverblue +- add motd/profile files + +* Sat Oct 31 2020 Georg Sauthoff <[email protected]> - 0.6.2-1 +- check whether key is included + * Thu May 28 2020 Georg Sauthoff <[email protected]> - 0.6.1-2 - add example dracut config
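Review bot: the `0.6.7-1` entry in the upstream spec's `%changelog` is dated `Sat Aug 08 2024`, but 8 August 2024 was a Thursday (rpmbuild warns about bogus dates in `%changelog`); the files in the tarball are stamped `2024-08-03`, a Saturday, so `Sat Aug 03 2024` is probably what was meant. Also, because sshd_config is `%config(noreplace)`, users who edited it in an earlier version will get the new `Subsystem sftp internal-sftp` line as an `.rpmnew` file rather than in place, which deserves a line in the changelog.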
