Package: dropbear
Version: 2012.55-1.3
Severity: normal
Tags: patch
Dear Maintainer,
Should the admin change the host's key, the old key remains in
use in the dropbear cryptroot initramfs. This is not really
a problem -- presumably there's a reason why there's a separate
host key for the initramfs -- but it's easy to forget to keep
the keys in sync.
The attached untested patch to the debian/initramfs/dropbear-hook
file should fix this problem by generating a warning message
when the host key in the initramfs differs from the normal
host key.
There could be a configuration option in /etc/default/dropbear
that disables this warning message but I thought it best to
keep things simple.
Regards,
Karl O. Pinc
-- System Information:
Debian Release: 7.1
APT prefers stable
APT policy: (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages dropbear depends on:
ii libc6 2.13-38
ii zlib1g 1:1.2.7.dfsg-13
dropbear recommends no packages.
Versions of packages dropbear suggests:
ii openssh-client 1:6.0p1-4
pn runit <none>
ii udev 175-7.2
ii xauth 1:1.0.7-1
-- no debconf information
--- initramfs/dropbear-hook 2013-07-03 22:30:56.000000000 -0500
+++ initramfs/dropbear-hook-new 2013-07-03 23:02:44.557106671 -0500
@@ -37,6 +37,10 @@
if [ ! -f "/etc/initramfs-tools/etc/dropbear/dropbear_${keytype}_host_key" ]; then
mkdir -p "/etc/initramfs-tools/etc/dropbear"
dropbearkey -t "${keytype}" -f "/etc/initramfs-tools/etc/dropbear/dropbear_${keytype}_host_key"
+ else
+ if ! cmp -s "/etc/dropbear/dropbear_${keytype}_host_key" "/etc/initramfs-tools/etc/dropbear/dropbear_${keytype}_host_key"; then
+ echo "dropbear cryptroot setup: WARNING: /etc/dropbear/dropbear_${keytype}_host_key differs from /etc/initramfs-tools/etc/dropbear/dropbear_${keytype}_host_key: ssh clients may complain of changed host key"
+ fi
fi
done
cp -R /etc/initramfs-tools/etc/dropbear "${DESTDIR}/etc/"
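Review bot: the new `else` branch warns on any non-zero exit from `cmp -s`, which also happens when `/etc/dropbear/dropbear_${keytype}_host_key` does not exist at all (cmp exits 2 on a missing file), so a host that never generated that key type would get a spurious "differs" warning; guard the comparison with `[ -f "/etc/dropbear/dropbear_${keytype}_host_key" ] &&` before the `cmp`. The warning should also go to stderr (`echo "..." >&2`), as that is where initramfs-tools hooks are expected to report problems so they are not lost when stdout is redirected. A smaller point: a key freshly generated in the `then` branch will by construction differ from the system key too, yet that path emits no warning; if the goal is to flag every mismatch, run the comparison after the if/else rather than only in the `else`.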