Unlocking a LUKS encrypted root partition via ssh
Posted by wulf on Tue 5 Feb 2008 at 15:03
I'm running a Debian server with LUKS encrypted root partition and want to be able to enter the pass phrase local at the terminal or via ssh. This article describes how I achieved that.
To get remote access to my machine, via ssh, without the root filesystem being mounted I include dropbear in the initrd and some functionality for easy use. You may also combine this with RAID and LVM (as I do) but this is not relevant for this article.
We only need to hook in before the cryptosetup step of the initrd runs, and don't care what type of layer we're working with.
- LUKS
- RAID -> LUKS
- LUKS -> RAID (I never heard about that, but ...)
- RAID -> LVM-> LUKS
- RAID -> LUKS -> LVM
- LUKS -> LVM
- LVM -> LUKS
- ... Everything is possible
table of contents
- I don't care about background, just let me do it
- initrd, the big picture
- initramfs-tools, the big picture
- troubleshooting
- source
1. I don't care about background, just let me do it
- You have a running Debian system with LUKS encrypted disk (and whatever else you like, such as lvm and raid) which is booting via initrd while you enter the passphrase at the local terminal. Yes, this should work without trouble before you go on. It's really comfortable to set this up with the Debian installer if you run the installation in expert mode (just type expert at the boot prompt, and play around with manual partitioning at the partitioner step, which is only available in the installer not at a running Debian system). You may also set this up step by step on a already running system, therefore refer the multiple available relevant HOWTOs
- install busybox on the system ("apt-get install busybox")
- install dropbear on the system ("apt-get install dropbear")
- make sure dropbear will not be started at the ordinary boot process, if you use openssh-server. If you think dropbear is a god choice for your daily work, skip this step.
- copy the script (view/download) to /etc/initramfs-tools/hooks/ and change permissions to executable
- edit the network setup in /etc/initramfs-tools/hooks/dropbear
- create the initrd via:
prompt # mkinitramfs -o my_name_of_the_initrd - move the new initrd to /boot and edit your /boot/grub/menu.lst to use it. It's a god idea to double one entry and change only the clone, so you can still boot the original version, if anything failes.
#!/bin/sh # We add dropbear to the initrd to be able do mount crypto partitions from remote PREREQ="" prereqs() { echo "$PREREQ" } case $1 in prereqs) prereqs exit 0 ;; esac # Begin real processing below this line # copyright Wulf Coulmann # GNU GPL # http://www.gnu.org/licenses/gpl.html # # Download me here: http://gpl.coulmann.de/dropbear # get infos about this script here: # http://gpl.coulmann.de/ssh_luks_unlock.html # load the prepared functions of debians initramfs enviroment source /usr/share/initramfs-tools/hook-functions # build the directorys DIRS='/usr/sbin/ /proc/ /root/ /var/ /var/run/ /var/run/' for now in $DIRS ; do if [ ! -e ${DESTDIR}$now ] then mkdir -p ${DESTDIR}$now fi done # copy the main ssh-daemen including libarys copy_exec /usr/sbin/dropbear copy_exec /usr/bin/passwd copy_exec /bin/login # some libarys not autoincludet by copy_exec copy_exec /lib/libnss_compat.so.2 copy_exec /usr/lib/libz.so.1 copy_exec /etc/ld.so.cache copy_exec /lib/i686/cmov/libutil.so.1 # we copy config and key files cp -pr /etc/dropbear ${DESTDIR}/etc/ cp -pr /etc/passwd ${DESTDIR}/etc/ # quick and dirty, to keep file attributs cp -pr /etc/shadow ${DESTDIR}/etc/ cp -pr /etc/group ${DESTDIR}/etc/ cp -pr /root/.ssh ${DESTDIR}/root/ cp -pr /etc/nsswitch.conf ${DESTDIR}/etc/ cp -pr /etc/localtime ${DESTDIR}/etc/ # we don't have bash in our initrd # also we only add the root account cat /etc/passwd | grep root | sed s/\\/bash/\\/sh/ > ${DESTDIR}/etc/passwd # the blocker script to request input action befor running cryptroot # this let us run cryptroot on local terminal or inside ssh # dirty but effektive cat >${DESTDIR}/scripts/local-top/cryptroot_block << 'EOF' #!/bin/sh PREREQ="network_ssh" prereqs() { echo "$PREREQ" } case $1 in prereqs) prereqs exit 0 ;; esac # Begin real processing below this line echo Type "ok" and press enter to put in passphrase: INPUT='wait' while [ $INPUT != 'ok' ] ; do read INPUT done EOF chmod 700 ${DESTDIR}/scripts/local-top/cryptroot_block cat >${DESTDIR}/scripts/local-top/network_ssh << 'EOF' #!/bin/sh # we start the network and ssh-server PREREQ="" prereqs() { echo "$PREREQ" } case $1 in prereqs) prereqs exit 0 ;; esac # Begin real processing below this line # build up helpful enviroment [ -d /dev ] || mkdir -m 0755 /dev [ -d /root ] || mkdir --mode=0700 /root [ -d /sys ] || mkdir /sys [ -d /proc ] || mkdir /proc [ -d /tmp ] || mkdir /tmp mkdir -p /var/lock mount -t sysfs -o nodev,noexec,nosuid none /sys mount -t proc -o nodev,noexec,nosuid none /proc mkdir /dev/pts mount -t devpts -o gid=5,mode=620 /dev/pts /dev/pts # the Network setup edit ipaddres and gateway to your needs ifconfig eth0 192.168.1.10 netmask 255.255.255.0 route add default gw 192.168.1.100 # If you like to use dhcp make shure you include dhclient or pump in # /etc/initramfs-tools/hooks/dropbear via # copy_exec /sbin/dhclient # for debugging ssh-server you may run it in forgound # /usr/sbin/dropbear -E -F # for more debugging you may run it with strace # therfor you have to include strace and nc at top of # /etc/initramfs-tools/hooks/dropbear via # copy_exec /usr/bin/strace # copy_exec /usr/bin/nc # then start nc on an other host and run # /usr/sbin/dropbear -E -F 2>&1 | /bin/nc -vv <ip of other host> <nc port of other host> # e.g.: # /usr/sbin/dropbear -E -F 2>&1 | /bin/nc -vv 192.168.1.2 8888 /usr/sbin/dropbear -b /etc/dropbear/banner EOF chmod 700 ${DESTDIR}/scripts/local-top/network_ssh cat >${DESTDIR}/etc/dropbear/banner << 'EOF' To unlock root-partition run unlock EOF # script to unlock luks via ssh # dirty but effektive cat >${DESTDIR}/usr/bin/unlock << 'EOF' #!/bin/sh /bin/sh /scripts/local-top/cryptroot && mv /scripts/local-top/cryptroot /root && kill `ps | grep cryptroot_block|grep -v grep |awk '{ print $1 }'` EOF chmod 700 ${DESTDIR}/usr/bin/unlock # make shure we exit dropbear at the end of the startup process cat >${DESTDIR}/scripts/local-bottom/rm_dropbear << 'EOF' #!/bin/sh PREREQ="" prereqs() { echo "" } case $1 in prereqs) prereqs exit 0 ;; esac # Begin real processing below this line # we kill dropbear ssh-server killall dropbear EOF chmod 700 ${DESTDIR}/scripts/local-bottom/rm_dropbear
syntax highlighted by Code2HTML, v. 0.9.1
2. initrd, the big picture
The initrd image is nothing than a directory tree where you can include anything you like. So it is possible to build an arbitrarily complex Linux environment. The initrd is accessible along with the kernel z-image. So it's the workaround for hen-egg-problems. E.g. you need tools from the hard disk to mount the hard disk ...
If the kernel has initrd functionality built in (mostly they will have) and you provide an initrd with your grub/lilo configuration, the kernel unpack the initrd and mount it as a ramdisk to load provided modules and tools, then mount the harddisk partitions and after booting the kernel drops the initramfs.
3. initramfs-tools, the big picture
Debian offer a very convenient handlinng to generate initrds. Refer to man itramfs-tools and man mkinitramfs for details.4. troubleshooting
If you get trouble, try to to split your tasks in small steps, end evaluate them before you go on. Maybe these hints will help you :
trouble while build initrd
Check out, what's really include in your initrd: Go to a empty directory and run:prompt # export test=test1 \ && sh -x mkinitramfs -o $test 2> log \ && mkdir `echo -n $test |sed s/test/test_/` \ && mv $test $test.gz && gunzip $test.gz \ && cd `echo -n $test |sed s/test/test_/` \ && cpio -i <../$test && cd ..This will end up with a file test1 which is the initrd image and a directory test_1 which holds the unpacked initrdfs. So you can check out if everything is really included. Also you will find a file named log, where you find possible errors while processing mkinitramfs .trouble while booting
Trouble while booting is mostly in reason of missing files, or disorder of running scripts. To understand handling of script order you should read man initramfs-tools.
Include verbose output to your scripts, e.g. you may add a simple ifconfig after the network setup to check the output while booting. If you guess missing libraries or device nodes strace may be helpful. If you like to compare strace output while booting with strace from running dropbear in your already booted system, netcat is a choice to get output out of the box to check differences with diff or whatever. Yes, therefore your network setup must be already in function and you have to include netcat to your initrd.
5. source
The homepage for this howto is http://gpl.coulmann.de/ssh_luks_unlock.html. Maybe you like to check out http://gpl.coulmann.de
First, this is very cool.
But, I think I see a couple minor issues.
1: You filter DESTDIR/etc/passwd to just contain the line for the root account, but you leave the entire DESTDIR/etc/shadow file intact. Congratulations, you just gave up all your password hashes. Filter the group file as much as possible too.
2: You use the same root password as is used inside the encrypted container. What are the odds that many users will use the same password to encrypt/decrypt the container? While this password could be the same as the grub password, it shouldn't be the same as any password used on the inside.
3: You copy your /root/.ssh folder into the initrd. The only reason I can think of doing that is to make your authorized keys file available for passwordless logins. By default SSH stores the public and private keys in the .ssh folder. Including them outside the encrypted container means they could be stolen. I would make sure I was only copying the authorized_keys file and leave everything else behind.
Well that's the quick once over. Overall these issues are very easily addressed, and then I see major potential for this script. I've avoided running encrypted storage for the root partition on remote servers because of the reboot issues. This tool can make those a thing of the past.
But, I think I see a couple minor issues.
1: You filter DESTDIR/etc/passwd to just contain the line for the root account, but you leave the entire DESTDIR/etc/shadow file intact. Congratulations, you just gave up all your password hashes. Filter the group file as much as possible too.
2: You use the same root password as is used inside the encrypted container. What are the odds that many users will use the same password to encrypt/decrypt the container? While this password could be the same as the grub password, it shouldn't be the same as any password used on the inside.
3: You copy your /root/.ssh folder into the initrd. The only reason I can think of doing that is to make your authorized keys file available for passwordless logins. By default SSH stores the public and private keys in the .ssh folder. Including them outside the encrypted container means they could be stolen. I would make sure I was only copying the authorized_keys file and leave everything else behind.
Well that's the quick once over. Overall these issues are very easily addressed, and then I see major potential for this script. I've avoided running encrypted storage for the root partition on remote servers because of the reboot issues. This tool can make those a thing of the past.
[ Parent | Reply to this comment ]
thanks for review and improvement hints. I'll include them soon and let you know.
Best wishes Wulf++
[ Parent | Reply to this comment ]
Sorry if my question sounds naive, but what is the rationale behind encrypting the root partition of a remote system?
[ Parent | Reply to this comment ]
Well, If you don't have a resent, don't do it.
But if you don't want to give easy access to your Data to someone who has physical access to the machine, this may be usefull.
Regards Wulf++
[ Parent | Reply to this comment ]
Don't take me wrong: I do understand the need to encrypt a data partition.
I am just wondering if the extra effort required to encrypt the root partition is worth it. What is that you want to protect? The passwd file?
[ Parent | Reply to this comment ]
Posted by Anonymous (62.131.xx.xx) on Fri 8 Feb 2008 at 16:41
I have been thinking of implementing a non-root encrypted setup which encrypts only the most vital parts (the setup you are describing), but there are various things which must be available on boot which you might like encrypted. One of them is probably /var/log. In that situation you cannot simply move /var/log over to an encrypted partition since dmesg and other logs would fill over the unmounted empty directory when it is not yet mounted. Any solution other than a pre-boot environment would get really ugly in such ways, allthough it can be done.
Now all we need is some kind of trust profiler to detect tampering with the environment, so that when we log in over SSH, we can know for sure that nothing is sniffing our input (on the machine itself that is). It would be kind of easy to set up a trap for this by emulating the initrd environment in a virtual machine (since this is availabe with all private keys etc. unencrypted.) But this is too advanced and requires more work I guess.
Now all we need is some kind of trust profiler to detect tampering with the environment, so that when we log in over SSH, we can know for sure that nothing is sniffing our input (on the machine itself that is). It would be kind of easy to set up a trap for this by emulating the initrd environment in a virtual machine (since this is availabe with all private keys etc. unencrypted.) But this is too advanced and requires more work I guess.
[ Parent | Reply to this comment ]
1. /etc/ has a whole bunch of configuration details, maybe passwords in cfg files, firewall rules etc etc, that are better to be known only to you.
2. An unencrypted system means that while you're out of home, someone boots your machine with a live cd and plants you a trojan horse, a keylogger or something of this malicious nature. Then your data partition also is in danger.
3. If my laptop while traveling gets stolen, I feel much better to know that they just have a 3 year old laptop with a hard disk full of random garbage.
my ...3 cents :-P
2. An unencrypted system means that while you're out of home, someone boots your machine with a live cd and plants you a trojan horse, a keylogger or something of this malicious nature. Then your data partition also is in danger.
3. If my laptop while traveling gets stolen, I feel much better to know that they just have a 3 year old laptop with a hard disk full of random garbage.
my ...3 cents :-P
[ Parent | Reply to this comment ]
I may agree, to some extent. If you keep your gmail password in /etc/fetchmail.conf or the WEP key of your preferred wifi network in /etc/network/interfaces, then yes, an encrypted root disk can prevent disclosure of such sensible information.
However I can hardly imagine an attacker who wants to get past your firewall, while he already has physical access to your host!
Indeed, there is little you can do to protect yourself against someone who can play with your hardware while you're away. He can always tamper your initrd, or rewrite your grub code!
[ Parent | Reply to this comment ]
> Indeed, there is little you can do to protect yourself against someone who can > play with your hardware while you're away. He can always tamper your initrd, or > rewrite your grub code!
If you're completely paranoid, you don't have an unencrypted boot partition on your laptop, but you're booting from a flash drive which you always keep strapped to your neck :-P
If you're completely paranoid, you don't have an unencrypted boot partition on your laptop, but you're booting from a flash drive which you always keep strapped to your neck :-P
[ Parent | Reply to this comment ]
But if you're that paranoid, you shouldn't read this thread about booting via ssh! :-)
[ Parent | Reply to this comment ]
Posted by Anonymous (93.197.xx.xx) on Mon 9 Mar 2009 at 19:07
You can guard against tampering of the /boot partition by running tripwire against it from inside the secure installation (on bootup and in regular intervals). If you find that something dodgy has happened, take appropriate measures (depending on the degree of paranoia that is in order you could go so far as to overwrite the entire hard disk with zeroes, leaving no trace evidence whatsoever).
Know that a determined attacker with physical access to a running server can always run a "cold boot" attack (freezing the RAM modules and recovering the encryption key from another machine). Nothing can be done against that.
Know that a determined attacker with physical access to a running server can always run a "cold boot" attack (freezing the RAM modules and recovering the encryption key from another machine). Nothing can be done against that.
[ Parent | Reply to this comment ]
Posted by Anonymous (193.99.xx.xx) on Thu 7 Feb 2008 at 13:39
Very cool article, thank you.
Have you figured out a way to install all of this remotely?
I can boot a rescue system (completely in RAM-disk) to repartition the harddisk etc.
Have you figured out a way to install all of this remotely?
I can boot a rescue system (completely in RAM-disk) to repartition the harddisk etc.
[ Parent | Reply to this comment ]
If you only have remote access without serial console or something similar this is a little hassle.
One possibility may be to use a random PW for your LUKS partition while you set this up. If you are succeed, you change the passphrase. Other possibility may be to prepare the hole setup local and than you only copy the hole installation. But this is theory, I didn't tray, so some hidden traps may show up.
I build this up for a machine I have physical access, but I also use it from remote. I want to be able to reboot after electricity interruptions, ore other resents of shutdown.
For data processing centers I use a different solution:
My servers are running in xen vitualization and after small changes than you can use 'xm console' to type in your passphrase.
Best wishes Wulf++
[ Parent | Reply to this comment ]
Posted by Anonymous (130.126.xx.xx) on Thu 7 Feb 2008 at 16:54
Another method is to create a 3 partitions on the hard drive, one for /boot, one for swap, and one for the encrypted root luks,lvm combination.
Then install a minimal (unencrypted) debian to the swap space. Then log in to this debian, set up the luks partition, set up lvm, and use debootstrap to install a second copy of debian in the encrypted container.
Then boot into the encrypted container, then wipe the swap partition
dd if=/dev/urandom of=/dev/hda2 whatever...
and then set up an encrypted swap space in /etc/crypttab. Make the swap space use /dev/urandom as a key.
This way, everything is encrypted in the end, but you have an intermediate install that allows you to configure the encrypted root and boot drives before you actually boot into them for the first time.
Then install a minimal (unencrypted) debian to the swap space. Then log in to this debian, set up the luks partition, set up lvm, and use debootstrap to install a second copy of debian in the encrypted container.
Then boot into the encrypted container, then wipe the swap partition
dd if=/dev/urandom of=/dev/hda2 whatever...
and then set up an encrypted swap space in /etc/crypttab. Make the swap space use /dev/urandom as a key.
This way, everything is encrypted in the end, but you have an intermediate install that allows you to configure the encrypted root and boot drives before you actually boot into them for the first time.
[ Parent | Reply to this comment ]
Posted by Anonymous (79.2.xx.xx) on Sat 9 Feb 2008 at 13:45
hi
i am tring to do this in ubuntu 7.10 with encrypted root but i get this error
root@server:~# mkinitramfs -o my_init_name
/etc/initramfs-tools/hooks/dropbear: 31: source: not found
/etc/initramfs-tools/hooks/dropbear: 45: copy_exec: not found
/etc/initramfs-tools/hooks/dropbear: 46: copy_exec: not found
/etc/initramfs-tools/hooks/dropbear: 47: copy_exec: not found
/etc/initramfs-tools/hooks/dropbear: 50: copy_exec: not found
/etc/initramfs-tools/hooks/dropbear: 51: copy_exec: not found
/etc/initramfs-tools/hooks/dropbear: 52: copy_exec: not found
/etc/initramfs-tools/hooks/dropbear: 53: copy_exec: not found
/etc/initramfs-tools/hooks/dropbear: 172: cannot create /tmp/mkinitramfs_j12372/usr/bin/unlock: Directory nonexistent
chmod: impossibile accedere a `/tmp/mkinitramfs_j12372/usr/bin/unlock': Nessun file o directory
cpio: ./etc/dropbear/log/main: Cannot stat: Nessun file o directory
cpio: ./etc/dropbear/log/supervise: Cannot stat: Nessun file o directory
cpio: ./etc/dropbear/supervise: Cannot stat: Nessun file o directory
i have checked the line 31:
source /usr/share/initramfs-tools/hook-functions
after i have checked my path
root@server:~# cd /usr/share/initramfs-tools/
root@server:/usr/share/initramfs-tools# ls -al
drwxr-xr-x 7 root root 4096 2008-02-08 20:19 .
drwxr-xr-x 119 root root 4096 2008-02-08 22:10 ..
drwxr-xr-x 2 root root 4096 2007-10-04 16:59 conf.d
drwxr-xr-x 2 root root 4096 2008-02-08 20:19 conf-hooks.d
-rw-r--r-- 1 root root 7327 2007-10-02 14:39 hook-functions
drwxr-xr-x 2 root root 4096 2008-02-08 20:44 hooks
-rwxr-xr-x 1 root root 3295 2007-07-30 16:41 init
-rw-r--r-- 1 root root 191 2006-12-22 00:32 modules
drwxr-xr-x 2 root root 4096 2007-10-04 16:59 modules.d
drwxr-xr-x 12 root root 4096 2008-02-08 20:18 scripts
the file hook-functions exist!!
i am tring to do this in ubuntu 7.10 with encrypted root but i get this error
root@server:~# mkinitramfs -o my_init_name
/etc/initramfs-tools/hooks/dropbear: 31: source: not found
/etc/initramfs-tools/hooks/dropbear: 45: copy_exec: not found
/etc/initramfs-tools/hooks/dropbear: 46: copy_exec: not found
/etc/initramfs-tools/hooks/dropbear: 47: copy_exec: not found
/etc/initramfs-tools/hooks/dropbear: 50: copy_exec: not found
/etc/initramfs-tools/hooks/dropbear: 51: copy_exec: not found
/etc/initramfs-tools/hooks/dropbear: 52: copy_exec: not found
/etc/initramfs-tools/hooks/dropbear: 53: copy_exec: not found
/etc/initramfs-tools/hooks/dropbear: 172: cannot create /tmp/mkinitramfs_j12372/usr/bin/unlock: Directory nonexistent
chmod: impossibile accedere a `/tmp/mkinitramfs_j12372/usr/bin/unlock': Nessun file o directory
cpio: ./etc/dropbear/log/main: Cannot stat: Nessun file o directory
cpio: ./etc/dropbear/log/supervise: Cannot stat: Nessun file o directory
cpio: ./etc/dropbear/supervise: Cannot stat: Nessun file o directory
i have checked the line 31:
source /usr/share/initramfs-tools/hook-functions
after i have checked my path
root@server:~# cd /usr/share/initramfs-tools/
root@server:/usr/share/initramfs-tools# ls -al
drwxr-xr-x 7 root root 4096 2008-02-08 20:19 .
drwxr-xr-x 119 root root 4096 2008-02-08 22:10 ..
drwxr-xr-x 2 root root 4096 2007-10-04 16:59 conf.d
drwxr-xr-x 2 root root 4096 2008-02-08 20:19 conf-hooks.d
-rw-r--r-- 1 root root 7327 2007-10-02 14:39 hook-functions
drwxr-xr-x 2 root root 4096 2008-02-08 20:44 hooks
-rwxr-xr-x 1 root root 3295 2007-07-30 16:41 init
-rw-r--r-- 1 root root 191 2006-12-22 00:32 modules
drwxr-xr-x 2 root root 4096 2007-10-04 16:59 modules.d
drwxr-xr-x 12 root root 4096 2008-02-08 20:18 scripts
the file hook-functions exist!!
[ Parent | Reply to this comment ]
hoppala ...
Yes, I invoked /bin/sh, but it should be /bin/bash ...
On debian /bin/sh is a symlink to /bin/bash so it works. I don't know the handling in Ubuntu with that, but if you change the first line of the script from:
#!/bin/sh
to
#!/bin/bash
it should work. Don't change the invokings inside the script.
Also be aware, that
sudo -i
gives you full root environment while
sudo -s
only change to uid 0.
wishing succes
Wulf++
[ Parent | Reply to this comment ]
Posted by Anonymous (79.2.xx.xx) on Sun 10 Feb 2008 at 20:34
hey thanx!
now i have changed
#!/bin/sh
to
#!/bin/bash
and seem works!!
But i get now this error
root@server:~# mkinitramfs -o initrdssh
/etc/initramfs-tools/hooks/dropbear: line 171: /tmp/mkinitramfs_jH4674/usr/bin/unlock: Nessun file o directory
chmod: impossibile accedere a `/tmp/mkinitramfs_jH4674/usr/bin/unlock': Nessun file o directory
Seems Ubuntu don't have the file unlock on /usr/bin
root@server:~# cd /usr/bin/
root@server:/usr/bin# ls -al un*
-rwxr-xr-x 1 root root 18180 2007-09-29 14:51 unexpand
-rwxr-xr-x 1 root root 1538 2007-09-29 15:02 unicode_start
-rwxr-xr-x 1 root root 1003 2007-09-29 15:02 unicode_stop
-rwxr-xr-x 1 root root 20752 2007-09-29 14:51 uniq
-rwxr-xr-x 1 root root 12608 2007-09-29 14:51 unlink
i missed to install any package?
now i have changed
#!/bin/sh
to
#!/bin/bash
and seem works!!
But i get now this error
root@server:~# mkinitramfs -o initrdssh
/etc/initramfs-tools/hooks/dropbear: line 171: /tmp/mkinitramfs_jH4674/usr/bin/unlock: Nessun file o directory
chmod: impossibile accedere a `/tmp/mkinitramfs_jH4674/usr/bin/unlock': Nessun file o directory
Seems Ubuntu don't have the file unlock on /usr/bin
root@server:~# cd /usr/bin/
root@server:/usr/bin# ls -al un*
-rwxr-xr-x 1 root root 18180 2007-09-29 14:51 unexpand
-rwxr-xr-x 1 root root 1538 2007-09-29 15:02 unicode_start
-rwxr-xr-x 1 root root 1003 2007-09-29 15:02 unicode_stop
-rwxr-xr-x 1 root root 20752 2007-09-29 14:51 uniq
-rwxr-xr-x 1 root root 12608 2007-09-29 14:51 unlink
i missed to install any package?
[ Parent | Reply to this comment ]
Posted by Anonymous (88.70.xx.xx) on Wed 20 Feb 2008 at 21:11
/tmp/${DESTDIR}/usr/bin/unlock doesn't get created. I added /usr/bin to the DIRS variable to fix this.
[ Parent | Reply to this comment ]
Posted by Anonymous (89.245.xx.xx) on Thu 20 Mar 2008 at 14:31
First of all, the whole thing is very cool. I was looking for a solution to this for a long time.
But when I boot up, I get this output:
"
mount: Mounting none on /sys failed: Device or resource busy
mount: Mounting none on /proc failed: Device or resource busy
e100: eth0: e100_watchdog: link up, 100Mbps, full-duplex
/scipts/local-top/network_ssh: /scripts/local-top/network_ssh: 54: /usr/sbin/dropbear: not found
Type ok and press enter to put in passphrase:
"
I can ping the computer, so the network seems to work.
It might be a problem with dropbear, but I don't have any idea how to solve it.
But when I boot up, I get this output:
"
mount: Mounting none on /sys failed: Device or resource busy
mount: Mounting none on /proc failed: Device or resource busy
e100: eth0: e100_watchdog: link up, 100Mbps, full-duplex
/scipts/local-top/network_ssh: /scripts/local-top/network_ssh: 54: /usr/sbin/dropbear: not found
Type ok and press enter to put in passphrase:
"
I can ping the computer, so the network seems to work.
It might be a problem with dropbear, but I don't have any idea how to solve it.
[ Parent | Reply to this comment ]
Posted by Anonymous (85.177.xx.xx) on Tue 25 Mar 2008 at 21:18
Got exactly the same problem with debian etch
[ Parent | Reply to this comment ]
Posted by Anonymous (88.134.xx.xx) on Wed 11 Jun 2008 at 16:50
proc and sys seem to be there nevertheless. (on Etch)
I guess you can just ignore it or remove the appropriate mount commands from /etc/initramfs-tools/hooks/dropbear when creating the ramdisk.
I guess you can just ignore it or remove the appropriate mount commands from /etc/initramfs-tools/hooks/dropbear when creating the ramdisk.
[ Parent | Reply to this comment ]
Posted by Anonymous (84.115.xx.xx) on Thu 20 Mar 2008 at 20:21
I changed the script a little and got it working.
I'll do a few more changes tomorrow to improve the security of the whole thing.
The script is attached, i hope it works for you folks.
cheers,
sacred
I'll do a few more changes tomorrow to improve the security of the whole thing.
The script is attached, i hope it works for you folks.
cheers,
sacred
#!/bin/bash
# We add dropbear to the initrd&nbs p;to be able do mount crypto partit ions from remote
PREREQ=""
prereqs()
{
echo "$PREREQ"
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
# Begin real processing below this line
# copyright Wulf Coulmann
# GNU GPL
# http://www.gnu.org/licenses/gpl.htmla
#
# Download me here: http://gpl.coulmann.de/dr opbear
# get infos about this script here:
# http://gpl.coulmann.de/ssh_luks_unlock.html
# load the prepared functions of de bians initramfs enviroment
source /usr/share/initramfs-tools/hook-functions
# build the directorys
DIRS='/usr/bin/ /usr/sbin/ /proc/ /root/ /var / /var/run/ /var/run/'
for now in $DIRS ; do
if [ ! -e ${DESTDIR}$now ]
then
mkdir -p ${DE STDIR}$now
fi
done
# copy the main ssh-daemen including&nbs p;libarys
copy_exec /usr/sbin/dropbear /usr/sbin/
copy_exec /usr/bin/passwd /usr/bin/
copy_exec /bin/login /bin/
copy_exec /usr/bin/killall /usr/bin/
copy_exec /sbin/route /sbin/
copy_exec /usr/bin/awk /usr/bin/
# some libarys not autoincludet by copy_exec
copy_exec /lib/libnss_compat.so.2 /lib/
copy_exec /usr/lib/libz.so.1 /usr/lib/
copy_exec /etc/ld.so.cache /etc/
copy_exec /lib/libutil.so.1 /lib/
# we copy config and key files
cp -pr /etc/dropbear ${DESTDIR}/etc/
cp -pr /etc/passwd ${DESTDIR}/etc/ &nbs p; # quick and dirty, to keep file attributs
cp -pr /etc/shadow ${DESTDIR}/etc/
cp -pr /etc/group ${DESTDIR}/etc/
cp -pr /root/.ssh ${DESTDIR}/root/
cp -pr /etc/nsswitch.conf ${DESTDIR}/etc/
cp -pr /etc/localtime ${DESTDIR}/etc/
# we don't have bash in our in itrd
# also we only add the root ac count
cat /etc/passwd | grep root | ;sed s/\\/bash/\\/sh/ > ${DESTDIR}/etc/pa sswd
cat /etc/shadow | grep root | ;sed s/\\/bash/\\/sh/ > ${DESTDIR}/etc/sh adow
cat /etc/group | grep root | sed s/\\/bash/\\/sh/ > ${DESTDIR}/etc/gro up
# the blocker script to request inp ut action befor running cryptroot
# this let us run cryptroot on ;local terminal or inside ssh
# dirty but effektive
cat >${DESTDIR}/scripts/local-top/cryptroot_block &l t;< 'EOF'
#!/bin/sh
PREREQ="network_ssh"
prereqs()
{
echo "$PREREQ"
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
# Begin real processing below this line
echo Type "ok" and press enter to&n bsp;put in passphrase:
INPUT='wait'
while [ $INPUT != 'ok' ] ; do
read INPUT
done
EOF
chmod 700 ${DESTDIR}/scripts/local-top/cryptroot_block
cat >${DESTDIR}/scripts/local-top/network_ssh <&l t; 'EOF'
#!/bin/sh
# we start the network and ssh-serv er
PREREQ=""
prereqs()
{
echo "$PREREQ"
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
# Begin real processing below this line
# build up helpful enviroment
[ -d /dev ] || mkd ir -m 0755 /dev
[ -d /root ] || mk dir --mode=0700 /root
[ -d /sys ] || mkd ir /sys
[ -d /proc ] || mk dir /proc
[ -d /tmp ] || mkd ir /tmp
mkdir -p /var/lock
mount -t sysfs -o nodev,noexec,nosuid no ne /sys
mount -t proc -o nodev,noexec,nosuid non e /proc
mkdir /dev/pts
mount -t devpts -o gid=5,mode=620 /dev/p ts /dev/pts
# the Network setup edit ipaddres a nd gateway to your needs
ifconfig eth0 10.17.201.212 netmask 255.255.2 55.0
/sbin/route add default gw 10.17.201.1
# If you like to use dhcp make shure you include dhclient or pump in
# /etc/initramfs-tools/hooks/dropbear via
# copy_exec /sbin/dhclient
# for debugging ssh-server you may run it in forgound
# /usr/sbin/dropbear -E&n bsp;-F
# for more debugging you may run&nb sp;it with strace
# therfor you have to include strac e and nc at top of
# /etc/initramfs-tools/hooks/dropbear via
# copy_exec /usr/bin/strace
# copy_exec /usr/bin/nc
# then start nc on an other ho st and run
# /usr/sbin/dropbear -E -F 2>&1 | /bin/nc -vv <ip ;of other host> <nc port of o ther host>
# e.g.:
# /usr/sbin/dropbear -E -F 2>&1 | /bin/nc -vv 192.168.1.2 8888
/usr/sbin/dropbear -b /etc/dropbear/banner
EOF
chmod 700 ${DESTDIR}/scripts/local-top/network_ssh
cat >${DESTDIR}/etc/dropbear/banner << 'E OF'
To unlock root-partition& nbsp;run
unlock
EOF
# script to unlock luks via ssh
# dirty but effektive
cat >${DESTDIR}/usr/bin/unlock << 'EOF'
#!/bin/sh
/bin/sh /scripts/local-top/cryptroot && mv /s cripts/local-top/cryptroot /root && kill `ps& nbsp;| grep cryptroot_block|grep -v grep ;| /usr/bin/awk '{ print $1 }'`
EOF
chmod 700 ${DESTDIR}/usr/bin/unlock
# make shure we exit dropbear at&nb sp;the end of the startup process
cat >${DESTDIR}/scripts/local-bottom/rm_dropbear < ;< 'EOF'
#!/bin/sh
PREREQ=""
prereqs()
{
echo ""
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
# Begin real processing below this line
# we kill dropbear ssh-server
/usr/bin/killall dropbear
EOF
chmod 700 ${DESTDIR}/scripts/local-bottom/rm_dropbear
[ Parent | Reply to this comment ]
Posted by Anonymous (89.245.xx.xx) on Fri 21 Mar 2008 at 10:51
Using parts of the script you posted, I finally solved my dropbear problem. However, I get those two errors while booting:
mount: Mounting none on /sys failed: Device or resource busy
mount: Mounting none on /proc failed: Device or resource busy
I dont know, what the problem might be.
Thanks.
mount: Mounting none on /sys failed: Device or resource busy
mount: Mounting none on /proc failed: Device or resource busy
I dont know, what the problem might be.
Thanks.
[ Parent | Reply to this comment ]
Posted by Anonymous (84.58.xx.xx) on Thu 27 Mar 2008 at 15:09
Using your script I get to errors when trying to create the initrd:
/usr/sbin/mkinitramfs: 241: /etc/initramfs-tools/hooks/dropbear: not found
/usr/sbin/mkinitramfs: 1: /etc/initramfs-tools/hooks/dropbear: not found
I can't figure out why.
Any ideas?
Best regards,
Georg
/usr/sbin/mkinitramfs: 241: /etc/initramfs-tools/hooks/dropbear: not found
/usr/sbin/mkinitramfs: 1: /etc/initramfs-tools/hooks/dropbear: not found
I can't figure out why.
Any ideas?
Best regards,
Georg
[ Parent | Reply to this comment ]
Posted by Anonymous (84.58.xx.xx) on Thu 27 Mar 2008 at 16:58
Ok, I had to change the standard shell from dash to bash. that solved my problem.
Now, I also have this errors:
mount: Mounting none on /sys failed: Device or resource busy
mount: Mounting none on /proc failed: Device or resource busy
Now, I also have this errors:
mount: Mounting none on /sys failed: Device or resource busy
mount: Mounting none on /proc failed: Device or resource busy
[ Parent | Reply to this comment ]
Posted by Anonymous (85.177.xx.xx) on Fri 28 Mar 2008 at 02:52
me too, fiddeling arround with this but couldn't solve it :/
[ Parent | Reply to this comment ]
Has anyone had any luck with this? I am using 7.10 Server of Ubuntu and I am getting the same /proc and /sys error:
But also right after that I am getting others.
mount: Mounting none on /sys failed: Device or resource busy
mount: Mounting none on /proc failed: Device or resource busy
SIOCSIFADDR: No such device
SIOCSIFNETMASK: No such device
SIOCSADDRT: No such process
Type ok and press enter to put in passphrase:
I can not ping the static IP I set in the dropbear or SSH to it. I'm guessing that SIOCSIFADDR is the network device and because it is not seen I am not able to set the IP. Any suggestions or help would be great. I am also crossposting in ubuntuforums.org's Server Platforms section since I am doing this on Ubuntu.
But also right after that I am getting others.
mount: Mounting none on /sys failed: Device or resource busy
mount: Mounting none on /proc failed: Device or resource busy
SIOCSIFADDR: No such device
SIOCSIFNETMASK: No such device
SIOCSADDRT: No such process
Type ok and press enter to put in passphrase:
I can not ping the static IP I set in the dropbear or SSH to it. I'm guessing that SIOCSIFADDR is the network device and because it is not seen I am not able to set the IP. Any suggestions or help would be great. I am also crossposting in ubuntuforums.org's Server Platforms section since I am doing this on Ubuntu.
[ Parent | Reply to this comment ]
hi everyone,
i am trying to set this up under ubuntu server (hardy 8.04) and I always get this error:
sudo mkinitramfs -o initrd.img-2.6.24-16-server
/etc/initramfs-tools/hooks/dropbear: line 40: ${DE STDIR}$now: bad substitution
ln: target `/tmp/mkinitramfs_O28885//usr/sbin/' is not a directory: No such file or directory
ln: target `/tmp/mkinitramfs_O28885//usr/bin/' is not a directory: No such file or directory
ln: target `/tmp/mkinitramfs_O28885//usr/bin/' is not a directory: No such file or directory
ln: target `/tmp/mkinitramfs_O28885//usr/bin/' is not a directory: No such file or directory
cp: cannot stat `/root/.ssh': No such file or directory
/etc/initramfs-tools/hooks/dropbear: line 69: syntax error near unexpected token `;'
/etc/initramfs-tools/hooks/dropbear: line 69: `cat /etc/passwd | grep root | ;sed s/\\/bash/\\/sh/ > ${DESTDIR}/etc/passwd'
cpio: ./etc/dropbear/log/main: Cannot stat: No such file or directory
cpio: ./etc/dropbear/log/supervise: Cannot stat: No such file or directory
I am really helpful for any help...or alternatives.
cheers,
eule
i am trying to set this up under ubuntu server (hardy 8.04) and I always get this error:
sudo mkinitramfs -o initrd.img-2.6.24-16-server
/etc/initramfs-tools/hooks/dropbear: line 40: ${DE STDIR}$now: bad substitution
ln: target `/tmp/mkinitramfs_O28885//usr/sbin/' is not a directory: No such file or directory
ln: target `/tmp/mkinitramfs_O28885//usr/bin/' is not a directory: No such file or directory
ln: target `/tmp/mkinitramfs_O28885//usr/bin/' is not a directory: No such file or directory
ln: target `/tmp/mkinitramfs_O28885//usr/bin/' is not a directory: No such file or directory
cp: cannot stat `/root/.ssh': No such file or directory
/etc/initramfs-tools/hooks/dropbear: line 69: syntax error near unexpected token `;'
/etc/initramfs-tools/hooks/dropbear: line 69: `cat /etc/passwd | grep root | ;sed s/\\/bash/\\/sh/ > ${DESTDIR}/etc/passwd'
cpio: ./etc/dropbear/log/main: Cannot stat: No such file or directory
cpio: ./etc/dropbear/log/supervise: Cannot stat: No such file or directory
I am really helpful for any help...or alternatives.
cheers,
eule
[ Parent | Reply to this comment ]
Ok i solved the dirs problem - it narrows down to this problem now:
cp: cannot stat `/root/.ssh': No such file or directory
/etc/initramfs-tools/hooks/dropbear: line 72: syntax error near unexpected token `;'
/etc/initramfs-tools/hooks/dropbear: line 72: `cat /etc/passwd | grep root | ;sed s/\\/bash/\\/sh/ > ${DESTDIR}/etc/passwd'
Thanks for your help,
eule
cp: cannot stat `/root/.ssh': No such file or directory
/etc/initramfs-tools/hooks/dropbear: line 72: syntax error near unexpected token `;'
/etc/initramfs-tools/hooks/dropbear: line 72: `cat /etc/passwd | grep root | ;sed s/\\/bash/\\/sh/ > ${DESTDIR}/etc/passwd'
Thanks for your help,
eule
[ Parent | Reply to this comment ]
ok it boiled down to:
cp: cannot stat `/root/.ssh': No such file or directory
--> the rest were just noob-mistakes ;-) i am pretty new to linux :-)
cp: cannot stat `/root/.ssh': No such file or directory
--> the rest were just noob-mistakes ;-) i am pretty new to linux :-)
[ Parent | Reply to this comment ]
me again :-)
It's booting but I got a major problem:
Server refused our key
xxxxxxxxxxxxx's password:
it says server refused key though it did work before and it also rejects my password.
the only thing i changed in the script that i pointed to home/user/.ssh/ because in /root there was no .ssh folder and all my keys and auth keys are in that folder...
It's booting but I got a major problem:
Server refused our key
xxxxxxxxxxxxx's password:
it says server refused key though it did work before and it also rejects my password.
the only thing i changed in the script that i pointed to home/user/.ssh/ because in /root there was no .ssh folder and all my keys and auth keys are in that folder...
[ Parent | Reply to this comment ]
Posted by Anonymous (91.156.xx.xx) on Fri 2 May 2008 at 18:00
Here is a little bit modified version of the script. /dev/random got blocked on my machine and that is the reason why dropbear didn't respond. I modified /dev/random to be a symlink pointing to /dev/urandom and now this script works at least in Debian Etch. Remote unlocking of cryptroot will probably be implemented in Lenny http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=465901
#!/bin/bash
# We add dropbear to the initrd&nbs p;to be able
# mount crypted partitions from remote
# copyright Wulf Coulmann
# GNU GPL
# http://www.gnu.org/licenses/gpl.html
#
# Download me here: http://gpl.coulmann.de/dr opbear
# get infos about this script here:
# http://gpl.coulmann.de/ssh_luks_unlock.html
#
# Modified by Anonymous 2008
### INSTRUCTIONS FOR DEBIAN ETCH ###
# 1. Install killall, busybox and d ropbear:
# ~# apt-get install psmisc busybox dropbear
# 2. Edit network configuration below&nb sp;and copy contents
# of this file to /etc /initramfs-tools/hooks/dropbear
# 3. Make it executable:
# ~# chmod +x /etc/initramf s-tools/hooks/dropbear
# 4. Create new initrd:
# ~# mkinitramfs -o /boot/m y_name_of_the_initrd
# 5. Edit /boot/grub/menu.lst and add&nb sp;your new initrd as the first ent ry
# 6. ???
# 7. Profit!
PREREQ=""
prereqs()
{
echo "$PREREQ"
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
# Begin real processing below this line
# load the prepared functions of de bians initramfs enviroment
source /usr/share/initramfs-tools/hook-functions
# build the directories
DIRS='/usr/bin /usr/sbin/ /proc/ /root/.ssh/ /var/ /var/run/ /etc/dropbear/'
for now in $DIRS ; do
if [ ! -e ${DESTDIR}$now ]
then
mkdir -p ${DE STDIR}$now
fi
done
# copy the ssh-daemon and librarys
copy_exec /usr/sbin/dropbear /usr/sbin/
copy_exec /usr/bin/passwd /usr/bin/
copy_exec /bin/login /bin/
copy_exec /usr/bin/killall /usr/bin/
copy_exec /sbin/route /sbin/
copy_exec /usr/bin/awk /usr/bin/
# some librarys are not autoincluded&nbs p;by copy_exec
copy_exec /lib/libnss_compat.so.2 /lib/
copy_exec /usr/lib/libz.so.1 /usr/lib/
copy_exec /etc/ld.so.cache /etc/
copy_exec /lib/libutil.so.1 /lib/
# we copy config and key files
cp -pr /etc/dropbear/dropbear_dss_host_key ${DESTD IR}/etc/dropbear/
cp -pr /etc/dropbear/dropbear_rsa_host_key ${DESTD IR}/etc/dropbear/
cp -pr /etc/passwd ${DESTDIR}/etc/
cp -pr /etc/shadow ${DESTDIR}/etc/
cp -pr /etc/group ${DESTDIR}/etc/
if [ -e /root/.ssh/authorized_keys ;]
then
cp -pr /root/.ssh/authorized_keys ${DE STDIR}/root/.ssh/
fi
cp -pr /etc/nsswitch.conf ${DESTDIR}/etc/
cp -pr /etc/localtime ${DESTDIR}/etc/
# we don't have bash in our in itrd
# also we only add the root ac count
cat /etc/passwd | grep root | ;sed s/\\/bash/\\/sh/ > ${DESTDIR}/etc/passwd&n bsp;
cat /etc/shadow | grep root >&n bsp;${DESTDIR}/etc/shadow
cat /etc/group | grep root >&nb sp;${DESTDIR}/etc/group
cat >${DESTDIR}/scripts/local-top/network_ssh <&l t; 'EOF'
#!/bin/sh
# we start the network and ssh-serv er
PREREQ=""
prereqs()
{
echo "$PREREQ"
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
# Begin real processing below this line
# build up helpful environment
[ -d /dev ] || mkd ir -m 0755 /dev
[ -d /root ] || mk dir --mode=0700 /root
[ -d /tmp ] || mkd ir /tmp
[ -d /sys ] || {
mkdir /sys
mount -t sysfs -o nodev,noexec,no suid none /sys
}
[ -d /proc ] || {
mkdir /proc
mount -t proc -o nodev,noexec,nos uid none /proc
}
mkdir -p /var/lock
mkdir -p /var/log
touch /var/log/lastlog
mkdir /dev/pts
mount -t devpts -o gid=5,mode=620 /dev/p ts /dev/pts
################# CHANGE THE LINES BELOW ;#################
# The network setup: edit ip addres s and gateway to match your needs&n bsp;
ifconfig eth0 192.168.0.5 netmask 255.255.255 .0
route add default gw 192.168.0.1
################# CHANGE THE LINES ABOVE ;#################
# If you like to use dhcp make sure you include dhclient or pump& nbsp;in
# /etc/initramfs-tools/hooks/dropbear via
# copy_exec /sbin/dhclient
# for debugging ssh-server you may run it in forgound
# /usr/sbin/dropbear -E&n bsp;-F
# for more debugging you may run&nb sp;it with strace
# therfor you have to include strac e and nc at top of
# /etc/initramfs-tools/hooks/dropbear via
# copy_exec /usr/bin/strace
# copy_exec /usr/bin/nc
# then start nc on an other ho st and run
# /usr/sbin/dropbear -E -F 2>&1 | /bin/nc -vv <ip ;of other host> <nc port of o ther host>
# e.g.:
# /usr/sbin/dropbear -E -F 2>&1 | /bin/nc -vv 192.168.1.2 8888
# We will use /dev/urandom because /dev/random gets easily blocked
mv /dev/random /dev/random.old
ln -s /dev/urandom /dev/random
/usr/sbin/dropbear -b /etc/dropbear/banner -d ;/etc/dropbear/dropbear_dss_host_key -r /etc/dropbear/d ropbear_rsa_host_key -p 22
rm -f /dev/random
mv /dev/random.old /dev/random
EOF
chmod 700 ${DESTDIR}/scripts/local-top/network_ssh
cat >${DESTDIR}/etc/dropbear/banner << 'E OF'
To unlock root-partition& nbsp;run
unlock
EOF
# script to unlock luks via ssh&nbs p;
# dirty but effektive
cat >${DESTDIR}/usr/bin/unlock << 'EOF'
#!/bin/sh
/bin/sh /scripts/local-top/cryptroot
# Kill processes locking boot process&nb sp;
[ `ls /dev/mapper/ | grep -v& nbsp;control| wc -l | awk '{print $ 1}'` -gt 0 ] && {
for i in `ps | grep -E& nbsp;"cryptroot|cryptsetup" | awk '{ print&nb sp;$1 }'`
do
kill $i
done
}
EOF
chmod 700 ${DESTDIR}/usr/bin/unlock
# make sure we exit dropbear at&nbs p;the end of the startup process
cat >${DESTDIR}/scripts/local-bottom/rm_dropbear < ;< 'EOF'
#!/bin/sh
PREREQ=""
prereqs()
{
echo ""
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
# Begin real processing below this line
# we kill dropbear ssh-server
/usr/bin/killall dropbear
EOF
chmod 700 ${DESTDIR}/scripts/local-bottom/rm_dropbear
[ Parent | Reply to this comment ]
Posted by Anonymous (91.156.xx.xx) on Fri 2 May 2008 at 18:12
I did use the code-tags but the source code got broken anyway. So here is the rapidshare of the modified script.
http://rapidshare.com/files/112034136/dropbear.html
http://rapidshare.com/files/112034136/dropbear.html
[ Parent | Reply to this comment ]
Posted by Anonymous (130.117.xx.xx) on Fri 23 May 2008 at 09:12
I've a problem auth myself in the dropbear shell.
It tells me that the root user doesn't exist, I 'cat' the /etc/passwd and the root's entry is here ... like for the /etc/passwd.
any idea ?
It tells me that the root user doesn't exist, I 'cat' the /etc/passwd and the root's entry is here ... like for the /etc/passwd.
any idea ?
[ Parent | Reply to this comment ]
Posted by Anonymous (130.117.xx.xx) on Mon 26 May 2008 at 10:33
I need to add the tls library to make the dropbear shell working.
cp -rp /lib/tls /lib/
cp -rp /lib/tls /lib/
[ Parent | Reply to this comment ]
Posted by Anonymous (130.117.xx.xx) on Mon 26 May 2008 at 11:00
Le script qui marche sur Debian :)
pour toutes question geoffroy {dot} rabouin (at] gmail dot ]com]
#!/bin/bash
# We add dropbear to the initrd to be able
# mount crypted partitions from remote
# copyright Wulf Coulmann
# GNU GPL
# http://www.gnu.org/licenses/gpl.html
#
# Download me here: http://gpl.coulmann.de/dropbear
# get infos about this script here:
# http://gpl.coulmann.de/ssh_luks_unlock.html
#
# Modified by Anonymous 2008
# Modified By Geoffroy RABOUIN 26/05/2008
### INSTRUCTIONS FOR DEBIAN ETCH ###
# 1. Install killall, busybox and dropbear:
# ~# apt-get install psmisc busybox dropbear
# 2. Edit network configuration below and copy contents
# of this file to /etc/initramfs-tools/hooks/dropbear
# 3. Make it executable:
# ~# chmod +x /etc/initramfs-tools/hooks/dropbear
# 4. Create new initrd:
# ~# mkinitramfs -o /boot/my_name_of_the_initrd
# 5. Edit /boot/grub/menu.lst and add your new initrd as the first entry
# 6. ???
# 7. Profit!
PREREQ=""
prereqs()
{
echo "$PREREQ"
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
# Begin real processing below this line
# load the prepared functions of debians initramfs enviroment
source /usr/share/initramfs-tools/hook-functions
# build the directories
DIRS='/lib /bin /usr/bin /usr/sbin/ /proc/ /root/.ssh/ /var/ /var/run/ /etc/dropbear/'
for now in $DIRS ; do
if [ ! -e ${DESTDIR}$now ]
then
mkdir -p ${DESTDIR}$now
fi
done
# copy the ssh-daemon and librarys
copy_exec /usr/sbin/dropbear /usr/sbin/
copy_exec /usr/bin/passwd /usr/bin/
copy_exec /bin/login /bin/
copy_exec /usr/bin/killall /usr/bin/
copy_exec /sbin/route /sbin/
copy_exec /usr/bin/awk /usr/bin/
#copy_exec /usr/bin/strace /usr/bin/
#copy_exec /bin/nc /bin/
# some librarys are not autoincluded by copy_exec
copy_exec /lib/libnss_compat.so.2 /lib/
copy_exec /usr/lib/libz.so.1 /usr/lib/
copy_exec /etc/ld.so.cache /etc/
copy_exec /lib/libutil.so.1 /lib/
# we copy config and key files
cp -pr /etc/dropbear/dropbear_dss_host_key ${DESTDIR}/etc/dropbear/
cp -pr /etc/dropbear/dropbear_rsa_host_key ${DESTDIR}/etc/dropbear/
cp -pr /etc/passwd ${DESTDIR}/etc/
cp -pr /etc/shadow ${DESTDIR}/etc/
cp -pr /etc/group ${DESTDIR}/etc/
if [ -e /root/.ssh/authorized_keys ]
then
cp -pr /root/.ssh/authorized_keys ${DESTDIR}/root/.ssh/
fi
cp -pr /etc/nsswitch.conf ${DESTDIR}/etc/
cp -pr /etc/localtime ${DESTDIR}/etc/
cp -pr /lib/tls ${DESTDIR}/lib/
# we don't have bash in our initrd
# also we only add the root account
cat /etc/passwd | grep root | sed s/\\/bash/\\/sh/ > ${DESTDIR}/etc/passwd
cat /etc/shadow | grep root > ${DESTDIR}/etc/shadow
cat /etc/group | grep root > ${DESTDIR}/etc/group
cat >${DESTDIR}/scripts/local-top/network_ssh << 'EOF'
#!/bin/sh
# we start the network and ssh-server
PREREQ=""
prereqs()
{
echo "$PREREQ"
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
# Begin real processing below this line
# build up helpful environment
[ -d /dev ] || mkdir -m 0755 /dev
[ -d /root ] || mkdir --mode=0700 /root
[ -d /tmp ] || mkdir /tmp
[ -d /sys ] || {
mkdir /sys
mount -t sysfs -o nodev,noexec,nosuid none /sys
}
[ -d /proc ] || {
mkdir /proc
mount -t proc -o nodev,noexec,nosuid none /proc
}
mkdir -p /var/lock
mkdir -p /var/log
touch /var/log/lastlog
mkdir /dev/pts
mount -t devpts -o gid=5,mode=620 /dev/pts /dev/pts
################# CHANGE THE LINES BELOW #################
# The network setup: edit ip address and gateway to match your needs
ifconfig eth0 192.168.17.133 netmask 255.255.255.0
route add default gw 192.168.17.1
################# CHANGE THE LINES ABOVE #################
# If you like to use dhcp make sure you include dhclient or pump in
# /etc/initramfs-tools/hooks/dropbear via
# copy_exec /sbin/dhclient
# for debugging ssh-server you may run it in forgound
# /usr/sbin/dropbear -E -F
# for more debugging you may run it with strace
# therfor you have to include strace and nc at top of
# /etc/initramfs-tools/hooks/dropbear via
# copy_exec /usr/bin/strace
# copy_exec /usr/bin/nc
# then start nc on an other host and run
# /usr/sbin/dropbear -E -F 2>&1 | /bin/nc -vv <ip of other host> <nc port of other host>
# e.g.:
# /usr/sbin/dropbear -E -F 2>&1 | /bin/nc -vv 192.168.1.2 8888
# We will use /dev/urandom because /dev/random gets easily blocked
mv /dev/random /dev/random.old
ln -s /dev/urandom /dev/random
/usr/sbin/dropbear -E -F -b /etc/dropbear/banner -d /etc/dropbear/dropbear_dss_host_key -r /etc/dropbear/dropbear_rsa_host_key -p 22
ls -al
rm -f /dev/random
mv /dev/random.old /dev/random
EOF
chmod 700 ${DESTDIR}/scripts/local-top/network_ssh
cat >${DESTDIR}/etc/dropbear/banner << 'EOF'
To unlock root-partition run
unlock
EOF
# script to unlock luks via ssh
# dirty but effektive
cat >${DESTDIR}/usr/bin/unlock << 'EOF'
#!/bin/sh
/bin/sh /scripts/local-top/cryptroot
# Kill processes locking boot process
[ `ls /dev/mapper/ | grep -v control| wc -l | awk '{print $1}'` -gt 0 ] && {
for i in `ps | grep -E "cryptroot|cryptsetup" | awk '{ print $1 }'`
do
kill $i
done
}
/bin/sh /scripts/local-bottom/rm_dropbear
EOF
chmod 700 ${DESTDIR}/usr/bin/unlock
# make sure we exit dropbear at the end of the startup process
cat >${DESTDIR}/scripts/local-bottom/rm_dropbear << 'EOF'
#!/bin/sh
PREREQ=""
prereqs()
{
echo ""
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
# Begin real processing below this line
# we kill dropbear ssh-server
/usr/bin/killall dropbear
EOF
chmod 700 ${DESTDIR}/scripts/local-bottom/rm_dropbear
pour toutes question geoffroy {dot} rabouin (at] gmail dot ]com]
#!/bin/bash
# We add dropbear to the initrd to be able
# mount crypted partitions from remote
# copyright Wulf Coulmann
# GNU GPL
# http://www.gnu.org/licenses/gpl.html
#
# Download me here: http://gpl.coulmann.de/dropbear
# get infos about this script here:
# http://gpl.coulmann.de/ssh_luks_unlock.html
#
# Modified by Anonymous 2008
# Modified By Geoffroy RABOUIN 26/05/2008
### INSTRUCTIONS FOR DEBIAN ETCH ###
# 1. Install killall, busybox and dropbear:
# ~# apt-get install psmisc busybox dropbear
# 2. Edit network configuration below and copy contents
# of this file to /etc/initramfs-tools/hooks/dropbear
# 3. Make it executable:
# ~# chmod +x /etc/initramfs-tools/hooks/dropbear
# 4. Create new initrd:
# ~# mkinitramfs -o /boot/my_name_of_the_initrd
# 5. Edit /boot/grub/menu.lst and add your new initrd as the first entry
# 6. ???
# 7. Profit!
PREREQ=""
prereqs()
{
echo "$PREREQ"
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
# Begin real processing below this line
# load the prepared functions of debians initramfs enviroment
source /usr/share/initramfs-tools/hook-functions
# build the directories
DIRS='/lib /bin /usr/bin /usr/sbin/ /proc/ /root/.ssh/ /var/ /var/run/ /etc/dropbear/'
for now in $DIRS ; do
if [ ! -e ${DESTDIR}$now ]
then
mkdir -p ${DESTDIR}$now
fi
done
# copy the ssh-daemon and librarys
copy_exec /usr/sbin/dropbear /usr/sbin/
copy_exec /usr/bin/passwd /usr/bin/
copy_exec /bin/login /bin/
copy_exec /usr/bin/killall /usr/bin/
copy_exec /sbin/route /sbin/
copy_exec /usr/bin/awk /usr/bin/
#copy_exec /usr/bin/strace /usr/bin/
#copy_exec /bin/nc /bin/
# some librarys are not autoincluded by copy_exec
copy_exec /lib/libnss_compat.so.2 /lib/
copy_exec /usr/lib/libz.so.1 /usr/lib/
copy_exec /etc/ld.so.cache /etc/
copy_exec /lib/libutil.so.1 /lib/
# we copy config and key files
cp -pr /etc/dropbear/dropbear_dss_host_key ${DESTDIR}/etc/dropbear/
cp -pr /etc/dropbear/dropbear_rsa_host_key ${DESTDIR}/etc/dropbear/
cp -pr /etc/passwd ${DESTDIR}/etc/
cp -pr /etc/shadow ${DESTDIR}/etc/
cp -pr /etc/group ${DESTDIR}/etc/
if [ -e /root/.ssh/authorized_keys ]
then
cp -pr /root/.ssh/authorized_keys ${DESTDIR}/root/.ssh/
fi
cp -pr /etc/nsswitch.conf ${DESTDIR}/etc/
cp -pr /etc/localtime ${DESTDIR}/etc/
cp -pr /lib/tls ${DESTDIR}/lib/
# we don't have bash in our initrd
# also we only add the root account
cat /etc/passwd | grep root | sed s/\\/bash/\\/sh/ > ${DESTDIR}/etc/passwd
cat /etc/shadow | grep root > ${DESTDIR}/etc/shadow
cat /etc/group | grep root > ${DESTDIR}/etc/group
cat >${DESTDIR}/scripts/local-top/network_ssh << 'EOF'
#!/bin/sh
# we start the network and ssh-server
PREREQ=""
prereqs()
{
echo "$PREREQ"
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
# Begin real processing below this line
# build up helpful environment
[ -d /dev ] || mkdir -m 0755 /dev
[ -d /root ] || mkdir --mode=0700 /root
[ -d /tmp ] || mkdir /tmp
[ -d /sys ] || {
mkdir /sys
mount -t sysfs -o nodev,noexec,nosuid none /sys
}
[ -d /proc ] || {
mkdir /proc
mount -t proc -o nodev,noexec,nosuid none /proc
}
mkdir -p /var/lock
mkdir -p /var/log
touch /var/log/lastlog
mkdir /dev/pts
mount -t devpts -o gid=5,mode=620 /dev/pts /dev/pts
################# CHANGE THE LINES BELOW #################
# The network setup: edit ip address and gateway to match your needs
ifconfig eth0 192.168.17.133 netmask 255.255.255.0
route add default gw 192.168.17.1
################# CHANGE THE LINES ABOVE #################
# If you like to use dhcp make sure you include dhclient or pump in
# /etc/initramfs-tools/hooks/dropbear via
# copy_exec /sbin/dhclient
# for debugging ssh-server you may run it in forgound
# /usr/sbin/dropbear -E -F
# for more debugging you may run it with strace
# therfor you have to include strace and nc at top of
# /etc/initramfs-tools/hooks/dropbear via
# copy_exec /usr/bin/strace
# copy_exec /usr/bin/nc
# then start nc on an other host and run
# /usr/sbin/dropbear -E -F 2>&1 | /bin/nc -vv <ip of other host> <nc port of other host>
# e.g.:
# /usr/sbin/dropbear -E -F 2>&1 | /bin/nc -vv 192.168.1.2 8888
# We will use /dev/urandom because /dev/random gets easily blocked
mv /dev/random /dev/random.old
ln -s /dev/urandom /dev/random
/usr/sbin/dropbear -E -F -b /etc/dropbear/banner -d /etc/dropbear/dropbear_dss_host_key -r /etc/dropbear/dropbear_rsa_host_key -p 22
ls -al
rm -f /dev/random
mv /dev/random.old /dev/random
EOF
chmod 700 ${DESTDIR}/scripts/local-top/network_ssh
cat >${DESTDIR}/etc/dropbear/banner << 'EOF'
To unlock root-partition run
unlock
EOF
# script to unlock luks via ssh
# dirty but effektive
cat >${DESTDIR}/usr/bin/unlock << 'EOF'
#!/bin/sh
/bin/sh /scripts/local-top/cryptroot
# Kill processes locking boot process
[ `ls /dev/mapper/ | grep -v control| wc -l | awk '{print $1}'` -gt 0 ] && {
for i in `ps | grep -E "cryptroot|cryptsetup" | awk '{ print $1 }'`
do
kill $i
done
}
/bin/sh /scripts/local-bottom/rm_dropbear
EOF
chmod 700 ${DESTDIR}/usr/bin/unlock
# make sure we exit dropbear at the end of the startup process
cat >${DESTDIR}/scripts/local-bottom/rm_dropbear << 'EOF'
#!/bin/sh
PREREQ=""
prereqs()
{
echo ""
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
# Begin real processing below this line
# we kill dropbear ssh-server
/usr/bin/killall dropbear
EOF
chmod 700 ${DESTDIR}/scripts/local-bottom/rm_dropbear
[ Parent | Reply to this comment ]
Posted by Anonymous (82.56.xx.xx) on Thu 17 Jul 2008 at 12:15
I run the script on a Debian System and this is what I receive at the prompt
: No such file or directory
: No such file or directory
The initrd is created and if I reboot using it it continue to ask fot the luks password
Any idea how I can debug this?
Thanks
: No such file or directory
: No such file or directory
The initrd is created and if I reboot using it it continue to ask fot the luks password
Any idea how I can debug this?
Thanks
[ Parent | Reply to this comment ]
Posted by Anonymous (24.108.xx.xx) on Mon 15 Sep 2008 at 14:40
Dont use this one verion of the script that this comment is under. I posted it and it is full of trailing spaces which will give you headaches because the EOF's won't be recognized. Sorry about that.
[ Parent | Reply to this comment ]
Posted by Anonymous (85.177.xx.xx) on Sun 25 May 2008 at 19:26
Thanks for sharing your modifications. Works great with Ubuntu 8.04 Server!
I only had to change the following things: "copy_exec /usr/bin/wc /usr/bin", to get wc working and "/bin/sleep 5" before the ifconfig setup, to get rid of the following errors:
SIOCSIFADDR: No such device
SIOCSIFNETMASK: No such device
SIOCSADDRT: No such process
I only had to change the following things: "copy_exec /usr/bin/wc /usr/bin", to get wc working and "/bin/sleep 5" before the ifconfig setup, to get rid of the following errors:
SIOCSIFADDR: No such device
SIOCSIFNETMASK: No such device
SIOCSADDRT: No such process
[ Parent | Reply to this comment ]
Posted by Anonymous (24.108.xx.xx) on Sat 30 Aug 2008 at 12:49
Unlocking a LUKS encrypted root partition via ssh
From:
http://www.debian-administration.org/articles/579
Which is based on:
http://gpl.coulmann.de/ssh_luks_unlock.html
Worked on:
Debian Lenny Beta2 -30Aug2008
/etc/initramfs-tools/hooks/dropbear script:
================================================================= =
#!/bin/bash
# We add dropbear to the initrd to be able
# mount crypted partitions from remote
# copyright Wulf Coulmann
# GNU GPL
# http://www.gnu.org/licenses/gpl.html
#
# Download me here: http://gpl.coulmann.de/dropbear
# get infos about this script here:
# http://gpl.coulmann.de/ssh_luks_unlock.html
#
# Modified by Anonymous 2008
# Modified By Geoffroy RABOUIN 26/05/2008
# Modified with poor formatting by Anonymous 30Aug2008 (please fix!)
# !!modified instructions
### INSTRUCTIONS FOR DEBIAN ETCH ###
# 1. Install killall, busybox and d ropbear:
# ~# aptitude install psmisc busybox dropbear linux-headers-`uname -r`
## make it not start automatically (openssh instead of this)
# ~#update-rc.d -f dropbear remove
# 2. Edit network configuration below (IP address, etc) and copy contents
# of this file to /etc /initramfs-tools/hooks/dropbear
# 3. Make it executable:
# ~# chmod +x /etc/initramf s-tools/hooks/dropbear
# 4. Create new initrd:
# ~# mkinitramfs -v -o /boot/m y_name_of_the_initrd
# !!check the output to make sure that the /lib/modules/`uname-r`/kernel/drivers/net network module(s) loaded
# if not, find your drivers in that directory, and do these things:
# edit /etc/initramfs-tools/initramfs.conf
# change MODULES= ? to MODULES=list
# change DEVICE= ? to DEVICE=eth0 ..or eth1, etc.
# ( you can check for the right 'ethX' in /etc/udev/rules.d/70-persistent-net.rules )
# 5. Edit /boot/grub/menu.lst and add your new initrd as the first entry
# 6. ???
# 7. Profit!
PREREQ=""
prereqs()
{
echo "$PREREQ"
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
# Begin real processing below this line
# load the prepared functions of debians initramfs enviroment
source /usr/share/initramfs-tools/hook-functions
# build the directories
DIRS='/lib /bin /usr/bin /usr/sbin/ /proc/ /root/.ssh/ /var/ /var/run/ /etc/dropbear/'
for now in $DIRS ; do
if [ ! -e ${DESTDIR}$now ]
then
mkdir -p ${DESTDIR}$now
fi
done
# copy the ssh-daemon and librarys
copy_exec /usr/sbin/dropbear /usr/sbin/
copy_exec /usr/bin/passwd /usr/bin/
copy_exec /bin/login /bin/
copy_exec /usr/bin/killall /usr/bin/
copy_exec /sbin/route /sbin/
copy_exec /usr/bin/awk /usr/bin/
#copy_exec /usr/bin/strace /usr/bin/
#copy_exec /bin/nc /bin/
copy_exec /usr/bin/wc /usr/bin
# some librarys are not autoincluded by copy_exec
copy_exec /lib/libnss_compat.so.2 /lib/
copy_exec /usr/lib/libz.so.1 /usr/lib/
copy_exec /etc/ld.so.cache /etc/
copy_exec /lib/libutil.so.1 /lib/
# we copy config and key files
cp -pr /etc/dropbear/dropbear_dss_host_key ${DESTDIR}/etc/dropbear/
cp -pr /etc/dropbear/dropbear_rsa_host_key ${DESTDIR}/etc/dropbear/
cp -pr /etc/passwd ${DESTDIR}/etc/
cp -pr /etc/shadow ${DESTDIR}/etc/
cp -pr /etc/group ${DESTDIR}/etc/
if [ -e /root/.ssh/authorized_keys ]
then
cp -pr /root/.ssh/authorized_keys ${DESTDIR}/root/.ssh/
fi
cp -pr /etc/nsswitch.conf ${DESTDIR}/etc/
cp -pr /etc/localtime ${DESTDIR}/etc/
#cp -pr /usr/lib ${DESTDIR}/lib/
# we don't have bash in our initrd
# also we only add the root account
cat /etc/passwd | grep root | sed s/\\/bash/\\/sh/ > ${DESTDIR}/etc/passwd
cat /etc/shadow | grep root > ${DESTDIR}/etc/shadow
cat /etc/group | grep root > ${DESTDIR}/etc/group
cat >${DESTDIR}/scripts/local-top/network_ssh << 'EOF'
#!/bin/sh
# we start the network and ssh-server
PREREQ=""
prereqs()
{
echo "$PREREQ"
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
# Begin real processing below this line
# build up helpful environment
[ -d /dev ] || mkdir -m 0755 /dev
[ -d /root ] || mkdir --mode=0700 /root
[ -d /tmp ] || mkdir /tmp
[ -d /sys ] || {
mkdir /sys
mount -t sysfs -o nodev,noexec,nosuid none /sys
}
[ -d /proc ] || {
mkdir /proc
mount -t proc -o nodev,noexec,nosuid none /proc
}
mkdir -p /var/lock
mkdir -p /var/log
touch /var/log/lastlog
mkdir /dev/pts
mount -t devpts -o gid=5,mode=620 /dev/pts /dev/pts
################# CHANGE THE LINES BELOW #################
# The network setup: edit ip address and gateway to match your needs
/bin/sleep 5
#ifconfig -a
ifconfig eth1 209.17.190.186 netmask 255.255.254.0
route add default gw 209.17.190.1
################# CHANGE THE LINES ABOVE #################
# If you like to use dhcp make sure you include dhclient or pump in
# /etc/initramfs-tools/hooks/dropbear via
# copy_exec /sbin/dhclient
# for debugging ssh-server you may run it in forgound
# /usr/sbin/dropbear -E -F
# for more debugging you may run it with strace
# therfor you have to include strace and nc at top of
# /etc/initramfs-tools/hooks/dropbear via
# copy_exec /usr/bin/strace
# copy_exec /usr/bin/nc
# then start nc on an other host and run
# /usr/sbin/dropbear -E -F 2>&1 | /bin/nc -vv <ip of other host> <nc port of other host>
# e.g.:
# /usr/sbin/dropbear -E -F 2>&1 | /bin/nc -vv 192.168.1.2 8888
# We will use /dev/urandom because /dev/random gets easily blocked
mv /dev/random /dev/random.old
ln -s /dev/urandom /dev/random
/usr/sbin/dropbear -b /etc/dropbear/banner -d /etc/dropbear/dropbear_dss_host_key -r /etc/dropbear/dropbear_rsa_host_key -p 22
ls -al
rm -f /dev/random
mv /dev/random.old /dev/random
EOF
chmod 700 ${DESTDIR}/scripts/local-top/network_ssh
cat >${DESTDIR}/etc/dropbear/banner << 'EOF'
To unlock root-partition run
unlock
EOF
# script to unlock luks via ssh
# dirty but effektive
cat >${DESTDIR}/usr/bin/unlock << 'EOF'
#!/bin/sh
/bin/sh /scripts/local-top/cryptroot
# Kill processes locking boot process
[ `ls /dev/mapper/ | grep -v control| wc -l | awk '{print $1}'` -gt 0 ] && {
for i in `ps | grep -E "cryptroot|cryptsetup" | awk '{ print $1 }'`
do
kill $i
done
}
/bin/sh /scripts/local-bottom/rm_dropbear
EOF
chmod 700 ${DESTDIR}/usr/bin/unlock
# make sure we exit dropbear at the end of the startup process
cat >${DESTDIR}/scripts/local-bottom/rm_dropbear << 'EOF'
#!/bin/sh
PREREQ=""
prereqs()
{
echo ""
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
# Begin real processing below this line
# we kill dropbear ssh-server
/usr/bin/killall dropbear
EOF
chmod 700 ${DESTDIR}/scripts/local-bottom/rm_dropbear
From:
http://www.debian-administration.org/articles/579
Which is based on:
http://gpl.coulmann.de/ssh_luks_unlock.html
Worked on:
Debian Lenny Beta2 -30Aug2008
/etc/initramfs-tools/hooks/dropbear script:
================================================================= =
#!/bin/bash
# We add dropbear to the initrd to be able
# mount crypted partitions from remote
# copyright Wulf Coulmann
# GNU GPL
# http://www.gnu.org/licenses/gpl.html
#
# Download me here: http://gpl.coulmann.de/dropbear
# get infos about this script here:
# http://gpl.coulmann.de/ssh_luks_unlock.html
#
# Modified by Anonymous 2008
# Modified By Geoffroy RABOUIN 26/05/2008
# Modified with poor formatting by Anonymous 30Aug2008 (please fix!)
# !!modified instructions
### INSTRUCTIONS FOR DEBIAN ETCH ###
# 1. Install killall, busybox and d ropbear:
# ~# aptitude install psmisc busybox dropbear linux-headers-`uname -r`
## make it not start automatically (openssh instead of this)
# ~#update-rc.d -f dropbear remove
# 2. Edit network configuration below (IP address, etc) and copy contents
# of this file to /etc /initramfs-tools/hooks/dropbear
# 3. Make it executable:
# ~# chmod +x /etc/initramf s-tools/hooks/dropbear
# 4. Create new initrd:
# ~# mkinitramfs -v -o /boot/m y_name_of_the_initrd
# !!check the output to make sure that the /lib/modules/`uname-r`/kernel/drivers/net network module(s) loaded
# if not, find your drivers in that directory, and do these things:
# edit /etc/initramfs-tools/initramfs.conf
# change MODULES= ? to MODULES=list
# change DEVICE= ? to DEVICE=eth0 ..or eth1, etc.
# ( you can check for the right 'ethX' in /etc/udev/rules.d/70-persistent-net.rules )
# 5. Edit /boot/grub/menu.lst and add your new initrd as the first entry
# 6. ???
# 7. Profit!
PREREQ=""
prereqs()
{
echo "$PREREQ"
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
# Begin real processing below this line
# load the prepared functions of debians initramfs enviroment
source /usr/share/initramfs-tools/hook-functions
# build the directories
DIRS='/lib /bin /usr/bin /usr/sbin/ /proc/ /root/.ssh/ /var/ /var/run/ /etc/dropbear/'
for now in $DIRS ; do
if [ ! -e ${DESTDIR}$now ]
then
mkdir -p ${DESTDIR}$now
fi
done
# copy the ssh-daemon and librarys
copy_exec /usr/sbin/dropbear /usr/sbin/
copy_exec /usr/bin/passwd /usr/bin/
copy_exec /bin/login /bin/
copy_exec /usr/bin/killall /usr/bin/
copy_exec /sbin/route /sbin/
copy_exec /usr/bin/awk /usr/bin/
#copy_exec /usr/bin/strace /usr/bin/
#copy_exec /bin/nc /bin/
copy_exec /usr/bin/wc /usr/bin
# some librarys are not autoincluded by copy_exec
copy_exec /lib/libnss_compat.so.2 /lib/
copy_exec /usr/lib/libz.so.1 /usr/lib/
copy_exec /etc/ld.so.cache /etc/
copy_exec /lib/libutil.so.1 /lib/
# we copy config and key files
cp -pr /etc/dropbear/dropbear_dss_host_key ${DESTDIR}/etc/dropbear/
cp -pr /etc/dropbear/dropbear_rsa_host_key ${DESTDIR}/etc/dropbear/
cp -pr /etc/passwd ${DESTDIR}/etc/
cp -pr /etc/shadow ${DESTDIR}/etc/
cp -pr /etc/group ${DESTDIR}/etc/
if [ -e /root/.ssh/authorized_keys ]
then
cp -pr /root/.ssh/authorized_keys ${DESTDIR}/root/.ssh/
fi
cp -pr /etc/nsswitch.conf ${DESTDIR}/etc/
cp -pr /etc/localtime ${DESTDIR}/etc/
#cp -pr /usr/lib ${DESTDIR}/lib/
# we don't have bash in our initrd
# also we only add the root account
cat /etc/passwd | grep root | sed s/\\/bash/\\/sh/ > ${DESTDIR}/etc/passwd
cat /etc/shadow | grep root > ${DESTDIR}/etc/shadow
cat /etc/group | grep root > ${DESTDIR}/etc/group
cat >${DESTDIR}/scripts/local-top/network_ssh << 'EOF'
#!/bin/sh
# we start the network and ssh-server
PREREQ=""
prereqs()
{
echo "$PREREQ"
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
# Begin real processing below this line
# build up helpful environment
[ -d /dev ] || mkdir -m 0755 /dev
[ -d /root ] || mkdir --mode=0700 /root
[ -d /tmp ] || mkdir /tmp
[ -d /sys ] || {
mkdir /sys
mount -t sysfs -o nodev,noexec,nosuid none /sys
}
[ -d /proc ] || {
mkdir /proc
mount -t proc -o nodev,noexec,nosuid none /proc
}
mkdir -p /var/lock
mkdir -p /var/log
touch /var/log/lastlog
mkdir /dev/pts
mount -t devpts -o gid=5,mode=620 /dev/pts /dev/pts
################# CHANGE THE LINES BELOW #################
# The network setup: edit ip address and gateway to match your needs
/bin/sleep 5
#ifconfig -a
ifconfig eth1 209.17.190.186 netmask 255.255.254.0
route add default gw 209.17.190.1
################# CHANGE THE LINES ABOVE #################
# If you like to use dhcp make sure you include dhclient or pump in
# /etc/initramfs-tools/hooks/dropbear via
# copy_exec /sbin/dhclient
# for debugging ssh-server you may run it in forgound
# /usr/sbin/dropbear -E -F
# for more debugging you may run it with strace
# therfor you have to include strace and nc at top of
# /etc/initramfs-tools/hooks/dropbear via
# copy_exec /usr/bin/strace
# copy_exec /usr/bin/nc
# then start nc on an other host and run
# /usr/sbin/dropbear -E -F 2>&1 | /bin/nc -vv <ip of other host> <nc port of other host>
# e.g.:
# /usr/sbin/dropbear -E -F 2>&1 | /bin/nc -vv 192.168.1.2 8888
# We will use /dev/urandom because /dev/random gets easily blocked
mv /dev/random /dev/random.old
ln -s /dev/urandom /dev/random
/usr/sbin/dropbear -b /etc/dropbear/banner -d /etc/dropbear/dropbear_dss_host_key -r /etc/dropbear/dropbear_rsa_host_key -p 22
ls -al
rm -f /dev/random
mv /dev/random.old /dev/random
EOF
chmod 700 ${DESTDIR}/scripts/local-top/network_ssh
cat >${DESTDIR}/etc/dropbear/banner << 'EOF'
To unlock root-partition run
unlock
EOF
# script to unlock luks via ssh
# dirty but effektive
cat >${DESTDIR}/usr/bin/unlock << 'EOF'
#!/bin/sh
/bin/sh /scripts/local-top/cryptroot
# Kill processes locking boot process
[ `ls /dev/mapper/ | grep -v control| wc -l | awk '{print $1}'` -gt 0 ] && {
for i in `ps | grep -E "cryptroot|cryptsetup" | awk '{ print $1 }'`
do
kill $i
done
}
/bin/sh /scripts/local-bottom/rm_dropbear
EOF
chmod 700 ${DESTDIR}/usr/bin/unlock
# make sure we exit dropbear at the end of the startup process
cat >${DESTDIR}/scripts/local-bottom/rm_dropbear << 'EOF'
#!/bin/sh
PREREQ=""
prereqs()
{
echo ""
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
# Begin real processing below this line
# we kill dropbear ssh-server
/usr/bin/killall dropbear
EOF
chmod 700 ${DESTDIR}/scripts/local-bottom/rm_dropbear
[ Parent | Reply to this comment ]
Posted by Anonymous (24.108.xx.xx) on Sat 30 Aug 2008 at 12:53
you need the 'driver modules' instead of headers
replace:
# ~# aptitude install psmisc busybox dropbear linux-headers-`uname -r`
with:
# ~# aptitude install psmisc busybox dropbear linux-modules-`uname -r`
replace:
# ~# aptitude install psmisc busybox dropbear linux-headers-`uname -r`
with:
# ~# aptitude install psmisc busybox dropbear linux-modules-`uname -r`
[ Parent | Reply to this comment ]
Posted by Anonymous (88.134.xx.xx) on Wed 11 Jun 2008 at 16:55
See also
http://www.heise.de/kiosk/archiv/ct/2008/12/188_Verschluesselte_R oot-Partition_fuer_Linux-Systeme
:D
http://www.heise.de/kiosk/archiv/ct/2008/12/188_Verschluesselte_R oot-Partition_fuer_Linux-Systeme
:D
[ Parent | Reply to this comment ]
Posted by Anonymous (88.134.xx.xx) on Thu 12 Jun 2008 at 18:04
oh and BTW
while [ $INPUT != 'ok' ] ; do
has to be
while [ x$INPUT != 'xok' ] ; do
otherwise you can just press enter, it will give an error message but continue anyhow
while [ $INPUT != 'ok' ] ; do
has to be
while [ x$INPUT != 'xok' ] ; do
otherwise you can just press enter, it will give an error message but continue anyhow
[ Parent | Reply to this comment ]
Posted by Anonymous (83.171.xx.xx) on Fri 27 Jun 2008 at 12:05
hi,
ok dropbear works but what next ?
How could I boot the system from the busybox ?
ssh root@192.168.1.100
To unlock root-partition run
unlock
root@192.168.1.100's password:
BusyBox v1.1.3 (Debian 1:1.1.3-5ubuntu12) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
ok dropbear works but what next ?
How could I boot the system from the busybox ?
ssh root@192.168.1.100
To unlock root-partition run
unlock
root@192.168.1.100's password:
BusyBox v1.1.3 (Debian 1:1.1.3-5ubuntu12) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
[ Parent | Reply to this comment ]
Posted by Anonymous (85.178.xx.xx) on Fri 27 Jun 2008 at 13:41
> To unlock root-partition run
> unlock
maybe you try what's written on the ssh-banner ...
> unlock
maybe you try what's written on the ssh-banner ...
[ Parent | Reply to this comment ]
Posted by Anonymous (124.78.xx.xx) on Tue 22 Jul 2008 at 23:48
is it possible to map encrypted root partition of remote system which have dropbear running from user's desktop by using a keyfile stored in user's desktop system?
use something similar
I hope not to type in my password or to store keyfile on a unencrypted partition when mapping encrypted root partition, so I want to use keyfile on desktop system to open the root partition on server. This is good security solution and also can achieve the automatically copy/rsync file between server and desktop with encrypted partition.
But Now I haven't find a solution how to use local keyfile. Anyone can help will be greatly appriciated!
use something similar
ssh username@192.168.0.100 cryptsetup luksOpen&nbs p;/dev/sdb1 sdb1 --key-file remote system's&n bsp;keyfile
I hope not to type in my password or to store keyfile on a unencrypted partition when mapping encrypted root partition, so I want to use keyfile on desktop system to open the root partition on server. This is good security solution and also can achieve the automatically copy/rsync file between server and desktop with encrypted partition.
But Now I haven't find a solution how to use local keyfile. Anyone can help will be greatly appriciated!
[ Parent | Reply to this comment ]
Posted by Anonymous (171.64.xx.xx) on Wed 24 Dec 2008 at 03:16
Here is another version, based on everything I could find here and under http://ubuntuforums.org/archive/index.php/t-829768.html . The script does not need to be edited, it reads an external configuration file and decides which files to include in the initramfs, which network setup to do and how to start dropbear based on that. The script can be found under http://www.debian.mandel.name/template/etc/initramfs-tools/hooks/ dropbear .
Another small trick: you can unlock the partition from a script like this:
cat key.txt | ssh -i "id_dsa" root@ip.to.server \
"cat > /lib/cryptsetup/passfifo; sleep 3"
Hope you like this version of the script,
Olaf
Another small trick: you can unlock the partition from a script like this:
cat key.txt | ssh -i "id_dsa" root@ip.to.server \
"cat > /lib/cryptsetup/passfifo; sleep 3"
Hope you like this version of the script,
Olaf
[ Parent | Reply to this comment ]
Posted by Anonymous (193.11.xx.xx) on Mon 9 Mar 2009 at 05:33
If you want to have completely unattended reboots, I suggest you look at the "mandos" and "mandos-client" packages (now in unstable and Ubunty Jaunty).
Yes, it's secure. At least, it's just as secure as having to type in the password at boot - see the FAQ.
[ Parent | Reply to this comment ]
Posted by Anonymous (208.67.xx.xx) on Fri 22 May 2009 at 21:37
In Ubuntu (tested with 8.04.2) you need to disable the splash screen in /boot/grub/menu.lst
-Kenneth Degel
-Kenneth Degel
[ Parent | Reply to this comment ]
Posted by Anonymous (217.230.xx.xx) on Mon 22 Feb 2010 at 11:58
Another good improvement would be to include support for multiple encrypted partitions.
For example my crypttab looks like this:
sda3_crypt /dev/sda3 none luks # root-partition
sda4_crypt /dev/sda4 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,swap # swap
sdb1_crypt /dev/sdb1 none luks # another data-partition
After I implement the script the root partition gets unlocked, but the system hangs at the sdb1-Partition because the ssh-Daemon has already been shutdown.
And I do not want to use a keyfile for the 2nd partition...
For example my crypttab looks like this:
sda3_crypt /dev/sda3 none luks # root-partition
sda4_crypt /dev/sda4 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,swap # swap
sdb1_crypt /dev/sdb1 none luks # another data-partition
After I implement the script the root partition gets unlocked, but the system hangs at the sdb1-Partition because the ssh-Daemon has already been shutdown.
And I do not want to use a keyfile for the 2nd partition...
[ Parent | Reply to this comment ]
> Another good improvement would be to include
> support for multiple encrypted partitions.
why? If your system is up, you can ordinary log in
vi ssh and manage the rest.
> For example my crypttab looks like this:
>
> sda3_crypt /dev/sda3 none luks # root-partition
> sda4_crypt /dev/sda4 /dev/urandom
> cipher=aes-cbc-essiv:sha256,size=256,swap # swap
> sdb1_crypt /dev/sdb1 none luks # another
> data-partition
>
> After I implement the script the root partition
> gets unlocked,
great, isn't it?
> but the system hangs at the sdb1-Partition
> because the ssh-Daemon has already been
> shutdown. And I do not want to use a keyfile
> for the 2nd partition...
simple add option noauto to your /etc/fstab.
If you do not need differences in the passphrases
you should think about one crypto-partition
holding a lvm includ root, swap what ever. Than
you only have to unlock once.
Of course you can insert your special needed
unlocks before "killall dropbear", but I would
recommend to keep it as simple as possible.
Make sure you use the actual version from:
http://gpl.coulmann.de/dropbear
(http://gpl.coulmann.de/ssh_luks_unlock.html)
[ Parent | Reply to this comment ]
Posted by Anonymous (217.82.xx.xx) on Tue 23 Feb 2010 at 12:00
>why? If your system is up, you can ordinary log in
>vi ssh and manage the rest.
Thats the problem; since sdb1 is in /etc/crypttab and the init-script is in rcS.d (S26cryptdisks-early) and not in rc2.d (S16ssh) the ssh-daemon does not get started at all.
>simple add option noauto to your /etc/fstab.
Thus a change to noauto in fstab does not change a thing.
I could of course comment out the line in /etc/crypttab, but since various daemons depend on the mount of sdb1 I cannot start the normal init-process without it.
>Of course you can insert your special needed
>unlocks before "killall dropbear", but I would
>recommend to keep it as simple as possible.
Also did not work due to the crypttab-file. It just hangs there with no output on the dropbear-ssh-console...
Would there be a way to implement the early cryptodisks in the unlock-script?
>Make sure you use the actual version from:
>http://gpl.coulmann.de/dropbear
>(http://gpl.coulmann.de/ssh_luks_unlock.html)
Yep. I am using the latest version which still does not include the "ok"-fix...
>vi ssh and manage the rest.
Thats the problem; since sdb1 is in /etc/crypttab and the init-script is in rcS.d (S26cryptdisks-early) and not in rc2.d (S16ssh) the ssh-daemon does not get started at all.
>simple add option noauto to your /etc/fstab.
Thus a change to noauto in fstab does not change a thing.
I could of course comment out the line in /etc/crypttab, but since various daemons depend on the mount of sdb1 I cannot start the normal init-process without it.
>Of course you can insert your special needed
>unlocks before "killall dropbear", but I would
>recommend to keep it as simple as possible.
Also did not work due to the crypttab-file. It just hangs there with no output on the dropbear-ssh-console...
Would there be a way to implement the early cryptodisks in the unlock-script?
>Make sure you use the actual version from:
>http://gpl.coulmann.de/dropbear
>(http://gpl.coulmann.de/ssh_luks_unlock.html)
Yep. I am using the latest version which still does not include the "ok"-fix...
[ Parent | Reply to this comment ]
> Would there be a way to implement the early cryptodisks in the unlock-script?
Yes, there is. Feel free to do it, but as I mentioned I do not have an
interest on that. This should be managed by reorganize the boot process. The
intention of initramfs is to bring up a root system, not to start all
conceivable sub systems. I do not like to take care of that unnecessary feature
in future, therefore I'll not put that in my code.
> Yep. I am using the latest version which still does not include the "ok"-fix...
hmm, thats unwarrantably. I add some quotes now.
FYI
The stupid "ok" setup is to prevent cryptsetup form grapping ahad STDOUT as passphrase.
[ Parent | Reply to this comment ]