Package: dropbear
Version: 2012.55-1.3
Severity: normal
Tags: patch

Dear Maintainer,

Should the admin change the host's key, the old key remains in use in the dropbear cryptroot initramfs. This is not really a problem -- presumably there's a reason why there's a separate host key for the initramfs -- but it's easy to forget to keep the keys in sync.

The attached untested patch to the debian/initramfs/dropbear-hook file should fix this problem by generating a warning message when the host key in the initramfs differs from the normal host key.

There could be a configuration option in /etc/default/dropbear that disables this warning message, but I thought it best to keep things simple.

Regards,

Karl O. Pinc

-- System Information:
Debian Release: 7.1
  APT prefers stable
  APT policy: (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages dropbear depends on:
ii  libc6   2.13-38
ii  zlib1g  1:1.2.7.dfsg-13

dropbear recommends no packages.

Versions of packages dropbear suggests:
ii  openssh-client  1:6.0p1-4
pn  runit           <none>
ii  udev            175-7.2
ii  xauth           1:1.0.7-1

-- no debconf information
--- initramfs/dropbear-hook 2013-07-03 22:30:56.000000000 -0500 +++ initramfs/dropbear-hook-new 2013-07-03 23:02:44.557106671 -0500 @@ -37,6 +37,10 @@ if [ ! -f "/etc/initramfs-tools/etc/dropbear/dropbear_${keytype}_host_key" ]; then mkdir -p "/etc/initramfs-tools/etc/dropbear" dropbearkey -t "${keytype}" -f "/etc/initramfs-tools/etc/dropbear/dropbear_${keytype}_host_key" + else + if ! cmp -s "/etc/dropbear/dropbear_${keytype}_host_key" "/etc/initramfs-tools/etc/dropbear/dropbear_${keytype}_host_key"; then + echo "dropbear cryptroot setup: WARNING: /etc/dropbear/dropbear_${keytype}_host_key differs from /etc/initramfs-tools/etc/dropbear/dropbear_${keytype}_host_key: ssh clients may complain of changed host key" + fi fi done cp -R /etc/initramfs-tools/etc/dropbear "${DESTDIR}/etc/"
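Review bot: the new "else" branch warns whenever "cmp -s" exits non-zero, but cmp also returns non-zero (status 2) when /etc/dropbear/dropbear_${keytype}_host_key does not exist, so the warning fires on systems where the main dropbear key of that type was never generated and there is nothing to compare against. Guard the comparison with a file test, for example:
  elif [ -f "/etc/dropbear/dropbear_${keytype}_host_key" ] && ! cmp -s "/etc/dropbear/dropbear_${keytype}_host_key" "/etc/initramfs-tools/etc/dropbear/dropbear_${keytype}_host_key"; then
Minor: the warning should go to stderr ("echo ... >&2") so it is not mixed into the hook's normal stdout, and since the reporter notes the initramfs key may be different on purpose, the message could say the mismatch is expected if the keys were deliberately kept separate.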