feat(luks_ssh): Update with latest upstream changes

This includes a MOTD and some small adjustments for Fedora etc.

See a35fbc1ec4

roles/luks_ssh/files/module-setup.sh

@@ -12,10 +12,7 @@ check() {
 
 # called by dracut
 depends() {
-    # If systemd-networkd runs on the system, use it.
-    if systemctl -q is-active systemd-networkd; then
-        echo systemd-networkd
-    fi
+    return 0
 }
 
 # called by dracut
@@ -40,6 +37,7 @@ install() {
         return 1
     fi
 
+    # Modified to match the ansible install path used in tasks/main.yml
     authorized_keys="${moddir}/authorized_keys"
     #if [ -e /root/.ssh/dracut_authorized_keys ]; then
     #    authorized_keys=/root/.ssh/dracut_authorized_keys
@@ -66,22 +64,25 @@ install() {
     inst_simple "${moddir}/sshd.service" "$systemdsystemunitdir/sshd.service"
     inst_simple "${moddir}/sshd_config" /etc/ssh/sshd_config
 
-    grep '^sshd:' /etc/passwd >> "$initdir/etc/passwd"
-    grep '^sshd:' /etc/group  >> "$initdir/etc/group"
+    { grep '^sshd:' $dracutsysrootdir/etc/passwd || echo 'sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin'; } >> "$initdir/etc/passwd"
+    { grep '^sshd:' $dracutsysrootdir/etc/group  || echo 'sshd:x:74:'; } >> "$initdir/etc/group"
 
-    # Create privilege seperation directory
-    # /var/empty/sshd  -> Fedora, CentOS, RHEL
-    # /var/emtpy       -> Arch, OpenSSH upstream
-    # /var/lib/empty   -> Suse
-    # /run/sshd        -> Debian
-    # /var/chroot/ssh  -> Void Linux
+    # Create privilege separation directory
+    # /var/empty/sshd       -> Fedora, CentOS, RHEL
+    # /usr/share/empty.sshd -> Fedora >= 34
+    # /var/emtpy            -> Arch, OpenSSH upstream
+    # /var/lib/empty        -> Suse
+    # /var/chroot/ssh       -> Void Linux
     local d
-    for d in /var/empty/sshd /var/empty /var/lib/empty /run/sshd /var/chroot/ssh ; do
+    for d in /var/empty/sshd /usr/share/empty.sshd /var/empty /var/lib/empty /var/chroot/ssh ; do
         if [ -d "$d" ]; then
             mkdir -p -m 0755 "$initdir$d"
-            break
         fi
     done
+    # workaround for Silverblue (in general for ostree based os)
+    if grep ^OSTREE_VERSION= /etc/os-release > /dev/null; then
+        mkdir -p -m 0755 "$initdir/var/empty/sshd"
+    fi
 
     systemctl -q --root "$initdir" enable sshd
 
@@ -93,6 +94,8 @@ install() {
     mkdir -p -m 0755 "$initdir/var/log"
     touch "$initdir/var/log/lastlog"
 
+    inst_simple "${moddir}/motd" /etc/motd
+    inst_simple "${moddir}/profile" /root/.profile
+
     return 0
 }
-

roles/luks_ssh/files/motd

@@ -0,0 +1,8 @@
+Welcome to the early boot SSH environment. You may type
+
+    systemd-tty-ask-password-agent
+
+(or press "arrow up") to unlock your disks.
+
+This shell will terminate automatically a few seconds after the
+unlocking process has succeeded and when the boot proceeds.

roles/luks_ssh/files/profile

@@ -0,0 +1,7 @@
+if [ -n "$SSH_TTY" ]; then
+    export PS1='initramfs-ssh:${PWD}# '
+fi
+
+if [ -n "$TERM" ]; then
+    export TERM=vt220
+fi

roles/luks_ssh/files/sshd.service

@@ -28,5 +28,9 @@ KillMode=process
 Restart=on-failure
 RestartSec=42s
 
+# Create privilege separation directory /run/sshd for Debian/Ubuntu
+RuntimeDirectory=sshd
+RuntimeDirectoryMode=0755
+
 [Install]
 WantedBy=sysinit.target

roles/luks_ssh/tasks/main.yml

@@ -66,6 +66,8 @@
   become: true
   with_items:
     - "sshd.service"
+    - "profile"
+    - "motd"
   notify: Regenerate dracut
 
 - name: Copy templated module files
@@ -129,7 +131,7 @@
     masked: true
   become: true
   when:
-    - ansible_os_family == "RedHat" and not ansible_distribution == "Rocky"
+    - ansible_os_family == "RedHat" and ansible_distribution == "CentOS"
     - luks_ssh_disable_state_import
 
 - name: Disable import-state service, so that it doesn not overwrite ifcfg scripts.

roles/luks_ssh/templates/sshd_config

@@ -4,7 +4,6 @@ AuthorizedKeysFile              .ssh/authorized_keys
 AuthenticationMethods           publickey
 UsePAM                          no
 X11Forwarding                   no
-ForceCommand                    systemd-tty-ask-password-agent
 Port                            {{ luks_ssh_port }}
 
 AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES