{"id":28522811,"url":"https://github.com/kale-ko/initramfs-scripts","last_synced_at":"2026-04-26T08:38:27.757Z","repository":{"id":292252242,"uuid":"964009120","full_name":"Kale-Ko/initramfs-scripts","owner":"Kale-Ko","description":"Start up an OpenSSH server over WiFi during initramfs for remote unlocking","archived":false,"fork":false,"pushed_at":"2026-04-21T17:45:51.000Z","size":36713,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-04-21T19:43:45.420Z","etag":null,"topics":["debian","debian-package","initramfs","initramfs-tools","openssh","remote-access","ssh","tpm","tpm2","wifi","wireless"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Kale-Ko.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-04-10T14:49:37.000Z","updated_at":"2026-04-21T17:46:04.000Z","dependencies_parsed_at":"2025-08-05T04:23:23.170Z","dependency_job_id":null,"html_url":"https://github.com/Kale-Ko/initramfs-scripts","commit_stats":null,"previous_names":["kale-ko/initramfs-scripts"],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/Kale-Ko/initramfs-scripts","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kale-Ko%2Finitramfs-scripts","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kale-Ko%2Finitramfs-scripts/tags","releases_url":"https://repos.
ecosyste.ms/api/v1/hosts/GitHub/repositories/Kale-Ko%2Finitramfs-scripts/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kale-Ko%2Finitramfs-scripts/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Kale-Ko","download_url":"https://codeload.github.com/Kale-Ko/initramfs-scripts/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kale-Ko%2Finitramfs-scripts/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32291327,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-26T08:29:33.829Z","status":"ssl_error","status_checked_at":"2026-04-26T08:29:18.366Z","response_time":129,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["debian","debian-package","initramfs","initramfs-tools","openssh","remote-access","ssh","tpm","tpm2","wifi","wireless"],"created_at":"2025-06-09T09:37:50.500Z","updated_at":"2026-04-26T08:38:27.752Z","avatar_url":"https://github.com/Kale-Ko.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# OpenSSH over Wifi for initramfs-tools\n\n## OpenSSH-initramfs\n\nOpenSSH-initramfs starts up an OpenSSH server during initram for remote unlocking of cryptroot (Or other activities, it can be configured).\n\n### Configuration\n\nIn `/etc/initramfs-tools/conf.d/openssh` you will find 5 values.\n\n- 
`OPENSSH_PORTS` - A comma-separated list of ports to listen on. This overrides the `sshd_config`.\n\n- `OPENSSH_CONFIG_DIRECTORY` - The directory where the rest of the configuration resides.\n- `OPENSSH_GENERATE_SERVER_KEYS` - Whether or not to automatically generate new server keys if they do not exist already. Can be `true`, `false`, `standard`, or `tpm` (if ssh-tpm-agent is installed).\n\n- `OPENSSH_AUTHORIZED_USER` - The username that will be used to log in. **NOTE:** If the user is not `root`, a small suid helper program (see [cryptroot-unlock-suid.cpp](https://github.com/Kale-Ko/initramfs-scripts/blob/main/openssh-initramfs/cryptroot-unlock-suid.cpp)) is required to allow the user to unlock the disk. While I am fairly certain it is safe, I cannot be 100% sure.\n- `OPENSSH_AUTHORIZED_KEYS_FILE` - The `authorized_keys` file to be copied into the initramfs.\n\n#### `sshd_config`\n\nThe `sshd_config` is stored at `{OPENSSH_CONFIG_DIRECTORY}/sshd_config`; if it does not exist, it will be created with some default (recommended) values.\n\n#### `ssh_host_keys`\n\nSSH host keys are stored in `{OPENSSH_CONFIG_DIRECTORY}` and must match one of the following patterns.\n\n- `ssh_host*_key` - Standard SSH host keys (RSA, ECDSA, ED25519). **Note:** These are not encrypted in any way; someone with access to the boot partition can read them.\n- `ssh_tpm_host*_key*` - SSH TPM host keys (if ssh-tpm-agent is installed). When a TPM host key is present, ssh-tpm-agent will be copied onto the initramfs and run to unlock the host key. This has the advantage of not requiring you to potentially expose your SSH host key to someone with access to your device. 
Note that both the `{key}.tpm` and `{key}.pub` must be present for these to work.\n\n## Wireless-initramfs\n\nMade with help from the great tutorial at [https://www.marcfargas.com/](https://www.marcfargas.com/2017/12/enable-wireless-networks-in-debian-initramfs/)\n\nWireless-initramfs will connect your computer to a specified WiFi network during initram.\n\nWireless-initramfs requires configuration before it can be used.\n\n### Configuration\n\nIn `/etc/initramfs-tools/conf.d/wireless` you will find 4 values.\n\n- `WIRELESS_INTERFACE` - The interface name of your WiFi card (Check `ip link`).\n- `WIRELESS_MODULES` - The kernel modules that need to be loaded for your WiFi card to work (See [https://wireless.docs.kernel.org/](https://wireless.docs.kernel.org/en/latest/en/users/drivers.html)).\n\n- `WIRELESS_SSID` - The name/SSID of your WiFi network.\n- `WIRELESS_PASSWORD` - The password of your WiFi network. Leave blank for open WiFi networks. **Note:** This is not encrypted in any way; someone with access to the boot partition can read it.\n\nIf your network uses a security type other than WPA-PSK/WPA2-PSK then you will need to edit `/usr/share/initramfs-tools/hooks/wireless` to accommodate.\n\n## ssh-tpm-agent\n\nssh-tpm-agent is just an optional packaging of [Foxboron/ssh-tpm-agent](https://github.com/Foxboron/ssh-tpm-agent) along with 4 basic services to run it.\n\nIt has 2 user services and 2 system services.\n\n- `ssh-agent.service` - A user service that runs the default ssh-agent.\n- `ssh-tpm-agent.service` - A user service that runs the ssh-tpm-agent with the default ssh-agent as a fallback.\n\n- `sshd-agent.service` - A system service like `ssh-agent.service` but for sshd host keys.\n- `sshd-tpm-agent.service` - A system service like `ssh-tpm-agent.service` but for sshd host keys.\n\nUsers with `ssh-agent.service` or `ssh-tpm-agent.service` enabled will have their `SSH_AUTH_SOCK` variable set automatically. 
The sshd `HostKeyAgent` option is also set automatically upon installation.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkale-ko%2Finitramfs-scripts","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkale-ko%2Finitramfs-scripts","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkale-ko%2Finitramfs-scripts/lists"}