#!/bin/sh
# Abort the maintainer script as soon as a command fails without being
# handled (commands guarded with "|| true" below are exempt).
set -e
# Load the debconf shell library. It provides the db_get and db_reset
# helpers used below; db_get leaves its answer in $RET.
. /usr/share/debconf/confmodule
# File holding the crypted hash of the nuke password. It is created with
# mode 600 by store_password_hash and deleted by the "remove" action.
password_hash_path="/etc/cryptsetup-nuke-password/password_hash"
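# Print the nuke password held in the debconf database.
#
# Reads cryptsetup-nuke-password/password and
# cryptsetup-nuke-password/password-again through db_get (answers arrive
# in $RET). A failing db_get is tolerated ("|| true").
#
# Outputs: the password on stdout, byte for byte and without a trailing
#          newline; nothing at all when the two answers differ.
# Returns: 0 in both cases. The caller treats empty output as "no password".
get_nuke_password() {
    local NUKE_PASS NUKE_PASS_CONFIRMATION

    db_get cryptsetup-nuke-password/password || true
    NUKE_PASS="$RET"
    db_get cryptsetup-nuke-password/password-again || true
    NUKE_PASS_CONFIRMATION="$RET"

    # Mismatching confirmation: emit nothing so no hash gets stored.
    if [ "$NUKE_PASS" != "$NUKE_PASS_CONFIRMATION" ]; then
        return 0
    fi

    # printf '%s' instead of "echo -n": depending on the shell, echo
    # interprets backslash sequences or treats a value such as "-e" as an
    # option. Either would make the stored hash belong to a different
    # string than the one the user typed.
    printf '%s' "$NUKE_PASS"
}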
# Informational message helper.
#
# Arguments: $1 - message text
# Outputs:   the message via echo, but only when DEBCONF_RECONFIGURE is
#            non-empty; otherwise the message is dropped.
# Returns:   0 when nothing is printed.
log() {
    # Nothing to say unless DEBCONF_RECONFIGURE is set.
    [ -n "$DEBCONF_RECONFIGURE" ] || return 0
    echo "$1"
}
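# Hash the nuke password from debconf and store it in $password_hash_path.
#
# Globals:  password_hash_path (read)
# Outputs:  an INFO line when a hash is stored; otherwise messages via log
# Effects:  creates the parent directory, writes the hash file with mode
#           600, then resets both password questions in debconf.
#
# When get_nuke_password yields nothing (no password, or the confirmation
# did not match) the existing hash file, if any, is left untouched.
store_password_hash() {
    local password

    # Declaration and assignment are kept apart and the substitution is
    # quoted: some /bin/sh implementations word-split an unquoted
    # "local var=$(...)", which would break passwords containing spaces.
    # A failure to read the password is treated like "no password".
    password="$(get_nuke_password)" || password=""

    if [ -z "$password" ]; then
        if [ -e "$password_hash_path" ]; then
            log "INFO: Keeping current nuke password."
        else
            log "INFO: No nuke password found in debconf's database, nothing to configure."
            log "INFO: Try 'dpkg-reconfigure cryptsetup-nuke-password' to set a nuke password."
        fi
        return 0
    fi

    echo "INFO: Storing the nuke password's crypted hash in $password_hash_path"
    mkdir -p "$(dirname "$password_hash_path")"

    # Create (or truncate) the file and restrict it to its owner before
    # the hash is written, so the hash never sits in a more permissive
    # file.
    : >"$password_hash_path"
    chmod 600 "$password_hash_path"

    # The password goes to the helper on stdin, not on its command line.
    # printf '%s\n' passes it unmodified plus one newline; echo could
    # rewrite backslash sequences or swallow a leading option-like value,
    # producing a hash for a different string.
    printf '%s\n' "$password" \
        | /usr/lib/cryptsetup-nuke-password/crypt --generate >"$password_hash_path"

    # Drop the password from the debconf database for extra safety
    db_reset cryptsetup-nuke-password/password || true
    db_reset cryptsetup-nuke-password/password-again || true
}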
# Request an initramfs rebuild through dpkg's trigger mechanism.
#
# A regular postinst run already fires this trigger via the "triggers"
# file that dh_installinitramfs generates. Firing it a second time is
# harmless, and doing it here guarantees the rebuild also happens when
# the postinst is invoked by dpkg-reconfigure.
update_initramfs() {
    dpkg-trigger --no-await update-initramfs
}
# Apply the action the administrator selected in debconf.
#
# Globals:  password_hash_path (read), what (written: the selected action)
# Reads:    cryptsetup-nuke-password/already-configured, whose handled
#           values are keep, remove and overwrite.
# Outputs:  INFO lines on stdout; a WARNING on stderr for any other value.
configure_nuke_password() {
    # If dpkg still reports a diverted name for /lib/cryptsetup/askpass,
    # remove this package's diversion of it.
    if [ "$(dpkg-divert --truename /lib/cryptsetup/askpass)" != /lib/cryptsetup/askpass ]; then
        dpkg-divert --no-rename --package cryptsetup-nuke-password \
            --divert /lib/cryptsetup/askpass.cryptsetup.usr-is-merged \
            --remove /lib/cryptsetup/askpass
    fi

    db_get cryptsetup-nuke-password/already-configured || true
    what="$RET"

    case "$what" in
        overwrite)
            # New password: store its hash, then rebuild the initramfs.
            store_password_hash
            update_initramfs
            ;;
        remove)
            # Delete the stored hash (if any) and rebuild the initramfs.
            if [ -e "$password_hash_path" ]; then
                echo "INFO: Removing current nuke password."
                rm -f "$password_hash_path"
            fi
            update_initramfs
            ;;
        keep)
            # Existing setup stays as it is; only report it.
            if [ -e "$password_hash_path" ]; then
                log "INFO: Keeping current nuke password."
            fi
            ;;
        *)
            echo "WARNING: unexpected value in debconf's cryptsetup-nuke-password/already-configured: '$what'" >&2
            ;;
    esac

    # Put the question back to its default for the next reconfiguration.
    db_reset cryptsetup-nuke-password/already-configured || true
}
# Entry point: only the "configure" invocation of the maintainer script
# does any work; every other first argument is ignored.
if [ "$1" = "configure" ]; then
    configure_nuke_password
fi
#DEBHELPER#