On 2019-10-24 4:25 p.m., Guilhem Moulin wrote:
On Wed, 23 Oct 2019 at 16:04:31 -0400, Anton Avramov wrote:
On Mon., Oct. 21, 2019, 21:08 Guilhem Moulin, <guil...@debian.org> wrote:
Given the scope of this package, I strongly believe it'd make more sense
to merge it with src:dropbear rather than shipping a separate source
package.
I agree. However I don't know how I can contribute to that.
It's never too late :-) `apt showsrc dropbear-initramfs` gives a link
to the repository (hosted at salsa in the ‘Debian’ group). Bugs,
including feature requests, are to be filed against the Debian BTS like
for any other package: https://bugs.debian.org/dropbear-initramfs .
Thank you very much! I'll do that then.
Following dropbear-initramfs package
You seem to suggest that your code takes inspiration from
dropbear-initramfs, but your copyright information doesn't reflect
that.
Sorry about that! I've tried to change that, but I'm not absolutely
certain I've done it right.
AFAICT only src/* and etc/* are taken from src:dropbear's debian/initramfs/*
(and modified by you), the rest is your own work. Also AFAICT upstream
isn't a copyright holder for these scripts.
Regarding debian/control, your package shouldn't break or replace
dropbear <2015.68-1. This was the case the case for drobear-initramfs
after the package split, but it doesn't apply here. And AFAIK there is
no need to add a lower-bound on dropbear-bin's version.
that will install dropbear and would have the appropriate initramfs
scripts to start it in case the system enters rescue mode.
Why couldn't that be done in dropbear-initramfs instead? Right now the
script is run at premount stage, but I guess we could have an option to
run it at another stage instead.
The only argument I can think of is to give the option to have separate
access for panic and crypt unlock.
[…]
And in principle I can give someone the right to unlock the fs, but
not login in case of panic where in that case and admin with higher
access should step in.
One can already separate access levels with a single authorized_keys(5)
file containing multiple keys and different restriction options.
dropbear-initramfs spawns the sshd at init-premount stage, ie after udev
has been started and modules loaded. AFAIK it's unreliable to start it
earlier, because there might not be any network stack yet. So if
initramfs-tools panics earlier you'll not be able to log in remotely
will you?
Yes, but in case it panics later it would be nice to be able to login :)
(Anyway, again ‘panic’ is not a documented initramfs-tools(7)
subdirectory.)
I'll try to find some time and do something about that also.
And if it panics later, for instance due to a missing
block device, then one should be able to log-in using dropbear-initramfs
alone.
Initially I've tried to just trick dropbear-initramfs by creating empty
/etc/crypttab and then creating only a panic script to start if it
wasn't started. However I've ran into a problem where if there is no
panic and initramfs ipconfig command uses dhcp it would actually finish
after the boot process is complete. And if the system itself uses static
ip it gets overwritten by the dhcp. So the starting script in premount
for dropbear should take care not to start if there is no /etc/crypttab
and only start in case of panic.
By compatible I mean they can run together without interfering given they
use different port. Since there are only 2 scripts in initramfs I'm not
sure how would they suppose to share the code if we assume they are
different packages
Using Depends: plus maybe some refactoring on the drobpear-initramfs
side would be a way, but IMHO no separate binary package (let alone a
source package) is needed :-P dropbear-initramfs's purpose is to expose
the dropbear sshd at initramfs stage, starting as early as possible and
for as long as possible. It can be useful to unlock encrypted volumes,
but it's not its only use-case.
OK. Lets go that path. Considering my comment above should there be an
option to activate dropbear in case of panic but no crypttab or there
should be a config option to include and start dropbear in initramfs in
case crypttab doesn't exists?
Best Regards
