now qemu and ssh use local configurations

cbox-build.sh

@@ -41,23 +41,25 @@ CONFIG="dfs.cbox.conf"
 # the build directory (will be ERASED without warning)
 BUILDDIR="_builddir/cd1"
 # image directory created by dfsbuild
-IMAGEDIR_ORIG="$BUILDDIR/image"
+IMAGE_DIR_ORIG="$BUILDDIR/image"
 # a working copy of the image directory
-IMAGEDIR="$BUILDDIR/image-working"
+IMAGE_DIR="$BUILDDIR/image-working"
 # template directory for cryptobox specific configuration
-TEMPLATEDIR="cryptobox.conf.d"
+TEMPLATE_DIR="cryptobox.conf.d"
 # the iso image
-IMAGEFILE="$BUILDDIR/cryptobox.iso"
+IMAGE_FILE="$BUILDDIR/cryptobox.iso"
 # temporary directory
-TMPDIR="/tmp/`basename $0`-$$"
+TMP_DIR="/tmp/`basename $0`-$$"
 HD_IMAGE="/tmp/`basename $0`-testplatte.img"
 # mkisofs options (the option "-U" is not clean, but it prevents long filenames from getting mapped)
 MKISOFS_OPTIONS="-allow-multidot -U -D -iso-level 3 -b boot/grub/stage2_eltorito -no-emul-boot -boot-load-size 1 -boot-info-table -pad -R"
 CHROOTSTART="/usr/lib/cryptobox/chroot-start.sh"
 CDWRITER="0,0,0"
+LOCALCONF_DIR=local.conf.d
 # for development diffs and merges from a running cryptobox
-REMOTE_COMMAND="ssh -l root `cat \"$TEMPLATEDIR/usr/share/cryptobox/defaults/ip\"` /usr/lib/cryptobox/devel-features.sh"
+SSH_CONFIG_FILE="$LOCALCONF_DIR/ssh-options"
-REMOTE_COPY_DEST="root@`cat \"$TEMPLATEDIR/usr/share/cryptobox/defaults/ip\"`:/tmp/mirror/"
+SSH_HOST=cryptobox
+REMOTE_COMMAND="/usr/lib/cryptobox/devel-features.sh"
 
 
 
@@ -71,63 +73,80 @@ function run_dfsbuild()
 function create_iso()
 {
 	echo "Creating the iso ..."
-	mkisofs $MKISOFS_OPTIONS -o "$IMAGEFILE" "$IMAGEDIR"
+	mkisofs $MKISOFS_OPTIONS -o "$IMAGE_FILE" "$IMAGE_DIR"
 }
 
 
 function qemu_boot()
 {
+	# create a virtual harddisk image file
 	if [ ! -e "$HD_IMAGE" ]
 		then	echo "Creating temporary harddisk image ..."
 			dd if=/dev/zero of="$HD_IMAGE" bs=1M count=20
 	  fi
+	# create default qemu-ifup
+	if [ ! -e "$LOCALCONF_DIR/qemu-ifup" ]
+		then	[ ! -d "$LOCALCONF_DIR" ] && mkdir "$LOCALCONF_DIR"
+			cp "misc/qemu-ifup.default" "$LOCALCONF_DIR/qemu-ifup"
+	  fi
 	echo "Starting qemu ..."
-	qemu -cdrom "$IMAGEFILE" -m 64 -hda "$IMAGEFILE" -boot d -n misc/qemu-ifup || true
+	qemu -cdrom "$IMAGE_FILE" -m 64 -hda "$IMAGE_FILE" -boot d -n "$LOCALCONF_DIR/qemu-ifup" || true
 	# remove iptables rules
-	misc/qemu-ifup stop
+	"$LOCALCONF_DIR/qemu-ifup" stop
 }
 
 
 function init_working_directory()
 {
-	cat /proc/mounts | grep -q "`basename $IMAGEDIR`/proc" && umount "$IMAGEDIR/proc"
+	cat /proc/mounts | grep -q "`basename $IMAGE_DIR`/proc" && umount "$IMAGE_DIR/proc"
-	[ -e "$IMAGEDIR" ] && echo "Removing old image dir ..." && rm -r "$IMAGEDIR"
+	[ -e "$IMAGE_DIR" ] && echo "Removing old image dir ..." && rm -r "$IMAGE_DIR"
 	echo "Copying the dfsbuild-image ..."
-	cp -a "$IMAGEDIR_ORIG" "$IMAGEDIR"
+	cp -a "$IMAGE_DIR_ORIG" "$IMAGE_DIR"
 }
 
 
 function configure_cb()
 {
-	if [ ! -e "$IMAGEDIR" ]; then 
+	if [ ! -e "$IMAGE_DIR" ]; then 
-		echo -e "Directory \"$IMAGEDIR\" not found!"
+		echo -e "Directory \"$IMAGE_DIR\" not found!"
 		echo -e "Did you run \"$0 dfsbuild\"?" 
 		echo -e "Otherwise try \"$0 revert\" to fix this."
 		exit
 	fi
 
 	echo "Copying files into the box ..."
-		[ -e "$TMPDIR" ] && rm -rf "$TMPDIR"
+		[ -e "$TMP_DIR" ] && rm -rf "$TMP_DIR"
-		cp -dr "$TEMPLATEDIR/." "$TMPDIR"
+		cp -dr "$TEMPLATE_DIR/." "$TMP_DIR"
-		rm -rf `find "$TMPDIR" -type d -name ".svn"`
+		rm -rf `find "$TMP_DIR" -type d -name ".svn"`
-		cp -dr "$TMPDIR/." "$IMAGEDIR"
+		cp -dr "$TMP_DIR/." "$IMAGE_DIR"
-		rm -rf "$TMPDIR"
+		rm -rf "$TMP_DIR"
 
 	echo "Configuring the cryptobox ..."
 		# "harden" removes /etc/issue ...
-		if [ -e "$IMAGEDIR/etc/issue" ]
+		if [ -e "$IMAGE_DIR/etc/issue" ]
-		  then	sed -i "s/^Version:.*/Revision: $(fetch_revision)/" "$IMAGEDIR/etc/issue"
+		  then	sed -i "s/^Version:.*/Revision: $(fetch_revision)/" "$IMAGE_DIR/etc/issue"
-		  else	echo "Version:.*/Revision: $(fetch_revision)" >"$IMAGEDIR/etc/issue"
+		  else	echo "Version:.*/Revision: $(fetch_revision)" >"$IMAGE_DIR/etc/issue"
 		 fi
-		fetch_revision >"$IMAGEDIR/etc/cryptobox/revision"
+		fetch_revision >"$IMAGE_DIR/etc/cryptobox/revision"
-		chroot "$IMAGEDIR" "$CHROOTSTART" /usr/lib/cryptobox/configure-cryptobox.sh normal
+		chroot "$IMAGE_DIR" "$CHROOTSTART" /usr/lib/cryptobox/configure-cryptobox.sh normal
 }
 
+
 function fetch_revision()
 {
 	svn -R info| grep ^Revision| cut -f2 -d " " | sort | tail -1
 }
 
+
+function check_ssh_defaults()
+{
+	if [ ! -e "$SSH_CONFIG_FILE" ]
+		then	[ ! -d "$LOCALCONF_DIR" ] && mkdir "$LOCALCONF_DIR"
+			cp misc/ssh-options.default "$SSH_CONFIG_FILE"
+	  fi
+}
+
+
 function upload2devel()
 # upload local files to a development cryptobox
 # this is necessary to use an "old" development cd with
@@ -137,18 +156,19 @@ function upload2devel()
 # of course, only the directories that are mapped to tmpfs can
 # be updated this way
 {
+	check_ssh_defaults
 	local DIRS="var/www usr/share/cryptobox usr/lib/cryptobox"
-	[ -e "$TMPDIR" ] || mkdir -p "$TMPDIR"
+	[ -e "$TMP_DIR" ] || mkdir -p "$TMP_DIR"
 	for a in $DIRS
-		do	mkdir -p "$TMPDIR/$a"
+		do	mkdir -p "$TMP_DIR/$a"
-			cp -r "$TEMPLATEDIR/$a/." "$TMPDIR/$a"
+			cp -r "$TEMPLATE_DIR/$a/." "$TMP_DIR/$a"
 	  done
-	find "$TMPDIR" -type d -name '\.svn' | while read a
+	find "$TMP_DIR" -type d -name '\.svn' | while read a
 		do	rm -rf "$a"
 	  done
-	scp -rpq "$TMPDIR/." "$REMOTE_COPY_DEST"
+	scp -F "$SSH_CONFIG_FILE" -rpq "$TMP_DIR/." cryptobox:/tmp/mirror
-	rm -rf "$TMPDIR"
+	rm -rf "$TMP_DIR"
-	$REMOTE_COMMAND set_diff_base
+	ssh -F "$SSH_CONFIG_FILE" $SSH_HOST $REMOTE_COMMAND set_diff_base
 }
  
 
@@ -156,14 +176,14 @@ function merge_from_devel()
 # merge a diff from a running development cryptobox into
 # this working directory
 {
-	cd "$TEMPLATEDIR"
+	check_ssh_defaults
 	echo "Check for collisions ... (dry-run)"
-	if $REMOTE_COMMAND diff | patch --dry-run -p1
+	if ssh -F "$SSH_CONFIG_FILE" $SSH_HOST $REMOTE_COMMAND diff | patch --dry-run -p1 -d "$TEMPLATE_DIR"
 	  then	echo
 	  	echo "Applying diff ..."
-		$REMOTE_COMMAND diff | patch -p1
+		ssh -F "$SSH_CONFIG_FILE" $SSH_HOST $REMOTE_COMMAND diff | patch -p1 -d "$TEMPLATE_DIR"
 		# set the base for the next diff to present state
-		$REMOTE_COMMAND set_diff_base
+		ssh -F "$SSH_CONFIG_FILE" $SSH_HOST $REMOTE_COMMAND set_diff_base
 	  else	echo "Merging will fail - do it manually!"
 	 fi
 }
@@ -172,7 +192,7 @@ function merge_from_devel()
 function blanknburn_cdrw()
 {
 	cdrecord -v dev=$CDWRITER blank=fast
-	cdrecord -v dev=$CDWRITER $IMAGEFILE
+	cdrecord -v dev=$CDWRITER $IMAGE_FILE
 }
 ################ do it! ######################
 
@@ -198,22 +218,23 @@ while [ $# -gt 0 ]
 		;;
 	    diff )
 	    	# get a diff from a running development cryptobox
-		$REMOTE_COMMAND diff
+		check_ssh_defaults
+		ssh -F "$SSH_CONFIG_FILE" $SSH_HOST $REMOTE_COMMAND diff
 		;;
 	    merge )
 	 	merge_from_devel
 		;;
 	    harden )
-		chroot "$IMAGEDIR" "$CHROOTSTART" /usr/lib/cryptobox/configure-cryptobox.sh secure
+		chroot "$IMAGE_DIR" "$CHROOTSTART" /usr/lib/cryptobox/configure-cryptobox.sh secure
 	    	;;
 	    upload )
 	 	upload2devel
 		;;
 	    chroot )
-		if [ ! -x "$IMAGEDIR/$CHROOTSTART" ]
+		if [ ! -x "$IMAGE_DIR/$CHROOTSTART" ]
-		   then	echo "the chroot init script ("$IMAGEDIR/$CHROOTSTART") is not executable"
+		   then	echo "the chroot init script ("$IMAGE_DIR/$CHROOTSTART") is not executable"
 		    	echo "maybe you should run '`basename $0` cb-config' first"
-		   else	chroot "$IMAGEDIR" "$CHROOTSTART"
+		   else	chroot "$IMAGE_DIR" "$CHROOTSTART"
 		  fi
 		;;
 	    burn )

misc/makeCert.sh

@@ -1,92 +0,0 @@
-#!/bin/sh
-set -u
-
-## http://www2.goldfisch.at/knowledge/142 beschreibt's recht gut
-
-
-CA_DIR="CA/"
-# enthaelt das Verzeichnis "demoCA" (siehe unten: CA-Erzeugung)
-
-KEYSIZE=1024
-CONFIG="openssl.conf"
-TIME="365"
-
-TMPREQ="/tmp/mein-apache-cert.req"
-TMPRAN="/tmp/mein-apache-cert.random"
-CSR_FILE=$1.csr
-KEY_FILE1=$1-temp.key
-KEY_FILE2=$1.key
-CRT_FILE=$1.crt
-
-
-if test -z "$1";
-       then    echo "Syntax: $0 ZERTIFIKATS-DATEI [CA-Datei]"
-               echo "  (die Dateienedungen (key, csr, crt) werden automatisch angefuegt)"     
-               exit 1
-  fi
-
-echo "Erzeuge Zufallszahlen ..."
-echo "-----------------------------------------------"
-# erzeugt eine große menge an zufallszahlen abhängig von keysize
-dd if=/dev/urandom of=$TMPRAN bs=$KEYSIZE count=$KEYSIZE || exit 2
-sleep 1
-
-echo -e "\nErzeuge den Schluessel ..."
-echo "-----------------------------------------------"
-openssl genrsa -rand $TMPRAN $KEYSIZE > $KEY_FILE1 || exit 3
-# z.B.: -des3 um Verschluesselung des Zertifikats zu aktivieren
-
-# found that way in http://www.rpatrick.com/tech/makecert/
-openssl rsa -in $KEY_FILE1 -out $KEY_FILE2
-chmod go-rwx $KEY_FILE2
-
-echo -e "\nErzeuge die X509-Informationen ..."
-echo "-----------------------------------------------"
-# wichtige parameter werden aus der config gelesen
-openssl req -new -x509 -key $KEY_FILE2 -config $CONFIG > $TMPREQ || exit 4
-#openssl req -new -x509 -key $KEY_FILE -config $CONFIG > $TMPREQ || exit 4
-chmod go-rwx $TMPREQ
-
-echo -e "\nFuege das Zertifikat zusammen ..."
-echo "-----------------------------------------------"
-cat $TMPREQ $KEY_FILE2 >$CSR_FILE || exit 5
-chmod go-rwx $CSR_FILE
-
-echo -e "\nLoesche temporaere Dateien ..."
-echo "-----------------------------------------------"
-rm $TMPRAN $TMPREQ $KEY_FILE1
-
-echo -e "\nDie Signierungsanforderung $CSR_FILE wurde erzeugt!"
-
-test -e "$CA_DIR" || exit 0
-
-# nun wird per CA zertifiziert ...
-# die CA wird erstmalig durch das Skript CA.sh mit dem Parameter "-newca" erstellt
-
-AKT_DIR=`pwd`
-
-echo -e "\nDiese wird nun von der CA signiert ...\n"
-
-echo "--kopiere"
-cp $CSR_FILE ${CA_DIR}newreq.pem
-
-[ -f newcert.pem ] && rm newcert.pem
-echo "--signiere"
-openssl x509 -x509toreq -in ${CA_DIR}newreq.pem -days $TIME -signkey ${CA_DIR}newreq.pem -out ${CA_DIR}tmp.pem || exit 6
-echo "-signiere"
-openssl ca -config $CONFIG -policy policy_anything -days $TIME -out ${CA_DIR}newcert.pem -infiles ${CA_DIR}tmp.pem || exit 7
-echo "foo"
-[ -f tmp.pem ] && rm tmp.pem && echo "tmp.pem gloescht"
-
-if [ ! -s newcert.pem ];
-	then	echo "Fehler: das neue Zertifikat wurde nicht erstellt!"
-		exit 8
-  fi
-
-rm newreq.pem
-echo $AKT_DIR
-mv newcert.pem ${AKT_DIR}/$CRT_FILE || echo "fehla 9" && exit 9
-cd $AKT_DIR
-rm $CSR_FILE
-
-echo -e "\nFertig!"

misc/ssh-options.default

@@ -0,0 +1,13 @@
+Host cryptobox
+
+# change this part according to your needs
+HostName 192.168.0.23
+Port 22
+
+# this should be valid for everyone
+User root
+CheckHostIP no
+StrictHostKeyChecking no
+
+# nice for frequently changing server key due to a rebuild of the base system
+UserKnownHostsFile /tmp/cryptobox-ssh-known_hosts