====== Configuration d'un accès SSH à l'init du système pour pouvoir déchiffrer les partitions à distance ======
Installation de dropbear (sur Debian/Ubuntu, le méta-paquet `dropbear` tire aussi `dropbear-run`, qui lance un second serveur SSH sur le système démarré en plus d'OpenSSH ; seul `dropbear-initramfs` est nécessaire ici) :
sudo apt install dropbear
Ajout au fichier de configuration de dropbear pour l'initramfs (selon la version de Debian, ce fichier et le `authorized_keys` associé peuvent se trouver dans /etc/dropbear/initramfs/ au lieu de /etc/dropbear-initramfs/ ; adapter les chemins ci-dessous) :
sudo nano /etc/dropbear-initramfs/config
DROPBEAR_OPTIONS="-j -k -p <port> -s -c cryptroot-unlock"
<port> est à remplacer par un numéro de port SSH DIFFÉRENT du port SSH défini pour se connecter ensuite au système : le dropbear de l'initramfs a sa propre clé d'hôte, et un port distinct évite les alertes de changement de clé d'hôte dans known_hosts côté client. Rappel des options : -s désactive l'authentification par mot de passe (clés uniquement), -j et -k interdisent les redirections de port locales et distantes, -c force la commande cryptroot-unlock (aucun shell libre avant le déchiffrement). On peut aussi ajouter -I <secondes> pour fermer les sessions inactives.
Créer une clé SSH SUR VOTRE ORDI PERSO :
ssh-keygen -t ed25519 -C "your_email@example.com"
METTRE UNE PASSPHRASE ROBUSTE
Envoi de la clé publique sur le serveur (remplacer <user>, <serveur> et, si besoin, <port> par le port SSH du système démarré) :
ssh-copy-id -i /home/<user>/.ssh/id_ed25519.pub [-p <port>] <user>@<serveur>
Copie de la clé SSH de l'utilisateur vers dropbear (ne copier que les clés publiques autorisées à déchiffrer le disque : ce fichier est embarqué dans l'initramfs, lisible sans déchiffrement) :
sudo cp /home/<user>/.ssh/authorized_keys /etc/dropbear-initramfs/
Ajouter "wireguard" dans /etc/initramfs-tools/modules :
sudo nano /etc/initramfs-tools/modules
# List of modules that you want to include in your initramfs.
# They will be loaded at boot time in the order below.
#
# Syntax: module_name [args ...]
#
# You must run update-initramfs(8) to effect this change.
#
# Examples:
#
# raid1
# sd_mod
wireguard
Créer les fichiers suivants :
sudo nano /etc/initramfs-tools/scripts/init-bottom/wg-down
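#!/bin/sh
# /etc/initramfs-tools/scripts/init-bottom/wg-down
#
# Runs at init-bottom, just before the hand-over to the real root: tears down
# the WireGuard interface created by init-premount/wg-up so that the booted
# system can bring up its own wg0 from its own (encrypted) configuration.
PREREQ=""
prereqs()
{
  echo "$PREREQ"
}
case "$1" in
prereqs)
  prereqs
  exit 0
  ;;
esac
# Only delete the link if it exists: when wg-up failed (or the unlock was done
# on the console) there is nothing to tear down, and a stray error here must
# not disturb the hand-over to the real init.
if ip link show wg0 >/dev/null 2>&1; then
  ip link delete wg0 || true
fi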
sudo nano /etc/initramfs-tools/scripts/init-premount/wg-up
#!/bin/sh
# /etc/initramfs-tools/scripts/init-premount/wg-up
#
# Brings a WireGuard tunnel up inside the initramfs, before the encrypted root
# is unlocked, so that the dropbear unlock prompt is reachable through the VPN.
# Ordered after udev so that network devices already have their final names.
PREREQ="udev"
prereqs() {
  echo "$PREREQ"
}
# initramfs-tools first calls every script with "prereqs" to compute the
# ordering; answer and stop there.
if [ "$1" = "prereqs" ]; then
  prereqs
  exit 0
fi
. /scripts/functions
log_begin_msg "Configuring wg"
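# Creates wg0 from /etc/wireguard/wg0.conf (placed in the initramfs by the
# "wg" hook), brings it up and routes all IPv4 traffic through it, except the
# traffic to the peer's own endpoint, which keeps going via the physical
# gateway set up by configure_networking.
#
# The file is a wg-quick(8) style config; "wg setconf" does not accept the
# [Interface] Address key, so that line is stripped before loading and the
# address(es) are applied by hand with "ip address add".
#
# Globals: CONFIG (written). Returns non-zero if the interface could not be
# created or configured; routing is then left untouched.
setup_wg() {
  # Physical network first (ip= kernel parameter, or DHCP by default).
  configure_networking
  CONFIG="/etc/wireguard/wg0.conf"
  echo "Create interface"
  ip link add dev wg0 type wireguard || return 1
  # The stripped copy still contains the private key: never create it
  # world-readable, and remove it as soon as it has been loaded.
  umask 077
  echo "Stripping config"
  grep -v "^\s*#\?\s*Address\s*=.*" "$CONFIG" > "$CONFIG.strip"
  echo "Configure interface"
  if ! wg setconf wg0 "$CONFIG.strip"; then
    echo "wg setconf wg0 failed, leaving wg0 unconfigured" >&2
    rm -f "$CONFIG.strip"
    return 1
  fi
  rm -f "$CONFIG.strip"
  echo "Upping interface"
  ip link set dev wg0 up
  # Address lines may be commented out in the config file and may hold several
  # comma-separated addresses; word-splitting of the substitution is intended.
  for addr in $(grep "^.*#\?\s*Address\s*=\s*..*" "$CONFIG" | cut -d "=" -f2 | tr -d ','); do
    echo "Add address $addr to interface wg0"
    ip address add "$addr" dev wg0
  done
  # Pin a host route to the peer endpoint via the current default gateway so
  # that the tunnel's own packets are not sent into the tunnel once the
  # 0/1 + 128/1 routes below take precedence over the default route.
  # NOTE(review): the sed only understands "host:port" endpoints (IPv4 or a
  # DNS name); an IPv6 "[addr]:port" endpoint would need different parsing.
  endpoint="$(wg show wg0 endpoints | sed -n 's/.*\t\(.*\):.*/\1/p')"
  if [ -n "$endpoint" ]; then
    # Unquoted on purpose: the substitution yields the route's argument list.
    ip route add $(ip route get "$endpoint" | sed '/ via [0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}/{s/^\(.* via [0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\).*/\1/}' | head -n 1) 2>/dev/null || true
  fi
  # Two /1 routes are more specific than the existing default route and thus
  # win without having to delete it.
  ip route add 0/1 dev wg0
  ip route add 128/1 dev wg0
}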
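# Bring the tunnel up, then wait (bounded, at most 10 s) for it to actually
# carry traffic so that the dropbear unlock prompt is reachable through the
# VPN by the time it starts. The outcome is only logged: boot goes on either
# way, the console unlock still works without the tunnel.
setup_wg
WG_CHECK_HOST="${WG_CHECK_HOST:-1.1.1.1}"
tunnel_ok=1
for attempt in 1 2 3 4 5 6 7 8 9 10; do
  if ping -c 1 -W 1 "$WG_CHECK_HOST" >/dev/null 2>&1; then
    tunnel_ok=0
    break
  fi
  sleep 1
done
if [ "$tunnel_ok" -ne 0 ]; then
  log_warning_msg "wg0: no reply from $WG_CHECK_HOST after 10s, continuing without tunnel"
fi
log_end_msg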
sudo nano /etc/initramfs-tools/hooks/wg
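#!/bin/bash
# /etc/initramfs-tools/hooks/wg
#
# initramfs-tools hook: ships the wg(8) binary and the boot-time WireGuard
# configuration into the initramfs so that scripts/init-premount/wg-up can
# bring the tunnel up before the encrypted root is unlocked.
#
# Runs on the host at update-initramfs time, not inside the initramfs.
set -e
PREREQ=""
prereqs()
{
  echo "${PREREQ}"
}
case "${1}" in
prereqs)
  prereqs
  exit 0
  ;;
esac
. /usr/share/initramfs-tools/hook-functions

WG_BOOT_CONF="/etc/initramfs-tools/wg0.conf"

# Fail the initramfs build rather than silently produce an image without the
# tunnel when the configuration or the tool is missing.
if [ ! -f "${WG_BOOT_CONF}" ]; then
  echo "wg hook: ${WG_BOOT_CONF} not found, cannot build initramfs" >&2
  exit 1
fi
if [ ! -x /usr/bin/wg ]; then
  echo "wg hook: /usr/bin/wg not found (install wireguard-tools)" >&2
  exit 1
fi

# The file holds the tunnel's private key and is copied as-is into the
# initramfs, which is normally readable from an unencrypted /boot. At least
# keep the host copy root-only; a looser mode is reported, not fixed here.
mode="$(stat -c '%a' "${WG_BOOT_CONF}")"
if [ "${mode}" != "600" ] && [ "${mode}" != "400" ]; then
  echo "wg hook: WARNING ${WG_BOOT_CONF} has mode ${mode}, expected 0600 (run: chmod 600 ${WG_BOOT_CONF})" >&2
fi

copy_exec /usr/bin/wg
copy_file config "${WG_BOOT_CONF}" /etc/wireguard/wg0.conf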
sudo nano /etc/initramfs-tools/wg0.conf
(puis `sudo chmod 600 /etc/initramfs-tools/wg0.conf` : ce fichier contient la clé privée WireGuard et est copié tel quel dans l'initramfs, qui n'est pas chiffré ; utiliser de préférence une paire de clés dédiée à l'initramfs, différente de celle du système démarré, et restreindre côté serveur ce que ce pair peut joindre.)
# /etc/initramfs-tools/wg0.conf
[Interface]
#Address = 80.67.xxx.xxx/32
PrivateKey = …
[Peer]
PublicKey = …
AllowedIPs = 0.0.0.0/0
Endpoint = 80.67.xxx.xxx:xxxxx
PersistentKeepalive = 25
Rendre les fichiers exécutables :
sudo chmod +x /etc/initramfs-tools/scripts/init-bottom/wg-down
sudo chmod +x /etc/initramfs-tools/scripts/init-premount/wg-up
sudo chmod +x /etc/initramfs-tools/hooks/wg
Recharger initramfs et grub (configure_networking, appelé par wg-up, prend sa configuration réseau dans le paramètre noyau ip=… de GRUB_CMDLINE_LINUX dans /etc/default/grub ; sans ce paramètre il tente le DHCP ; vérifier ensuite que l'image générée dans /boot n'est lisible que par root, puisqu'elle contient la clé privée WireGuard) :
sudo update-initramfs -u -v
sudo update-grub
Pour se connecter après redémarrage (via l'adresse WireGuard du serveur, sur le port dropbear défini plus haut ; la commande forcée cryptroot-unlock demande directement la passphrase du disque) :
ssh -i ~/.ssh/id_ed25519 -p <port-dropbear> root@<adresse-wireguard-du-serveur>