#! /bin/sh
#
# Checks whether the customized dracut scripts that permit unlocking
# LUKS volumes via a USB key have changed.
# If so, this script will complain bitterly, presumably to root.
#
# This script should be placed in /etc/cron.daily
#
# Devin Reade <gdr@gno.org>
#

# The locally patched dracut scripts to monitor. This is a
# whitespace-separated list that the rest of the script expands unquoted,
# so the paths must not contain blanks or glob characters.
WATCHED_FILES="
/usr/share/dracut/modules.d/90crypt/cryptroot-ask.sh
/usr/share/dracut/modules.d/90crypt/install
"

# Where the baseline checksums of the files above are recorded.
HASH_FILE="/var/lib/crypto-usb.md5"

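# Compare the watched dracut scripts against the recorded baseline, or
# record a baseline if none exists yet.
#
# NOTE(review): this is a change notifier, not a tamper-proof integrity
# control. The baseline sits on the same system as the files it covers and
# is recreated automatically whenever it is missing, so the first run (and
# every run after $HASH_FILE is deleted) trusts whatever is on disk at that
# moment. Review the watched files by hand before deleting $HASH_FILE.
# MD5 is adequate for noticing package-driven changes but is not
# collision-resistant; switching digest tools would invalidate existing
# baselines, so that is left as a deliberate, separate migration.
if [ -f "$HASH_FILE" ]; then
    # --status suppresses all output; only the exit status is used. It is
    # non-zero for a checksum mismatch and also when a listed file cannot
    # be read, so a deleted script triggers the warning as well.
    if ! md5sum -c --status "$HASH_FILE"; then
        fmt <<EOF

WARNING WARNING WARNING

The MD5 checksum of one of the following files no longer matches what
is expected:
EOF

        # Intentionally unquoted: WATCHED_FILES is a whitespace-separated
        # list and printf repeats the format once per path.
        printf '    %s\n' $WATCHED_FILES

        fmt <<EOF
This probably means that dracut has been updated by the
system.  Since this machine needs custom dracut scripts, any
newly installed kernels or configurations may no longer make use
of the configured USB crypto key during boot, thus requiring
manual intervention.

BEFORE YOU REBOOT YOUR MACHINE you should verify the state of
the above files, and repatch them as necessary. After you have done so,
you can get rid of this message by deleting $HASH_FILE.

Finally, you will need to recreate the initial ram disk for your
kernel.  For the currently installed kernel this can be done via

	/usr/libexec/plymouth/plymouth-update-initrd

See
	http://www.gno.org/~gdr/sysadmin/centos/6/usb-crypto-key.html
for details.

If you have problems, you can try to reboot your machine with an older
configuration and do some diagnosis from there.

WARNING WARNING WARNING

EOF
    fi
else
    echo "Creating $HASH_FILE"
    # Build the baseline in a temporary file next to the target and move it
    # into place only if every watched file was hashed. Redirecting straight
    # into $HASH_FILE would leave an empty or partial baseline behind when
    # md5sum fails (for example, a watched file is missing). mktemp also
    # creates the file readable and writable by its owner only.
    tmp_hash=$(mktemp "$HASH_FILE.XXXXXX") || exit 1
    # Intentionally unquoted: WATCHED_FILES is a whitespace-separated list.
    if md5sum $WATCHED_FILES > "$tmp_hash"; then
        mv -f "$tmp_hash" "$HASH_FILE"
    else
        rm -f "$tmp_hash"
        echo "ERROR: could not checksum all watched files; $HASH_FILE was not created" >&2
        exit 1
    fi
fi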
