switch from dropbear to tinysshd

Author: Andrei-Pozolotin

initrd-build.sh

@@ -26,7 +26,7 @@ do_secret_clean() {
 }
 
 # ensure dropbear server host keys
-do_ssh_host_keys() {
+do_dropbear_keys() {
 
     quiet "provide host server ssh keys"
 
@@ -52,6 +52,22 @@ do_ssh_host_keys() {
 
 }
 
+# ensure tinyssh server host keys
+do_tinysshd_keys() {
+	
+    quiet "provide host server ssh keys"
+    
+    local keydir=/etc/tinyssh/sshkeydir
+    
+    mkdir -p $keydir
+    chmod go-rwx $keydir 
+    
+    plain "convert openssh to tinysshd host key ed25519"
+    
+    run_command tinyssh-convert -f /etc/ssh/ssh_host_ed25519_key -d $keydir
+	
+}
+
 # location of server host keys used by openssh
 keypath_openssh() {
     local type=$1

initrd-dropbear.service

@@ -2,6 +2,10 @@
 
 # Provide ssh server in initramfs
 
+# TODO
+# see #21
+# see #22
+
 [Unit]
 Description=Initrd Dropbear Service
 Documentation=https://github.com/random-archer/mkinitcpio-systemd-tool/blob/master/README.md
@@ -31,11 +35,13 @@ WantedBy=sysinit.target
 
 [X-SystemdTool]
 
+# TODO support new key formats
+
 # enable service
-InitrdService=enable
+InitrdService=disable
 
 # ensure dropbear server host keys
-InitrdBuild=/etc/systemd/system/initrd-build.sh command=do_ssh_host_keys
+#InitrdBuild=/etc/systemd/system/initrd-build.sh command=do_dropbear_keys
 
 # include generated dropbear configuration
 InitrdPath=/etc/dropbear

initrd-network.service

@@ -43,6 +43,9 @@ InitrdCall=add_checked_modules /drivers/net/
 # runtime location of resolv.conf provided by systemd-resolved.service
 InitrdLink=/etc/resolv.conf /run/systemd/resolve/resolv.conf
 
+# ensure consistent host name 
+InitrdPath=/etc/hostname replace=yes
+
 # include default config file for systemd-resolved.service 
 InitrdPath=/usr/lib/systemd/resolv.conf
 

initrd-tinysshd.service

@@ -0,0 +1,50 @@
+# This file is part of https://github.com/random-archer/mkinitcpio-systemd-tool
+
+# Provide ssh server in initramfs
+
+# note:
+# - tinysshd supports only ed25519 keys
+# - make sure opensshd host keys include ed25519 keys
+# - make sure remote user account also has ed25519 key pair    
+
+# service dependencies:
+# - https://www.archlinux.org/packages/community/x86_64/busybox/
+# - https://www.archlinux.org/packages/community/x86_64/tinyssh/
+# - https://aur.archlinux.org/packages/tinyssh-convert/
+
+[Unit]
+Description=Initrd TinySSHD Service
+Documentation=https://github.com/random-archer/mkinitcpio-systemd-tool/blob/master/README.md
+ConditionPathExists=/etc/initrd-release
+DefaultDependencies=no
+After=initrd-shell.service
+After=initrd-network.service
+Before=cryptsetup-pre.target
+Requires=initrd-shell.service
+Requires=initrd-network.service
+
+[Service]
+ExecStart=/usr/bin/busybox tcpsvd -v 0 22 /usr/bin/tinysshd -v /etc/tinyssh/sshkeydir
+Restart=always
+RestartSec=3s
+
+[Install]
+WantedBy=sysinit.target
+
+[X-SystemdTool]
+
+# enable service
+InitrdService=enable
+
+# ensure tinyssh keys are based on openssh keys
+InitrdBuild=/etc/systemd/system/initrd-build.sh command=do_tinysshd_keys
+
+# provision tinyssh server
+InitrdBinary=/usr/bin/tinysshd
+
+# use full busybox (provides tcpsvd applet)
+InitrdBinary=/usr/bin/busybox replace=yes
+
+# include tinyssh configuration
+InitrdPath=/etc/tinyssh/sshkeydir/.ed25519.sk
+InitrdPath=/etc/tinyssh/sshkeydir/ed25519.pk