Package: release.debian.org Severity: normal Tags: bullseye User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: dropb...@packages.debian.org Control: affects -1 + src:dropbear
[ Reason ] dropbear 2020.81-3 is vulnerable to CVE-2021-36369 and CVE-2023-48795 (terrapin attack). The security team argued these issues didn't warrant a CVE, and suggested to go via s-pu instead. [ Impact ] Bullseye users will remain vulnerable to CVE-2021-36369 and CVE-2023-48795. For the latter, details about what that entails has been discussed on the upstream bug tracker at https://github.com/mkj/dropbear/issues/270 , where one the terrapin finders wrote that | While it is true that not sending server-sig-algs does not prevent the | client from trying SHA2-based RSA signatures, we observed the suggested | behavior (preferring SHA-1 over SHA-2 when server-sig-algs is missing) | in a wide variety of SSH clients. Also, the order of algorithms in | server-sig-algs is used by some clients in case multiple private keys | are present, potentially leading to downgrades as well. | | However, we do not consider this application of the Terrapin attack to | have a significant impact. Instead, our main concern is the combination | of Terrapin with implementation bugs, as seen in AsyncSSH. We evaluated | only a handful of SSH implementations, where one already allowed for | in-session man-in-the-middle attacks. Given the wide variety of SSH | implementations, one can estimate with sufficient probability that other | implementations face similar issues. [ Tests ] I manually checked the updated dropbear SSHd/dbclient against the Terrapin scanner, and also the new -oDisableTrivialAuth=yes option on the client. [ Risks ] Risk is low: all patches come from upstream and applied cleanly. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] * Add option -oDisableTrivialAuth=yes to mitigate CVE-2021-36369. * Implement Strict KEX mode to fix CVE-2023-48795 (terrapin attack). * d/t/on-lvm-and-luks: Target bullseye not sid. * d/t/on-lvm-and-luks: Bump disk image size to 4G as the previous size was too small for bullseye-security updates (kernel etc.). * Salsa CI: Target bullseye and disable lintian job. -- Guilhem.
diffstat for dropbear-2020.81 dropbear-2020.81 changelog | 18 +++ patches/CVE-2021-36369.patch | 182 +++++++++++++++++++++++++++++++++ patches/CVE-2023-48795.patch | 232 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 2 salsa-ci.yml | 8 + tests/on-lvm-and-luks | 16 +- 6 files changed, 448 insertions(+), 10 deletions(-) diff -Nru dropbear-2020.81/debian/changelog dropbear-2020.81/debian/changelog --- dropbear-2020.81/debian/changelog 2021-01-14 21:14:26.000000000 +0100 +++ dropbear-2020.81/debian/changelog 2024-01-26 12:00:26.000000000 +0100 @@ -1,3 +1,21 @@ +dropbear (2020.81-3+deb11u1) bullseye; urgency=medium + + * Fix CVE-2021-36369: Due to a non-RFC-compliant check of the available + authentication methods in the client-side SSH code, it is possible for an + SSH server to change the login process in its favor. + * Fix CVE-2023-48795 (terrapin attack): The SSH transport protocol with + certain OpenSSH extensions allows remote attackers to bypass integrity + checks such that some packets are omitted (from the extension negotiation + message), and a client and server may consequently end up with a + connection for which some security features have been downgraded or + disabled, aka a Terrapin attack. (Closes: #1059001) + * d/t/on-lvm-and-luks: Target bullseye not sid. + * d/t/on-lvm-and-luks: Bump disk image size to 4G as the previous size was + too small for bullseye-security updates (kernel etc.). + * Salsa CI: Target bullseye and disable lintian job. + + -- Guilhem Moulin <guil...@debian.org> Fri, 26 Jan 2024 12:00:26 +0100 + dropbear (2020.81-3) unstable; urgency=medium * Initramfs: Use 10 placeholders in ~root template. diff -Nru dropbear-2020.81/debian/patches/CVE-2021-36369.patch dropbear-2020.81/debian/patches/CVE-2021-36369.patch --- dropbear-2020.81/debian/patches/CVE-2021-36369.patch 1970-01-01 01:00:00.000000000 +0100 +++ dropbear-2020.81/debian/patches/CVE-2021-36369.patch 2024-01-26 12:00:26.000000000 +0100 @@ -0,0 +1,182 @@ +From: Manfred Kaiser <37737811+manfred-kai...@users.noreply.github.com> +Date: Thu, 19 Aug 2021 17:37:14 +0200 +Subject: Added option to disable trivial auth methods + +* added option to disable trivial auth methods + +* rename argument to match with other ssh clients + +* fixed trivial auth detection for pubkeys + +Origin: https://github.com/mkj/dropbear/commit/210a9833496ed2a93b8da93924874938127ce0b5 +Origin: https://github.com/mkj/dropbear/commit/b2b94acc97254c7fffcb375120eea26c42c65292 +Bug: https://github.com/mkj/dropbear/pull/128 +Debian-Bug: https://security-tracker.debian.org/tracker/CVE-2021-36369 +--- + cli-auth.c | 3 +++ + cli-authinteract.c | 1 + + cli-authpasswd.c | 2 +- + cli-authpubkey.c | 1 + + cli-runopts.c | 7 +++++++ + cli-session.c | 1 + + dbclient.1 | 20 +++++++++++++++++++- + runopts.h | 1 + + session.h | 1 + + 9 files changed, 35 insertions(+), 2 deletions(-) + +diff --git a/cli-auth.c b/cli-auth.c +index 2e509e5..6f04495 100644 +--- a/cli-auth.c ++++ b/cli-auth.c +@@ -267,6 +267,9 @@ void recv_msg_userauth_success() { + if DROPBEAR_CLI_IMMEDIATE_AUTH is set */ + + TRACE(("received msg_userauth_success")) ++ if (cli_opts.disable_trivial_auth && cli_ses.is_trivial_auth) { ++ dropbear_exit("trivial authentication not allowed"); ++ } + /* Note: in delayed-zlib mode, setting authdone here + * will enable compression in the transport layer */ + ses.authstate.authdone = 1; +diff --git a/cli-authinteract.c b/cli-authinteract.c +index e1cc9a1..f7128ee 100644 +--- a/cli-authinteract.c ++++ b/cli-authinteract.c +@@ -114,6 +114,7 @@ void recv_msg_userauth_info_request() { + m_free(instruction); + + for (i = 0; i < num_prompts; i++) { ++ cli_ses.is_trivial_auth = 0; + unsigned int response_len = 0; + prompt = buf_getstring(ses.payload, NULL); + cleantext(prompt); +diff --git a/cli-authpasswd.c b/cli-authpasswd.c +index 00fdd8b..a24d43e 100644 +--- a/cli-authpasswd.c ++++ b/cli-authpasswd.c +@@ -155,7 +155,7 @@ void cli_auth_password() { + + encrypt_packet(); + m_burn(password, strlen(password)); +- ++ cli_ses.is_trivial_auth = 0; + TRACE(("leave cli_auth_password")) + } + #endif /* DROPBEAR_CLI_PASSWORD_AUTH */ +diff --git a/cli-authpubkey.c b/cli-authpubkey.c +index 42c4e3f..fa01807 100644 +--- a/cli-authpubkey.c ++++ b/cli-authpubkey.c +@@ -176,6 +176,7 @@ static void send_msg_userauth_pubkey(sign_key *key, enum signature_type sigtype, + buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len); + cli_buf_put_sign(ses.writepayload, key, sigtype, sigbuf); + buf_free(sigbuf); /* Nothing confidential in the buffer */ ++ cli_ses.is_trivial_auth = 0; + } + + encrypt_packet(); +diff --git a/cli-runopts.c b/cli-runopts.c +index 3654b9a..255b47e 100644 +--- a/cli-runopts.c ++++ b/cli-runopts.c +@@ -152,6 +152,7 @@ void cli_getopts(int argc, char ** argv) { + #if DROPBEAR_CLI_ANYTCPFWD + cli_opts.exit_on_fwd_failure = 0; + #endif ++ cli_opts.disable_trivial_auth = 0; + #if DROPBEAR_CLI_LOCALTCPFWD + cli_opts.localfwds = list_new(); + opts.listen_fwd_all = 0; +@@ -889,6 +890,7 @@ static void add_extendedopt(const char* origstr) { + #if DROPBEAR_CLI_ANYTCPFWD + "\tExitOnForwardFailure\n" + #endif ++ "\tDisableTrivialAuth\n" + #ifndef DISABLE_SYSLOG + "\tUseSyslog\n" + #endif +@@ -916,5 +918,10 @@ static void add_extendedopt(const char* origstr) { + return; + } + ++ if (match_extendedopt(&optstr, "DisableTrivialAuth") == DROPBEAR_SUCCESS) { ++ cli_opts.disable_trivial_auth = parse_flag_value(optstr); ++ return; ++ } ++ + dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", origstr); + } +diff --git a/cli-session.c b/cli-session.c +index 5e5af22..afb54a1 100644 +--- a/cli-session.c ++++ b/cli-session.c +@@ -165,6 +165,7 @@ static void cli_session_init(pid_t proxy_cmd_pid) { + /* Auth */ + cli_ses.lastprivkey = NULL; + cli_ses.lastauthtype = 0; ++ cli_ses.is_trivial_auth = 1; + + /* For printing "remote host closed" for the user */ + ses.remoteclosed = cli_remoteclosed; +diff --git a/dbclient.1 b/dbclient.1 +index 1516e7c..0f6828a 100644 +--- a/dbclient.1 ++++ b/dbclient.1 +@@ -94,7 +94,18 @@ is performed at all, this is usually undesirable. + .B \-A + Forward agent connections to the remote host. dbclient will use any + OpenSSH-style agent program if available ($SSH_AUTH_SOCK will be set) for +-public key authentication. Forwarding is only enabled if -A is specified. ++public key authentication. Forwarding is only enabled if \fI-A\fR is specified. ++ ++Beware that a forwarded agent connection will allow the remote server to have ++the same authentication credentials as you have used locally. A compromised ++remote server could use that to log in to other servers. ++ ++In many situations Dropbear's multi-hop mode is a better and more secure alternative ++to agent forwarding, avoiding having to trust the intermediate server. ++ ++If the SSH agent program is set to prompt when a key is used, the ++\fI-o DisableTrivialAuth\fR option can prevent UI confusion. ++ + .TP + .B \-W \fIwindowsize + Specify the per-channel receive window buffer size. Increasing this +@@ -153,6 +164,13 @@ Specifies whether dbclient should terminate the connection if it cannot set up a + .TP + .B UseSyslog + Send dbclient log messages to syslog in addition to stderr. ++.TP ++.B DisableTrivialAuth ++Disallow a server immediately ++giving successful authentication (without presenting any password/pubkey prompt). ++This avoids a UI confusion issue where it may appear that the user is accepting ++a SSH agent prompt from their local machine, but are actually accepting a prompt ++sent immediately by the remote server. + .RE + .TP + .B \-s +diff --git a/runopts.h b/runopts.h +index 6a4a94c..01201d2 100644 +--- a/runopts.h ++++ b/runopts.h +@@ -159,6 +159,7 @@ typedef struct cli_runopts { + #if DROPBEAR_CLI_ANYTCPFWD + int exit_on_fwd_failure; + #endif ++ int disable_trivial_auth; + #if DROPBEAR_CLI_REMOTETCPFWD + m_list * remotefwds; + #endif +diff --git a/session.h b/session.h +index fb5b8cb..6706592 100644 +--- a/session.h ++++ b/session.h +@@ -316,6 +316,7 @@ struct clientsession { + + int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD, + for the last type of auth we tried */ ++ int is_trivial_auth; + int ignore_next_auth_response; + #if DROPBEAR_CLI_INTERACT_AUTH + int auth_interact_failed; /* flag whether interactive auth can still diff -Nru dropbear-2020.81/debian/patches/CVE-2023-48795.patch dropbear-2020.81/debian/patches/CVE-2023-48795.patch --- dropbear-2020.81/debian/patches/CVE-2023-48795.patch 1970-01-01 01:00:00.000000000 +0100 +++ dropbear-2020.81/debian/patches/CVE-2023-48795.patch 2024-01-26 12:00:26.000000000 +0100 @@ -0,0 +1,232 @@ +From: Matt Johnston <m...@ucc.asn.au> +Date: Mon, 20 Nov 2023 14:02:47 +0800 +Subject: Implement Strict KEX mode + +As specified by OpenSSH with kex-strict-c-...@openssh.com and +kex-strict-s-...@openssh.com. + +Origin: https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-48795 +Bug-Debian: https://bugs.debian.org/1059001 +--- + cli-session.c | 11 +++++++++++ + common-algo.c | 6 ++++++ + common-kex.c | 26 +++++++++++++++++++++++++- + kex.h | 3 +++ + process-packet.c | 34 +++++++++++++++++++--------------- + ssh.h | 4 ++++ + svr-session.c | 3 +++ + 7 files changed, 71 insertions(+), 16 deletions(-) + +diff --git a/cli-session.c b/cli-session.c +index afb54a1..a2e4e3f 100644 +--- a/cli-session.c ++++ b/cli-session.c +@@ -46,6 +46,7 @@ static void cli_finished(void) ATTRIB_NORETURN; + static void recv_msg_service_accept(void); + static void cli_session_cleanup(void); + static void recv_msg_global_request_cli(void); ++static void cli_algos_initialise(void); + + struct clientsession cli_ses; /* GLOBAL */ + +@@ -114,6 +115,7 @@ void cli_session(int sock_in, int sock_out, struct dropbear_progress_connection + } + + chaninitialise(cli_chantypes); ++ cli_algos_initialise(); + + /* Set up cli_ses vars */ + cli_session_init(proxy_cmd_pid); +@@ -473,3 +475,12 @@ void cli_dropbear_log(int priority, const char* format, va_list param) { + fflush(stderr); + } + ++static void cli_algos_initialise(void) { ++ algo_type *algo; ++ for (algo = sshkex; algo->name; algo++) { ++ if (strcmp(algo->name, SSH_STRICT_KEX_S) == 0) { ++ algo->usable = 0; ++ } ++ } ++} ++ +diff --git a/common-algo.c b/common-algo.c +index f3961c2..c71b52c 100644 +--- a/common-algo.c ++++ b/common-algo.c +@@ -332,6 +332,12 @@ algo_type sshkex[] = { + /* Set unusable by svr_algos_initialise() */ + {SSH_EXT_INFO_C, 0, NULL, 1, NULL}, + #endif ++#endif ++#if DROPBEAR_CLIENT ++ {SSH_STRICT_KEX_C, 0, NULL, 1, NULL}, ++#endif ++#if DROPBEAR_SERVER ++ {SSH_STRICT_KEX_S, 0, NULL, 1, NULL}, + #endif + {NULL, 0, NULL, 0, NULL} + }; +diff --git a/common-kex.c b/common-kex.c +index 39d916b..e041348 100644 +--- a/common-kex.c ++++ b/common-kex.c +@@ -183,6 +183,10 @@ void send_msg_newkeys() { + gen_new_keys(); + switch_keys(); + ++ if (ses.kexstate.strict_kex) { ++ ses.transseq = 0; ++ } ++ + TRACE(("leave send_msg_newkeys")) + } + +@@ -193,7 +197,11 @@ void recv_msg_newkeys() { + + ses.kexstate.recvnewkeys = 1; + switch_keys(); +- ++ ++ if (ses.kexstate.strict_kex) { ++ ses.recvseq = 0; ++ } ++ + TRACE(("leave recv_msg_newkeys")) + } + +@@ -551,6 +559,10 @@ void recv_msg_kexinit() { + + ses.kexstate.recvkexinit = 1; + ++ if (ses.kexstate.strict_kex && !ses.kexstate.donefirstkex && ses.recvseq != 1) { ++ dropbear_exit("First packet wasn't kexinit"); ++ } ++ + TRACE(("leave recv_msg_kexinit")) + } + +@@ -861,6 +873,18 @@ static void read_kex_algos() { + } + #endif + ++ if (!ses.kexstate.donefirstkex) { ++ const char* strict_name; ++ if (IS_DROPBEAR_CLIENT) { ++ strict_name = SSH_STRICT_KEX_S; ++ } else { ++ strict_name = SSH_STRICT_KEX_C; ++ } ++ if (buf_has_algo(ses.payload, strict_name) == DROPBEAR_SUCCESS) { ++ ses.kexstate.strict_kex = 1; ++ } ++ } ++ + algo = buf_match_algo(ses.payload, sshkex, kexguess2, &goodguess); + allgood &= goodguess; + if (algo == NULL || algo->data == NULL) { +diff --git a/kex.h b/kex.h +index 77cf21a..7fcc3c2 100644 +--- a/kex.h ++++ b/kex.h +@@ -83,6 +83,9 @@ struct KEXState { + + unsigned our_first_follows_matches : 1; + ++ /* Boolean indicating that strict kex mode is in use */ ++ unsigned int strict_kex; ++ + time_t lastkextime; /* time of the last kex */ + unsigned int datatrans; /* data transmitted since last kex */ + unsigned int datarecv; /* data received since last kex */ +diff --git a/process-packet.c b/process-packet.c +index 9454160..133a152 100644 +--- a/process-packet.c ++++ b/process-packet.c +@@ -44,6 +44,7 @@ void process_packet() { + + unsigned char type; + unsigned int i; ++ unsigned int first_strict_kex = ses.kexstate.strict_kex && !ses.kexstate.donefirstkex; + time_t now; + + TRACE2(("enter process_packet")) +@@ -54,22 +55,24 @@ void process_packet() { + now = monotonic_now(); + ses.last_packet_time_keepalive_recv = now; + +- /* These packets we can receive at any time */ +- switch(type) { + +- case SSH_MSG_IGNORE: +- goto out; +- case SSH_MSG_DEBUG: +- goto out; ++ if (type == SSH_MSG_DISCONNECT) { ++ /* Allowed at any time */ ++ dropbear_close("Disconnect received"); ++ } + +- case SSH_MSG_UNIMPLEMENTED: +- /* debugging XXX */ +- TRACE(("SSH_MSG_UNIMPLEMENTED")) +- goto out; +- +- case SSH_MSG_DISCONNECT: +- /* TODO cleanup? */ +- dropbear_close("Disconnect received"); ++ /* These packets may be received at any time, ++ except during first kex with strict kex */ ++ if (!first_strict_kex) { ++ switch(type) { ++ case SSH_MSG_IGNORE: ++ goto out; ++ case SSH_MSG_DEBUG: ++ goto out; ++ case SSH_MSG_UNIMPLEMENTED: ++ TRACE(("SSH_MSG_UNIMPLEMENTED")) ++ goto out; ++ } + } + + /* Ignore these packet types so that keepalives don't interfere with +@@ -98,7 +101,8 @@ void process_packet() { + if (type >= 1 && type <= 49 + && type != SSH_MSG_SERVICE_REQUEST + && type != SSH_MSG_SERVICE_ACCEPT +- && type != SSH_MSG_KEXINIT) ++ && type != SSH_MSG_KEXINIT ++ && !first_strict_kex) + { + TRACE(("unknown allowed packet during kexinit")) + recv_unimplemented(); +diff --git a/ssh.h b/ssh.h +index ee4a960..44acd51 100644 +--- a/ssh.h ++++ b/ssh.h +@@ -100,6 +100,10 @@ + #define SSH_EXT_INFO_C "ext-info-c" + #define SSH_SERVER_SIG_ALGS "server-sig-algs" + ++/* OpenSSH strict KEX feature */ ++#define SSH_STRICT_KEX_S "kex-strict-s-...@openssh.com" ++#define SSH_STRICT_KEX_C "kex-strict-c-...@openssh.com" ++ + /* service types */ + #define SSH_SERVICE_USERAUTH "ssh-userauth" + #define SSH_SERVICE_USERAUTH_LEN 12 +diff --git a/svr-session.c b/svr-session.c +index 6c3147f..ca2178c 100644 +--- a/svr-session.c ++++ b/svr-session.c +@@ -342,6 +342,9 @@ static void svr_algos_initialise(void) { + algo->usable = 0; + } + #endif ++ if (strcmp(algo->name, SSH_STRICT_KEX_C) == 0) { ++ algo->usable = 0; ++ } + } + } + diff -Nru dropbear-2020.81/debian/patches/series dropbear-2020.81/debian/patches/series --- dropbear-2020.81/debian/patches/series 2021-01-14 21:14:26.000000000 +0100 +++ dropbear-2020.81/debian/patches/series 2024-01-26 12:00:26.000000000 +0100 @@ -1 +1,3 @@ local-options.patch +CVE-2021-36369.patch +CVE-2023-48795.patch diff -Nru dropbear-2020.81/debian/salsa-ci.yml dropbear-2020.81/debian/salsa-ci.yml --- dropbear-2020.81/debian/salsa-ci.yml 2021-01-14 21:14:26.000000000 +0100 +++ dropbear-2020.81/debian/salsa-ci.yml 2024-01-26 12:00:26.000000000 +0100 @@ -1,4 +1,8 @@ --- include: - - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml - - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml + +variables: + RELEASE: 'bullseye' + SALSA_CI_DISABLE_REPROTEST: 1 + SALSA_CI_DISABLE_LINTIAN: 1 diff -Nru dropbear-2020.81/debian/tests/on-lvm-and-luks dropbear-2020.81/debian/tests/on-lvm-and-luks --- dropbear-2020.81/debian/tests/on-lvm-and-luks 2021-01-14 21:14:26.000000000 +0100 +++ dropbear-2020.81/debian/tests/on-lvm-and-luks 2024-01-26 12:00:26.000000000 +0100 @@ -88,12 +88,12 @@ --customize-hook='echo host > "$1/etc/hostname"' \ --customize-hook='echo "127.0.0.1 localhost host" > "$1/etc/hosts"' \ --customize-hook='echo "/dev/vda1 / auto errors=remount-ro 0 1" > "$1/etc/fstab"' \ - unstable debian-unstable-setup.tar + bullseye debian-bullseye-setup.tar # we prepare a second tarball now instead of later inside qemu because # running mmdebstrap without kvm just wastes cpu cycles crypt_pkgs="$common_pkgs,mount,console-setup,cryptsetup-initramfs,dropbear-initramfs,grub2" -mmdebstrap --mode=$MODE --variant=apt --include=$crypt_pkgs unstable debian-unstable-crypt.tar +mmdebstrap --mode=$MODE --variant=apt --include=$crypt_pkgs bullseye debian-bullseye-crypt.tar # extlinux config to boot from /dev/vda1 with predictable network interface # naming and a serial console for logging @@ -139,13 +139,13 @@ part-disk /dev/sda mbr : \ mkfs ext2 /dev/sda1 : \ mount /dev/sda1 / : \ - tar-in debian-unstable-setup.tar / : \ + tar-in debian-bullseye-setup.tar / : \ mkdir /root/.ssh : \ upload id_rsa.pub /root/.ssh/authorized_keys : \ chown 0 0 /root/.ssh/authorized_keys : \ copy-in extlinux.conf / : \ copy-in interfaces /etc/network : \ - copy-in debian-unstable-crypt.tar / : \ + copy-in debian-bullseye-crypt.tar / : \ upload /usr/lib/SYSLINUX/mbr.bin /mbr.bin : \ copy-file-to-device /mbr.bin /dev/sda size:440 : \ rm /mbr.bin : \ @@ -156,7 +156,7 @@ shutdown # an empty disk image for the crypt system -fallocate -l 2G crypt.img +fallocate -l 4G crypt.img # certain qemu options remain the same for when we run the setup system as well # as the crypt system @@ -291,7 +291,7 @@ mkswap /dev/myvg/swap swapon /dev/myvg/swap # A volume group for the system -lvcreate --name root --size 1G myvg +lvcreate --name root --size 3G myvg # Create ext4 filesystem on the root volume group and ext2 for /boot mkfs.ext4 /dev/myvg/root mkfs.ext2 /dev/vdb2 @@ -305,7 +305,7 @@ mount /dev/myvg/root /mnt # ...and unpack the tarball we created initially into it -tar -C /mnt -xf /debian-unstable-crypt.tar +tar -C /mnt -xf /debian-bullseye-crypt.tar # Set grub defaults # The ip option takes care of acquiring an ip address from dhcp for the @@ -471,6 +471,6 @@ trap - EXIT # remove all temporary files -for f in crypt.img setup.img debian-unstable-setup.tar debian-unstable-crypt.tar extlinux.conf id_rsa id_rsa.pub interfaces qemu1.log qemu2.log; do +for f in crypt.img setup.img debian-bullseye-setup.tar debian-bullseye-crypt.tar extlinux.conf id_rsa id_rsa.pub interfaces qemu1.log qemu2.log; do rm "$f" done
signature.asc
Description: PGP signature
