Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: dropbear@packages.debian.org
Control: affects -1 + src:dropbear
[ Reason ]
dropbear 2020.81-3 is vulnerable to CVE-2021-36369 and CVE-2023-48795
(terrapin attack).
The security team argued these issues didn't warrant a CVE, and
suggested to go via s-pu instead.
[ Impact ]
Bullseye users will remain vulnerable to CVE-2021-36369 and
CVE-2023-48795. For the latter, details about what that entails has
been discussed on the upstream bug tracker at
https://github.com/mkj/dropbear/issues/270 , where one the terrapin
finders wrote that
| While it is true that not sending server-sig-algs does not prevent the
| client from trying SHA2-based RSA signatures, we observed the suggested
| behavior (preferring SHA-1 over SHA-2 when server-sig-algs is missing)
| in a wide variety of SSH clients. Also, the order of algorithms in
| server-sig-algs is used by some clients in case multiple private keys
| are present, potentially leading to downgrades as well.
|
| However, we do not consider this application of the Terrapin attack to
| have a significant impact. Instead, our main concern is the combination
| of Terrapin with implementation bugs, as seen in AsyncSSH. We evaluated
| only a handful of SSH implementations, where one already allowed for
| in-session man-in-the-middle attacks. Given the wide variety of SSH
| implementations, one can estimate with sufficient probability that other
| implementations face similar issues.
[ Tests ]
I manually checked the updated dropbear SSHd/dbclient against the
Terrapin scanner, and also the new -oDisableTrivialAuth=yes option on
the client.
[ Risks ]
Risk is low: all patches come from upstream and applied cleanly.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
* Add option -oDisableTrivialAuth=yes to mitigate CVE-2021-36369.
* Implement Strict KEX mode to fix CVE-2023-48795 (terrapin attack).
* d/t/on-lvm-and-luks: Target bullseye not sid.
* d/t/on-lvm-and-luks: Bump disk image size to 4G as the previous size was
too small for bullseye-security updates (kernel etc.).
* Salsa CI: Target bullseye and disable lintian job.
--
Guilhem.
diffstat for dropbear-2020.81 dropbear-2020.81
changelog | 18 +++
patches/CVE-2021-36369.patch | 182 +++++++++++++++++++++++++++++++++
patches/CVE-2023-48795.patch | 232 +++++++++++++++++++++++++++++++++++++++++++
patches/series | 2
salsa-ci.yml | 8 +
tests/on-lvm-and-luks | 16 +-
6 files changed, 448 insertions(+), 10 deletions(-)
diff -Nru dropbear-2020.81/debian/changelog dropbear-2020.81/debian/changelog
--- dropbear-2020.81/debian/changelog 2021-01-14 21:14:26.000000000 +0100
+++ dropbear-2020.81/debian/changelog 2024-01-26 12:00:26.000000000 +0100
@@ -1,3 +1,21 @@
+dropbear (2020.81-3+deb11u1) bullseye; urgency=medium
+
+ * Fix CVE-2021-36369: Due to a non-RFC-compliant check of the available
+ authentication methods in the client-side SSH code, it is possible for an
+ SSH server to change the login process in its favor.
+ * Fix CVE-2023-48795 (terrapin attack): The SSH transport protocol with
+ certain OpenSSH extensions allows remote attackers to bypass integrity
+ checks such that some packets are omitted (from the extension negotiation
+ message), and a client and server may consequently end up with a
+ connection for which some security features have been downgraded or
+ disabled, aka a Terrapin attack. (Closes: #1059001)
+ * d/t/on-lvm-and-luks: Target bullseye not sid.
+ * d/t/on-lvm-and-luks: Bump disk image size to 4G as the previous size was
+ too small for bullseye-security updates (kernel etc.).
+ * Salsa CI: Target bullseye and disable lintian job.
+
+ -- Guilhem Moulin <guilhem@debian.org> Fri, 26 Jan 2024 12:00:26 +0100
+
dropbear (2020.81-3) unstable; urgency=medium
* Initramfs: Use 10 placeholders in ~root template.
diff -Nru dropbear-2020.81/debian/patches/CVE-2021-36369.patch dropbear-2020.81/debian/patches/CVE-2021-36369.patch
--- dropbear-2020.81/debian/patches/CVE-2021-36369.patch 1970-01-01 01:00:00.000000000 +0100
+++ dropbear-2020.81/debian/patches/CVE-2021-36369.patch 2024-01-26 12:00:26.000000000 +0100
@@ -0,0 +1,182 @@
+From: Manfred Kaiser <37737811+manfred-kaiser@users.noreply.github.com>
+Date: Thu, 19 Aug 2021 17:37:14 +0200
+Subject: Added option to disable trivial auth methods
+
+* added option to disable trivial auth methods
+
+* rename argument to match with other ssh clients
+
+* fixed trivial auth detection for pubkeys
+
+Origin: https://github.com/mkj/dropbear/commit/210a9833496ed2a93b8da93924874938127ce0b5
+Origin: https://github.com/mkj/dropbear/commit/b2b94acc97254c7fffcb375120eea26c42c65292
+Bug: https://github.com/mkj/dropbear/pull/128
+Debian-Bug: https://security-tracker.debian.org/tracker/CVE-2021-36369
+---
+ cli-auth.c | 3 +++
+ cli-authinteract.c | 1 +
+ cli-authpasswd.c | 2 +-
+ cli-authpubkey.c | 1 +
+ cli-runopts.c | 7 +++++++
+ cli-session.c | 1 +
+ dbclient.1 | 20 +++++++++++++++++++-
+ runopts.h | 1 +
+ session.h | 1 +
+ 9 files changed, 35 insertions(+), 2 deletions(-)
+
+diff --git a/cli-auth.c b/cli-auth.c
+index 2e509e5..6f04495 100644
+--- a/cli-auth.c
++++ b/cli-auth.c
+@@ -267,6 +267,9 @@ void recv_msg_userauth_success() {
+ if DROPBEAR_CLI_IMMEDIATE_AUTH is set */
+
+ TRACE(("received msg_userauth_success"))
++ if (cli_opts.disable_trivial_auth && cli_ses.is_trivial_auth) {
++ dropbear_exit("trivial authentication not allowed");
++ }
+ /* Note: in delayed-zlib mode, setting authdone here
+ * will enable compression in the transport layer */
+ ses.authstate.authdone = 1;
+diff --git a/cli-authinteract.c b/cli-authinteract.c
+index e1cc9a1..f7128ee 100644
+--- a/cli-authinteract.c
++++ b/cli-authinteract.c
+@@ -114,6 +114,7 @@ void recv_msg_userauth_info_request() {
+ m_free(instruction);
+
+ for (i = 0; i < num_prompts; i++) {
++ cli_ses.is_trivial_auth = 0;
+ unsigned int response_len = 0;
+ prompt = buf_getstring(ses.payload, NULL);
+ cleantext(prompt);
+diff --git a/cli-authpasswd.c b/cli-authpasswd.c
+index 00fdd8b..a24d43e 100644
+--- a/cli-authpasswd.c
++++ b/cli-authpasswd.c
+@@ -155,7 +155,7 @@ void cli_auth_password() {
+
+ encrypt_packet();
+ m_burn(password, strlen(password));
+-
++ cli_ses.is_trivial_auth = 0;
+ TRACE(("leave cli_auth_password"))
+ }
+ #endif /* DROPBEAR_CLI_PASSWORD_AUTH */
+diff --git a/cli-authpubkey.c b/cli-authpubkey.c
+index 42c4e3f..fa01807 100644
+--- a/cli-authpubkey.c
++++ b/cli-authpubkey.c
+@@ -176,6 +176,7 @@ static void send_msg_userauth_pubkey(sign_key *key, enum signature_type sigtype,
+ buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len);
+ cli_buf_put_sign(ses.writepayload, key, sigtype, sigbuf);
+ buf_free(sigbuf); /* Nothing confidential in the buffer */
++ cli_ses.is_trivial_auth = 0;
+ }
+
+ encrypt_packet();
+diff --git a/cli-runopts.c b/cli-runopts.c
+index 3654b9a..255b47e 100644
+--- a/cli-runopts.c
++++ b/cli-runopts.c
+@@ -152,6 +152,7 @@ void cli_getopts(int argc, char ** argv) {
+ #if DROPBEAR_CLI_ANYTCPFWD
+ cli_opts.exit_on_fwd_failure = 0;
+ #endif
++ cli_opts.disable_trivial_auth = 0;
+ #if DROPBEAR_CLI_LOCALTCPFWD
+ cli_opts.localfwds = list_new();
+ opts.listen_fwd_all = 0;
+@@ -889,6 +890,7 @@ static void add_extendedopt(const char* origstr) {
+ #if DROPBEAR_CLI_ANYTCPFWD
+ "\tExitOnForwardFailure\n"
+ #endif
++ "\tDisableTrivialAuth\n"
+ #ifndef DISABLE_SYSLOG
+ "\tUseSyslog\n"
+ #endif
+@@ -916,5 +918,10 @@ static void add_extendedopt(const char* origstr) {
+ return;
+ }
+
++ if (match_extendedopt(&optstr, "DisableTrivialAuth") == DROPBEAR_SUCCESS) {
++ cli_opts.disable_trivial_auth = parse_flag_value(optstr);
++ return;
++ }
++
+ dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", origstr);
+ }
+diff --git a/cli-session.c b/cli-session.c
+index 5e5af22..afb54a1 100644
+--- a/cli-session.c
++++ b/cli-session.c
+@@ -165,6 +165,7 @@ static void cli_session_init(pid_t proxy_cmd_pid) {
+ /* Auth */
+ cli_ses.lastprivkey = NULL;
+ cli_ses.lastauthtype = 0;
++ cli_ses.is_trivial_auth = 1;
+
+ /* For printing "remote host closed" for the user */
+ ses.remoteclosed = cli_remoteclosed;
+diff --git a/dbclient.1 b/dbclient.1
+index 1516e7c..0f6828a 100644
+--- a/dbclient.1
++++ b/dbclient.1
+@@ -94,7 +94,18 @@ is performed at all, this is usually undesirable.
+ .B \-A
+ Forward agent connections to the remote host. dbclient will use any
+ OpenSSH-style agent program if available ($SSH_AUTH_SOCK will be set) for
+-public key authentication. Forwarding is only enabled if -A is specified.
++public key authentication. Forwarding is only enabled if \fI-A\fR is specified.
++
++Beware that a forwarded agent connection will allow the remote server to have
++the same authentication credentials as you have used locally. A compromised
++remote server could use that to log in to other servers.
++
++In many situations Dropbear's multi-hop mode is a better and more secure alternative
++to agent forwarding, avoiding having to trust the intermediate server.
++
++If the SSH agent program is set to prompt when a key is used, the
++\fI-o DisableTrivialAuth\fR option can prevent UI confusion.
++
+ .TP
+ .B \-W \fIwindowsize
+ Specify the per-channel receive window buffer size. Increasing this
+@@ -153,6 +164,13 @@ Specifies whether dbclient should terminate the connection if it cannot set up a
+ .TP
+ .B UseSyslog
+ Send dbclient log messages to syslog in addition to stderr.
++.TP
++.B DisableTrivialAuth
++Disallow a server immediately
++giving successful authentication (without presenting any password/pubkey prompt).
++This avoids a UI confusion issue where it may appear that the user is accepting
++a SSH agent prompt from their local machine, but are actually accepting a prompt
++sent immediately by the remote server.
+ .RE
+ .TP
+ .B \-s
+diff --git a/runopts.h b/runopts.h
+index 6a4a94c..01201d2 100644
+--- a/runopts.h
++++ b/runopts.h
+@@ -159,6 +159,7 @@ typedef struct cli_runopts {
+ #if DROPBEAR_CLI_ANYTCPFWD
+ int exit_on_fwd_failure;
+ #endif
++ int disable_trivial_auth;
+ #if DROPBEAR_CLI_REMOTETCPFWD
+ m_list * remotefwds;
+ #endif
+diff --git a/session.h b/session.h
+index fb5b8cb..6706592 100644
+--- a/session.h
++++ b/session.h
+@@ -316,6 +316,7 @@ struct clientsession {
+
+ int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD,
+ for the last type of auth we tried */
++ int is_trivial_auth;
+ int ignore_next_auth_response;
+ #if DROPBEAR_CLI_INTERACT_AUTH
+ int auth_interact_failed; /* flag whether interactive auth can still
diff -Nru dropbear-2020.81/debian/patches/CVE-2023-48795.patch dropbear-2020.81/debian/patches/CVE-2023-48795.patch
--- dropbear-2020.81/debian/patches/CVE-2023-48795.patch 1970-01-01 01:00:00.000000000 +0100
+++ dropbear-2020.81/debian/patches/CVE-2023-48795.patch 2024-01-26 12:00:26.000000000 +0100
@@ -0,0 +1,232 @@
+From: Matt Johnston <matt@ucc.asn.au>
+Date: Mon, 20 Nov 2023 14:02:47 +0800
+Subject: Implement Strict KEX mode
+
+As specified by OpenSSH with kex-strict-c-v00@openssh.com and
+kex-strict-s-v00@openssh.com.
+
+Origin: https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-48795
+Bug-Debian: https://bugs.debian.org/1059001
+---
+ cli-session.c | 11 +++++++++++
+ common-algo.c | 6 ++++++
+ common-kex.c | 26 +++++++++++++++++++++++++-
+ kex.h | 3 +++
+ process-packet.c | 34 +++++++++++++++++++---------------
+ ssh.h | 4 ++++
+ svr-session.c | 3 +++
+ 7 files changed, 71 insertions(+), 16 deletions(-)
+
+diff --git a/cli-session.c b/cli-session.c
+index afb54a1..a2e4e3f 100644
+--- a/cli-session.c
++++ b/cli-session.c
+@@ -46,6 +46,7 @@ static void cli_finished(void) ATTRIB_NORETURN;
+ static void recv_msg_service_accept(void);
+ static void cli_session_cleanup(void);
+ static void recv_msg_global_request_cli(void);
++static void cli_algos_initialise(void);
+
+ struct clientsession cli_ses; /* GLOBAL */
+
+@@ -114,6 +115,7 @@ void cli_session(int sock_in, int sock_out, struct dropbear_progress_connection
+ }
+
+ chaninitialise(cli_chantypes);
++ cli_algos_initialise();
+
+ /* Set up cli_ses vars */
+ cli_session_init(proxy_cmd_pid);
+@@ -473,3 +475,12 @@ void cli_dropbear_log(int priority, const char* format, va_list param) {
+ fflush(stderr);
+ }
+
++static void cli_algos_initialise(void) {
++ algo_type *algo;
++ for (algo = sshkex; algo->name; algo++) {
++ if (strcmp(algo->name, SSH_STRICT_KEX_S) == 0) {
++ algo->usable = 0;
++ }
++ }
++}
++
+diff --git a/common-algo.c b/common-algo.c
+index f3961c2..c71b52c 100644
+--- a/common-algo.c
++++ b/common-algo.c
+@@ -332,6 +332,12 @@ algo_type sshkex[] = {
+ /* Set unusable by svr_algos_initialise() */
+ {SSH_EXT_INFO_C, 0, NULL, 1, NULL},
+ #endif
++#endif
++#if DROPBEAR_CLIENT
++ {SSH_STRICT_KEX_C, 0, NULL, 1, NULL},
++#endif
++#if DROPBEAR_SERVER
++ {SSH_STRICT_KEX_S, 0, NULL, 1, NULL},
+ #endif
+ {NULL, 0, NULL, 0, NULL}
+ };
+diff --git a/common-kex.c b/common-kex.c
+index 39d916b..e041348 100644
+--- a/common-kex.c
++++ b/common-kex.c
+@@ -183,6 +183,10 @@ void send_msg_newkeys() {
+ gen_new_keys();
+ switch_keys();
+
++ if (ses.kexstate.strict_kex) {
++ ses.transseq = 0;
++ }
++
+ TRACE(("leave send_msg_newkeys"))
+ }
+
+@@ -193,7 +197,11 @@ void recv_msg_newkeys() {
+
+ ses.kexstate.recvnewkeys = 1;
+ switch_keys();
+-
++
++ if (ses.kexstate.strict_kex) {
++ ses.recvseq = 0;
++ }
++
+ TRACE(("leave recv_msg_newkeys"))
+ }
+
+@@ -551,6 +559,10 @@ void recv_msg_kexinit() {
+
+ ses.kexstate.recvkexinit = 1;
+
++ if (ses.kexstate.strict_kex && !ses.kexstate.donefirstkex && ses.recvseq != 1) {
++ dropbear_exit("First packet wasn't kexinit");
++ }
++
+ TRACE(("leave recv_msg_kexinit"))
+ }
+
+@@ -861,6 +873,18 @@ static void read_kex_algos() {
+ }
+ #endif
+
++ if (!ses.kexstate.donefirstkex) {
++ const char* strict_name;
++ if (IS_DROPBEAR_CLIENT) {
++ strict_name = SSH_STRICT_KEX_S;
++ } else {
++ strict_name = SSH_STRICT_KEX_C;
++ }
++ if (buf_has_algo(ses.payload, strict_name) == DROPBEAR_SUCCESS) {
++ ses.kexstate.strict_kex = 1;
++ }
++ }
++
+ algo = buf_match_algo(ses.payload, sshkex, kexguess2, &goodguess);
+ allgood &= goodguess;
+ if (algo == NULL || algo->data == NULL) {
+diff --git a/kex.h b/kex.h
+index 77cf21a..7fcc3c2 100644
+--- a/kex.h
++++ b/kex.h
+@@ -83,6 +83,9 @@ struct KEXState {
+
+ unsigned our_first_follows_matches : 1;
+
++ /* Boolean indicating that strict kex mode is in use */
++ unsigned int strict_kex;
++
+ time_t lastkextime; /* time of the last kex */
+ unsigned int datatrans; /* data transmitted since last kex */
+ unsigned int datarecv; /* data received since last kex */
+diff --git a/process-packet.c b/process-packet.c
+index 9454160..133a152 100644
+--- a/process-packet.c
++++ b/process-packet.c
+@@ -44,6 +44,7 @@ void process_packet() {
+
+ unsigned char type;
+ unsigned int i;
++ unsigned int first_strict_kex = ses.kexstate.strict_kex && !ses.kexstate.donefirstkex;
+ time_t now;
+
+ TRACE2(("enter process_packet"))
+@@ -54,22 +55,24 @@ void process_packet() {
+ now = monotonic_now();
+ ses.last_packet_time_keepalive_recv = now;
+
+- /* These packets we can receive at any time */
+- switch(type) {
+
+- case SSH_MSG_IGNORE:
+- goto out;
+- case SSH_MSG_DEBUG:
+- goto out;
++ if (type == SSH_MSG_DISCONNECT) {
++ /* Allowed at any time */
++ dropbear_close("Disconnect received");
++ }
+
+- case SSH_MSG_UNIMPLEMENTED:
+- /* debugging XXX */
+- TRACE(("SSH_MSG_UNIMPLEMENTED"))
+- goto out;
+-
+- case SSH_MSG_DISCONNECT:
+- /* TODO cleanup? */
+- dropbear_close("Disconnect received");
++ /* These packets may be received at any time,
++ except during first kex with strict kex */
++ if (!first_strict_kex) {
++ switch(type) {
++ case SSH_MSG_IGNORE:
++ goto out;
++ case SSH_MSG_DEBUG:
++ goto out;
++ case SSH_MSG_UNIMPLEMENTED:
++ TRACE(("SSH_MSG_UNIMPLEMENTED"))
++ goto out;
++ }
+ }
+
+ /* Ignore these packet types so that keepalives don't interfere with
+@@ -98,7 +101,8 @@ void process_packet() {
+ if (type >= 1 && type <= 49
+ && type != SSH_MSG_SERVICE_REQUEST
+ && type != SSH_MSG_SERVICE_ACCEPT
+- && type != SSH_MSG_KEXINIT)
++ && type != SSH_MSG_KEXINIT
++ && !first_strict_kex)
+ {
+ TRACE(("unknown allowed packet during kexinit"))
+ recv_unimplemented();
+diff --git a/ssh.h b/ssh.h
+index ee4a960..44acd51 100644
+--- a/ssh.h
++++ b/ssh.h
+@@ -100,6 +100,10 @@
+ #define SSH_EXT_INFO_C "ext-info-c"
+ #define SSH_SERVER_SIG_ALGS "server-sig-algs"
+
++/* OpenSSH strict KEX feature */
++#define SSH_STRICT_KEX_S "kex-strict-s-v00@openssh.com"
++#define SSH_STRICT_KEX_C "kex-strict-c-v00@openssh.com"
++
+ /* service types */
+ #define SSH_SERVICE_USERAUTH "ssh-userauth"
+ #define SSH_SERVICE_USERAUTH_LEN 12
+diff --git a/svr-session.c b/svr-session.c
+index 6c3147f..ca2178c 100644
+--- a/svr-session.c
++++ b/svr-session.c
+@@ -342,6 +342,9 @@ static void svr_algos_initialise(void) {
+ algo->usable = 0;
+ }
+ #endif
++ if (strcmp(algo->name, SSH_STRICT_KEX_C) == 0) {
++ algo->usable = 0;
++ }
+ }
+ }
+
diff -Nru dropbear-2020.81/debian/patches/series dropbear-2020.81/debian/patches/series
--- dropbear-2020.81/debian/patches/series 2021-01-14 21:14:26.000000000 +0100
+++ dropbear-2020.81/debian/patches/series 2024-01-26 12:00:26.000000000 +0100
@@ -1 +1,3 @@
local-options.patch
+CVE-2021-36369.patch
+CVE-2023-48795.patch
diff -Nru dropbear-2020.81/debian/salsa-ci.yml dropbear-2020.81/debian/salsa-ci.yml
--- dropbear-2020.81/debian/salsa-ci.yml 2021-01-14 21:14:26.000000000 +0100
+++ dropbear-2020.81/debian/salsa-ci.yml 2024-01-26 12:00:26.000000000 +0100
@@ -1,4 +1,8 @@
---
include:
- - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
- - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
+variables:
+ RELEASE: 'bullseye'
+ SALSA_CI_DISABLE_REPROTEST: 1
+ SALSA_CI_DISABLE_LINTIAN: 1
diff -Nru dropbear-2020.81/debian/tests/on-lvm-and-luks dropbear-2020.81/debian/tests/on-lvm-and-luks
--- dropbear-2020.81/debian/tests/on-lvm-and-luks 2021-01-14 21:14:26.000000000 +0100
+++ dropbear-2020.81/debian/tests/on-lvm-and-luks 2024-01-26 12:00:26.000000000 +0100
@@ -88,12 +88,12 @@
--customize-hook='echo host > "$1/etc/hostname"' \
--customize-hook='echo "127.0.0.1 localhost host" > "$1/etc/hosts"' \
--customize-hook='echo "/dev/vda1 / auto errors=remount-ro 0 1" > "$1/etc/fstab"' \
- unstable debian-unstable-setup.tar
+ bullseye debian-bullseye-setup.tar
# we prepare a second tarball now instead of later inside qemu because
# running mmdebstrap without kvm just wastes cpu cycles
crypt_pkgs="$common_pkgs,mount,console-setup,cryptsetup-initramfs,dropbear-initramfs,grub2"
-mmdebstrap --mode=$MODE --variant=apt --include=$crypt_pkgs unstable debian-unstable-crypt.tar
+mmdebstrap --mode=$MODE --variant=apt --include=$crypt_pkgs bullseye debian-bullseye-crypt.tar
# extlinux config to boot from /dev/vda1 with predictable network interface
# naming and a serial console for logging
@@ -139,13 +139,13 @@
part-disk /dev/sda mbr : \
mkfs ext2 /dev/sda1 : \
mount /dev/sda1 / : \
- tar-in debian-unstable-setup.tar / : \
+ tar-in debian-bullseye-setup.tar / : \
mkdir /root/.ssh : \
upload id_rsa.pub /root/.ssh/authorized_keys : \
chown 0 0 /root/.ssh/authorized_keys : \
copy-in extlinux.conf / : \
copy-in interfaces /etc/network : \
- copy-in debian-unstable-crypt.tar / : \
+ copy-in debian-bullseye-crypt.tar / : \
upload /usr/lib/SYSLINUX/mbr.bin /mbr.bin : \
copy-file-to-device /mbr.bin /dev/sda size:440 : \
rm /mbr.bin : \
@@ -156,7 +156,7 @@
shutdown
# an empty disk image for the crypt system
-fallocate -l 2G crypt.img
+fallocate -l 4G crypt.img
# certain qemu options remain the same for when we run the setup system as well
# as the crypt system
@@ -291,7 +291,7 @@
mkswap /dev/myvg/swap
swapon /dev/myvg/swap
# A volume group for the system
-lvcreate --name root --size 1G myvg
+lvcreate --name root --size 3G myvg
# Create ext4 filesystem on the root volume group and ext2 for /boot
mkfs.ext4 /dev/myvg/root
mkfs.ext2 /dev/vdb2
@@ -305,7 +305,7 @@
mount /dev/myvg/root /mnt
# ...and unpack the tarball we created initially into it
-tar -C /mnt -xf /debian-unstable-crypt.tar
+tar -C /mnt -xf /debian-bullseye-crypt.tar
# Set grub defaults
# The ip option takes care of acquiring an ip address from dhcp for the
@@ -471,6 +471,6 @@
trap - EXIT
# remove all temporary files
-for f in crypt.img setup.img debian-unstable-setup.tar debian-unstable-crypt.tar extlinux.conf id_rsa id_rsa.pub interfaces qemu1.log qemu2.log; do
+for f in crypt.img setup.img debian-bullseye-setup.tar debian-bullseye-crypt.tar extlinux.conf id_rsa id_rsa.pub interfaces qemu1.log qemu2.log; do
rm "$f"
done
Attachment:
signature.asc
Description: PGP signature