fix: Switch to space-separated sources.conf format

- Change from colon to space separation to avoid URL parsing issues
- Update sources.conf format: TYPE NAME URL VERSION BUILD_FUNCTION [EXTRA]
- Implement awk-based parsing for reliable field extraction
- Fix firmware package list (remove unavailable linux-firmware-marvell)
2025-08-31 13:26:05 +02:00
parent e8d0d486d8
commit ed98e24503
1103 changed files with 332715 additions and 48 deletions


@@ -0,0 +1 @@
3.22.0

1
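--- a/initramfs/etc/apk/arch
+++ b/initramfs/etc/apk/arch
@@ -0,0 +1 @@
+x86_64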


@@ -0,0 +1,9 @@
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1yHJxQgsHQREclQu4Ohe
qxTxd1tHcNnvnQTu/UrTky8wWvgXT+jpveroeWWnzmsYlDI93eLI2ORakxb3gA2O
Q0Ry4ws8vhaxLQGC74uQR5+/yYrLuTKydFzuPaS1dK19qJPXB8GMdmFOijnXX4SA
jixuHLe1WW7kZVtjL7nufvpXkWBGjsfrvskdNA/5MfxAeBbqPgaq0QMEfxMAn6/R
L5kNepi/Vr4S39Xvf2DzWkTLEK8pcnjNkt9/aafhWqFVW7m3HCAII6h/qlQNQKSo
GuH34Q8GsFG30izUENV9avY7hSLq7nggsvknlNBZtFUcmGoQrtx3FmyYsIC8/R+B
ywIDAQAB
-----END PUBLIC KEY-----
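Review bot: The PEM public keys added in this section and the four key sections that follow carry no recorded provenance in the commit, yet they are what apk will trust when verifying every package fetched from the repositories listed later in this commit. A short README next to the keys, or a build-time check that these files byte-match the ones shipped by the alpine-keys package (already in the world list), would let a reviewer confirm the trust roots were copied unmodified. The file paths are not visible on this rendered page, so their location under /etc/apk/keys is inferred from the PEM content and the neighbouring /etc/apk files.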


@@ -0,0 +1,9 @@
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvNijDxJ8kloskKQpJdx+
mTMVFFUGDoDCbulnhZMJoKNkSuZOzBoFC94omYPtxnIcBdWBGnrm6ncbKRlR+6oy
DO0W7c44uHKCFGFqBhDasdI4RCYP+fcIX/lyMh6MLbOxqS22TwSLhCVjTyJeeH7K
aA7vqk+QSsF4TGbYzQDDpg7+6aAcNzg6InNePaywA6hbT0JXbxnDWsB+2/LLSF2G
mnhJlJrWB1WGjkz23ONIWk85W4S0XB/ewDefd4Ly/zyIciastA7Zqnh7p3Ody6Q0
sS2MJzo7p3os1smGjUF158s6m/JbVh4DN6YIsxwl2OjDOz9R0OycfJSDaBVIGZzg
cQIDAQAB
-----END PUBLIC KEY-----


@@ -0,0 +1,9 @@
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwlzMkl7b5PBdfMzGdCT0
cGloRr5xGgVmsdq5EtJvFkFAiN8Ac9MCFy/vAFmS8/7ZaGOXoCDWbYVLTLOO2qtX
yHRl+7fJVh2N6qrDDFPmdgCi8NaE+3rITWXGrrQ1spJ0B6HIzTDNEjRKnD4xyg4j
g01FMcJTU6E+V2JBY45CKN9dWr1JDM/nei/Pf0byBJlMp/mSSfjodykmz4Oe13xB
Ca1WTwgFykKYthoLGYrmo+LKIGpMoeEbY1kuUe04UiDe47l6Oggwnl+8XD1MeRWY
sWgj8sF4dTcSfCMavK4zHRFFQbGp/YFJ/Ww6U9lA3Vq0wyEI6MCMQnoSMFwrbgZw
wwIDAQAB
-----END PUBLIC KEY-----


@@ -0,0 +1,14 @@
-----BEGIN PUBLIC KEY-----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-----END PUBLIC KEY-----


@@ -0,0 +1,14 @@
-----BEGIN PUBLIC KEY-----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-----END PUBLIC KEY-----


@@ -0,0 +1,2 @@
https://dl-cdn.alpinelinux.org/alpine/v3.22/main
https://dl-cdn.alpinelinux.org/alpine/v3.22/community

30
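--- a/initramfs/etc/apk/world
+++ b/initramfs/etc/apk/world
@@ -0,0 +1,30 @@
+alpine-baselayout
+alpine-keys
+alpine-release
+apk-tools
+bmon
+btrfs-progs
+busybox
+dhcpcd
+dosfstools
+ethtool
+eudev
+eudev-hwids
+eudev-libs
+eudev-netifnames
+haveged
+iproute2
+kmod
+libc-utils
+linux-firmware-bnx2
+linux-firmware-e100
+linux-firmware-intel
+linux-firmware-mellanox
+linux-firmware-qlogic
+linux-firmware-realtek
+musl
+openssh-server
+tcpdump
+util-linux
+zellij
+zlib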
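Review bot: openssh-server is part of the initramfs world list, but no sshd_config or authorized_keys file appears anywhere in this commit, so if the daemon is started from the early-boot image it would presumably run with the package defaults. Confirm whether sshd is meant to run from the initramfs at all; if it is, ship an explicit sshd_config alongside this list so the listening policy is reviewable rather than implicit. The commit message only mentions the linux-firmware-marvell removal, so the remaining entries may simply be carried over from the previous format.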


@@ -0,0 +1,304 @@
usr/bin/[
usr/bin/[[
sbin/acpid
usr/sbin/add-shell
usr/sbin/addgroup
usr/sbin/adduser
sbin/adjtimex
bin/arch
sbin/arp
usr/sbin/arping
bin/ash
usr/bin/awk
bin/base64
usr/bin/basename
bin/bbconfig
usr/bin/bc
usr/bin/beep
usr/bin/blkdiscard
sbin/blkid
sbin/blockdev
usr/sbin/brctl
usr/bin/bunzip2
usr/bin/bzcat
usr/bin/bzip2
usr/bin/cal
bin/cat
bin/chattr
bin/chgrp
bin/chmod
bin/chown
usr/sbin/chpasswd
usr/sbin/chroot
usr/bin/chvt
usr/bin/cksum
usr/bin/clear
usr/bin/cmp
usr/bin/comm
bin/cp
usr/bin/cpio
usr/sbin/crond
usr/bin/crontab
usr/bin/cryptpw
usr/bin/cut
bin/date
usr/bin/dc
bin/dd
usr/bin/deallocvt
usr/sbin/delgroup
usr/sbin/deluser
sbin/depmod
bin/df
usr/bin/diff
usr/bin/dirname
bin/dmesg
bin/dnsdomainname
usr/bin/dos2unix
usr/bin/du
bin/dumpkmap
bin/echo
bin/egrep
usr/bin/eject
usr/bin/env
usr/sbin/ether-wake
usr/bin/expand
usr/bin/expr
usr/bin/factor
usr/bin/fallocate
bin/false
bin/fatattr
usr/sbin/fbset
sbin/fbsplash
bin/fdflush
sbin/fdisk
bin/fgrep
usr/bin/find
sbin/findfs
usr/bin/flock
usr/bin/fold
usr/bin/free
sbin/fsck
sbin/fstrim
bin/fsync
usr/bin/fuser
bin/getopt
sbin/getty
bin/grep
usr/bin/groups
bin/gunzip
bin/gzip
sbin/halt
usr/bin/hd
usr/bin/head
usr/bin/hexdump
usr/bin/hostid
bin/hostname
sbin/hwclock
usr/bin/id
sbin/ifconfig
sbin/ifdown
sbin/ifenslave
sbin/ifup
sbin/init
sbin/inotifyd
sbin/insmod
usr/bin/install
bin/ionice
bin/iostat
sbin/ip
sbin/ipaddr
bin/ipcalc
usr/bin/ipcrm
usr/bin/ipcs
sbin/iplink
sbin/ipneigh
sbin/iproute
sbin/iprule
sbin/iptunnel
bin/kbd_mode
bin/kill
usr/bin/killall
usr/sbin/killall5
sbin/klogd
usr/bin/last
usr/bin/less
bin/link
bin/linux32
bin/linux64
bin/ln
usr/sbin/loadfont
sbin/loadkmap
usr/bin/logger
bin/login
sbin/logread
sbin/losetup
bin/ls
bin/lsattr
sbin/lsmod
usr/bin/lsof
usr/bin/lsusb
usr/bin/lzcat
usr/bin/lzma
bin/lzop
usr/bin/lzopcat
bin/makemime
usr/bin/md5sum
sbin/mdev
usr/bin/mesg
usr/bin/microcom
bin/mkdir
sbin/mkdosfs
usr/bin/mkfifo
sbin/mkfs.vfat
bin/mknod
usr/bin/mkpasswd
sbin/mkswap
bin/mktemp
sbin/modinfo
sbin/modprobe
bin/more
bin/mount
bin/mountpoint
bin/mpstat
bin/mv
sbin/nameif
usr/sbin/nanddump
usr/sbin/nandwrite
usr/sbin/nbd-client
usr/bin/nc
bin/netstat
bin/nice
usr/bin/nl
usr/bin/nmeter
usr/bin/nohup
sbin/nologin
usr/bin/nproc
usr/bin/nsenter
usr/bin/nslookup
usr/sbin/ntpd
usr/bin/od
usr/bin/openvt
usr/sbin/partprobe
usr/bin/passwd
usr/bin/paste
usr/bin/pgrep
bin/pidof
bin/ping
bin/ping6
bin/pipe_progress
sbin/pivot_root
usr/bin/pkill
usr/bin/pmap
sbin/poweroff
bin/printenv
usr/bin/printf
bin/ps
usr/bin/pscan
usr/bin/pstree
bin/pwd
usr/bin/pwdx
sbin/raidautorun
usr/sbin/rdate
usr/sbin/rdev
usr/sbin/readahead
usr/bin/readlink
usr/bin/realpath
sbin/reboot
bin/reformime
usr/sbin/remove-shell
usr/bin/renice
usr/bin/reset
usr/bin/resize
bin/rev
usr/sbin/rfkill
bin/rm
bin/rmdir
sbin/rmmod
sbin/route
bin/run-parts
bin/sed
usr/sbin/sendmail
usr/bin/seq
sbin/setconsole
usr/sbin/setfont
usr/bin/setkeycodes
usr/sbin/setlogcons
bin/setpriv
bin/setserial
usr/bin/setsid
bin/sh
usr/bin/sha1sum
usr/bin/sha256sum
usr/bin/sha3sum
usr/bin/sha512sum
usr/bin/showkey
usr/bin/shred
usr/bin/shuf
sbin/slattach
bin/sleep
usr/bin/sort
usr/bin/split
bin/stat
usr/bin/strings
bin/stty
bin/su
usr/bin/sum
sbin/swapoff
sbin/swapon
sbin/switch_root
bin/sync
sbin/sysctl
sbin/syslogd
usr/bin/tac
usr/bin/tail
bin/tar
usr/bin/tee
usr/bin/test
usr/bin/time
usr/bin/timeout
usr/bin/top
bin/touch
usr/bin/tr
usr/bin/traceroute
usr/bin/traceroute6
usr/bin/tree
bin/true
usr/bin/truncate
usr/bin/tty
usr/bin/ttysize
sbin/tunctl
sbin/udhcpc
usr/bin/udhcpc6
bin/umount
bin/uname
usr/bin/unexpand
usr/bin/uniq
usr/bin/unix2dos
usr/bin/unlink
usr/bin/unlzma
usr/bin/unlzop
usr/bin/unshare
usr/bin/unxz
usr/bin/unzip
usr/bin/uptime
bin/usleep
usr/bin/uudecode
usr/bin/uuencode
sbin/vconfig
usr/bin/vi
usr/bin/vlock
usr/bin/volname
bin/watch
sbin/watchdog
usr/bin/wc
usr/bin/wget
usr/bin/which
usr/bin/who
usr/bin/whoami
usr/bin/whois
usr/bin/xargs
usr/bin/xxd
usr/bin/xzcat
usr/bin/yes
bin/zcat
sbin/zcip


@@ -0,0 +1,8 @@
# do daily/weekly/monthly maintenance
# min hour day month weekday command
*/15 * * * * run-parts /etc/periodic/15min
0 * * * * run-parts /etc/periodic/hourly
0 2 * * * run-parts /etc/periodic/daily
0 3 * * 6 run-parts /etc/periodic/weekly
0 5 1 * * run-parts /etc/periodic/monthly

43
initramfs/etc/dhcpcd.conf Normal file

@@ -0,0 +1,43 @@
# A sample configuration for dhcpcd.
# See dhcpcd.conf(5) for details.
# Allow users of this group to interact with dhcpcd via the control socket.
#controlgroup wheel
# Inform the DHCP server of our hostname for DDNS.
#hostname
# Use the hardware address of the interface for the Client ID.
#clientid
# or
# Use the same DUID + IAID as set in DHCPv6 for DHCPv4 ClientID as per RFC4361.
# Some non-RFC compliant DHCP servers do not reply with this set.
# In this case, comment out duid and enable clientid above.
duid
# Persist interface configuration when dhcpcd exits.
persistent
# vendorclassid is set to blank to avoid sending the default of
# dhcpcd-<version>:<os>:<machine>:<platform>
vendorclassid
# A list of options to request from the DHCP server.
option domain_name_servers, domain_name, domain_search
option classless_static_routes
# Respect the network MTU. This is applied to DHCP routes.
option interface_mtu
# Request a hostname from the network
option host_name
# Most distributions have NTP support.
#option ntp_servers
# A ServerID is required by RFC2131.
require dhcp_server_identifier
# Generate SLAAC address using the Hardware Address of the interface
#slaac hwaddr
# OR generate Stable Private IPv6 Addresses based from the DUID
slaac private


@@ -0,0 +1,5 @@
#
# This file is parsed by pam_env module
#
# Syntax: simple "KEY=VAL" pairs on separate lines
#

2
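--- a/initramfs/etc/fstab
+++ b/initramfs/etc/fstab
@@ -0,0 +1,2 @@
+/dev/cdrom /media/cdrom iso9660 noauto,ro 0 0
+/dev/usbdisk /media/usb vfat noauto,ro 0 0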

35
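--- a/initramfs/etc/group
+++ b/initramfs/etc/group
@@ -0,0 +1,35 @@
+root:x:0:root
+bin:x:1:root,bin,daemon
+daemon:x:2:root,bin,daemon
+sys:x:3:root,bin
+adm:x:4:root,daemon
+tty:x:5:
+disk:x:6:root
+lp:x:7:lp
+kmem:x:9:
+wheel:x:10:root
+floppy:x:11:root
+mail:x:12:mail
+news:x:13:news
+uucp:x:14:uucp
+cron:x:16:cron
+audio:x:18:
+cdrom:x:19:
+dialout:x:20:root
+ftp:x:21:
+sshd:x:22:
+input:x:23:
+tape:x:26:root
+video:x:27:root
+netdev:x:28:
+kvm:x:34:kvm
+games:x:35:
+shadow:x:42:
+www-data:x:82:
+users:x:100:games
+ntp:x:123:
+abuild:x:300:
+utmp:x:406:
+ping:x:999:
+nogroup:x:65533:
+nobody:x:65534: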

1
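--- a/initramfs/etc/hostname
+++ b/initramfs/etc/hostname
@@ -0,0 +1 @@
+zero-os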

2
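--- a/initramfs/etc/hosts
+++ b/initramfs/etc/hosts
@@ -0,0 +1,2 @@
+127.0.0.1 localhost localhost.localdomain
+::1 localhost localhost.localdomain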

23
initramfs/etc/inittab Normal file

@@ -0,0 +1,23 @@
# /etc/inittab
::sysinit:/sbin/openrc sysinit
::sysinit:/sbin/openrc boot
::wait:/sbin/openrc default
# Set up a couple of getty's
tty1::respawn:/sbin/getty 38400 tty1
tty2::respawn:/sbin/getty 38400 tty2
tty3::respawn:/sbin/getty 38400 tty3
tty4::respawn:/sbin/getty 38400 tty4
tty5::respawn:/sbin/getty 38400 tty5
tty6::respawn:/sbin/getty 38400 tty6
# Put a getty on the serial port
#ttyS0::respawn:/sbin/getty -L 115200 ttyS0 vt100
# Stuff to do for the 3-finger salute
::ctrlaltdel:/sbin/reboot
# Stuff to do before rebooting
::shutdown:/sbin/openrc shutdown

3
initramfs/etc/issue Normal file

@@ -0,0 +1,3 @@
Welcome to Alpine Linux 3.22
Kernel \r on \m (\l)


@@ -0,0 +1,45 @@
###############################################################################
#
# ClassID <-> Name Translation Table
#
# This file can be used to assign names to classids for easier reference
# in all libnl tools.
#
# Format:
# <MAJ:> <NAME> # qdisc definition
# <MAJ:MIN> <NAME> # class deifnition
# <NAME:MIN> <NAME> # class definition referencing an
# existing qdisc definition.
#
# Example:
# 1: top # top -> 1:0
# top:1 interactive # interactive -> 1:1
# top:2 www # www -> 1:2
# top:3 bulk # bulk -> 1:3
# 2:1 test_class # test_class -> 2:1
#
# Illegal Example:
# 30:1 classD
# classD:2 invalidClass # classD refers to a class, not a qdisc
#
###############################################################################
# <CLASSID> <NAME>
# Reserved default classids
0:0 none
ffff:ffff root
ffff:fff1 ingress
#
# List your classid definitions here:
#
###############################################################################
# List of auto-generated classids
#
# DO NOT ADD CLASSID DEFINITIONS BELOW THIS LINE
#
# <CLASSID> <NAME>


@@ -0,0 +1,76 @@
#
# Location definitions for packet matching
#
# name alignment offset mask shift
ip.version u8 net+0 0xF0 4
ip.hdrlen u8 net+0 0x0F
ip.diffserv u8 net+1
ip.length u16 net+2
ip.id u16 net+4
ip.flag.res u8 net+6 0xff 7
ip.df u8 net+6 0x40 6
ip.mf u8 net+6 0x20 5
ip.offset u16 net+6 0x1FFF
ip.ttl u8 net+8
ip.proto u8 net+9
ip.chksum u16 net+10
ip.src u32 net+12
ip.dst u32 net+16
# if ip.ihl > 5
ip.opts u32 net+20
#
# IP version 6
#
# name alignment offset mask shift
ip6.version u8 net+0 0xF0 4
ip6.tc u16 net+0 0xFF0 4
ip6.flowlabel u32 net+0 0xFFFFF
ip6.length u16 net+4
ip6.nexthdr u8 net+6
ip6.hoplimit u8 net+7
ip6.src 16 net+8
ip6.dst 16 net+24
#
# Transmission Control Protocol (TCP)
#
# name alignment offset mask shift
tcp.sport u16 tcp+0
tcp.dport u16 tcp+2
tcp.seq u32 tcp+4
tcp.ack u32 tcp+8
# Data offset (4 bits)
tcp.off u8 tcp+12 0xF0 4
# Reserved [0 0 0] (3 bits)
tcp.reserved u8 tcp+12 0x04 1
# ECN [N C E] (3 bits)
tcp.ecn u16 tcp+12 0x01C00 6
# Individual TCP flags (0|1) (6 bits in total)
tcp.flag.urg u8 tcp+13 0x20 5
tcp.flag.ack u8 tcp+13 0x10 4
tcp.flag.psh u8 tcp+13 0x08 3
tcp.flag.rst u8 tcp+13 0x04 2
tcp.flag.syn u8 tcp+13 0x02 1
tcp.flag.fin u8 tcp+13 0x01
tcp.win u16 tcp+14
tcp.csum u16 tcp+16
tcp.urg u16 tcp+18
tcp.opts u32 tcp+20
#
# User Datagram Protocol (UDP)
#
# name alignment offset mask shift
udp.sport u16 tcp+0
udp.dport u16 tcp+2
udp.length u16 tcp+4
udp.csum u16 tcp+6


@@ -0,0 +1,8 @@
/var/log/acpid.log {
missingok
notifempty
sharedscripts
postrotate
/etc/init.d/acpid --quiet --ifstarted restart || true
endscript
}


@@ -0,0 +1,57 @@
# Aliases to tell insmod/modprobe which modules to use
# Uncomment the network protocols you don't want loaded:
# alias net-pf-1 off # Unix
# alias net-pf-2 off # IPv4
# alias net-pf-3 off # Amateur Radio AX.25
# alias net-pf-4 off # IPX
# alias net-pf-5 off # DDP / appletalk
# alias net-pf-6 off # Amateur Radio NET/ROM
# alias net-pf-9 off # X.25
# alias net-pf-10 off # IPv6
# alias net-pf-11 off # ROSE / Amateur Radio X.25 PLP
# alias net-pf-19 off # Acorn Econet
alias char-major-10-175 agpgart
alias char-major-10-200 tun
alias char-major-81 bttv
alias char-major-108 ppp_generic
alias /dev/ppp ppp_generic
alias tty-ldisc-3 ppp_async
alias tty-ldisc-14 ppp_synctty
alias ppp-compress-21 bsd_comp
alias ppp-compress-24 ppp_deflate
alias ppp-compress-26 ppp_deflate
# Crypto modules (see http://www.kerneli.org/)
alias loop-xfer-gen-0 loop_gen
alias loop-xfer-3 loop_fish2
alias loop-xfer-gen-10 loop_gen
alias cipher-2 des
alias cipher-3 fish2
alias cipher-4 blowfish
alias cipher-6 idea
alias cipher-7 serp6f
alias cipher-8 mars6
alias cipher-11 rc62
alias cipher-15 dfc2
alias cipher-16 rijndael
alias cipher-17 rc5
# Support for i2c and lm_sensors
alias char-major-89 i2c-dev
# xfrm
alias xfrm-type-2-4 xfrm4_tunnel
alias xfrm-type-2-50 esp4
alias xfrm-type-2-51 ah4
alias xfrm-type-2-108 ipcomp
alias xfrm-type-10-41 xfrm6_tunnel
alias xfrm-type-10-50 esp6
alias xfrm-type-10-51 ah6
alias xfrm-type-10-108 ipcomp6
alias sha1 sha1-generic
# change to aes-i586 to boost performance
alias aes aes-generic


@@ -0,0 +1,84 @@
#
# Listing a module here prevents the hotplug scripts from loading it.
# Usually that'd be so that some other driver will bind it instead,
# no matter which driver happens to get probed first. Sometimes user
# mode tools can also control driver binding.
# tulip ... de4x5, xircom_tulip_cb, dmfe (...) handle same devices
blacklist de4x5
# At least 2.4.3 and later xircom_tulip doesn't have that conflict
# xircom_tulip_cb
blacklist dmfe
#evbug is a debug tool and should be loaded explicitly
blacklist evbug
# Alternate 8139 driver. Some 8139 cards need this specific driver,
# though...
# blacklist 8139cp
# Ethernet over IEEE1394 module. In too many cases this will load
# when there's no eth1394 device present (just an IEEE1394 port)
blacklist eth1394
# This module causes many Intel motherboards to crash and reboot.
blacklist i8xx-tco
# The kernel lists this as "experimental", but for now it's "broken"
blacklist via-ircc
# ALSA modules to support sound modems. These should be loaded manually
# if needed. For most people they just break sound support...
blacklist snd-atiixp-modem
blacklist snd-intel8x0m
blacklist snd-via82xx-modem
# we don't want use the pc speaker
blacklist snd-pcsp
# Alternative module to Orinoco Wireless Cards.
blacklist hostap
blacklist hostap_cs
# framebuffer drivers
blacklist aty128fb
blacklist atyfb
blacklist radeonfb
blacklist i810fb
blacklist cirrusfb
blacklist intelfb
blacklist kyrofb
blacklist i2c-matroxfb
blacklist hgafb
blacklist nvidiafb
blacklist rivafb
blacklist savagefb
blacklist sstfb
blacklist neofb
blacklist tridentfb
blacklist tdfxfb
blacklist viafb
blacklist virgefb
blacklist vga16fb
blacklist matroxfb_base
blacklist vt8623fb
# blacklist 1394 drivers
blacklist ohci1394
blacklist video1394
blacklist dv1394
# blacklist mISDN dirver by default as we prefer dahdi drivers
blacklist hfcmulti
blacklist hfcpci
blacklist hfcsusb
# blacklist C7 cpu freq. use acpi-cpufreq instead
blacklist e_powersaver
blacklist microcode
# needs init config, not compatible with acpid
# https://gitlab.alpinelinux.org/alpine/aports/-/issues/12999
blacklist tiny_power_button


@@ -0,0 +1,4 @@
alias parport_lowlevel parport_pc
alias char-major-10-144 nvram
alias binfmt-0064 binfmt_aout
alias char-major-10-135 rtc

2
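--- a/initramfs/etc/modules
+++ b/initramfs/etc/modules
@@ -0,0 +1,2 @@
+af_packet
+ipv6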

10
initramfs/etc/motd Normal file

@@ -0,0 +1,10 @@
Welcome to Alpine!
The Alpine Wiki contains a large amount of how-to guides and general
information about administrating Alpine systems.
See <https://wiki.alpinelinux.org/>.
You can setup the system with the command: setup-alpine
You may change this message by editing /etc/motd.

1
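--- a/initramfs/etc/mtab
+++ b/initramfs/etc/mtab
@@ -0,0 +1 @@
+../proc/mounts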


@@ -0,0 +1,16 @@
#!/bin/sh
# Block ifup until DAD completion
# Copyright (c) 2016-2018 Kaarle Ritvanen
has_flag() {
ip address show dev $IFACE up | grep -q " $1 "
}
counter=100
while [ "$counter" -gt 0 ] &&
has_flag tentative &&
! has_flag dadfailed; do
sleep 0.2
counter=$((counter - 1))
done
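Review bot: `$IFACE` is expanded unquoted inside has_flag, so an empty or unset IFACE turns the command into `ip address show dev up`, which fails with a usage error instead of reporting the flag state; quoting it as `ip address show dev "$IFACE" up | grep -q " $1 "` keeps the intent explicit. The loop runs at most 100 iterations of 0.2 s, i.e. a 20 s cap on waiting for DAD, which is worth stating in a comment above `counter=100` since the number alone does not convey it.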


@@ -0,0 +1,5 @@
# musl itself does not support NSS, however some third-party DNS
# implementations use the nsswitch.conf file to determine what
# policy to follow.
# Editing this file is not recommended.
hosts: files dns

1
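--- a/initramfs/etc/os-release
+++ b/initramfs/etc/os-release
@@ -0,0 +1 @@
+../usr/lib/os-release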

17
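--- a/initramfs/etc/passwd
+++ b/initramfs/etc/passwd
@@ -0,0 +1,17 @@
+root:x:0:0:root:/root:/bin/sh
+bin:x:1:1:bin:/bin:/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/sbin/nologin
+lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
+sync:x:5:0:sync:/sbin:/bin/sync
+shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+halt:x:7:0:halt:/sbin:/sbin/halt
+mail:x:8:12:mail:/var/mail:/sbin/nologin
+news:x:9:13:news:/usr/lib/news:/sbin/nologin
+uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
+cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
+ftp:x:21:21::/var/lib/ftp:/sbin/nologin
+sshd:x:22:22:sshd:/dev/null:/sbin/nologin
+games:x:35:35:games:/usr/games:/sbin/nologin
+ntp:x:123:123:NTP:/var/empty:/sbin/nologin
+guest:x:405:100:guest:/dev/null:/sbin/nologin
+nobody:x:65534:65534:nobody:/:/sbin/nologin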

5
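--- a/initramfs/etc/profile
+++ b/initramfs/etc/profile
@@ -0,0 +1,5 @@
+export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+export PS1='\h:\w\$ '
+export HOME=/root
+export TERM=xterm
+umask 022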
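Review bot: `export HOME=/root` on the third line of /etc/profile applies to every login shell, not just root's, so any of the non-root accounts defined in this commit's passwd file that does get a shell would have its HOME redirected into root's directory; `export HOME="${HOME:-/root}"` keeps the fallback while letting login(1) set HOME from passwd. The same applies to `export TERM=xterm`, which clobbers whatever the console or serial getty already negotiated; `export TERM="${TERM:-xterm}"` preserves a valid value and only fills in the default when nothing is set.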


@@ -0,0 +1,3 @@
export CHARSET=${CHARSET:-UTF-8}
export LANG=${LANG:-C.UTF-8}
export LC_COLLATE=${LC_COLLATE:-C}


@@ -0,0 +1,6 @@
This directory should contain shell scripts configuring system-wide
environment on users' shells.
Files with the .sh extension found in this directory are evaluated by
Bourne-compatible shells (like ash, bash or zsh) when started as a
login shell.


@@ -0,0 +1,17 @@
# Setup a red prompt for root and a green one for users.
# Symlink this file to color_prompt.sh to actually enable it.
_normal=$'\e[0m'
if [ "$USER" = root ]; then
_color=$'\e[1;31m'
_symbol='#'
else
_color=$'\e[1;32m'
_symbol='$'
fi
if [ -n "$ZSH_VERSION" ]; then
PS1="%{$_color%}%m [%{$_normal%}%~%{$_color%}]$_symbol %{$_normal%}"
else
PS1="\[$_color\]\h [\[$_normal\]\w\[$_color\]]$_symbol \[$_normal\]"
fi
unset _normal _color _symbol

68
initramfs/etc/protocols Normal file

@@ -0,0 +1,68 @@
# Internet (IP) protocols
#
# Updated from http://www.iana.org/assignments/protocol-numbers and other
# sources.
# New protocols will be added on request if they have been officially
# assigned by IANA and are not historical.
# If you need a huge list of used numbers please install the nmap package.
ip 0 IP # internet protocol, pseudo protocol number
hopopt 0 HOPOPT # IPv6 Hop-by-Hop Option [RFC1883]
icmp 1 ICMP # internet control message protocol
igmp 2 IGMP # Internet Group Management
ggp 3 GGP # gateway-gateway protocol
ipencap 4 IP-ENCAP # IP encapsulated in IP (officially ``IP'')
st 5 ST # ST datagram mode
tcp 6 TCP # transmission control protocol
egp 8 EGP # exterior gateway protocol
igp 9 IGP # any private interior gateway (Cisco)
pup 12 PUP # PARC universal packet protocol
udp 17 UDP # user datagram protocol
hmp 20 HMP # host monitoring protocol
xns-idp 22 XNS-IDP # Xerox NS IDP
rdp 27 RDP # "reliable datagram" protocol
iso-tp4 29 ISO-TP4 # ISO Transport Protocol class 4 [RFC905]
dccp 33 DCCP # Datagram Congestion Control Prot. [RFC4340]
xtp 36 XTP # Xpress Transfer Protocol
ddp 37 DDP # Datagram Delivery Protocol
idpr-cmtp 38 IDPR-CMTP # IDPR Control Message Transport
ipv6 41 IPv6 # Internet Protocol, version 6
ipv6-route 43 IPv6-Route # Routing Header for IPv6
ipv6-frag 44 IPv6-Frag # Fragment Header for IPv6
idrp 45 IDRP # Inter-Domain Routing Protocol
rsvp 46 RSVP # Reservation Protocol
gre 47 GRE # General Routing Encapsulation
esp 50 IPSEC-ESP # Encap Security Payload [RFC2406]
ah 51 IPSEC-AH # Authentication Header [RFC2402]
skip 57 SKIP # SKIP
ipv6-icmp 58 IPv6-ICMP # ICMP for IPv6
ipv6-nonxt 59 IPv6-NoNxt # No Next Header for IPv6
ipv6-opts 60 IPv6-Opts # Destination Options for IPv6
rspf 73 RSPF CPHB # Radio Shortest Path First (officially CPHB)
vmtp 81 VMTP # Versatile Message Transport
eigrp 88 EIGRP # Enhanced Interior Routing Protocol (Cisco)
ospf 89 OSPFIGP # Open Shortest Path First IGP
ax.25 93 AX.25 # AX.25 frames
ipip 94 IPIP # IP-within-IP Encapsulation Protocol
etherip 97 ETHERIP # Ethernet-within-IP Encapsulation [RFC3378]
encap 98 ENCAP # Yet Another IP encapsulation [RFC1241]
# 99 # any private encryption scheme
pim 103 PIM # Protocol Independent Multicast
ipcomp 108 IPCOMP # IP Payload Compression Protocol
vrrp 112 VRRP # Virtual Router Redundancy Protocol [RFC5798]
l2tp 115 L2TP # Layer Two Tunneling Protocol [RFC2661]
isis 124 ISIS # IS-IS over IPv4
sctp 132 SCTP # Stream Control Transmission Protocol
fc 133 FC # Fibre Channel
mobility-header 135 Mobility-Header # Mobility Support for IPv6 [RFC3775]
udplite 136 UDPLite # UDP-Lite [RFC3828]
mpls-in-ip 137 MPLS-in-IP # MPLS-in-IP [RFC4023]
manet 138 # MANET Protocols [RFC5498]
hip 139 HIP # Host Identity Protocol
shim6 140 Shim6 # Shim6 Protocol [RFC5533]
wesp 141 WESP # Wrapped Encapsulating Security Payload
rohc 142 ROHC # Robust Header Compression
ethernet 143 Ethernet # Ethernet encapsulation for SRv6 [RFC8986]
# The following entries have not been assigned by IANA but are used
# internally by the Linux kernel.
mptcp 262 MPTCP # Multipath TCP connection


@@ -0,0 +1,2 @@
nameserver 169.254.1.1
nameserver 192.168.64.254
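Review bot: The two nameservers 169.254.1.1 and 192.168.64.254 are fixed addresses that look like one build host's VM network rather than anything valid on a target machine, and since the dhcpcd.conf in this same commit already requests domain_name_servers, a baked-in resolv.conf is either overwritten at runtime or, when dhcpcd never runs, leaves the initramfs pointing at unreachable resolvers. Consider leaving this file out of the image so resolver configuration comes from DHCP, or at least add a leading comment naming the environment these addresses belong to so the next reader knows they are not generic. The file path is not shown on this rendered page, so its identity as resolv.conf is inferred from the content.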


@@ -0,0 +1,2 @@
https://secdb.alpinelinux.org/v3.22/main.json
https://secdb.alpinelinux.org/v3.22/community.json

25
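--- a/initramfs/etc/securetty
+++ b/initramfs/etc/securetty
@@ -0,0 +1,25 @@
+console
+tty0
+tty1
+tty2
+tty3
+tty4
+tty5
+tty6
+tty7
+tty8
+tty9
+tty10
+tty11
+hvc0
+ttyS0
+ttyS1
+ttyS2
+ttyGS0
+ttyAMA0
+ttyAMA1
+ttyTCU0
+ttyTHS0
+ttyTHS1
+ttymxc0
+ttymxc2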


@@ -0,0 +1,125 @@
# Login access control table.
#
# Comment line must start with "#", no space at front.
# Order of lines is important.
#
# When someone logs in, the table is scanned for the first entry that
# matches the (user, host) combination, or, in case of non-networked
# logins, the first entry that matches the (user, tty) combination. The
# permissions field of that table entry determines whether the login will
# be accepted or refused.
#
# Format of the login access control table is three fields separated by a
# ":" character:
#
# [Note, if you supply a 'fieldsep=|' argument to the pam_access.so
# module, you can change the field separation character to be
# '|'. This is useful for configurations where you are trying to use
# pam_access with X applications that provide PAM_TTY values that are
# the display variable like "host:0".]
#
# permission:users:origins
#
# The first field should be a "+" (access granted) or "-" (access denied)
# character.
#
# The second field should be a list of one or more login names, group
# names, or ALL (always matches). A pattern of the form user@host is
# matched when the login name matches the "user" part, and when the
# "host" part matches the local machine name.
#
# The third field should be a list of one or more tty names (for
# non-networked logins), host names, domain names (begin with "."), host
# addresses, internet network numbers (end with "."), ALL (always
# matches), NONE (matches no tty on non-networked logins) or
# LOCAL (matches any string that does not contain a "." character).
#
# You can use @netgroupname in host or user patterns; this even works
# for @usergroup@@hostgroup patterns.
#
# The EXCEPT operator makes it possible to write very compact rules.
#
# The group file is searched only when a name does not match that of the
# logged-in user. Both the user's primary group is matched, as well as
# groups in which users are explicitly listed.
# To avoid problems with accounts, which have the same name as a group,
# you can use brackets around group names '(group)' to differentiate.
# In this case, you should also set the "nodefgroup" option.
#
# TTY NAMES: Must be in the form returned by ttyname(3) less the initial
# "/dev" (e.g. tty1 or vc/1)
#
##############################################################################
#
# Disallow non-root logins on tty1
#
#-:ALL EXCEPT root:tty1
#
# Disallow console logins to all but a few accounts.
#
#-:ALL EXCEPT wheel shutdown sync:LOCAL
#
# Same, but make sure that really the group wheel and not the user
# wheel is used (use nodefgroup argument, too):
#
#-:ALL EXCEPT (wheel) shutdown sync:LOCAL
#
# Disallow non-local logins to privileged accounts (group wheel).
#
#-:wheel:ALL EXCEPT LOCAL .win.tue.nl
#
# Some accounts are not allowed to login from anywhere:
#
#-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL
#
# All other accounts are allowed to login from anywhere.
#
##############################################################################
# All lines from here up to the end are building a more complex example.
##############################################################################
#
# User "root" should be allowed to get access via cron .. tty5 tty6.
#+:root:cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
#
# User "root" should be allowed to get access from hosts with ip addresses.
#+:root:192.168.200.1 192.168.200.4 192.168.200.9
#+:root:127.0.0.1
#
# User "root" should get access from network 192.168.201.
# This term will be evaluated by string matching.
# comment: It might be better to use network/netmask instead.
# The same is 192.168.201.0/24 or 192.168.201.0/255.255.255.0
#+:root:192.168.201.
#
# User "root" should be able to have access from domain.
# Uses string matching also.
#+:root:.foo.bar.org
#
# User "root" should be denied to get access from all other sources.
#-:root:ALL
#
# User "foo" and members of netgroup "nis_group" should be
# allowed to get access from all sources.
# This will only work if netgroup service is available.
#+:@nis_group foo:ALL
#
# User "john" should get access from ipv4 net/mask
#+:john:127.0.0.0/24
#
# User "john" should get access from ipv4 as ipv6 net/mask
#+:john:::ffff:127.0.0.0/127
#
# User "john" should get access from ipv6 host address
#+:john:2001:4ca0:0:101::1
#
# User "john" should get access from ipv6 host address (same as above)
#+:john:2001:4ca0:0:101:0:0:0:1
#
# User "john" should get access from ipv6 local link host address
#+:john:fe80::de95:818c:1b55:7e42%eth0
#
# User "john" should get access from ipv6 net/mask
#+:john:2001:4ca0:0:101::/64
#
# All other users should be denied to get access from all sources.
#-:ALL:ALL


@@ -0,0 +1,62 @@
# Configuration for locking the user after multiple failed
# authentication attempts.
#
# The directory where the user files with the failure records are kept.
# The default is /var/run/faillock.
# dir = /var/run/faillock
#
# Will log the user name into the system log if the user is not found.
# Enabled if option is present.
# audit
#
# Don't print informative messages.
# Enabled if option is present.
# silent
#
# Don't log informative messages via syslog.
# Enabled if option is present.
# no_log_info
#
# Only track failed user authentications attempts for local users
# in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users.
# The `faillock` command will also no longer track user failed
# authentication attempts. Enabling this option will prevent a
# double-lockout scenario where a user is locked out locally and
# in the centralized mechanism.
# Enabled if option is present.
# local_users_only
#
# Deny access if the number of consecutive authentication failures
# for this user during the recent interval exceeds n tries.
# The default is 3.
# deny = 3
#
# The length of the interval during which the consecutive
# authentication failures must happen for the user account
# lock out is <replaceable>n</replaceable> seconds.
# The default is 900 (15 minutes).
# fail_interval = 900
#
# The access will be re-enabled after n seconds after the lock out.
# The value 0 has the same meaning as value `never` - the access
# will not be re-enabled without resetting the faillock
# entries by the `faillock` command.
# The default is 600 (10 minutes).
# unlock_time = 600
#
# Root account can become locked as well as regular accounts.
# Enabled if option is present.
# even_deny_root
#
# This option implies the `even_deny_root` option.
# Allow access after n seconds to root account after the
# account is locked. In case the option is not specified
# the value is the same as of the `unlock_time` option.
# root_unlock_time = 900
#
# If a group name is specified with this option, members
# of the group will be handled by this module the same as
# the root account (the options `even_deny_root>` and
# `root_unlock_time` will apply to them.
# By default, the option is not set.
# admin_group = <admin_group_name>


@@ -0,0 +1,106 @@
#
# This is the configuration file for the pam_group module.
#
#
# *** Please note that giving group membership on a session basis is
# *** NOT inherently secure. If a user can create an executable that
# *** is setgid a group that they are infrequently given membership
# *** of, they can basically obtain group membership any time they
# *** like. Example: games are allowed between the hours of 6pm and 6am
# *** user joe logs in at 7pm writes a small C-program toplay.c that
# *** invokes their favorite shell, compiles it and does
# *** "chgrp play toplay; chmod g+s toplay". They are basically able
# *** to play games any time... You have been warned. AGM
#
#
# The syntax of the lines is as follows:
#
# services;ttys;users;times;groups
#
# white space is ignored and lines maybe extended with '\\n' (escaped
# newlines). From reading these comments, it is clear that
# text following a '#' is ignored to the end of the line.
#
# the combination of individual users/terminals etc is a logic list
# namely individual tokens that are optionally prefixed with '!' (logical
# not) and separated with '&' (logical and) and '|' (logical or).
#
# services
# is a logic list of PAM service names that the rule applies to.
#
# ttys
# is a logic list of terminal names that this rule applies to.
#
# users
# is a logic list of users or a netgroup of users to whom this
# rule applies.
#
# NB. For these items the simple wildcard '*' may be used only once.
# With netgroups no wildcards or logic operators are allowed.
#
# times
# It is used to indicate "when" these groups are to be given to the
# user. The format here is a logic list of day/time-range
# entries the days are specified by a sequence of two character
# entries, MoTuSa for example is Monday Tuesday and Saturday. Note
# that repeated days are unset MoMo = no day, and MoWk = all weekdays
# bar Monday. The two character combinations accepted are
#
# Mo Tu We Th Fr Sa Su Wk Wd Al
#
# the last two being week-end days and all 7 days of the week
# respectively. As a final example, AlFr means all days except Friday.
#
# Each day/time-range can be prefixed with a '!' to indicate "anything
# but"
#
# The time-range part is two 24-hour times HHMM separated by a hyphen
# indicating the start and finish time (if the finish time is smaller
# than the start time it is deemed to apply on the following day).
#
# groups
# The (comma or space separated) list of groups that the user
# inherits membership of. These groups are added if the previous
# fields are satisfied by the user's request
#
# For a rule to be active, ALL of service+ttys+users must be satisfied
# by the applying process.
#
#
# Note, to get this to work as it is currently typed you need
#
# 1. to run an application as root
# 2. add the following groups to the /etc/group file:
# floppy, play, sound
#
#
# Here is a simple example: running 'xsh' on tty* (any ttyXXX device),
# the user 'us' is given access to the floppy (through membership of
# the floppy group)
#
#xsh;tty*&!ttyp*;us;Al0000-2400;floppy
#
# another example: running 'xsh' on tty* (any ttyXXX device),
# the user 'sword' is given access to games (through membership of
# the sound and play group) after work hours.
#
#xsh; tty* ;sword;!Wk0900-1800;sound, play
#xsh; tty* ;*;Al0900-1800;floppy
#
# yet another example: any member of the group 'admin' running
# 'xsh' on tty*, is granted access (at any time) to the group 'plugdev'
#
#xsh; tty* ;%admin;Al0000-2400;plugdev
#
# End of group.conf file
#


@@ -0,0 +1,61 @@
# /etc/security/limits.conf
#
#This file sets the resource limits for the users logged in via PAM.
#It does not affect resource limits of the system services.
#
#Also note that configuration files in /etc/security/limits.d directory,
#which are read in alphabetical order, override the settings in this
#file in case the domain is the same or more specific.
#That means, for example, that setting a limit for wildcard domain here
#can be overridden with a wildcard setting in a config file in the
#subdirectory, but a user specific setting here can be overridden only
#with a user specific setting in the subdirectory.
#
#Each line describes a limit for a user in the form:
#
#<domain> <type> <item> <value>
#
#Where:
#<domain> can be:
# - a user name
# - a group name, with @group syntax
# - the wildcard *, for default entry
# - the wildcard %, can be also used with %group syntax,
# for maxlogin limit
#
#<type> can have the two values:
# - "soft" for enforcing the soft limits
# - "hard" for enforcing hard limits
#
#<item> can be one of the following:
# - core - limits the core file size (KB)
# - data - max data size (KB)
# - fsize - maximum filesize (KB)
# - memlock - max locked-in-memory address space (KB)
# - nofile - max number of open file descriptors
# - rss - max resident set size (KB)
# - stack - max stack size (KB)
# - cpu - max CPU time (MIN)
# - nproc - max number of processes
# - as - address space limit (KB)
# - maxlogins - max number of logins for this user
# - maxsyslogins - max number of logins on the system
# - priority - the priority to run user process with
# - locks - max number of file locks the user can hold
# - sigpending - max number of pending signals
# - msgqueue - max memory used by POSIX message queues (bytes)
# - nice - max nice priority allowed to raise to values: [-20, 19]
# - rtprio - max realtime priority
#
#<domain> <type> <item> <value>
#
#* soft core 0
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
#@student - maxlogins 4
# End of file


@@ -0,0 +1,31 @@
# /etc/security/namespace.conf
#
# See /usr/share/doc/pam-*/txts/README.pam_namespace for more information.
#
# Uncommenting the following three lines will polyinstantiate
# /tmp, /var/tmp and user's home directories. /tmp and /var/tmp will
# be polyinstantiated based on the MLS level part of the security context as well as user
# name, Polyinstantion will not be performed for user root and adm for directories
# /tmp and /var/tmp, whereas home directories will be polyinstantiated for all users.
# The user name and context is appended to the instance prefix.
#
# Note that instance directories do not have to reside inside the
# polyinstantiated directory. In the examples below, instances of /tmp
# will be created in /tmp-inst directory, where as instances of /var/tmp
# and users home directories will reside within the directories that
# are being polyinstantiated.
#
# Instance parent directories must exist for the polyinstantiation
# mechanism to work. By default, they should be created with the mode
# of 000. pam_namespace module will enforce this mode unless it
# is explicitly called with an argument to ignore the mode of the
# instance parent. System administrators should use this argument with
# caution, as it will reduce security and isolation achieved by
# polyinstantiation. The parent directories (except $HOME) are created
# at boot by pam_namespace_helper, but in a live system, system
# administrators should create the parent directories before enabling
# them here.
#
#/tmp /tmp-inst/ level root,adm
#/var/tmp /var/tmp/tmp-inst/ level root,adm
#$HOME $HOME/$USER.inst/ level


@@ -0,0 +1,25 @@
#!/bin/sh
# It receives polydir path as $1, the instance path as $2,
# a flag whether the instance dir was newly created (0 - no, 1 - yes) in $3,
# and user name in $4.
#
# The following section will copy the contents of /etc/skel if this is a
# newly created home directory.
if [ "$3" = 1 ]; then
# This line will fix the labeling on all newly created directories
[ -x /sbin/restorecon ] && /sbin/restorecon "$1"
user="$4"
passwd=$(getent passwd "$user")
homedir=$(echo "$passwd" | cut -f6 -d":")
if [ "$1" = "$homedir" ]; then
gid=$(echo "$passwd" | cut -f4 -d":")
cp -rT /etc/skel "$homedir"
chown -R "$user":"$gid" "$homedir"
mask=$(sed -E -n 's/^UMASK[[:space:]]+([^#[:space:]]+).*/\1/p' /etc/login.defs)
mode=$(printf "%o" $((0777 & ~mask)))
chmod ${mode:-700} "$homedir"
[ -x /sbin/restorecon ] && /sbin/restorecon -R "$homedir"
fi
fi
exit 0
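Review bot: If /etc/login.defs carries no UMASK line (or is not present in the initramfs at all), the `mask=$(sed ...)` assignment yields an empty string, and ash/dash treat an empty variable as 0 inside `$((0777 & ~mask))`, so `mode` becomes `777` and the `${mode:-700}` fallback on the chmod line never triggers — the freshly copied home directory is left world-writable. Give the mask its own fallback before the arithmetic, e.g. `mode=$(printf "%o" $((0777 & ~${mask:-077})))`, so the 700 intent holds when the lookup fails. The script also relies on `getent` and `cp -rT`; if the image ships BusyBox alone rather than musl-utils/coreutils, it is worth confirming both are available there.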


@@ -0,0 +1,73 @@
#
# This is the configuration file for pam_env, a PAM module to load in
# a configurable list of environment variables for a
#
# The original idea for this came from Andrew G. Morgan ...
#<quote>
# Mmm. Perhaps you might like to write a pam_env module that reads a
# default environment from a file? I can see that as REALLY
# useful... Note it would be an "auth" module that returns PAM_IGNORE
# for the auth part and sets the environment returning PAM_SUCCESS in
# the setcred function...
#</quote>
#
# What I wanted was the REMOTEHOST variable set, purely for selfish
# reasons, and AGM didn't want it added to the SimpleApps login
# program (which is where I added the patch). So, my first concern is
# that variable, from there there are numerous others that might/would
# be useful to be set: NNTPSERVER, LESS, PATH, PAGER, MANPAGER .....
#
# Of course, these are a different kind of variable than REMOTEHOST in
# that they are things that are likely to be configured by
# administrators rather than set by logging in, how to treat them both
# in the same config file?
#
# Here is my idea:
#
# Each line starts with the variable name, there are then two possible
# options for each variable DEFAULT and OVERRIDE.
# DEFAULT allows an administrator to set the value of the
# variable to some default value, if none is supplied then the empty
# string is assumed. The OVERRIDE option tells pam_env that it should
# enter in its value (overriding the default value) if there is one
# to use. OVERRIDE is not used, "" is assumed and no override will be
# done.
#
# VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]]
#
# (Possibly non-existent) environment variables may be used in values
# using the ${string} syntax and (possibly non-existent) PAM_ITEMs may
# be used in values using the @{string} syntax. Both the $ and @
# characters can be backslash escaped to be used as literal values
# values can be delimited with "", escaped " not supported.
# Note that many environment variables that you would like to use
# may not be set by the time the module is called.
# For example, HOME is used below several times, but
# many PAM applications don't make it available by the time you need it.
#
#
# First, some special variables
#
# Set the REMOTEHOST variable for any hosts that are remote, default
# to "localhost" rather than not being set at all
#REMOTEHOST DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
#
# Set the DISPLAY variable if it seems reasonable
#DISPLAY DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
#
#
# Now some simple variables
#
#PAGER DEFAULT=less
#MANPAGER DEFAULT=less
#LESS DEFAULT="M q e h15 z23 b80"
#NNTPSERVER DEFAULT=localhost
#PATH DEFAULT=${HOME}/bin:/usr/local/bin:/bin\
#:/usr/bin:/usr/local/bin/X11:/usr/bin/X11
#
# silly examples of escaped variables, just to show how they work.
#
#DOLLAR DEFAULT=\$
#DOLLARDOLLAR DEFAULT= OVERRIDE=\$${DOLLAR}
#DOLLARPLUS DEFAULT=\${REMOTEHOST}${REMOTEHOST}
#ATSIGN DEFAULT="" OVERRIDE=\@


@@ -0,0 +1,21 @@
# Configuration for remembering the last passwords used by a user.
#
# Enable the debugging logs.
# Enabled if option is present.
# debug
#
# root account's passwords are also remembered.
# Enabled if option is present.
# enforce_for_root
#
# Number of passwords to remember.
# The default is 10.
# remember = 10
#
# Number of times to prompt for the password.
# The default is 1.
# retry = 1
#
# The file where the last passwords are kept.
# The default is /etc/security/opasswd.
# file = /etc/security/opasswd


@@ -0,0 +1,65 @@
# this is an example configuration file for the pam_time module. Its syntax
# was initially based heavily on that of the shadow package (shadow-960129).
#
# the syntax of the lines is as follows:
#
# services;ttys;users;times
#
# white space is ignored and lines maybe extended with '\\n' (escaped
# newlines). As should be clear from reading these comments,
# text following a '#' is ignored to the end of the line.
#
# the combination of individual users/terminals etc is a logic list
# namely individual tokens that are optionally prefixed with '!' (logical
# not) and separated with '&' (logical and) and '|' (logical or).
#
# services
# is a logic list of PAM service names that the rule applies to.
#
# ttys
# is a logic list of terminal names that this rule applies to.
#
# users
# is a logic list of users or a netgroup of users to whom this
# rule applies.
#
# NB. For these items the simple wildcard '*' may be used only once.
#
# times
# the format here is a logic list of day/time-range
# entries the days are specified by a sequence of two character
# entries, MoTuSa for example is Monday Tuesday and Saturday. Note
# that repeated days are unset MoMo = no day, and MoWk = all weekdays
# bar Monday. The two character combinations accepted are
#
# Mo Tu We Th Fr Sa Su Wk Wd Al
#
# the last two being week-end days and all 7 days of the week
# respectively. As a final example, AlFr means all days except Friday.
#
# each day/time-range can be prefixed with a '!' to indicate "anything
# but"
#
# The time-range part is two 24-hour times HHMM separated by a hyphen
# indicating the start and finish time (if the finish time is smaller
# than the start time it is deemed to apply on the following day).
#
# for a rule to be active, ALL of service+ttys+users must be satisfied
# by the applying process.
#
#
# Here is a simple example: running blank on tty* (any ttyXXX device),
# the users 'you' and 'me' are denied service all of the time
#
#blank;tty* & !ttyp*;you|me;!Al0000-2400
# Another silly example, user 'root' is denied xsh access
# from pseudo terminals at the weekend and on mondays.
#xsh;ttyp*;root;!WdMo0000-2400
#
# End of example file.
#

361
initramfs/etc/services Normal file

@@ -0,0 +1,361 @@
# Network services, Internet style
#
# Updated from https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml .
#
# New ports will be added on request if they have been officially assigned
# by IANA and used in the real-world or are needed by a debian package.
# If you need a huge list of used numbers please install the nmap package.
tcpmux 1/tcp # TCP port service multiplexer
echo 7/tcp
echo 7/udp
discard 9/tcp sink null
discard 9/udp sink null
systat 11/tcp users
daytime 13/tcp
daytime 13/udp
netstat 15/tcp
qotd 17/tcp quote
chargen 19/tcp ttytst source
chargen 19/udp ttytst source
ftp-data 20/tcp
ftp 21/tcp
fsp 21/udp fspd
ssh 22/tcp # SSH Remote Login Protocol
telnet 23/tcp
smtp 25/tcp mail
time 37/tcp timserver
time 37/udp timserver
whois 43/tcp nicname
tacacs 49/tcp # Login Host Protocol (TACACS)
tacacs 49/udp
domain 53/tcp # Domain Name Server
domain 53/udp
bootps 67/udp
bootpc 68/udp
tftp 69/udp
gopher 70/tcp # Internet Gopher
finger 79/tcp
http 80/tcp www # WorldWideWeb HTTP
kerberos 88/tcp kerberos5 krb5 kerberos-sec # Kerberos v5
kerberos 88/udp kerberos5 krb5 kerberos-sec # Kerberos v5
iso-tsap 102/tcp tsap # part of ISODE
acr-nema 104/tcp dicom # Digital Imag. & Comm. 300
pop3 110/tcp pop-3 # POP version 3
sunrpc 111/tcp portmapper # RPC 4.0 portmapper
sunrpc 111/udp portmapper
auth 113/tcp authentication tap ident
nntp 119/tcp readnews untp # USENET News Transfer Protocol
ntp 123/udp # Network Time Protocol
epmap 135/tcp loc-srv # DCE endpoint resolution
netbios-ns 137/udp # NETBIOS Name Service
netbios-dgm 138/udp # NETBIOS Datagram Service
netbios-ssn 139/tcp # NETBIOS session service
imap2 143/tcp imap # Interim Mail Access P 2 and 4
snmp 161/tcp # Simple Net Mgmt Protocol
snmp 161/udp
snmp-trap 162/tcp snmptrap # Traps for SNMP
snmp-trap 162/udp snmptrap
cmip-man 163/tcp # ISO mgmt over IP (CMOT)
cmip-man 163/udp
cmip-agent 164/tcp
cmip-agent 164/udp
mailq 174/tcp # Mailer transport queue for Zmailer
xdmcp 177/udp # X Display Manager Control Protocol
bgp 179/tcp # Border Gateway Protocol
smux 199/tcp # SNMP Unix Multiplexer
qmtp 209/tcp # Quick Mail Transfer Protocol
z3950 210/tcp wais # NISO Z39.50 database
ipx 213/udp # IPX [RFC1234]
ptp-event 319/udp
ptp-general 320/udp
pawserv 345/tcp # Perf Analysis Workbench
zserv 346/tcp # Zebra server
rpc2portmap 369/tcp
rpc2portmap 369/udp # Coda portmapper
codaauth2 370/tcp
codaauth2 370/udp # Coda authentication server
clearcase 371/udp Clearcase
ldap 389/tcp # Lightweight Directory Access Protocol
ldap 389/udp
svrloc 427/tcp # Server Location
svrloc 427/udp
https 443/tcp # http protocol over TLS/SSL
https 443/udp # HTTP/3
snpp 444/tcp # Simple Network Paging Protocol
microsoft-ds 445/tcp # Microsoft Naked CIFS
kpasswd 464/tcp
kpasswd 464/udp
submissions 465/tcp ssmtp smtps urd # Submission over TLS [RFC8314]
saft 487/tcp # Simple Asynchronous File Transfer
isakmp 500/udp # IPSEC key management
rtsp 554/tcp # Real Time Stream Control Protocol
rtsp 554/udp
nqs 607/tcp # Network Queuing system
asf-rmcp 623/udp # ASF Remote Management and Control Protocol
qmqp 628/tcp
ipp 631/tcp # Internet Printing Protocol
ldp 646/tcp # Label Distribution Protocol
ldp 646/udp
#
# UNIX specific services
#
exec 512/tcp
biff 512/udp comsat
login 513/tcp
who 513/udp whod
shell 514/tcp cmd syslog # no passwords used
syslog 514/udp
printer 515/tcp spooler # line printer spooler
talk 517/udp
ntalk 518/udp
route 520/udp router routed # RIP
gdomap 538/tcp # GNUstep distributed objects
gdomap 538/udp
uucp 540/tcp uucpd # uucp daemon
klogin 543/tcp # Kerberized `rlogin' (v5)
kshell 544/tcp krcmd # Kerberized `rsh' (v5)
dhcpv6-client 546/udp
dhcpv6-server 547/udp
afpovertcp 548/tcp # AFP over TCP
nntps 563/tcp snntp # NNTP over SSL
submission 587/tcp # Submission [RFC4409]
ldaps 636/tcp # LDAP over SSL
ldaps 636/udp
tinc 655/tcp # tinc control port
tinc 655/udp
silc 706/tcp
kerberos-adm 749/tcp # Kerberos `kadmin' (v5)
#
domain-s 853/tcp # DNS over TLS [RFC7858]
domain-s 853/udp # DNS over DTLS [RFC8094]
rsync 873/tcp
ftps-data 989/tcp # FTP over SSL (data)
ftps 990/tcp
telnets 992/tcp # Telnet over SSL
imaps 993/tcp # IMAP over SSL
pop3s 995/tcp # POP-3 over SSL
#
# From ``Assigned Numbers'':
#
#> The Registered Ports are not controlled by the IANA and on most systems
#> can be used by ordinary user processes or programs executed by ordinary
#> users.
#
#> Ports are used in the TCP [45,106] to name the ends of logical
#> connections which carry long term conversations. For the purpose of
#> providing services to unknown callers, a service contact port is
#> defined. This list specifies the port used by the server process as its
#> contact port. While the IANA can not control uses of these ports it
#> does register or list uses of these ports as a convienence to the
#> community.
#
socks 1080/tcp # socks proxy server
proofd 1093/tcp
rootd 1094/tcp
openvpn 1194/tcp
openvpn 1194/udp
rmiregistry 1099/tcp # Java RMI Registry
lotusnote 1352/tcp lotusnotes # Lotus Note
ms-sql-s 1433/tcp # Microsoft SQL Server
ms-sql-m 1434/udp # Microsoft SQL Monitor
ingreslock 1524/tcp
datametrics 1645/tcp old-radius
datametrics 1645/udp old-radius
sa-msg-port 1646/tcp old-radacct
sa-msg-port 1646/udp old-radacct
kermit 1649/tcp
groupwise 1677/tcp
l2f 1701/udp l2tp
radius 1812/tcp
radius 1812/udp
radius-acct 1813/tcp radacct # Radius Accounting
radius-acct 1813/udp radacct
cisco-sccp 2000/tcp # Cisco SCCP
nfs 2049/tcp # Network File System
nfs 2049/udp # Network File System
gnunet 2086/tcp
gnunet 2086/udp
rtcm-sc104 2101/tcp # RTCM SC-104 IANA 1/29/99
rtcm-sc104 2101/udp
gsigatekeeper 2119/tcp
gris 2135/tcp # Grid Resource Information Server
cvspserver 2401/tcp # CVS client/server operations
venus 2430/tcp # codacon port
venus 2430/udp # Venus callback/wbc interface
venus-se 2431/tcp # tcp side effects
venus-se 2431/udp # udp sftp side effect
codasrv 2432/tcp # not used
codasrv 2432/udp # server port
codasrv-se 2433/tcp # tcp side effects
codasrv-se 2433/udp # udp sftp side effect
mon 2583/tcp # MON traps
mon 2583/udp
dict 2628/tcp # Dictionary server
f5-globalsite 2792/tcp
gsiftp 2811/tcp
gpsd 2947/tcp
gds-db 3050/tcp gds_db # InterBase server
icpv2 3130/udp icp # Internet Cache Protocol
isns 3205/tcp # iSNS Server Port
isns 3205/udp # iSNS Server Port
iscsi-target 3260/tcp
mysql 3306/tcp
ms-wbt-server 3389/tcp
nut 3493/tcp # Network UPS Tools
nut 3493/udp
distcc 3632/tcp # distributed compiler
daap 3689/tcp # Digital Audio Access Protocol
svn 3690/tcp subversion # Subversion protocol
suucp 4031/tcp # UUCP over SSL
sysrqd 4094/tcp # sysrq daemon
sieve 4190/tcp # ManageSieve Protocol
epmd 4369/tcp # Erlang Port Mapper Daemon
remctl 4373/tcp # Remote Authenticated Command Service
f5-iquery 4353/tcp # F5 iQuery
ntske 4460/tcp # Network Time Security Key Establishment
ipsec-nat-t 4500/udp # IPsec NAT-Traversal [RFC3947]
iax 4569/udp # Inter-Asterisk eXchange
mtn 4691/tcp # monotone Netsync Protocol
radmin-port 4899/tcp # RAdmin Port
sip 5060/tcp # Session Initiation Protocol
sip 5060/udp
sip-tls 5061/tcp
sip-tls 5061/udp
xmpp-client 5222/tcp jabber-client # Jabber Client Connection
xmpp-server 5269/tcp jabber-server # Jabber Server Connection
cfengine 5308/tcp
mdns 5353/udp # Multicast DNS
postgresql 5432/tcp postgres # PostgreSQL Database
freeciv 5556/tcp rptp # Freeciv gameplay
amqps 5671/tcp # AMQP protocol over TLS/SSL
amqp 5672/tcp
amqp 5672/sctp
x11 6000/tcp x11-0 # X Window System
x11-1 6001/tcp
x11-2 6002/tcp
x11-3 6003/tcp
x11-4 6004/tcp
x11-5 6005/tcp
x11-6 6006/tcp
x11-7 6007/tcp
gnutella-svc 6346/tcp # gnutella
gnutella-svc 6346/udp
gnutella-rtr 6347/tcp # gnutella
gnutella-rtr 6347/udp
redis 6379/tcp
sge-qmaster 6444/tcp sge_qmaster # Grid Engine Qmaster Service
sge-execd 6445/tcp sge_execd # Grid Engine Execution Service
mysql-proxy 6446/tcp # MySQL Proxy
babel 6696/udp # Babel Routing Protocol
ircs-u 6697/tcp # Internet Relay Chat via TLS/SSL
bbs 7000/tcp
afs3-fileserver 7000/udp
afs3-callback 7001/udp # callbacks to cache managers
afs3-prserver 7002/udp # users & groups database
afs3-vlserver 7003/udp # volume location database
afs3-kaserver 7004/udp # AFS/Kerberos authentication
afs3-volser 7005/udp # volume managment server
afs3-bos 7007/udp # basic overseer process
afs3-update 7008/udp # server-to-server updater
afs3-rmtsys 7009/udp # remote cache manager service
font-service 7100/tcp xfs # X Font Service
http-alt 8080/tcp webcache # WWW caching service
puppet 8140/tcp # The Puppet master service
bacula-dir 9101/tcp # Bacula Director
bacula-fd 9102/tcp # Bacula File Daemon
bacula-sd 9103/tcp # Bacula Storage Daemon
xmms2 9667/tcp # Cross-platform Music Multiplexing System
nbd 10809/tcp # Linux Network Block Device
zabbix-agent 10050/tcp # Zabbix Agent
zabbix-trapper 10051/tcp # Zabbix Trapper
amanda 10080/tcp # amanda backup services
dicom 11112/tcp
hkp 11371/tcp # OpenPGP HTTP Keyserver
db-lsp 17500/tcp # Dropbox LanSync Protocol
dcap 22125/tcp # dCache Access Protocol
gsidcap 22128/tcp # GSI dCache Access Protocol
wnn6 22273/tcp # wnn6
#
# Datagram Delivery Protocol services
#
rtmp 1/ddp # Routing Table Maintenance Protocol
nbp 2/ddp # Name Binding Protocol
echo 4/ddp # AppleTalk Echo Protocol
zip 6/ddp # Zone Information Protocol
#=========================================================================
# The remaining port numbers are not as allocated by IANA.
#=========================================================================
# Kerberos (Project Athena/MIT) services
kerberos4 750/udp kerberos-iv kdc # Kerberos (server)
kerberos4 750/tcp kerberos-iv kdc
kerberos-master 751/udp kerberos_master # Kerberos authentication
kerberos-master 751/tcp
passwd-server 752/udp passwd_server # Kerberos passwd server
krb-prop 754/tcp krb_prop krb5_prop hprop # Kerberos slave propagation
zephyr-srv 2102/udp # Zephyr server
zephyr-clt 2103/udp # Zephyr serv-hm connection
zephyr-hm 2104/udp # Zephyr hostmanager
iprop 2121/tcp # incremental propagation
supfilesrv 871/tcp # Software Upgrade Protocol server
supfiledbg 1127/tcp # Software Upgrade Protocol debugging
#
# Services added for the Debian GNU/Linux distribution
#
poppassd 106/tcp # Eudora
moira-db 775/tcp moira_db # Moira database
moira-update 777/tcp moira_update # Moira update protocol
moira-ureg 779/udp moira_ureg # Moira user registration
spamd 783/tcp # spamassassin daemon
skkserv 1178/tcp # skk jisho server port
predict 1210/udp # predict -- satellite tracking
rmtcfg 1236/tcp # Gracilis Packeten remote config server
xtel 1313/tcp # french minitel
xtelw 1314/tcp # french minitel
zebrasrv 2600/tcp # zebra service
zebra 2601/tcp # zebra vty
ripd 2602/tcp # ripd vty (zebra)
ripngd 2603/tcp # ripngd vty (zebra)
ospfd 2604/tcp # ospfd vty (zebra)
bgpd 2605/tcp # bgpd vty (zebra)
ospf6d 2606/tcp # ospf6d vty (zebra)
ospfapi 2607/tcp # OSPF-API
isisd 2608/tcp # ISISd vty (zebra)
fax 4557/tcp # FAX transmission service (old)
hylafax 4559/tcp # HylaFAX client-server protocol (new)
munin 4949/tcp lrrd # Munin
rplay 5555/udp # RPlay audio service
nrpe 5666/tcp # Nagios Remote Plugin Executor
nsca 5667/tcp # Nagios Agent - NSCA
canna 5680/tcp # cannaserver
syslog-tls 6514/tcp # Syslog over TLS [RFC5425]
sane-port 6566/tcp sane saned # SANE network scanner daemon
ircd 6667/tcp # Internet Relay Chat
zope-ftp 8021/tcp # zope management by ftp
tproxy 8081/tcp # Transparent Proxy
omniorb 8088/tcp # OmniORB
clc-build-daemon 8990/tcp # Common lisp build daemon
xinetd 9098/tcp
git 9418/tcp # Git Version Control System
zope 9673/tcp # zope server
webmin 10000/tcp
kamanda 10081/tcp # amanda backup services (Kerberos)
amandaidx 10082/tcp # amanda backup services
amidxtape 10083/tcp # amanda backup services
sgi-cmsd 17001/udp # Cluster membership services daemon
sgi-crsd 17002/udp
sgi-gcd 17003/udp # SGI Group membership daemon
sgi-cad 17004/tcp # Cluster Admin daemon
binkp 24554/tcp # binkp fidonet protocol
asp 27374/tcp # Address Search Protocol
asp 27374/udp
csync2 30865/tcp # cluster synchronization tool
dircproxy 57000/tcp # Detachable IRC Proxy
tfido 60177/tcp # fidonet EMSI over telnet
fido 60179/tcp # fidonet EMSI over TCP
# Local services

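--- a/initramfs/etc/shadow
+++ b/initramfs/etc/shadow
@@ -0,0 +1,17 @@
+root:*::0:::::
+bin:!::0:::::
+daemon:!::0:::::
+lp:!::0:::::
+sync:!::0:::::
+shutdown:!::0:::::
+halt:!::0:::::
+mail:!::0:::::
+news:!::0:::::
+uucp:!::0:::::
+cron:!::0:::::
+ftp:!::0:::::
+sshd:!::0:::::
+games:!::0:::::
+ntp:!::0:::::
+guest:!::0:::::
+nobody:!::0:::::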
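Review bot: git records only the executable bit, so when this tree is packed into the initramfs the file gets whatever mode the packing step applies — typically 0644 under the default umask — unless that step explicitly sets 0640 root:shadow (or 0600 root). Today every password field is a locked marker (`*` for root, `!` for the others), so nothing is exposed, but any hash placed here later would be both world-readable inside the image and permanently committed to history. Since this file cannot carry a comment, the fix belongs in the build script, e.g. a `chmod 0640` on etc/shadow after the tree is copied (path as used by your packer).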

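--- a/initramfs/etc/shells
+++ b/initramfs/etc/shells
@@ -0,0 +1,3 @@
+# valid login shells
+/bin/sh
+/bin/ash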


@@ -0,0 +1,123 @@
# $OpenBSD: sshd_config,v 1.105 2024/12/03 14:12:47 dtucker Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# Include configuration snippets before processing this file to allow the
# snippets to override directives set in this file.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to "no" here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to "no" to disable keyboard-interactive authentication. Depending on
# the system's configuration, this may involve passwords, challenge-response,
# one-time passwords or some combination of these and other methods.
#KbdInteractiveAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
#UsePAM no
#AllowAgentForwarding yes
# Feel free to re-enable these if your use case requires them.
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp internal-sftp
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
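Review bot: PasswordAuthentication and KbdInteractiveAuthentication are left at their commented defaults (`yes`) while AllowTcpForwarding, GatewayPorts and X11Forwarding are explicitly hardened a few lines above; the shadow file shipped in this commit locks every account, so password logins cannot currently succeed, but that is a property of /etc/shadow rather than of the sshd policy. State the intended key-only posture here next to the forwarding settings: `PasswordAuthentication no` and `KbdInteractiveAuthentication no`, plus an explicit `PermitRootLogin prohibit-password`, so a later password change or a different shadow file does not silently widen access. Host keys are also left at the defaults, and nothing visible in this commit generates or installs /etc/ssh/ssh_host_*_key, so it is worth confirming where they come from at boot and that they are not checked into the tree.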

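--- a/initramfs/etc/ssl/cert.pem
+++ b/initramfs/etc/ssl/cert.pem
@@ -0,0 +1 @@
+certs/ca-certificates.crt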



@@ -0,0 +1,9 @@
# This file specifies the Certificate Transparency logs
# that are to be trusted.
# Google's list of logs can be found here:
# www.certificate-transparency.org/known-logs
# A Python program to convert the log list to OpenSSL's format can be
# found here:
# https://github.com/google/certificate-transparency/blob/master/python/utilities/log_list/print_log_list.py
# Use the "--openssl_output" flag.


@@ -0,0 +1,9 @@
# This file specifies the Certificate Transparency logs
# that are to be trusted.
# Google's list of logs can be found here:
# www.certificate-transparency.org/known-logs
# A Python program to convert the log list to OpenSSL's format can be
# found here:
# https://github.com/google/certificate-transparency/blob/master/python/utilities/log_list/print_log_list.py
# Use the "--openssl_output" flag.


@@ -0,0 +1,390 @@
#
# OpenSSL example configuration file.
# See doc/man5/config.pod for more info.
#
# This is mostly being used for generation of certificate requests,
# but may be used for auto loading of providers
# Note that you can include other files from the main configuration
# file using the .include directive.
#.include filename
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
# Use this in order to automatically load providers.
openssl_conf = openssl_init
# Comment out the next line to ignore configuration errors
config_diagnostics = 1
# Extra OBJECT IDENTIFIER info:
# oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
# For FIPS
# Optionally include a file that is generated by the OpenSSL fipsinstall
# application. This file contains configuration data required by the OpenSSL
# fips provider. It contains a named section e.g. [fips_sect] which is
# referenced from the [provider_sect] below.
# Refer to the OpenSSL security policy for more information.
# .include fipsmodule.cnf
[openssl_init]
providers = provider_sect
# List of providers to load
[provider_sect]
default = default_sect
# The fips section name should match the section name inside the
# included fipsmodule.cnf.
# fips = fips_sect
# If no providers are activated explicitly, the default one is activated implicitly.
# See man 7 OSSL_PROVIDER-default for more details.
#
# If you add a section explicitly activating any other provider(s), you most
# probably need to explicitly activate the default provider, otherwise it
# becomes unavailable in openssl. As a consequence applications depending on
# OpenSSL may not work correctly which could lead to significant system
# problems including inability to remotely access the system.
[default_sect]
# activate = 1
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
x509_extensions = usr_cert # The extensions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
####################################################################
[ tsa ]
default_tsa = tsa_config1 # the default TSA section
[ tsa_config1 ]
# These are used by the TSA reply generation only.
dir = ./demoCA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
# (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
signer_digest = sha256 # Signing digest to use. (Optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)
ess_cert_id_alg = sha256 # algorithm to compute certificate
# identifier (optional, default: sha256)
[insta] # CMP using Insta Demo CA
# Message transfer
server = pki.certificate.fi:8700
# proxy = # set this as far as needed, e.g., http://192.168.1.1:8080
# tls_use = 0
path = pkix/
# Server authentication
recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA" # or set srvcert or issuer
ignore_keyusage = 1 # quirk needed to accept Insta CA cert not including digitalsignature
unprotected_errors = 1 # quirk needed to accept negative responses possibly not protected
extracertsout = insta.extracerts.pem
# Client authentication
ref = 3078 # user identification
secret = pass:insta # can be used for both client and server side
# Generic message options
cmd = ir # default operation, can be overridden on cmd line with, e.g., kur
# Certificate enrollment
subject = "/CN=openssl-cmp-test"
newkey = insta.priv.pem
out_trusted = apps/insta.ca.crt # does not include keyUsage digitalSignature
certout = insta.cert.pem
[pbm] # Password-based protection for Insta CA
# Server and client authentication
ref = $insta::ref # 3078
secret = $insta::secret # pass:insta
[signature] # Signature-based protection for Insta CA
# Server authentication
trusted = $insta::out_trusted # apps/insta.ca.crt
# Client authentication
secret = # disable PBM
key = $insta::newkey # insta.priv.pem
cert = $insta::certout # insta.cert.pem
[ir]
cmd = ir
[cr]
cmd = cr
[kur]
# Certificate update
cmd = kur
oldcert = $insta::certout # insta.cert.pem
[rr]
# Certificate revocation
cmd = rr
oldcert = $insta::certout # insta.cert.pem


@@ -0,0 +1,390 @@
#
# OpenSSL example configuration file.
# See doc/man5/config.pod for more info.
#
# This is mostly being used for generation of certificate requests,
# but may be used for auto loading of providers
# Note that you can include other files from the main configuration
# file using the .include directive.
#.include filename
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
# Use this in order to automatically load providers.
openssl_conf = openssl_init
# Comment out the next line to ignore configuration errors
config_diagnostics = 1
# Extra OBJECT IDENTIFIER info:
# oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
# For FIPS
# Optionally include a file that is generated by the OpenSSL fipsinstall
# application. This file contains configuration data required by the OpenSSL
# fips provider. It contains a named section e.g. [fips_sect] which is
# referenced from the [provider_sect] below.
# Refer to the OpenSSL security policy for more information.
# .include fipsmodule.cnf
[openssl_init]
providers = provider_sect
# List of providers to load
[provider_sect]
default = default_sect
# The fips section name should match the section name inside the
# included fipsmodule.cnf.
# fips = fips_sect
# If no providers are activated explicitly, the default one is activated implicitly.
# See man 7 OSSL_PROVIDER-default for more details.
#
# If you add a section explicitly activating any other provider(s), you most
# probably need to explicitly activate the default provider, otherwise it
# becomes unavailable in openssl. As a consequence applications depending on
# OpenSSL may not work correctly which could lead to significant system
# problems including inability to remotely access the system.
[default_sect]
# activate = 1
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
x509_extensions = usr_cert # The extensions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
####################################################################
[ tsa ]
default_tsa = tsa_config1 # the default TSA section
[ tsa_config1 ]
# These are used by the TSA reply generation only.
dir = ./demoCA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
# (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
signer_digest = sha256 # Signing digest to use. (Optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)
ess_cert_id_alg = sha256 # algorithm to compute certificate
# identifier (optional, default: sha256)
[insta] # CMP using Insta Demo CA
# Message transfer
server = pki.certificate.fi:8700
# proxy = # set this as far as needed, e.g., http://192.168.1.1:8080
# tls_use = 0
path = pkix/
# Server authentication
recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA" # or set srvcert or issuer
ignore_keyusage = 1 # quirk needed to accept Insta CA cert not including digitalsignature
unprotected_errors = 1 # quirk needed to accept negative responses possibly not protected
extracertsout = insta.extracerts.pem
# Client authentication
ref = 3078 # user identification
secret = pass:insta # can be used for both client and server side
# Generic message options
cmd = ir # default operation, can be overridden on cmd line with, e.g., kur
# Certificate enrollment
subject = "/CN=openssl-cmp-test"
newkey = insta.priv.pem
out_trusted = apps/insta.ca.crt # does not include keyUsage digitalSignature
certout = insta.cert.pem
[pbm] # Password-based protection for Insta CA
# Server and client authentication
ref = $insta::ref # 3078
secret = $insta::secret # pass:insta
[signature] # Signature-based protection for Insta CA
# Server authentication
trusted = $insta::out_trusted # apps/insta.ca.crt
# Client authentication
secret = # disable PBM
key = $insta::newkey # insta.priv.pem
cert = $insta::certout # insta.cert.pem
[ir]
cmd = ir
[cr]
cmd = cr
[kur]
# Certificate update
cmd = kur
oldcert = $insta::certout # insta.cert.pem
[rr]
# Certificate revocation
cmd = rr
oldcert = $insta::certout # insta.cert.pem
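Review bot: The `[insta]` CMP block at the end of this file ships a hard-coded shared secret (`secret = pass:insta`, `ref = 3078`) and points at an external demo CA (`server = pki.certificate.fi:8700`), with `ignore_keyusage = 1` and `unprotected_errors = 1` relaxing CMP response verification; that is upstream's example config, but inside an initramfs it is dead weight that any `openssl cmp -section insta` invocation would silently pick up. The TSA example likewise lists `digests = sha1, sha256, sha384, sha512`, so a TSA driven from this file would accept SHA-1 timestamp requests. If the initramfs only needs the provider, `[req]` and `[ca]` sections, I would drop the `[tsa]`, `[insta]`, `[pbm]`, `[signature]`, `[ir]`, `[cr]`, `[kur]` and `[rr]` blocks, or at minimum change the digest line to `digests = sha256, sha384, sha512`. The same 390-line file appears to be added a second time earlier in this commit (that section starts outside this view), so the two copies should either be kept in sync or one symlinked to the other the way `cert.pem` and `certs` are below.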


@@ -0,0 +1 @@
/etc/ssl/cert.pem

1
initramfs/etc/ssl1.1/certs Symbolic link

@@ -0,0 +1 @@
/etc/ssl/certs


@@ -0,0 +1 @@
# content of this file will override /etc/sysctl.d/*



@@ -0,0 +1 @@
vt220

