Unlocking a LUKS encrypted root partition via ssh

Posted by wulf on Tue 5 Feb 2008 at 15:03

I'm running a Debian server with a LUKS encrypted root partition and want to be able to enter the passphrase either locally at the terminal or via ssh. This article describes how I achieved that.

To get remote access to my machine via ssh while the root filesystem is not yet mounted, I include dropbear in the initrd, plus a little glue to make it easy to use. You may also combine this with RAID and LVM (as I do), but that is not relevant for this article.

We only need to hook in before the cryptsetup step of the initrd runs, so it does not matter which stack of layers the root filesystem sits on:

  • LUKS
  • RAID -> LUKS
  • LUKS -> RAID (I never heard of that, but ...)
  • RAID -> LVM-> LUKS
  • RAID -> LUKS -> LVM
  • LUKS -> LVM
  • LVM -> LUKS
  • ... Everything is possible

table of contents

  1. I don't care about background, just let me do it
  2. initrd, the big picture
  3. initramfs-tools, the big picture
  4. troubleshooting
  5. source

1. I don't care about background, just let me do it

  • You have a running Debian system with a LUKS encrypted disk (and whatever else you like, such as LVM and RAID) which boots via initrd while you enter the passphrase at the local terminal. Yes, this should work without trouble before you go on. It's really comfortable to set this up with the Debian installer if you run the installation in expert mode (just type expert at the boot prompt, and play around with manual partitioning at the partitioner step, which is only available in the installer, not on a running Debian system). You may also set this up step by step on an already running system; for that, refer to the many relevant HOWTOs available.
  • install busybox on the system ("apt-get install busybox")
  • install dropbear on the system ("apt-get install dropbear")
  • make sure dropbear will not be started in the ordinary boot process if you use openssh-server. If you think dropbear is a good choice for your daily work, skip this step.
  • copy the script (listed below; download at http://gpl.coulmann.de/dropbear) to /etc/initramfs-tools/hooks/dropbear and make it executable
  • edit the network setup (IP address and default gateway in the network_ssh part) in /etc/initramfs-tools/hooks/dropbear
  • create the initrd via:
    prompt # mkinitramfs -o my_name_of_the_initrd
  • move the new initrd to /boot and edit your /boot/grub/menu.lst to use it. It's a good idea to duplicate one entry and change only the clone, so you can still boot the original version if anything fails.
That's it! If you build your next kernel .deb via make-kpkg kernel_image --initrd, the initrd will still hold the added functionality. If you didn't compile the kernel yourself, you have to run mkinitramfs and copy the initrd to /boot manually after every kernel update. Note that the initrd will hold the root password (hash) and ssh public key from the day you built it.


#!/bin/sh

# We add dropbear to the initrd to be able to mount crypto partitions from remote


PREREQ=""
prereqs()
{
     echo "$PREREQ"
}

case $1 in
prereqs)
     prereqs
     exit 0
     ;;
esac

# Begin real processing below this line

# copyright Wulf Coulmann
# GNU GPL
# http://www.gnu.org/licenses/gpl.html
#
# Download me here: http://gpl.coulmann.de/dropbear
# get infos about this script here:
# http://gpl.coulmann.de/ssh_luks_unlock.html


# load the prepared functions of Debian's initramfs environment
# ("." is the POSIX spelling of "source", so the hook also runs when /bin/sh is dash)
. /usr/share/initramfs-tools/hook-functions


# build the directories (/usr/bin is needed for the unlock script below)
DIRS='/usr/bin/ /usr/sbin/ /proc/ /root/ /var/ /var/run/'

for now in $DIRS ; do
    if [ ! -e "${DESTDIR}$now" ]
    then
       mkdir -p "${DESTDIR}$now"
    fi
done

# copy the main ssh-daemon including libraries
copy_exec /usr/sbin/dropbear
copy_exec /usr/bin/passwd
copy_exec /bin/login

# some libraries not auto-included by copy_exec
copy_exec /lib/libnss_compat.so.2
copy_exec /usr/lib/libz.so.1
copy_exec /etc/ld.so.cache
# this path is architecture specific (i386 with the cmov libc variant); adjust it for your system
copy_exec /lib/i686/cmov/libutil.so.1


# we copy config and key files
# (the dropbear host keys in /etc/dropbear have to be here, otherwise the daemon cannot start)
cp -pr /etc/dropbear ${DESTDIR}/etc/
cp -pr /etc/passwd ${DESTDIR}/etc/          # quick and dirty, to keep file attributes
cp -pr /etc/shadow ${DESTDIR}/etc/
cp -pr /etc/group ${DESTDIR}/etc/
cp -pr /etc/nsswitch.conf ${DESTDIR}/etc/
cp -pr /etc/localtime ${DESTDIR}/etc/

# only the list of public keys goes into the (unencrypted) initrd, not the whole /root/.ssh
if [ -f /root/.ssh/authorized_keys ]
then
    mkdir -p -m 0700 ${DESTDIR}/root/.ssh
    cp -p /root/.ssh/authorized_keys ${DESTDIR}/root/.ssh/
fi

# we don't have bash in our initrd
# also we only add the root account: passwd, shadow and group are reduced to the root line,
# because the initrd lives on the unencrypted /boot and must not carry the other hashes
grep '^root:' /etc/passwd | sed 's#/bin/bash#/bin/sh#' > ${DESTDIR}/etc/passwd
grep '^root:' /etc/shadow > ${DESTDIR}/etc/shadow
grep '^root:' /etc/group  > ${DESTDIR}/etc/group


# the blocker script to request input action before running cryptroot
# this lets us run cryptroot on the local terminal or inside ssh
# dirty but effective
cat >${DESTDIR}/scripts/local-top/cryptroot_block << 'EOF'
#!/bin/sh
PREREQ="network_ssh"
prereqs()
{
     echo "$PREREQ"
}

case $1 in
prereqs)
     prereqs
     exit 0
     ;;
esac

# Begin real processing below this line

echo 'Type "ok" and press enter to put in passphrase:'

INPUT='wait'

# quoted, so that an empty line (just enter) does not break the test
while [ "$INPUT" != 'ok' ] ; do
 read INPUT
done

EOF
chmod 700 ${DESTDIR}/scripts/local-top/cryptroot_block


cat >${DESTDIR}/scripts/local-top/network_ssh << 'EOF'
#!/bin/sh

# we start the network and ssh-server


PREREQ=""
prereqs()
{
     echo "$PREREQ"
}

case $1 in
prereqs)
     prereqs
     exit 0
     ;;
esac

# Begin real processing below this line


# build up helpful environment
[ -d /dev ] || mkdir -m 0755 /dev
[ -d /root ] || mkdir -m 0700 /root
[ -d /sys ] || mkdir /sys
[ -d /proc ] || mkdir /proc
[ -d /tmp ] || mkdir /tmp

mkdir -p /var/lock
# the initramfs init has usually mounted /sys and /proc already; mounting them twice
# gives "Device or resource busy", so only mount what is not there yet
grep -qs ' /sys sysfs ' /proc/mounts || mount -t sysfs -o nodev,noexec,nosuid none /sys
grep -qs ' /proc proc ' /proc/mounts || mount -t proc -o nodev,noexec,nosuid none /proc

[ -d /dev/pts ] || mkdir /dev/pts
grep -qs ' /dev/pts devpts ' /proc/mounts || mount -t devpts -o gid=5,mode=620 /dev/pts /dev/pts

# the network setup: edit ip address and gateway to your needs
ifconfig eth0 192.168.1.10 netmask 255.255.255.0
route add default gw 192.168.1.100
# If you like to use dhcp make sure you include dhclient or pump in
# /etc/initramfs-tools/hooks/dropbear via
#     copy_exec /sbin/dhclient


# for debugging the ssh-server you may run it in the foreground
#      /usr/sbin/dropbear -E -F
# for more debugging you may run it with strace
# therefore you have to include strace and nc at the top of
# /etc/initramfs-tools/hooks/dropbear via
#     copy_exec /usr/bin/strace
#     copy_exec /usr/bin/nc
# then start nc on another host and run
#     /usr/sbin/dropbear -E -F  2>&1 | /bin/nc -vv <ip of other host> <nc port of other host>
#     e.g.:
#     /usr/sbin/dropbear -E -F  2>&1 | /bin/nc -vv 192.168.1.2 8888
/usr/sbin/dropbear -b /etc/dropbear/banner
EOF
chmod 700 ${DESTDIR}/scripts/local-top/network_ssh


cat >${DESTDIR}/etc/dropbear/banner << 'EOF'

     To unlock root-partition run
        unlock

EOF


# script to unlock luks via ssh
# dirty but effective: run cryptroot inside the ssh session, move it away so the
# normal boot sequence does not ask a second time, then release the blocker
cat >${DESTDIR}/usr/bin/unlock << 'EOF'
#!/bin/sh

/bin/sh /scripts/local-top/cryptroot && mv /scripts/local-top/cryptroot /root && kill `ps | grep cryptroot_block | grep -v grep | awk '{ print $1 }'`

EOF

chmod 700 ${DESTDIR}/usr/bin/unlock

# make sure we exit dropbear at the end of the startup process
cat >${DESTDIR}/scripts/local-bottom/rm_dropbear << 'EOF'
#!/bin/sh
PREREQ=""

prereqs()
{
     echo "$PREREQ"
}

case $1 in
prereqs)
     prereqs
     exit 0
     ;;
esac

# Begin real processing below this line
# we kill the dropbear ssh-server

killall dropbear

EOF
chmod 700 ${DESTDIR}/scripts/local-bottom/rm_dropbear






2. initrd, the big picture

The initrd image is nothing more than a directory tree (packed as a compressed cpio archive) into which you can include anything you like, so it is possible to build an arbitrarily complex Linux environment. The initrd is accessible along with the kernel zImage, so it is the workaround for chicken-and-egg problems, e.g. when you need tools from the hard disk in order to mount the hard disk.

If the kernel has initrd functionality built in (most do) and you provide an initrd in your grub/lilo configuration, the kernel unpacks the initrd and mounts it as a ramdisk, loads the provided modules and tools from it, mounts the hard disk partitions and, once booting is done, drops the initramfs.

3. initramfs-tools, the big picture

Debian offers very convenient handling for generating initrds. Refer to man initramfs-tools and man mkinitramfs for details.

4. troubleshooting

If you get into trouble, try to split your tasks into small steps, and evaluate each one before you go on. Maybe these hints will help you:

  • trouble while building the initrd

    Check what is really included in your initrd. Go to an empty directory and run:
        prompt # export test=test1 \
           && sh -x mkinitramfs -o $test 2> log \
           && mkdir `echo -n $test | sed s/test/test_/` \
           && mv $test $test.gz && gunzip $test.gz \
           && cd `echo -n $test | sed s/test/test_/` \
           && cpio -i < ../$test && cd ..

    This will end up with a file test1, which is the initrd image, and a directory test_1 which holds the unpacked initrd filesystem, so you can check whether everything is really included. You will also find a file named log with any errors that occurred while running mkinitramfs.
  • trouble while booting

    Trouble while booting is mostly caused by missing files or by scripts running in the wrong order. To understand how the script order is handled you should read man initramfs-tools.
    Add verbose output to your scripts, e.g. a simple ifconfig after the network setup, to check the output while booting. If you suspect missing libraries or device nodes, strace may be helpful. If you want to compare strace output from booting with strace output of dropbear running on your already booted system, netcat is one way to get the output off the box, so you can check the differences with diff or whatever. Yes, for that your network setup must already be working and you have to include netcat in your initrd.
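Once the initrd is unpacked as above, the check I would run over the extracted tree, as an added example that is not part of the original howto: it flags anything beyond the root line in etc/passwd, etc/shadow and etc/group and any private key under root/.ssh, which are exactly the things that must not sit on the unencrypted /boot. The tree layout, the function names and the constructed sample files are assumptions of this example.

```shell
#!/bin/sh
# Audit an unpacked initrd tree (as produced by the cpio -i step above) for
# secrets that should stay inside the LUKS container. Added example, not part
# of the original hook. Assumed layout: $TREE/etc/{passwd,shadow,group} and
# $TREE/root/.ssh, i.e. what the hook copies. Dropbear's own host keys in
# etc/dropbear are needed by the daemon and are deliberately not reported.

# count_non_root_entries FILE: number of non-empty lines not belonging to root
count_non_root_entries() {
    [ -f "$1" ] || { echo 0; return 0; }
    awk 'NF && $0 !~ /^root:/ { n++ } END { print n + 0 }' "$1"
}

# find_private_keys TREE: print private key files found under TREE/root/.ssh
# (public material such as authorized_keys, *.pub and known_hosts is fine)
find_private_keys() {
    sshdir="$1/root/.ssh"
    [ -d "$sshdir" ] || return 0
    for f in "$sshdir"/*; do
        [ -f "$f" ] || continue
        case "$(basename "$f")" in
            authorized_keys|known_hosts|config|*.pub) ;;
            *) if grep -q 'PRIVATE KEY' "$f"; then echo "$f"; fi ;;
        esac
    done
    return 0
}

# audit_initrd TREE: print findings, return 0 if clean, 1 if secrets leaked
audit_initrd() {
    tree="$1"
    rc=0
    for db in passwd shadow group; do
        n=$(count_non_root_entries "$tree/etc/$db")
        if [ "$n" -gt 0 ]; then
            echo "LEAK: $tree/etc/$db carries $n non-root entries"
            rc=1
        fi
    done
    keys=$(find_private_keys "$tree")
    if [ -n "$keys" ]; then
        echo "LEAK: private key material inside the initrd:"
        echo "$keys"
        rc=1
    fi
    return $rc
}

# build_sample_tree DIR MODE: constructed sample tree (not a real initrd).
# MODE "leaky" mimics an unfiltered copy of /etc/shadow and /root/.ssh,
# MODE "clean" mimics a root-only copy with just authorized_keys.
build_sample_tree() {
    mkdir -p "$1/etc" "$1/root/.ssh"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' > "$1/etc/passwd"
    printf '%s\n' 'root:$6$CONSTRUCTED$fakehash:17000:0:99999:7:::' > "$1/etc/shadow"
    printf '%s\n' 'root:x:0:' > "$1/etc/group"
    printf '%s\n' 'ssh-rsa AAAAB3CONSTRUCTED admin@example' > "$1/root/.ssh/authorized_keys"
    if [ "$2" = leaky ]; then
        printf '%s\n' 'wulf:x:1000:1000:Wulf:/home/wulf:/bin/bash' >> "$1/etc/passwd"
        printf '%s\n' 'wulf:$6$CONSTRUCTED$otherhash:17000:0:99999:7:::' >> "$1/etc/shadow"
        printf '%s\n' 'users:x:100:wulf' >> "$1/etc/group"
        printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED' \
            '-----END RSA PRIVATE KEY-----' > "$1/root/.ssh/id_rsa"
    fi
}

# Demo on the two constructed trees: the leaky one is flagged, the filtered one passes.
demo=$(mktemp -d)
build_sample_tree "$demo/leaky" leaky
build_sample_tree "$demo/clean" clean
audit_initrd "$demo/leaky" || echo "leaky tree flagged, as expected"
audit_initrd "$demo/clean" && echo "clean tree passes"
rm -rf "$demo"
```

Run it as `audit_initrd test_1` against the directory the unpack command leaves behind.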

5. source

The homepage for this howto is http://gpl.coulmann.de/ssh_luks_unlock.html. Maybe you like to check out http://gpl.coulmann.de

 

 


Posted by DaveV (75.166.xx.xx) on Wed 6 Feb 2008 at 01:09
First, this is very cool.

But, I think I see a couple minor issues.

1: You filter DESTDIR/etc/passwd to just contain the line for the root account, but you leave the entire DESTDIR/etc/shadow file intact. Congratulations, you just gave up all your password hashes. Filter the group file as much as possible too.

2: You use the same root password as is used inside the encrypted container. What are the odds that many users will use the same password to encrypt/decrypt the container? While this password could be the same as the grub password, it shouldn't be the same as any password used on the inside.

3: You copy your /root/.ssh folder into the initrd. The only reason I can think of doing that is to make your authorized keys file available for passwordless logins. By default SSH stores the public and private keys in the .ssh folder. Including them outside the encrypted container means they could be stolen. I would make sure I was only copying the authorized_keys file and leave everything else behind.

Well that's the quick once over. Overall these issues are very easily addressed, and then I see major potential for this script. I've avoided running encrypted storage for the root partition on remote servers because of the reboot issues. This tool can make those a thing of the past.


Posted by wulf (85.178.xx.xx) on Thu 7 Feb 2008 at 13:50

thanks for review and improvement hints. I'll include them soon and let you know.

Best wishes Wulf++


Posted by mcortese (213.70.xx.xx) on Wed 6 Feb 2008 at 17:18

Sorry if my question sounds naive, but what is the rationale behind encrypting the root partition of a remote system?


Posted by wulf (85.178.xx.xx) on Thu 7 Feb 2008 at 13:57

Well, if you don't have a reason, don't do it.

But if you don't want to give easy access to your data to someone who has physical access to the machine, this may be useful.

Regards Wulf++


Posted by mcortese (213.70.xx.xx) on Fri 8 Feb 2008 at 13:56

Don't take me wrong: I do understand the need to encrypt a data partition.

I am just wondering if the extra effort required to encrypt the root partition is worth it. What is that you want to protect? The passwd file?


Posted by Anonymous (62.131.xx.xx) on Fri 8 Feb 2008 at 16:41
I have been thinking of implementing a non-root encrypted setup which encrypts only the most vital parts (the setup you are describing), but there are various things which must be available on boot which you might like encrypted. One of them is probably /var/log. In that situation you cannot simply move /var/log over to an encrypted partition since dmesg and other logs would fill over the unmounted empty directory when it is not yet mounted. Any solution other than a pre-boot environment would get really ugly in such ways, although it can be done.

Now all we need is some kind of trust profiler to detect tampering with the environment, so that when we log in over SSH, we can know for sure that nothing is sniffing our input (on the machine itself that is). It would be kind of easy to set up a trap for this by emulating the initrd environment in a virtual machine (since this is available with all private keys etc. unencrypted.) But this is too advanced and requires more work I guess.


Posted by gpall (155.207.xx.xx) on Wed 9 Jul 2008 at 10:45
1. /etc/ has a whole bunch of configuration details, maybe passwords in cfg files, firewall rules etc etc, that are better to be known only to you.
2. An unencrypted system means that while you're out of home, someone boots your machine with a live cd and plants you a trojan horse, a keylogger or something of this malicious nature. Then your data partition also is in danger.
3. If my laptop while traveling gets stolen, I feel much better to know that they just have a 3 year old laptop with a hard disk full of random garbage.

my ...3 cents :-P


Posted by mcortese (213.70.xx.xx) on Fri 11 Jul 2008 at 09:13

I may agree, to some extent. If you keep your gmail password in /etc/fetchmail.conf or the WEP key of your preferred wifi network in /etc/network/interfaces, then yes, an encrypted root disk can prevent disclosure of such sensible information.

However I can hardly imagine an attacker who wants to get past your firewall, while he already has physical access to your host!

Indeed, there is little you can do to protect yourself against someone who can play with your hardware while you're away. He can always tamper with your initrd, or rewrite your grub code!


Posted by gpall (155.207.xx.xx) on Fri 11 Jul 2008 at 09:17
> Indeed, there is little you can do to protect yourself against someone who can
> play with your hardware while you're away. He can always tamper with your initrd, or
> rewrite your grub code!

If you're completely paranoid, you don't have an unencrypted boot partition on your laptop, but you're booting from a flash drive which you always keep strapped to your neck :-P


Posted by mcortese (213.70.xx.xx) on Fri 11 Jul 2008 at 12:10

But if you're that paranoid, you shouldn't read this thread about booting via ssh! :-)


Posted by Anonymous (93.197.xx.xx) on Mon 9 Mar 2009 at 19:07
You can guard against tampering of the /boot partition by running tripwire against it from inside the secure installation (on bootup and in regular intervals). If you find that something dodgy has happened, take appropriate measures (depending on the degree of paranoia that is in order you could go so far as to overwrite the entire hard disk with zeroes, leaving no trace evidence whatsoever).

Know that a determined attacker with physical access to a running server can always run a "cold boot" attack (freezing the RAM modules and recovering the encryption key from another machine). Nothing can be done against that.


Posted by Anonymous (85.179.xx.xx) on Tue 11 Sep 2012 at 22:16
Unless you've got a machine that will go down hard when opened. As IBM zSeries and SUN Blades used to do.
Don't know if you still can get that sort of case somewhere, but it might be...


Posted by kroshka (212.110.xx.xx) on Tue 18 Mar 2014 at 20:06
If you decide to have encrypted partitions then you need to encrypt them all, including the swap partition and excluding /boot so you can boot. The reasons should be obvious, the root partition just has too much information and the swap partition could contain the actual key/passphrase you used to decrypt the partitions. Anything less and you could just as well not encrypt anything because you'd have lulled yourself into a false sense of security.


Posted by Anonymous (85.158.xx.xx) on Thu 20 Mar 2014 at 16:38

I take it that you are describing your own setup, although your wording seems to imply that it should be valid for everybody.

While I might agree with you about the swap, I wonder what it exactly is, all this "too much information" that you hold in your root partition. The shadow file? PAP/CHAP secrets in /etc/ppp?

Does breaking into your root partition give a hacker so much more advantage than, for example, tampering with your initrd, that you leave unencrypted in /boot?


Posted by kroshka (143.232.xx.xx) on Thu 20 Mar 2014 at 19:45
It's a minor effort to include the root partition when using encrypted partitions. So, why not? Also as previously mentioned it can have all kinds of valuable information such as logs and configuration files, ssh keys (root account), certificates... A person who breaks in remotely is not what you protect against with encryption, you use this kind of encryption to protect against data being read and (ab)used. Just encrypting /home defeats that purpose. If you're going through the trouble to encrypt partitions it's just best to encrypt every partition possible.


Posted by Anonymous (193.99.xx.xx) on Thu 7 Feb 2008 at 13:39
Very cool article, thank you.
Have you figured out a way to install all of this remotely?
I can boot a rescue system (completely in RAM-disk) to repartition the harddisk etc.


Posted by wulf (85.178.xx.xx) on Thu 7 Feb 2008 at 14:17

If you only have remote access without serial console or something similar this is a little hassle.

One possibility may be to use a random PW for your LUKS partition while you set this up. If you succeed, you change the passphrase. Another possibility may be to prepare the whole setup locally and then only copy the whole installation. But this is theory, I didn't try it, so some hidden traps may show up.

I built this up for a machine I have physical access to, but I also use it from remote. I want to be able to reboot after electricity interruptions, or other reasons for shutdown.

For data processing centers I use a different solution:
My servers are running in xen virtualization and after small changes you can then use 'xm console' to type in your passphrase.

Best wishes Wulf++


Posted by Anonymous (130.126.xx.xx) on Thu 7 Feb 2008 at 16:54
Another method is to create 3 partitions on the hard drive, one for /boot, one for swap, and one for the encrypted root luks/lvm combination.

Then install a minimal (unencrypted) debian to the swap space. Then log in to this debian, set up the luks partition, set up lvm, and use debootstrap to install a second copy of debian in the encrypted container.

Then boot into the encrypted container, then wipe the swap partition
dd if=/dev/urandom of=/dev/hda2 whatever...
and then set up an encrypted swap space in /etc/crypttab. Make the swap space use /dev/urandom as a key.

This way, everything is encrypted in the end, but you have an intermediate install that allows you to configure the encrypted root and boot drives before you actually boot into them for the first time.


Posted by Anonymous (79.2.xx.xx) on Sat 9 Feb 2008 at 13:45
hi
I am trying to do this in Ubuntu 7.10 with encrypted root but I get this error

root@server:~# mkinitramfs -o my_init_name
/etc/initramfs-tools/hooks/dropbear: 31: source: not found
/etc/initramfs-tools/hooks/dropbear: 45: copy_exec: not found
/etc/initramfs-tools/hooks/dropbear: 46: copy_exec: not found
/etc/initramfs-tools/hooks/dropbear: 47: copy_exec: not found
/etc/initramfs-tools/hooks/dropbear: 50: copy_exec: not found
/etc/initramfs-tools/hooks/dropbear: 51: copy_exec: not found
/etc/initramfs-tools/hooks/dropbear: 52: copy_exec: not found
/etc/initramfs-tools/hooks/dropbear: 53: copy_exec: not found
/etc/initramfs-tools/hooks/dropbear: 172: cannot create /tmp/mkinitramfs_j12372/usr/bin/unlock: Directory nonexistent
chmod: impossibile accedere a `/tmp/mkinitramfs_j12372/usr/bin/unlock': Nessun file o directory
cpio: ./etc/dropbear/log/main: Cannot stat: Nessun file o directory
cpio: ./etc/dropbear/log/supervise: Cannot stat: Nessun file o directory
cpio: ./etc/dropbear/supervise: Cannot stat: Nessun file o directory

I have checked line 31:
source /usr/share/initramfs-tools/hook-functions

After that I have checked my path
root@server:~# cd /usr/share/initramfs-tools/
root@server:/usr/share/initramfs-tools# ls -al
drwxr-xr-x 7 root root 4096 2008-02-08 20:19 .
drwxr-xr-x 119 root root 4096 2008-02-08 22:10 ..
drwxr-xr-x 2 root root 4096 2007-10-04 16:59 conf.d
drwxr-xr-x 2 root root 4096 2008-02-08 20:19 conf-hooks.d
-rw-r--r-- 1 root root 7327 2007-10-02 14:39 hook-functions
drwxr-xr-x 2 root root 4096 2008-02-08 20:44 hooks
-rwxr-xr-x 1 root root 3295 2007-07-30 16:41 init
-rw-r--r-- 1 root root 191 2006-12-22 00:32 modules
drwxr-xr-x 2 root root 4096 2007-10-04 16:59 modules.d
drwxr-xr-x 12 root root 4096 2008-02-08 20:18 scripts

the file hook-functions exist!!



Posted by wulf (85.178.xx.xx) on Sat 9 Feb 2008 at 23:06

hoppala ...

Yes, I invoked /bin/sh, but it should be /bin/bash ...
On debian /bin/sh is a symlink to /bin/bash so it works. I don't know the handling in Ubuntu with that, but if you change the first line of the script from:
#!/bin/sh
to
#!/bin/bash
it should work. Don't change the invocations inside the script.

Also be aware, that
sudo -i
gives you full root environment while
sudo -s
only change to uid 0.

wishing success
Wulf++


Posted by Anonymous (79.2.xx.xx) on Sun 10 Feb 2008 at 20:34
hey thanx!
now I have changed
#!/bin/sh
to
#!/bin/bash

and it seems to work!!
But now I get this error
root@server:~# mkinitramfs -o initrdssh
/etc/initramfs-tools/hooks/dropbear: line 171: /tmp/mkinitramfs_jH4674/usr/bin/unlock: Nessun file o directory
chmod: impossibile accedere a `/tmp/mkinitramfs_jH4674/usr/bin/unlock': Nessun file o directory

Seems Ubuntu doesn't have the file unlock in /usr/bin
root@server:~# cd /usr/bin/
root@server:/usr/bin# ls -al un*
-rwxr-xr-x 1 root root 18180 2007-09-29 14:51 unexpand
-rwxr-xr-x 1 root root 1538 2007-09-29 15:02 unicode_start
-rwxr-xr-x 1 root root 1003 2007-09-29 15:02 unicode_stop
-rwxr-xr-x 1 root root 20752 2007-09-29 14:51 uniq
-rwxr-xr-x 1 root root 12608 2007-09-29 14:51 unlink

Did I miss installing a package?



Posted by Anonymous (88.70.xx.xx) on Wed 20 Feb 2008 at 21:11
/tmp/${DESTDIR}/usr/bin/unlock doesn't get created. I added /usr/bin to the DIRS variable to fix this.


Posted by Anonymous (89.245.xx.xx) on Thu 20 Mar 2008 at 14:31
First of all, the whole thing is very cool. I was looking for a solution to this for a long time.

But when I boot up, I get this output:

"
mount: Mounting none on /sys failed: Device or resource busy
mount: Mounting none on /proc failed: Device or resource busy

e100: eth0: e100_watchdog: link up, 100Mbps, full-duplex

/scipts/local-top/network_ssh: /scripts/local-top/network_ssh: 54: /usr/sbin/dropbear: not found

Type ok and press enter to put in passphrase:
"


I can ping the computer, so the network seems to work.
It might be a problem with dropbear, but I don't have any idea how to solve it.


Posted by Anonymous (85.177.xx.xx) on Tue 25 Mar 2008 at 21:18
Got exactly the same problem with debian etch


Posted by Anonymous (88.134.xx.xx) on Wed 11 Jun 2008 at 16:50
proc and sys seem to be there nevertheless. (on Etch)

I guess you can just ignore it or remove the appropriate mount commands from /etc/initramfs-tools/hooks/dropbear when creating the ramdisk.


Posted by Anonymous (84.115.xx.xx) on Thu 20 Mar 2008 at 20:21
I changed the script a little and got it working.
I'll do a few more changes tomorrow to improve the security of the whole thing.

The script is attached, I hope it works for you folks.

cheers,
sacred

#!/bin/bash

# We add dropbear to the initrd to be able to mount crypto partitions from remote


PREREQ=""
prereqs()
{
     echo "$PREREQ"
}

case $1 in
prereqs)
     prereqs
     exit 0
     ;;
esac

# Begin real processing below this line

# copyright Wulf Coulmann
# GNU GPL
# http://www.gnu.org/licenses/gpl.html
#
# Download me here: http://gpl.coulmann.de/dropbear
# get infos about this script here:
# http://gpl.coulmann.de/ssh_luks_unlock.html


# load the prepared functions of Debian's initramfs environment
source /usr/share/initramfs-tools/hook-functions


# build the directories
DIRS='/usr/bin/ /usr/sbin/ /proc/ /root/ /var/ /var/run/'

for now in $DIRS ; do
    if [ ! -e ${DESTDIR}$now ]
    then
       mkdir -p ${DESTDIR}$now
    fi
done

# copy the main ssh-daemon including libraries
copy_exec /usr/sbin/dropbear /usr/sbin/
copy_exec /usr/bin/passwd /usr/bin/
copy_exec /bin/login /bin/
copy_exec /usr/bin/killall /usr/bin/
copy_exec /sbin/route /sbin/
copy_exec /usr/bin/awk /usr/bin/


# some libraries not auto-included by copy_exec
copy_exec /lib/libnss_compat.so.2 /lib/
copy_exec /usr/lib/libz.so.1 /usr/lib/
copy_exec /etc/ld.so.cache /etc/
copy_exec /lib/libutil.so.1 /lib/


# we copy config and key files
cp -pr /etc/dropbear ${DESTDIR}/etc/
cp -pr /etc/passwd ${DESTDIR}/etc/          # quick and dirty, to keep file attributes
cp -pr /etc/shadow ${DESTDIR}/etc/
cp -pr /etc/group ${DESTDIR}/etc/
cp -pr /root/.ssh ${DESTDIR}/root/
cp -pr /etc/nsswitch.conf ${DESTDIR}/etc/
cp -pr /etc/localtime ${DESTDIR}/etc/

# we don't have bash in our initrd
# also we only add the root account (passwd, shadow and group are all reduced to it)
cat /etc/passwd | grep root | sed s/\\/bash/\\/sh/ > ${DESTDIR}/etc/passwd
cat /etc/shadow | grep root | sed s/\\/bash/\\/sh/ > ${DESTDIR}/etc/shadow
cat /etc/group  | grep root | sed s/\\/bash/\\/sh/ > ${DESTDIR}/etc/group


# the blocker script to request input action before running cryptroot
# this lets us run cryptroot on the local terminal or inside ssh
# dirty but effective
cat >${DESTDIR}/scripts/local-top/cryptroot_block << 'EOF'
#!/bin/sh
PREREQ="network_ssh"
prereqs()
{
     echo "$PREREQ"
}

case $1 in
prereqs)
     prereqs
     exit 0
     ;;
esac

# Begin real processing below this line

echo Type "ok" and press enter to put in passphrase:

INPUT='wait'

while [ $INPUT != 'ok' ] ; do
 read INPUT
done

EOF
chmod 700 ${DESTDIR}/scripts/local-top/cryptroot_block


cat >${DESTDIR}/scripts/local-top/network_ssh << 'EOF'
#!/bin/sh

# we start the network and ssh-server


PREREQ=""
prereqs()
{
     echo "$PREREQ"
}

case $1 in
prereqs)
     prereqs
     exit 0
     ;;
esac

# Begin real processing below this line


# build up helpful environment
[ -d /dev ] || mkdir -m 0755 /dev
[ -d /root ] || mkdir --mode=0700 /root
[ -d /sys ] || mkdir /sys
[ -d /proc ] || mkdir /proc
[ -d /tmp ] || mkdir /tmp
mkdir -p /var/lock
mount -t sysfs -o nodev,noexec,nosuid none /sys
mount -t proc -o nodev,noexec,nosuid none /proc

mkdir /dev/pts
mount -t devpts -o gid=5,mode=620 /dev/pts /dev/pts

# the network setup: edit ip address and gateway to your needs
ifconfig eth0 10.17.201.212 netmask 255.255.255.0
/sbin/route add default gw 10.17.201.1
# If you like to use dhcp make sure you include dhclient or pump in
# /etc/initramfs-tools/hooks/dropbear via
#     copy_exec /sbin/dhclient


# for debugging the ssh-server you may run it in the foreground
#      /usr/sbin/dropbear -E -F
# for more debugging you may run it with strace
# therefore you have to include strace and nc at the top of
# /etc/initramfs-tools/hooks/dropbear via
#     copy_exec /usr/bin/strace
#     copy_exec /usr/bin/nc
# then start nc on another host and run
#     /usr/sbin/dropbear -E -F  2>&1 | /bin/nc -vv <ip of other host> <nc port of other host>
#     e.g.:
#     /usr/sbin/dropbear -E -F  2>&1 | /bin/nc -vv 192.168.1.2 8888
/usr/sbin/dropbear -b /etc/dropbear/banner
EOF
chmod 700 ${DESTDIR}/scripts/local-top/network_ssh


cat >${DESTDIR}/etc/dropbear/banner << 'EOF'

     To unlock root-partition run
        unlock


EOF


# script to unlock luks via ssh
# dirty but effective
cat >${DESTDIR}/usr/bin/unlock << 'EOF'
#!/bin/sh

/bin/sh /scripts/local-top/cryptroot && mv /scripts/local-top/cryptroot /root && kill `ps | grep cryptroot_block | grep -v grep | /usr/bin/awk '{ print $1 }'`

EOF
chmod 700 ${DESTDIR}/usr/bin/unlock

# make sure we exit dropbear at the end of the startup process
cat >${DESTDIR}/scripts/local-bottom/rm_dropbear << 'EOF'
#!/bin/sh
PREREQ=""
prereqs()
{
     echo ""
}

case $1 in
prereqs)
     prereqs
     exit 0
     ;;
esac

# Begin real processing below this line
# we kill the dropbear ssh-server

/usr/bin/killall dropbear

EOF
chmod 700 ${DESTDIR}/scripts/local-bottom/rm_dropbear


Posted by Anonymous (89.245.xx.xx) on Fri 21 Mar 2008 at 10:51
Using parts of the script you posted, I finally solved my dropbear problem. However, I get those two errors while booting:

mount: Mounting none on /sys failed: Device or resource busy
mount: Mounting none on /proc failed: Device or resource busy

I don't know what the problem might be.

Thanks.


Posted by Anonymous (84.58.xx.xx) on Thu 27 Mar 2008 at 15:09
Using your script I get two errors when trying to create the initrd:

/usr/sbin/mkinitramfs: 241: /etc/initramfs-tools/hooks/dropbear: not found
/usr/sbin/mkinitramfs: 1: /etc/initramfs-tools/hooks/dropbear: not found

I can't figure out why.
Any ideas?

Best regards,
Georg


Posted by Anonymous (84.58.xx.xx) on Thu 27 Mar 2008 at 16:58
Ok, I had to change the standard shell from dash to bash. That solved my problem.
Now, I also have these errors:

mount: Mounting none on /sys failed: Device or resource busy
mount: Mounting none on /proc failed: Device or resource busy


Posted by Anonymous (85.177.xx.xx) on Fri 28 Mar 2008 at 02:52
me too, fiddling around with this but couldn't solve it :/


Posted by synapseattack (66.95.xx.xx) on Thu 24 Apr 2008 at 01:45
Has anyone had any luck with this? I am using 7.10 Server of Ubuntu and I am getting the same /proc and /sys error:
But also right after that I am getting others.

mount: Mounting none on /sys failed: Device or resource busy
mount: Mounting none on /proc failed: Device or resource busy
SIOCSIFADDR: No such device
SIOCSIFNETMASK: No such device
SIOCSADDRT: No such process
Type ok and press enter to put in passphrase:

I can not ping the static IP I set in the dropbear or SSH to it. I'm guessing that SIOCSIFADDR is the network device and because it is not seen I am not able to set the IP. Any suggestions or help would be great. I am also crossposting in ubuntuforums.org's Server Platforms section since I am doing this on Ubuntu.

[ Parent | Reply to this comment ]

Posted by eule (62.154.xx.xx) on Thu 15 May 2008 at 12:51
Hi everyone,

I am trying to set this up under Ubuntu Server (Hardy 8.04) and I always get this error:

sudo mkinitramfs -o initrd.img-2.6.24-16-server
/etc/initramfs-tools/hooks/dropbear: line 40: ${DE STDIR}$now: bad substitution
ln: target `/tmp/mkinitramfs_O28885//usr/sbin/' is not a directory: No such file or directory
ln: target `/tmp/mkinitramfs_O28885//usr/bin/' is not a directory: No such file or directory
ln: target `/tmp/mkinitramfs_O28885//usr/bin/' is not a directory: No such file or directory
ln: target `/tmp/mkinitramfs_O28885//usr/bin/' is not a directory: No such file or directory
cp: cannot stat `/root/.ssh': No such file or directory
/etc/initramfs-tools/hooks/dropbear: line 69: syntax error near unexpected token `;'
/etc/initramfs-tools/hooks/dropbear: line 69: `cat /etc/passwd | grep root | ;sed s/\\/bash/\\/sh/ > ${DESTDIR}/etc/passwd'
cpio: ./etc/dropbear/log/main: Cannot stat: No such file or directory
cpio: ./etc/dropbear/log/supervise: Cannot stat: No such file or directory


I would be really grateful for any help... or alternatives.

cheers,

eule

[ Parent | Reply to this comment ]

Posted by eule (62.154.xx.xx) on Thu 15 May 2008 at 13:19
OK, I solved the dirs problem; it narrows down to this problem now:


cp: cannot stat `/root/.ssh': No such file or directory
/etc/initramfs-tools/hooks/dropbear: line 72: syntax error near unexpected token `;'
/etc/initramfs-tools/hooks/dropbear: line 72: `cat /etc/passwd | grep root | ;sed s/\\/bash/\\/sh/ > ${DESTDIR}/etc/passwd'



Thanks for your help,

eule

[ Parent | Reply to this comment ]

Posted by eule (62.154.xx.xx) on Thu 15 May 2008 at 13:36
OK, it boiled down to:

cp: cannot stat `/root/.ssh': No such file or directory


--> the rest were just noob mistakes ;-) I am pretty new to Linux :-)

[ Parent | Reply to this comment ]

Posted by eule (62.154.xx.xx) on Thu 15 May 2008 at 14:29
me again :-)

It's booting but I got a major problem:


Server refused our key
xxxxxxxxxxxxx's password:

It says the server refused the key though it did work before, and it also rejects my password.

The only thing I changed in the script is that I pointed it to /home/user/.ssh/ because in /root there was no .ssh folder and all my keys and authorized keys are in that folder...

[ Parent | Reply to this comment ]

Posted by Anonymous (91.156.xx.xx) on Fri 2 May 2008 at 18:00
Here is a slightly modified version of the script. /dev/random got blocked on my machine and that is the reason why dropbear didn't respond. I changed /dev/random into a symlink pointing to /dev/urandom and now this script works, at least on Debian Etch. Remote unlocking of cryptroot will probably be implemented in Lenny: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=465901


#!/bin/bash

# We add dropbear to the initrd to be able to
# mount encrypted partitions from remote

# copyright Wulf Coulmann
# GNU GPL
# http://www.gnu.org/licenses/gpl.html
#
# Download me here: http://gpl.coulmann.de/dropbear
# get infos about this script here:
# http://gpl.coulmann.de/ssh_luks_unlock.html
#
# Modified by Anonymous 2008

### INSTRUCTIONS FOR DEBIAN ETCH ###
# 1. Install killall, busybox and dropbear:
#    ~# apt-get install psmisc busybox dropbear
# 2. Edit network configuration below and copy contents
#    of this file to /etc/initramfs-tools/hooks/dropbear
# 3. Make it executable:
#    ~# chmod +x /etc/initramfs-tools/hooks/dropbear
# 4. Create new initrd:
#    ~# mkinitramfs -o /boot/my_name_of_the_initrd
# 5. Edit /boot/grub/menu.lst and add your new initrd as the first entry
# 6. ???
# 7. Profit!


PREREQ=""
prereqs()
{
     echo "$PREREQ"
}

case $1 in
prereqs)
     prereqs
     exit 0
     ;;
esac

# Begin real processing below this line

# load the prepared functions of debian's initramfs environment
source /usr/share/initramfs-tools/hook-functions

# build the directories (the scripts/ dirs normally exist already,
# creating them here just keeps the heredocs below from failing)
DIRS='/usr/bin /usr/sbin/ /proc/ /root/.ssh/ /var/ /var/run/ /etc/dropbear/ /scripts/local-top/ /scripts/local-bottom/'

for now in $DIRS ; do
    if [ ! -e ${DESTDIR}$now ]
    then
       mkdir -p ${DESTDIR}$now
    fi
done

# copy the ssh-daemon and libraries
copy_exec /usr/sbin/dropbear /usr/sbin/
copy_exec /usr/bin/passwd /usr/bin/
copy_exec /bin/login /bin/
copy_exec /usr/bin/killall /usr/bin/
copy_exec /sbin/route /sbin/
copy_exec /usr/bin/awk /usr/bin/

# some libraries are not autoincluded by copy_exec
copy_exec /lib/libnss_compat.so.2 /lib/
copy_exec /usr/lib/libz.so.1 /usr/lib/
copy_exec /etc/ld.so.cache /etc/
copy_exec /lib/libutil.so.1 /lib/

# we copy config and key files
cp -pr /etc/dropbear/dropbear_dss_host_key ${DESTDIR}/etc/dropbear/
cp -pr /etc/dropbear/dropbear_rsa_host_key ${DESTDIR}/etc/dropbear/
cp -pr /etc/passwd ${DESTDIR}/etc/
cp -pr /etc/shadow ${DESTDIR}/etc/
cp -pr /etc/group ${DESTDIR}/etc/
if [ -e /root/.ssh/authorized_keys ]
then
  cp -pr /root/.ssh/authorized_keys ${DESTDIR}/root/.ssh/
fi
cp -pr /etc/nsswitch.conf ${DESTDIR}/etc/
cp -pr /etc/localtime ${DESTDIR}/etc/

# we don't have bash in our initrd
# also we only add the root account: the full copies above are overwritten
# here. Match the start of the line; a bare "grep root" would also pull in
# any other account whose name or gecos field contains "root".
# NOTE: the initrd lives on the unencrypted /boot, so the root password
# hash copied here can be read offline; prefer key-only logins via
# authorized_keys.
grep '^root:' /etc/passwd | sed s/\\/bash/\\/sh/ > ${DESTDIR}/etc/passwd
grep '^root:' /etc/shadow > ${DESTDIR}/etc/shadow
grep '^root:' /etc/group > ${DESTDIR}/etc/group

cat >${DESTDIR}/scripts/local-top/network_ssh << 'EOF'
#!/bin/sh

# we start the network and ssh-server

PREREQ=""
prereqs()
{
     echo "$PREREQ"
}

case $1 in
prereqs)
     prereqs
     exit 0
     ;;
esac

# Begin real processing below this line

# build up helpful environment
[ -d /dev ]  || mkdir -m 0755 /dev
[ -d /root ] || mkdir -m 0700 /root
[ -d /tmp ]  || mkdir /tmp
[ -d /sys ]  || {
  mkdir /sys
  mount -t sysfs -o nodev,noexec,nosuid none /sys
}
[ -d /proc ] || {
  mkdir /proc
  mount -t proc -o nodev,noexec,nosuid none /proc
}

mkdir -p /var/lock
mkdir -p /var/log
touch /var/log/lastlog
mkdir /dev/pts
mount -t devpts -o gid=5,mode=620 /dev/pts /dev/pts


################# CHANGE THE LINES BELOW #################
# The network setup: edit ip address and gateway to match your needs
ifconfig eth0 192.168.0.5 netmask 255.255.255.0
route add default gw 192.168.0.1
################# CHANGE THE LINES ABOVE #################


# If you like to use dhcp make sure you include dhclient or pump in
# /etc/initramfs-tools/hooks/dropbear via
#     copy_exec /sbin/dhclient


# for debugging ssh-server you may run it in foreground
#      /usr/sbin/dropbear -E -F
# for more debugging you may run it with strace
# therefore you have to include strace and nc at top of
# /etc/initramfs-tools/hooks/dropbear via
#     copy_exec /usr/bin/strace
#     copy_exec /usr/bin/nc
# then start nc on another host and run
#     /usr/sbin/dropbear -E -F 2>&1 | /bin/nc -vv <ip of other host> <nc port of other host>
#     e.g.:
#     /usr/sbin/dropbear -E -F 2>&1 | /bin/nc -vv 192.168.1.2 8888

# We will use /dev/urandom because /dev/random gets easily blocked:
# right after boot the kernel entropy pool is nearly empty, so a read from
# /dev/random stalls dropbear before it can answer. urandom never blocks,
# at the price of early session keys being drawn from a barely seeded pool.
mv /dev/random /dev/random.old
ln -s /dev/urandom /dev/random
/usr/sbin/dropbear -b /etc/dropbear/banner -d /etc/dropbear/dropbear_dss_host_key -r /etc/dropbear/dropbear_rsa_host_key -p 22
rm -f /dev/random
mv /dev/random.old /dev/random
EOF
chmod 700 ${DESTDIR}/scripts/local-top/network_ssh

cat >${DESTDIR}/etc/dropbear/banner << 'EOF'

     To unlock root-partition run
        unlock

EOF

# script to unlock luks via ssh
# dirty but effective
cat >${DESTDIR}/usr/bin/unlock << 'EOF'
#!/bin/sh

/bin/sh /scripts/local-top/cryptroot

# Kill processes locking boot process
[ `ls /dev/mapper/ | grep -v control | wc -l | awk '{print $1}'` -gt 0 ] && {
  for i in `ps | grep -E "cryptroot|cryptsetup" | awk '{ print $1 }'`
  do
    kill $i
  done
}
EOF

chmod 700 ${DESTDIR}/usr/bin/unlock

# make sure we exit dropbear at the end of the startup process
cat >${DESTDIR}/scripts/local-bottom/rm_dropbear << 'EOF'
#!/bin/sh
PREREQ=""

prereqs()
{
     echo ""
}

case $1 in
prereqs)
     prereqs
     exit 0
     ;;
esac

# Begin real processing below this line
# we kill dropbear ssh-server

/usr/bin/killall dropbear

EOF
chmod 700 ${DESTDIR}/scripts/local-bottom/rm_dropbear

[ Parent | Reply to this comment ]

Posted by Anonymous (91.156.xx.xx) on Fri 2 May 2008 at 18:12
I did use the code tags but the source code got broken anyway. So here is the rapidshare link to the modified script.
http://rapidshare.com/files/112034136/dropbear.html

[ Parent | Reply to this comment ]

Posted by Anonymous (130.117.xx.xx) on Fri 23 May 2008 at 09:12
I have a problem authenticating myself in the dropbear shell.
It tells me that the root user doesn't exist; I 'cat' /etc/passwd and root's entry is there ... as in /etc/passwd.

any idea ?

[ Parent | Reply to this comment ]

Posted by Anonymous (130.117.xx.xx) on Mon 26 May 2008 at 10:33
I needed to add the tls library to make the dropbear shell work.
cp -rp /lib/tls /lib/

[ Parent | Reply to this comment ]

Posted by Anonymous (130.117.xx.xx) on Mon 26 May 2008 at 11:00
The script that works on Debian :)
For any questions: geoffroy {dot} rabouin (at] gmail dot ]com]

#!/bin/bash

# We add dropbear to the initrd to be able
# mount crypted partitions from remote

# copyright Wulf Coulmann
# GNU GPL
# http://www.gnu.org/licenses/gpl.html
#
# Download me here: http://gpl.coulmann.de/dropbear
# get infos about this script here:
# http://gpl.coulmann.de/ssh_luks_unlock.html
#
# Modified by Anonymous 2008
# Modified By Geoffroy RABOUIN 26/05/2008

### INSTRUCTIONS FOR DEBIAN ETCH ###
# 1. Install killall, busybox and dropbear:
# ~# apt-get install psmisc busybox dropbear
# 2. Edit network configuration below and copy contents
# of this file to /etc/initramfs-tools/hooks/dropbear
# 3. Make it executable:
# ~# chmod +x /etc/initramfs-tools/hooks/dropbear
# 4. Create new initrd:
# ~# mkinitramfs -o /boot/my_name_of_the_initrd
# 5. Edit /boot/grub/menu.lst and add your new initrd as the first entry
# 6. ???
# 7. Profit!


PREREQ=""
prereqs()
{
echo "$PREREQ"
}

case $1 in
prereqs)
prereqs
exit 0
;;
esac

# Begin real processing below this line

# load the prepared functions of debians initramfs enviroment
source /usr/share/initramfs-tools/hook-functions

# build the directories
DIRS='/lib /bin /usr/bin /usr/sbin/ /proc/ /root/.ssh/ /var/ /var/run/ /etc/dropbear/'
for now in $DIRS ; do
if [ ! -e ${DESTDIR}$now ]
then
mkdir -p ${DESTDIR}$now
fi
done

# copy the ssh-daemon and librarys
copy_exec /usr/sbin/dropbear /usr/sbin/
copy_exec /usr/bin/passwd /usr/bin/
copy_exec /bin/login /bin/
copy_exec /usr/bin/killall /usr/bin/
copy_exec /sbin/route /sbin/
copy_exec /usr/bin/awk /usr/bin/
#copy_exec /usr/bin/strace /usr/bin/
#copy_exec /bin/nc /bin/

# some librarys are not autoincluded by copy_exec
copy_exec /lib/libnss_compat.so.2 /lib/
copy_exec /usr/lib/libz.so.1 /usr/lib/
copy_exec /etc/ld.so.cache /etc/
copy_exec /lib/libutil.so.1 /lib/

# we copy config and key files
cp -pr /etc/dropbear/dropbear_dss_host_key ${DESTDIR}/etc/dropbear/
cp -pr /etc/dropbear/dropbear_rsa_host_key ${DESTDIR}/etc/dropbear/
cp -pr /etc/passwd ${DESTDIR}/etc/
cp -pr /etc/shadow ${DESTDIR}/etc/
cp -pr /etc/group ${DESTDIR}/etc/
if [ -e /root/.ssh/authorized_keys ]
then
cp -pr /root/.ssh/authorized_keys ${DESTDIR}/root/.ssh/
fi
cp -pr /etc/nsswitch.conf ${DESTDIR}/etc/
cp -pr /etc/localtime ${DESTDIR}/etc/
cp -pr /lib/tls ${DESTDIR}/lib/
# we don't have bash in our initrd
# also we only add the root account
cat /etc/passwd | grep root | sed s/\\/bash/\\/sh/ > ${DESTDIR}/etc/passwd
cat /etc/shadow | grep root > ${DESTDIR}/etc/shadow
cat /etc/group | grep root > ${DESTDIR}/etc/group

cat >${DESTDIR}/scripts/local-top/network_ssh << 'EOF'
#!/bin/sh

# we start the network and ssh-server

PREREQ=""
prereqs()
{
echo "$PREREQ"
}

case $1 in
prereqs)

prereqs
exit 0
;;
esac

# Begin real processing below this line

# build up helpful environment
[ -d /dev ] || mkdir -m 0755 /dev
[ -d /root ] || mkdir --mode=0700 /root
[ -d /tmp ] || mkdir /tmp
[ -d /sys ] || {
mkdir /sys
mount -t sysfs -o nodev,noexec,nosuid none /sys
}
[ -d /proc ] || {
mkdir /proc
mount -t proc -o nodev,noexec,nosuid none /proc

}

mkdir -p /var/lock
mkdir -p /var/log
touch /var/log/lastlog
mkdir /dev/pts
mount -t devpts -o gid=5,mode=620 /dev/pts /dev/pts


################# CHANGE THE LINES BELOW #################
# The network setup: edit ip address and gateway to match your needs
ifconfig eth0 192.168.17.133 netmask 255.255.255.0
route add default gw 192.168.17.1
################# CHANGE THE LINES ABOVE #################


# If you like to use dhcp make sure you include dhclient or pump in
# /etc/initramfs-tools/hooks/dropbear via
# copy_exec /sbin/dhclient


# for debugging ssh-server you may run it in forgound
# /usr/sbin/dropbear -E -F
# for more debugging you may run it with strace
# therfor you have to include strace and nc at top of
# /etc/initramfs-tools/hooks/dropbear via
# copy_exec /usr/bin/strace
# copy_exec /usr/bin/nc
# then start nc on an other host and run
# /usr/sbin/dropbear -E -F 2>&1 | /bin/nc -vv <ip of other host> <nc port of other host>
# e.g.:
# /usr/sbin/dropbear -E -F 2>&1 | /bin/nc -vv 192.168.1.2 8888

# We will use /dev/urandom because /dev/random gets easily blocked
mv /dev/random /dev/random.old
ln -s /dev/urandom /dev/random
/usr/sbin/dropbear -E -F -b /etc/dropbear/banner -d /etc/dropbear/dropbear_dss_host_key -r /etc/dropbear/dropbear_rsa_host_key -p 22
ls -al
rm -f /dev/random
mv /dev/random.old /dev/random
EOF
chmod 700 ${DESTDIR}/scripts/local-top/network_ssh

cat >${DESTDIR}/etc/dropbear/banner << 'EOF'

To unlock root-partition run
unlock


EOF

# script to unlock luks via ssh
# dirty but effektive
cat >${DESTDIR}/usr/bin/unlock << 'EOF'
#!/bin/sh

/bin/sh /scripts/local-top/cryptroot

# Kill processes locking boot process
[ `ls /dev/mapper/ | grep -v control| wc -l | awk '{print $1}'` -gt 0 ] && {
for i in `ps | grep -E "cryptroot|cryptsetup" | awk '{ print $1 }'`
do
kill $i
done
}
/bin/sh /scripts/local-bottom/rm_dropbear
EOF

chmod 700 ${DESTDIR}/usr/bin/unlock

# make sure we exit dropbear at the end of the startup process
cat >${DESTDIR}/scripts/local-bottom/rm_dropbear << 'EOF'
#!/bin/sh
PREREQ=""

prereqs()
{
echo ""
}

case $1 in
prereqs)

prereqs
exit 0
;;
esac

# Begin real processing below this line
# we kill dropbear ssh-server

/usr/bin/killall dropbear

EOF
chmod 700 ${DESTDIR}/scripts/local-bottom/rm_dropbear

[ Parent | Reply to this comment ]

Posted by Anonymous (82.56.xx.xx) on Thu 17 Jul 2008 at 12:15
I ran the script on a Debian system and this is what I receive at the prompt:

: No such file or directory
: No such file or directory

The initrd is created, but if I reboot using it, it continues to ask for the LUKS password.

Any idea how I can debug this?

Thanks

[ Parent | Reply to this comment ]

Posted by Anonymous (24.108.xx.xx) on Mon 15 Sep 2008 at 14:40
Don't use this version of the script that this comment is under. I posted it and it is full of trailing spaces which will give you headaches because the EOFs won't be recognized. Sorry about that.

[ Parent | Reply to this comment ]

Posted by Anonymous (85.177.xx.xx) on Sun 25 May 2008 at 19:26
Thanks for sharing your modifications. Works great with Ubuntu 8.04 Server!
I only had to change the following things: add "copy_exec /usr/bin/wc /usr/bin" to get wc working, and add "/bin/sleep 5" before the ifconfig setup to get rid of the following errors:

SIOCSIFADDR: No such device
SIOCSIFNETMASK: No such device
SIOCSADDRT: No such process

[ Parent | Reply to this comment ]
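The fixed `/bin/sleep 5` above works because the NIC driver usually registers eth0 within those seconds, but it is a race: on slow hardware the `SIOCSIFADDR: No such device` errors come back, and on fast hardware five seconds are wasted on every boot. The following is an added example, not code from the comment or from wulf's script, of a bounded wait on `/sys/class/net` that can replace the `sleep` and the hard-coded `ifconfig`/`route` lines in the `network_ssh` script. The `SYSFS_NET` argument exists only so the function can be tried against a scratch directory; the interface name, address and timeout are assumptions.

```shell
#!/bin/sh
# Added example for the initramfs network_ssh script (not from the page).
# The interface only exists once udev/module loading has registered it,
# so wait for the sysfs entry instead of sleeping a fixed time.

# wait_for_iface NAME [TIMEOUT_SECONDS] [SYSFS_NET]
# returns 0 as soon as the interface exists, 1 on timeout.
# SYSFS_NET defaults to /sys/class/net; it is a parameter only so the
# function can be exercised against a scratch directory.
wait_for_iface() {
    iface=$1
    timeout=${2:-30}
    sysfs=${3:-/sys/class/net}
    i=0
    while [ ! -e "$sysfs/$iface" ]; do
        i=$((i + 1))
        if [ "$i" -gt "$timeout" ]; then
            echo "wait_for_iface: $iface did not appear within ${timeout}s" >&2
            return 1
        fi
        sleep 1      # busybox sleep takes whole seconds
    done
    return 0
}

# configure_net NAME ADDRESS NETMASK GATEWAY
# replacement for the "sleep 5; ifconfig ...; route ..." lines.
# On timeout it gives up on the remote unlock instead of wedging the
# boot; the local console prompt from cryptroot still works.
configure_net() {
    if ! wait_for_iface "$1" 30; then
        echo "no $1, skipping remote unlock; use the console" >&2
        return 1
    fi
    ifconfig "$1" "$2" netmask "$3" || return 1
    route add default gw "$4" || return 1
}

# assumed values; in network_ssh this is the only line you edit
if [ -n "${INITRAMFS_NET_SETUP:-}" ]; then
    configure_net eth0 192.168.0.5 255.255.255.0 192.168.0.1
fi
```

Set `INITRAMFS_NET_SETUP=1` (or simply call `configure_net` directly) when pasting this into `network_ssh`; the guard only keeps the file from touching interfaces when it is sourced for testing.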

Posted by Anonymous (24.108.xx.xx) on Sat 30 Aug 2008 at 12:49
Unlocking a LUKS encrypted root partition via ssh

From:
http://www.debian-administration.org/articles/579

Which is based on:
http://gpl.coulmann.de/ssh_luks_unlock.html

Worked on:
Debian Lenny Beta2 -30Aug2008

/etc/initramfs-tools/hooks/dropbear script:
==================================================================

#!/bin/bash

# We add dropbear to the initrd to be able
# mount crypted partitions from remote

# copyright Wulf Coulmann
# GNU GPL
# http://www.gnu.org/licenses/gpl.html
#
# Download me here: http://gpl.coulmann.de/dropbear
# get infos about this script here:
# http://gpl.coulmann.de/ssh_luks_unlock.html
#
# Modified by Anonymous 2008
# Modified By Geoffroy RABOUIN 26/05/2008
# Modified with poor formatting by Anonymous 30Aug2008 (please fix!)

# !!modified instructions
### INSTRUCTIONS FOR DEBIAN ETCH ###
# 1. Install killall, busybox and dropbear:
# ~# aptitude install psmisc busybox dropbear linux-headers-`uname -r`
## make it not start automatically (openssh instead of this)
# ~# update-rc.d -f dropbear remove
# 2. Edit network configuration below (IP address, etc) and copy contents
# of this file to /etc/initramfs-tools/hooks/dropbear
# 3. Make it executable:
# ~# chmod +x /etc/initramfs-tools/hooks/dropbear
# 4. Create new initrd:
# ~# mkinitramfs -v -o /boot/my_name_of_the_initrd
# !!check the output to make sure that the /lib/modules/`uname -r`/kernel/drivers/net network module(s) loaded
# if not, find your drivers in that directory, and do these things:
# edit /etc/initramfs-tools/initramfs.conf
# change MODULES= ? to MODULES=list
# change DEVICE= ? to DEVICE=eth0 ..or eth1, etc.
# ( you can check for the right 'ethX' in /etc/udev/rules.d/70-persistent-net.rules )
# 5. Edit /boot/grub/menu.lst and add your new initrd as the first entry
# 6. ???
# 7. Profit!


PREREQ=""
prereqs()
{
echo "$PREREQ"
}

case $1 in
prereqs)
prereqs
exit 0
;;
esac

# Begin real processing below this line

# load the prepared functions of debians initramfs enviroment
source /usr/share/initramfs-tools/hook-functions

# build the directories
DIRS='/lib /bin /usr/bin /usr/sbin/ /proc/ /root/.ssh/ /var/ /var/run/ /etc/dropbear/'
for now in $DIRS ; do
if [ ! -e ${DESTDIR}$now ]
then
mkdir -p ${DESTDIR}$now
fi
done

# copy the ssh-daemon and librarys
copy_exec /usr/sbin/dropbear /usr/sbin/
copy_exec /usr/bin/passwd /usr/bin/
copy_exec /bin/login /bin/
copy_exec /usr/bin/killall /usr/bin/
copy_exec /sbin/route /sbin/
copy_exec /usr/bin/awk /usr/bin/
#copy_exec /usr/bin/strace /usr/bin/
#copy_exec /bin/nc /bin/
copy_exec /usr/bin/wc /usr/bin

# some librarys are not autoincluded by copy_exec
copy_exec /lib/libnss_compat.so.2 /lib/
copy_exec /usr/lib/libz.so.1 /usr/lib/
copy_exec /etc/ld.so.cache /etc/
copy_exec /lib/libutil.so.1 /lib/

# we copy config and key files
cp -pr /etc/dropbear/dropbear_dss_host_key ${DESTDIR}/etc/dropbear/
cp -pr /etc/dropbear/dropbear_rsa_host_key ${DESTDIR}/etc/dropbear/
cp -pr /etc/passwd ${DESTDIR}/etc/
cp -pr /etc/shadow ${DESTDIR}/etc/
cp -pr /etc/group ${DESTDIR}/etc/
if [ -e /root/.ssh/authorized_keys ]
then
cp -pr /root/.ssh/authorized_keys ${DESTDIR}/root/.ssh/
fi
cp -pr /etc/nsswitch.conf ${DESTDIR}/etc/
cp -pr /etc/localtime ${DESTDIR}/etc/
#cp -pr /usr/lib ${DESTDIR}/lib/
# we don't have bash in our initrd
# also we only add the root account
cat /etc/passwd | grep root | sed s/\\/bash/\\/sh/ > ${DESTDIR}/etc/passwd
cat /etc/shadow | grep root > ${DESTDIR}/etc/shadow
cat /etc/group | grep root > ${DESTDIR}/etc/group

cat >${DESTDIR}/scripts/local-top/network_ssh << 'EOF'
#!/bin/sh

# we start the network and ssh-server

PREREQ=""
prereqs()
{
echo "$PREREQ"
}

case $1 in
prereqs)

prereqs
exit 0
;;
esac

# Begin real processing below this line

# build up helpful environment
[ -d /dev ] || mkdir -m 0755 /dev
[ -d /root ] || mkdir --mode=0700 /root
[ -d /tmp ] || mkdir /tmp
[ -d /sys ] || {
mkdir /sys
mount -t sysfs -o nodev,noexec,nosuid none /sys
}
[ -d /proc ] || {
mkdir /proc
mount -t proc -o nodev,noexec,nosuid none /proc

}

mkdir -p /var/lock
mkdir -p /var/log
touch /var/log/lastlog
mkdir /dev/pts
mount -t devpts -o gid=5,mode=620 /dev/pts /dev/pts


################# CHANGE THE LINES BELOW #################
# The network setup: edit ip address and gateway to match your needs
/bin/sleep 5
#ifconfig -a
ifconfig eth1 209.17.190.186 netmask 255.255.254.0
route add default gw 209.17.190.1
################# CHANGE THE LINES ABOVE #################


# If you like to use dhcp make sure you include dhclient or pump in
# /etc/initramfs-tools/hooks/dropbear via
# copy_exec /sbin/dhclient


# for debugging ssh-server you may run it in forgound
# /usr/sbin/dropbear -E -F
# for more debugging you may run it with strace
# therfor you have to include strace and nc at top of
# /etc/initramfs-tools/hooks/dropbear via
# copy_exec /usr/bin/strace
# copy_exec /usr/bin/nc
# then start nc on an other host and run
# /usr/sbin/dropbear -E -F 2>&1 | /bin/nc -vv <ip of other host> <nc port of other host>
# e.g.:
# /usr/sbin/dropbear -E -F 2>&1 | /bin/nc -vv 192.168.1.2 8888

# We will use /dev/urandom because /dev/random gets easily blocked
mv /dev/random /dev/random.old
ln -s /dev/urandom /dev/random
/usr/sbin/dropbear -b /etc/dropbear/banner -d /etc/dropbear/dropbear_dss_host_key -r /etc/dropbear/dropbear_rsa_host_key -p 22
ls -al
rm -f /dev/random
mv /dev/random.old /dev/random
EOF
chmod 700 ${DESTDIR}/scripts/local-top/network_ssh

cat >${DESTDIR}/etc/dropbear/banner << 'EOF'

To unlock root-partition run
unlock


EOF

# script to unlock luks via ssh
# dirty but effektive
cat >${DESTDIR}/usr/bin/unlock << 'EOF'
#!/bin/sh

/bin/sh /scripts/local-top/cryptroot

# Kill processes locking boot process
[ `ls /dev/mapper/ | grep -v control| wc -l | awk '{print $1}'` -gt 0 ] && {
for i in `ps | grep -E "cryptroot|cryptsetup" | awk '{ print $1 }'`
do
kill $i
done
}
/bin/sh /scripts/local-bottom/rm_dropbear
EOF

chmod 700 ${DESTDIR}/usr/bin/unlock

# make sure we exit dropbear at the end of the startup process
cat >${DESTDIR}/scripts/local-bottom/rm_dropbear << 'EOF'
#!/bin/sh
PREREQ=""

prereqs()
{
echo ""
}

case $1 in
prereqs)

prereqs
exit 0
;;
esac

# Begin real processing below this line
# we kill dropbear ssh-server

/usr/bin/killall dropbear

EOF
chmod 700 ${DESTDIR}/scripts/local-bottom/rm_dropbear

[ Parent | Reply to this comment ]

Posted by Anonymous (24.108.xx.xx) on Sat 30 Aug 2008 at 12:53
you need the 'driver modules' instead of headers

replace:
# ~# aptitude install psmisc busybox dropbear linux-headers-`uname -r`
with:
# ~# aptitude install psmisc busybox dropbear linux-modules-`uname -r`

[ Parent | Reply to this comment ]

Posted by Anonymous (88.134.xx.xx) on Thu 12 Jun 2008 at 18:04
oh and BTW
while [ $INPUT != 'ok' ] ; do
has to be
while [ x$INPUT != 'xok' ] ; do

otherwise you can just press enter, it will give an error message but continue anyhow

[ Parent | Reply to this comment ]

Posted by Anonymous (83.171.xx.xx) on Fri 27 Jun 2008 at 12:05
hi,
ok dropbear works but what next ?
How could I boot the system from the busybox ?

ssh root@192.168.1.100
To unlock root-partition run
unlock
root@192.168.1.100's password:


BusyBox v1.1.3 (Debian 1:1.1.3-5ubuntu12) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

[ Parent | Reply to this comment ]

Posted by Anonymous (85.178.xx.xx) on Fri 27 Jun 2008 at 13:41
> To unlock root-partition run
> unlock

maybe you try what's written on the ssh-banner ...


[ Parent | Reply to this comment ]

Posted by Anonymous (124.78.xx.xx) on Tue 22 Jul 2008 at 23:48
Is it possible to map the encrypted root partition of a remote system which has dropbear running, from the user's desktop, by using a keyfile stored on the user's desktop system?

Use something similar to

ssh username@192.168.0.100 cryptsetup luksOpen /dev/sdb1 sdb1 --key-file <remote system's keyfile>


I hope not to have to type in my password or to store the keyfile on an unencrypted partition when mapping the encrypted root partition, so I want to use a keyfile on the desktop system to open the root partition on the server. This is a good security solution and can also achieve automatic copy/rsync of files between server and desktop with an encrypted partition.

But so far I haven't found a solution for how to use a local keyfile. Anyone who can help will be greatly appreciated!

[ Parent | Reply to this comment ]

Posted by Anonymous (171.64.xx.xx) on Wed 24 Dec 2008 at 03:16
Here is another version, based on everything I could find here and under http://ubuntuforums.org/archive/index.php/t-829768.html . The script does not need to be edited; it reads an external configuration file and decides which files to include in the initramfs, which network setup to do and how to start dropbear based on that. The script can be found under http://www.debian.mandel.name/template/etc/initramfs-tools/hooks/dropbear .

Another small trick: you can unlock the partition from a script like this:
cat key.txt | ssh -i "id_dsa" root@ip.to.server \
"cat > /lib/cryptsetup/passfifo; sleep 3"

Hope you like this version of the script,
Olaf

[ Parent | Reply to this comment ]
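The one-liner above hands the passphrase to the FIFO that the initramfs askpass reads from, but as written it will also trip over the host key: the dropbear in the initramfs presents /etc/dropbear/dropbear_rsa_host_key, not the OpenSSH key of the booted system, so the same address shows two different keys and the temptation is to disable checking. Below is an added example (not Olaf's script and not wulf's) of a small client wrapper that pins the initramfs key in a separate known_hosts file, refuses a passphrase file that others can read, and strips the trailing newline before writing. The paths, the key name `id_unlock` and the `REMOTE_UNLOCK_HOST` variable are assumptions.

```shell
#!/bin/sh
# Added example: push the LUKS passphrase into the initramfs over ssh.
# Assumed (not from the page): client key ~/.ssh/id_unlock, a dedicated
# known_hosts file holding the initramfs dropbear key, and the
# passphrase in a mode 0600 file owned by the caller.
set -u

PASSFIFO=/lib/cryptsetup/passfifo   # where the initramfs askpass reads

# unlock_remote HOST KEYFILE KNOWN_HOSTS PASSFILE
# returns ssh's exit status, or 2 if the passphrase file is too open
unlock_remote() {
    host=$1; keyfile=$2; known_hosts=$3; passfile=$4

    # a passphrase file that group/other can read defeats the exercise
    mode=$(stat -c %a "$passfile") || return 2
    case $mode in
        *00) ;;
        *) echo "refusing $passfile: mode $mode is not 0?00" >&2; return 2 ;;
    esac

    # $(...) drops the trailing newline and printf '%s' adds none back,
    # so the FIFO receives exactly the passphrase bytes
    pass=$(cat "$passfile")

    # StrictHostKeyChecking=yes plus a private known_hosts: the initramfs
    # key is pinned and cannot be "replaced" by someone answering on the
    # same address; BatchMode keeps ssh from prompting inside a script.
    # The sleep keeps the session open while cryptsetup consumes the
    # FIFO, as in the one-liner from the comment above.
    printf '%s' "$pass" | ssh -i "$keyfile" \
        -o UserKnownHostsFile="$known_hosts" \
        -o StrictHostKeyChecking=yes \
        -o BatchMode=yes \
        "root@$host" "cat > $PASSFIFO; sleep 3"
}

# Record the initramfs key once, after checking its fingerprint on the
# console, e.g.:  ssh-keyscan -t rsa HOST >> ~/.ssh/known_hosts.initramfs
if [ -n "${REMOTE_UNLOCK_HOST:-}" ]; then
    unlock_remote "$REMOTE_UNLOCK_HOST" "$HOME/.ssh/id_unlock" \
        "$HOME/.ssh/known_hosts.initramfs" "$HOME/.luks-pass"
fi
```

Run it as `REMOTE_UNLOCK_HOST=ip.to.server ./unlock-remote.sh`; because the known_hosts file is separate, the booted system's OpenSSH key in the regular `~/.ssh/known_hosts` and the initramfs dropbear key never collide.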

Posted by Anonymous (193.11.xx.xx) on Mon 9 Mar 2009 at 05:33
If you want to have completely unattended reboots, I suggest you look at the "mandos" and "mandos-client" packages (now in unstable and Ubuntu Jaunty).

Yes, it's secure. At least, it's just as secure as having to type in the password at boot - see the FAQ.

[ Parent | Reply to this comment ]

Posted by Anonymous (208.67.xx.xx) on Fri 22 May 2009 at 21:37
In Ubuntu (tested with 8.04.2) you need to disable the splash screen in /boot/grub/menu.lst
-Kenneth Degel

[ Parent | Reply to this comment ]

Posted by Anonymous (217.230.xx.xx) on Mon 22 Feb 2010 at 11:58
Another good improvement would be to include support for multiple encrypted partitions.
For example my crypttab looks like this:

sda3_crypt /dev/sda3 none luks # root-partition
sda4_crypt /dev/sda4 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,swap # swap
sdb1_crypt /dev/sdb1 none luks # another data-partition

After I implement the script the root partition gets unlocked, but the system hangs at the sdb1-Partition because the ssh-Daemon has already been shutdown.
And I do not want to use a keyfile for the 2nd partition...

[ Parent | Reply to this comment ]

Posted by wulf (81.233.xx.xx) on Mon 22 Feb 2010 at 12:44

> Another good improvement would be to include
> support for multiple encrypted partitions.
why? If your system is up, you can log in
via ssh as usual and manage the rest.

> For example my crypttab looks like this:
>
> sda3_crypt /dev/sda3 none luks # root-partition
> sda4_crypt /dev/sda4 /dev/urandom
> cipher=aes-cbc-essiv:sha256,size=256,swap # swap
> sdb1_crypt /dev/sdb1 none luks # another
> data-partition
>
> After I implement the script the root partition
> gets unlocked,
great, isn't it?

> but the system hangs at the sdb1-Partition
> because the ssh-Daemon has already been
> shutdown. And I do not want to use a keyfile
> for the 2nd partition...
simply add the option noauto to your /etc/fstab.

If you do not need different passphrases
you should think about one crypto partition
holding an LVM including root, swap, whatever. Then
you only have to unlock once.

Of course you can insert your special needed
unlocks before "killall dropbear", but I would
recommend to keep it as simple as possible.

Make sure you use the actual version from:
http://gpl.coulmann.de/dropbear
(http://gpl.coulmann.de/ssh_luks_unlock.html)

[ Parent | Reply to this comment ]

Posted by Anonymous (217.82.xx.xx) on Tue 23 Feb 2010 at 12:00
>why? If your system is up, you can ordinary log in
>vi ssh and manage the rest.

That's the problem; since sdb1 is in /etc/crypttab and the init script is in rcS.d (S26cryptdisks-early) and not in rc2.d (S16ssh), the ssh daemon does not get started at all.

>simple add option noauto to your /etc/fstab.
Thus a change to noauto in fstab does not change a thing.

I could of course comment out the line in /etc/crypttab, but since various daemons depend on the mount of sdb1 I cannot start the normal init-process without it.

>Of course you can insert your special needed
>unlocks before "killall dropbear", but I would
>recommend to keep it as simple as possible.

Also did not work due to the crypttab-file. It just hangs there with no output on the dropbear-ssh-console...
Would there be a way to implement the early cryptodisks in the unlock-script?

>Make sure you use the actual version from:
>http://gpl.coulmann.de/dropbear
>(http://gpl.coulmann.de/ssh_luks_unlock.html)
Yep. I am using the latest version which still does not include the "ok"-fix...

[ Parent | Reply to this comment ]

Posted by wulf (85.178.xx.xx) on Tue 23 Feb 2010 at 18:46

> Would there be a way to implement the early cryptodisks in the unlock-script?
Yes, there is. Feel free to do it, but as I mentioned I do not have an
interest on that. This should be managed by reorganize the boot process. The
intention of initramfs is to bring up a root system, not to start all
conceivable sub systems. I do not like to take care of that unnecessary feature
in future, therefore I'll not put that in my code.

> Yep. I am using the latest version which still does not include the "ok"-fix...
hmm, that's inexcusable. I'll add some quotes now.

FYI
The stupid "ok" setup is there to prevent cryptsetup from grabbing STDOUT ahead of time as the passphrase.

[ Parent | Reply to this comment ]

Posted by mindless (85.196.xx.xx) on Wed 24 Mar 2010 at 11:34
Has anyone managed to get this to work with vlan support?
The busybox binary shipped with current Debian doesn't have vlan support (AKA vconfig).

[ Parent | Reply to this comment ]

Posted by Anonymous (95.211.xx.xx) on Thu 29 Apr 2010 at 11:16
For those of you using CentOS, here is a patch to mkinitrd.
It adds a new switch, --with-dropbear;
edit the variable extratools="" to add/remove more tools.

--- /sbin/mkinitrd 2009-09-03 19:58:30.000000000 -0400
+++ ./mkinitrd 2010-04-28 02:27:07.000000000 -0400
@@ -119,7 +119,7 @@
cmd=error
fi

- $cmd "usage: `basename $0` [--version] [--help] [-v] [-f] [--preload <module>]"
+ $cmd "usage: `basename $0` [--version] [--help] [-v] [-f] [--preload <module>] [--with-dropbear]"
$cmd " [--force-ide-probe] [--force-scsi-probe | --omit-scsi-modules]"
$cmd " [--image-version] [--force-raid-probe | --omit-raid-modules]"
$cmd " [--with=<module>] [--force-lvm-probe | --omit-lvm-modules]"
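Review bot: the new usage line advertises --with-dropbear but not that it only works together with --net-dev=<interface>, which the check added further down enforces; state the pairing in the usage text, e.g. `[--with-dropbear (requires --net-dev=<interface>)]`, so users do not discover the constraint only from the error message.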
@@ -921,6 +921,10 @@
withfips=1
;;

+ --with-dropbear)
+ dropbear=1
+ ;;
+
--with-usb*)
if [ "$1" != "${1##--with-usb=}" ]; then
usbmodule=${1##--with-usb=}
@@ -1024,6 +1028,7 @@
--net-dev*)
if [ "$1" != "${1##--net-dev=}" ]; then
PREINTERFACES="$PREINTERFACES ${1##--net-dev=}"
+ dropbear_int=1
else
PREINTERFACES="$PREINTERFACES $2"
shift
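Review bot: `dropbear_int=1` is set only in the `--net-dev=<iface>` branch; the two-argument form `--net-dev <iface>` handled by the `else` branch leaves it unset, so `mkinitrd --with-dropbear --net-dev eth0` is rejected by the later "Can't enable dropbear without specifying" check although an interface was given. Set `dropbear_int=1` after the if/else, or have the later check test `-z "$PREINTERFACES"` directly, so both spellings behave the same.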
@@ -1133,6 +1138,12 @@
exit 1
fi

+if [ -n "$dropbear" -a -z "$dropbear_int" ]; then
+ error "Can't enable dropbear without specifying: [--net-dev=<interface>]"
+ exit 1
+fi
+
+
if [ ! -d /lib/modules/$kernel ]; then
error 'No modules available for kernel "'${kernel}'".'
exit 1
@@ -1383,6 +1394,11 @@
echo $NONL "$@" >> $RCFILE
}

+emitdropbear()
+{
+ echo "$@" >> $MNTIMAGE/bin/unlock
+}
+
use_multipath=0
use_emc=0
use_xdr=0
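Review bot: `emitdropbear` appends to `$MNTIMAGE/bin/unlock` unconditionally, but that file is only created with its `#!/bin/ash` line inside the `if [ "$dropbear" = 1 ]` block in the last hunk; any caller outside that block would silently produce a script without a shebang, and the existing `emit` helper has the same `$RCFILE` pre-creation pattern which `emitdropbear` mirrors only implicitly. Either create the file with the shebang inside the function when it does not exist, or guard the function on `$dropbear`.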
@@ -1714,6 +1730,7 @@
set +e
fi

+
echo -n >| $RCFILE
cemit << EOF
#!/bin/nash
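Review bot: this hunk adds only a blank line before `echo -n >| $RCFILE`; a whitespace-only hunk changes nothing, adds noise to the patch and makes it harder to apply against other mkinitrd revisions, so drop it.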
@@ -1827,37 +1844,128 @@
emit "cryptsetup luksOpen $1 $2"
}

+emitcryptodb()
+{
+ emitdropbear "echo Setting up disk encryption: $1"
+ emitdropbear "cryptsetup luksOpen $1 $2"
+}
+
+
if [ -n "$KEYMAP" -a -n "$LOADKEYS" ]; then
emit "echo Loading keymap."
emit "$LOADKEYS $KEYMAP"
fi

-for cryptdev in ${!cryptopart@} ; do
- emitcrypto `eval echo '$'$cryptdev`
-done
-
-if [ -n "$raiddevices" ]; then
- for dev in $raiddevices; do
- cp -a /dev/${dev} $MNTIMAGE/dev
- emit "raidautorun /dev/${dev}"
- done
-fi
+cryptoblock()
+{
+ catfun1="$1"
+ catfun2="$2"
+ for cryptdev in ${!cryptopart@} ; do
+ "$catfun2" `eval echo '$'$cryptdev`
+ done
+
+ if [ -n "$raiddevices" ]; then
+ for dev in $raiddevices; do
+ cp -a /dev/${dev} $MNTIMAGE/dev
+ "$catfun1" "raidautorun /dev/${dev}"
+ done
+ fi
+
+ for cryptdev in ${!cryptoraid@} ; do
+ "$catfun2" `eval echo '$'$cryptdev`
+ done
+
+ if [ -n "$vg_list" ]; then
+ "$catfun1" "echo Scanning logical volumes"
+ "$catfun1" "lvm vgscan --ignorelockingfailure"
+ "$catfun1" "echo Activating logical volumes"
+ "$catfun1" "lvm vgchange -ay --ignorelockingfailure $vg_list"
+ fi
+
+ for cryptdev in ${!cryptolv@} ; do
+ "$catfun2" `eval echo '$'$cryptdev`
+ done
+}

-for cryptdev in ${!cryptoraid@} ; do
- emitcrypto `eval echo '$'$cryptdev`
-done
+if [ "$dropbear" = 1 ]; then
+ set -e
+ echo "#!/bin/ash" > $MNTIMAGE/bin/unlock
+ chmod +x $MNTIMAGE/bin/unlock
+ cryptoblock "emitdropbear" "emitcryptodb"
+ dropbearconvert openssh dropbear /etc/ssh/ssh_host_rsa_key /etc/dropbear/dropbear_rsa_host_key 2>/dev/null
+ dropbearconvert openssh dropbear /etc/ssh/ssh_host_dsa_key /etc/dropbear/dropbear_dss_host_key 2>/dev/null
+ mkdir -p $MNTIMAGE/etc/dropbear
+ cat > $MNTIMAGE/etc/dropbear/banner << 'EOF'
+
+ To unlock root-partition run
+ unlock
+ 'killall cryptopause' to resume loading the system...

-if [ -n "$vg_list" ]; then
- emit "echo Scanning logical volumes"
- emit "lvm vgscan --ignorelockingfailure"
- emit "echo Activating logical volumes"
- emit "lvm vgchange -ay --ignorelockingfailure $vg_list"
+EOF
+ cat > $MNTIMAGE/bin/cryptopause << 'EOF'
+#!/bin/ash
+echo Type "unlock" and press enter to put in passphrase:
+/bin/ash
+EOF
+ extratools="/usr/bin/shred /sbin/badblocks /usr/bin/rsync /usr/bin/scp /usr/bin/ssh"
+ chmod +x $MNTIMAGE/bin/cryptopause
+ inst /usr/sbin/dropbear $MNTIMAGE/bin/dropbear
+ inst /sbin/busybox $MNTIMAGE/bin/busybox
+ inst /bin/login $MNTIMAGE/bin/login
+ inst /usr/bin/passwd $MNTIMAGE/usr/bin/passwd
+ inst /sbin/rmmod $MNTIMAGE/bin/rmmod
+ inst /etc/dropbear/dropbear_dss_host_key $MNTIMAGE/etc/dropbear/dropbear_dss_host_key
+ inst /etc/dropbear/dropbear_rsa_host_key $MNTIMAGE/etc/dropbear/dropbear_rsa_host_key
+ inst /etc/nsswitch.conf $MNTIMAGE/etc/nsswitch.conf
+ inst /etc/localtime $MNTIMAGE/etc/localtime
+ inst /etc/resolv.conf $MNTIMAGE/etc/resolv.conf
+ inst /etc/host.conf $MNTIMAGE/etc/host.conf
+ inst /etc/hosts $MNTIMAGE/etc/hosts
+ cp -pr /etc/passwd $MNTIMAGE/etc/passwd
+ cp -pr /etc/shadow $MNTIMAGE/etc/shadow
+ cp -pr /etc/group $MNTIMAGE/etc/group
+ grep ^root /etc/passwd | sed s/\\/bash/\\/ash/ > $MNTIMAGE/etc/passwd
+ grep ^root /etc/shadow > $MNTIMAGE/etc/shadow
+ grep ^root /etc/group > $MNTIMAGE/etc/group
+ echo /bin/ash > $MNTIMAGE/etc/shells
+ [ -d /root ] || mkdir --mode=0700 /root
+ [ -f /root/.ssh/authorized_keys ] && inst /root/.ssh/authorized_keys $MNTIMAGE/root/.ssh/authorized_keys
+ for tools in ifconfig route killall ash hostname mv rm; do
+ ln -s /sbin/busybox $MNTIMAGE/sbin/$tools
+ done
+ for tool in $extratools; do
+ inst $tool ${MNTIMAGE}${tool}
+ done
+ for i in $(ldd /usr/sbin/dropbear $extratools| awk '{if (NF==4) print $3; if (NF==2) print $1}') ; do
+ grep -q $i <<<$libs && continue
+ libs="$libs $i"
+ done
+ if echo "$libs" | grep -q lib64; then
+ libdir="lib64"
+ else
+ libdir="lib"
+ fi
+ for i in /${libdir}/{libnss_compat.so.2,libnss_files.so.2,libnss_dns.so.2, libresolv.so.2,libtermcap.so.2,libdl.so.2} ; do
+ grep -q $i <<<$libs && continue
+ libs="$libs $i"
+ done
+ for lib in $libs; do
+ basename=$(basename $lib)
+ while [ -L $lib ]; do
+ lib=$(readlink $lib)
+ done
+ inst $lib $MNTIMAGE${lib%/*}/$basename
+ done
+ inst /etc/ld.so.cache $MNTIMAGE/etc/ld.so.cache
+ emit "echo Starting dropbear"
+ emit "/bin/dropbear -b /etc/dropbear/banner"
+ emit "/bin/cryptopause"
+ emit "killall dropbear"
+ set +e
+else
+ cryptoblock "emit" "emitcrypto"
fi

-for cryptdev in ${!cryptolv@} ; do
- emitcrypto `eval echo '$'$cryptdev`
-done
-
if [ -z "$noresume" -a -n "$swsuspdev" ]; then
emit "resume $swsuspdev"
fi

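Review bot: busybox is installed as `$MNTIMAGE/bin/busybox`, but the applet links are created with `ln -s /sbin/busybox $MNTIMAGE/sbin/$tools`, so inside the image `ifconfig`, `route`, `killall`, `ash`, `hostname`, `mv` and `rm` point at a path that does not exist, and `/bin/ash`, which is the interpreter of `unlock` and `cryptopause`, the shell in `/etc/shells` and root's login shell after the `sed s/\\/bash/\\/ash/`, is never created at all (ash is only linked into `/sbin`). Either install busybox to `/sbin/busybox` in the image and add a `/bin/ash` link, or point the links at `/bin/busybox`. In the same block, `cryptoblock "emitdropbear" "emitcryptodb"` writes `raidautorun /dev/$dev` into the ash-based `unlock`, yet `raidautorun` is a nash builtin (the RC file runs under `#!/bin/nash`) and no binary of that name is installed, so the RAID case cannot work from the ssh session. Smaller points: the `cp -pr /etc/passwd|shadow|group` lines are immediately overwritten by the `grep ^root ... >` lines and can go; `[ -d /root ] || mkdir --mode=0700 /root` creates the directory on the build host rather than under `$MNTIMAGE`; the list `/${libdir}/{libnss_compat.so.2,...,libnss_dns.so.2, libresolv.so.2,...}` has a space after a comma, which splits the brace expression into two unexpandable words so none of those libraries is added; `lib=$(readlink $lib)` yields a relative target for the usual distro symlinks, which makes `${lib%/*}` wrong on the following `inst` (use `readlink -f`); and `dropbearconvert ... 2>/dev/null` under `set -e` aborts mkinitrd silently when a host key (typically the DSA one) is absent. Security: root's `/etc/shadow` entry is copied into the initrd, which lives on the unencrypted `/boot`, and dropbear is started as `/bin/dropbear -b /etc/dropbear/banner` without `-s`, so the root password hash is readable by anyone with the disk and password logins to the pre-boot environment are accepted. Ship a locked (`*`) shadow entry, rely on the `authorized_keys` already installed when present, and start dropbear with `-s` to disable password authentication.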
[ Parent | Reply to this comment ]

Posted by gijs (109.128.xx.xx) on Thu 16 Sep 2010 at 14:59
I find that, testing this on Debian testing, I need a few tweaks

in the script I added:
copy_exec /lib/libnsl.so.1 /lib/

otherwise, I could not ssh into the machine at all.

Then, I find that upon ssh'ing into the machine, I need:

export PATH=$PATH:/sbin

otherwise the scripts can't find lvm, for instance. But, even at this point, booting fails.

I can run the scripts in /scripts/local-top/ manually, which will unlock the partition. But I have not completely grasped how to make the machine continue booting...

[ Parent | Reply to this comment ]

Posted by gijs (109.128.xx.xx) on Fri 17 Sep 2010 at 11:11
Here is a workaround that will make this work on Debian Testing...

taking into account that you need to add
copy_exec /lib/libnsl.so.1 /lib/

to the script

you can then ssh into the machine

then do

export PATH=$PATH:/sbin

and then do this
/bin/sh /scripts/local-top/cryptroot && mv /scripts/local-top/cryptroot /root

and then kill /bin/sh /scripts/local-top/cryptroot
which is a matter of doing a 'ps', finding the correct pid and then 'kill $pid'

[ Parent | Reply to this comment ]
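The manual sequence in the comment above (export PATH, run the cryptroot script, move it aside, then find the waiting copy with `ps` and kill it), scripted as an added example. This is not code from the article, from gijs, or from the cryptsetup or dropbear packages; the script name `remote-unlock.sh`, the function names and the sample `ps` listing are this example's own assumptions, while the `/scripts/local-top/cryptroot` path, the PATH fix and the ps-and-kill step come from the comment. The PID lookup is written to read `ps` text on stdin so it can be exercised offline on the constructed listing.

```shell
#!/bin/sh
# Added example (not from the article, the comment author, or the
# cryptsetup/dropbear packages): scripts the manual workaround above.
# Assumes a Debian initramfs-tools image in which the boot process is
# blocked in /scripts/local-top/cryptroot and a busybox ps that lists
# all processes; only the PID column and the trailing command line of
# the ps output are relied upon.
CRYPTROOT=/scripts/local-top/cryptroot

# Print the PID(s) of the cryptroot instance init is waiting in.
# Reads ps output on stdin so it can be tested on captured text.
# A line matches only if its command line ends with exactly
# "/bin/sh /scripts/local-top/cryptroot"; this shell, a grep, or the
# "/sbin/cryptsetup ..." child are therefore never selected.
cryptroot_pid() {
    awk -v want="/bin/sh $CRYPTROOT" '
        $1 ~ /^[0-9]+$/ {
            n = length(want)
            if (length($0) >= n && substr($0, length($0) - n + 1) == want)
                print $1
        }'
}

remote_unlock() {
    # The initramfs PATH lacks /sbin, so lvm and cryptsetup are not found.
    export PATH="$PATH:/sbin:/usr/sbin"
    if [ ! -f "$CRYPTROOT" ]; then
        echo "$CRYPTROOT not found; run this inside the initramfs over ssh" >&2
        return 1
    fi
    # Run the same script the console is waiting in; it prompts for the
    # passphrase on this session and opens the LUKS mapping.
    /bin/sh "$CRYPTROOT" || return 1
    # Move the script away so nothing re-runs it, then kill the blocked
    # copy so init proceeds to mount root on the now-open device.
    mv "$CRYPTROOT" /root/
    pids=$(ps | cryptroot_pid)
    if [ -z "$pids" ]; then
        echo "no waiting cryptroot process found; nothing killed" >&2
        return 1
    fi
    kill $pids    # unquoted on purpose: one PID per word
}

# Constructed sample of busybox ps output (not captured from a real
# system), used to exercise cryptroot_pid offline. Lines 340 and 350
# are deliberate near-misses that must not be selected.
SAMPLE_PS='  PID USER       VSZ STAT COMMAND
    1 root      2372 S    /bin/sh /init
  213 root      2380 S    /bin/sh /scripts/local-top/cryptroot
  220 root      2236 S    /sbin/cryptsetup luksOpen /dev/sda2 sda2_crypt
  301 root      2412 S    /bin/dropbear -b /etc/dropbear/banner
  340 root      2384 S    /bin/sh -c /scripts/local-top/cryptroot
  350 root      2100 S    grep cryptroot
  358 root      2592 R    ps'

# Run the whole procedure only when invoked as:  sh remote-unlock.sh run
if [ "${1:-}" = "run" ]; then
    remote_unlock
fi
```

Over the dropbear session, run `sh remote-unlock.sh run`; without the `run` argument the file only defines the functions, which is what the offline check of `cryptroot_pid` relies on.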

Posted by gijs (109.128.xx.xx) on Fri 17 Sep 2010 at 16:18
Some more experimenting later, I find that "copy_exec /lib/libnsl.so.1 /lib/" and "export PATH=$PATH:/sbin" are all that is needed at the moment. Somehow, I ended up with errors in the unlock file.

[ Parent | Reply to this comment ]

Posted by wulf (85.178.xx.xx) on Mon 20 Sep 2010 at 14:37

Please send comments and questions directly to the script's home.
Also make sure you download the latest version from:

http://gpl.coulmann.de/ssh_luks_unlock.html

[ Parent | Reply to this comment ]

Posted by wulf (85.178.xx.xx) on Sat 20 Nov 2010 at 16:15
this script is deprecated, see:
/usr/share/doc/cryptsetup/README.remote.gz

[ Parent | Reply to this comment ]

Posted by Anonymous (93.240.xx.xx) on Thu 17 Feb 2011 at 07:55
Is there a way to use the root-password from /etc/shadow for the "new method" instead of the key-file?

[ Parent | Reply to this comment ]

Posted by Anonymous (91.64.xx.xx) on Wed 30 Mar 2011 at 12:51
also want this!!!

[ Parent | Reply to this comment ]

Posted by Anonymous (79.224.xx.xx) on Fri 31 Aug 2012 at 23:12
Still no solution?

[ Parent | Reply to this comment ]
