Page 1 of 3 123 LastLast
Results 1 to 10 of 22

Thread: Problems unlocking LUKS encrypted LVM via SSH

  1. #1
    Join Date
    Jul 2006
    Beans
    45

    Problems unlocking LUKS encrypted LVM via SSH

    I'm trying to unlock a LUKS encrypted LVM, on which the system resides, via SSH. I am following instructions found in the file "/usr/share/doc/cryptsetup/README.remote.gz" but I'm not having any success.

    Code:
    unlocking rootfs via ssh login in initramfs
    -------------------------------------------
    
    You can unlock your rootfs on bootup from remote, using ssh to log in to the
    booting system while it's running with the initramfs mounted.
    
    
    Setup
    -----
    
    For remote unlocking to work, the following packages have to be installed
    before building the initramfs: dropbear busybox
    
    The file /etc/initramfs-tools/initramfs.conf holds the configuration options
    used when building the initramfs. It should contain BUSYBOX=y (this is set as
    the default when the busybox package is installed) to have busybox installed
    into the initramfs, and should not contain DROPBEAR=n, which would disable
    installation of dropbear to initramfs. If set to DROPBEAR=y, dropbear will
    beinstalled in any case; if DROPBEAR isn't set at all, then dropbear will only
    be installed in case of an existing cryptroot setup.
    
    The host keys used for the initramfs are dropbear_dss_host_key and
    dropbear_rsa_host_key, both located in/etc/initramfs-tools/etc/dropbear/.
    If they do not exist when the initramfs is compiled, they will be created
    automatically. Following are the commands to create them manually:
    
    # dropbearkey -t dss -f /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key
    # dropbearkey -t rsa -f /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
    
    As the initramfs will not be encrypted, publickey authentication is assumed.
    The key(s) used for that will be taken from
    /etc/initramfs-tools/root/.ssh/authorized_keys.
    If this file doesn't exist when the initramfs is compiled, it will be created
    and /etc/initramfs-tools/root/.ssh/id_rsa.pub will be added to it.
    If the latter file doesn't exist either, it will be generated automatically -
    you will find the matching private key which you will later need to log in to
    the initramfs under /etc/initramfs-tools/root/.ssh/id_rsa (or id_rsa.dropbear
    in case you need it in dropbear format). Following are the commands to do the
    respective steps manually:
    
    To create a key (in dropbear format):
    
    # dropbearkey -t rsa -f /etc/initramfs-tools/root/.ssh/id_rsa.dropbear
    
    To convert the key from dropbear format to openssh format:
    
    # /usr/lib/dropbear/dropbearconvert dropbear openssh \
            /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
            /etc/initramfs-tools/root/.ssh/id_rsa
    
    To extract the public key:
    
    # dropbearkey -y -f /etc/initramfs-tools/root/.ssh/id_rsa.dropbear | \
            grep "^ssh-rsa " > /etc/initramfs-tools/root/.ssh/id_rsa.pub
    
    To add the public key to the authorized_keys file:
    
    # cat /etc/initramfs-tools/root/.ssh/id_rsa.pub >> /etc/initramfs-tools/root/.ssh/authorized_keys
    
    In case you want some interface to get configured using dhcp, setting DEVICE= in
    /etc/initramfs-tools/initramfs.conf should be sufficient.  The initramfs should
    also honour the ip= kernel parameter.
    In case you use grub, you probably might want to set it in /boot/grub/menu.lst,
    either in the '# kopt=' line or appended to specific 'kernel' line(s).
    The ip= kernel parameter is documented in Documentation/nfsroot.txt in the
    kernel source tree.
    
    
    Issues
    ------
    
    Don't forget to run update-initramfs when you changed the config to make it
    effective!
    
    Collecting enough entropy for the ssh daemon sometimes seems to be an issue.
    Startup of the ssh daemon might be delayed until enough entropy has been
    retrieved. This is non-blocking for the startup process, so when you are at the
    console you won't have to wait for the sshd to complete its startup.
    
    
    Unlocking procedure
    -------------------
    
    To unlock from remote, you could do something like this:
    
    # ssh -o "UserKnownHostsFile=~/.ssh/known_hosts.initramfs" \
            -i "~/id_rsa.initramfs" root@initramfshost.example.com \
            "echo -ne \"secret\" >/lib/cryptsetup/passfifo"
    
    This example assumes that you have an extra known_hosts file
    "~/.ssh/known_hosts.initramfs" which hold's the cryptroot system's host-key,
    that you have a file "~/id_rsa.initramfs" which holds the authorized-key for
    the cryptroot system, that the cryptroot system's name is
    "initramfshost.example.com", and that the cryptroot passphrase is "secret"
    
    -- <debian@x.ray.net>, Wed, 30 Sep 2009
    I'm trying to unlock using this method, but I get "Permission denied (publickey,password)".
    Code:
    # ssh -o "UserKnownHostsFile=~/.ssh/known_hosts.initramfs" \
            -i "/home/darkbabar/id_rsa.initramfs" root@192.168.1.121 \
            "echo -ne \"encryptionpassphrase\" >/lib/cryptsetup/passfifo"
    The file "/home/darkbabar/id_rsa.initramfs" is a copy of the file "/etc/initramfs-tools/root/.ssh/id_rsa.pub" from the host. The root account has a password set. Could somebody please help me figure out what I'm doing wrong?

  2. #2
    Join Date
    Jul 2006
    Beans
    45

    Re: Problems unlocking LUKS encrypted LVM via SSH

    Somebody must know a solution to my problem. I can't be the only one wanting to do this.

  3. #3
    Join Date
    Feb 2006
    Location
    uk
    Beans
    Hidden!

    Re: Problems unlocking LUKS encrypted LVM via SSH

    have you made sure root is allowed to login via ssh? i dont know if just setting a root password in ubuntu allows this or whether you'll have to specify it in dropbear or whatever. normally you'd do it with /etc/ssh/sshd_config with 'PermitRootLogin yes', but it may be different since you're using dropbear and most system stuff is encrypted at that point.

  4. #4
    Join Date
    May 2010
    Beans
    72

    Re: Problems unlocking LUKS encrypted LVM via SSH

    Does your initramfs set up networking at all? And/or do you have supplied the necessary kernel parameters so the kernel sets up networking by itself? (Can you ping the machine when it's supposedly waiting for SSH connection?) Otherwise you may have SSH installed in your initramfs but no network... which is not entirely useful.

  5. #5
    Join Date
    Jul 2006
    Beans
    45

    Re: Problems unlocking LUKS encrypted LVM via SSH

    Quote Originally Posted by frostschutz View Post
    Does your initramfs set up networking at all? And/or do you have supplied the necessary kernel parameters so the kernel sets up networking by itself? (Can you ping the machine when it's supposedly waiting for SSH connection?) Otherwise you may have SSH installed in your initramfs but no network... which is not entirely useful.
    Yes, the the network is functioning correctly and the server is pingable.

  6. #6
    Join Date
    Jul 2006
    Beans
    45

    Re: Problems unlocking LUKS encrypted LVM via SSH

    Quote Originally Posted by aeiah View Post
    have you made sure root is allowed to login via ssh? i dont know if just setting a root password in ubuntu allows this or whether you'll have to specify it in dropbear or whatever. normally you'd do it with /etc/ssh/sshd_config with 'PermitRootLogin yes', but it may be different since you're using dropbear and most system stuff is encrypted at that point.
    Root login is permitted. I can login as root with Dropbear after the boot process is complete.

  7. #7
    Join Date
    Nov 2007
    Beans
    6

    Re: Problems unlocking LUKS encrypted LVM via SSH

    Quote Originally Posted by DarkBabar View Post
    The file "/home/darkbabar/id_rsa.initramfs" is a copy of the file "/etc/initramfs-tools/root/.ssh/id_rsa.pub" from the host.
    I'm not sure, but shouldn't it be a copy of the *private* key /etc/initramfs-tools/root/.ssh/id_rsa?

    I hope, this helps. Just found this possibility, so it's more guessing than knowing

    Merry Christmas
    Flo

  8. #8
    Join Date
    Aug 2007
    Beans
    5

    Re: Problems unlocking LUKS encrypted LVM via SSH

    Hi
    I'm not sure, but shouldn't it be a copy of the *private* key /etc/initramfs-tools/root/.ssh/id_rsa?
    Yes "-i "/home/darkbabar/id_rsa.initramfs"" is a copy of "/etc/initramfs-tools/root/.ssh/id_rsa"

    I have a problem to.

    I have followed this one "/usr/share/doc/cryptsetup/README.remote.gz"

    Done this
    Code:
    #nano /etc/initramfs-tools/initramfs.conf
        add DROPBEAR=y and chek BUSYBOX=y
    
    #apt-get install dropbear busybox
    #cp /etc/initramfs-tools/root/.ssh/id_rsa to remote machine
    #update-initramfs -u
    #reboot
    On console it says Enter passphrase: _

    ---Remote machine-----
    Code:
    #touch known_hosts.initramfs    
    #ssh -o "UserKnownHostsFile=known_hosts.initramfs" -i "id_rsa" root@192.168.58.131
    This works and I am logged in

    Code:
    #ssh -o "UserKnownHostsFile=known_hosts.initramfs" -i "id_rsa" root@192.168.58.131 "echo -ne \"testpassword\" >/lib/cryptsetup/passfifo"
    I file with the password is in /lib/cryptsetup/passfifo but nothing happens.

    I am running Ubuntu 10.04 LTS server

  9. #9
    Join Date
    Nov 2007
    Beans
    6

    Re: Problems unlocking LUKS encrypted LVM via SSH

    Hello

    Quote Originally Posted by Lusen View Post
    Yes "-i "/home/darkbabar/id_rsa.initramfs"" is a copy of "/etc/initramfs-tools/root/.ssh/id_rsa"
    okay, good. Because in the original post is says to be a copy of the pub-Key. So if this is not a typing mistake, it could be the reason for the problem...


    Quote Originally Posted by Lusen View Post
    Code:
    #ssh -o "UserKnownHostsFile=known_hosts.initramfs" -i "id_rsa" root@192.168.58.131 "echo -ne \"testpassword\" >/lib/cryptsetup/passfifo"
    I file with the password is in /lib/cryptsetup/passfifo but nothing happens.
    There shouldn't be a *file* there, but a (fifo) queue. This means, the input isn't stored there, but passed to the promt awaiting the password to decrypt the drive. Therefor, a cat /lib/cryptsetup/passfifo shouldn't return anything.

    If you can already log into your machine, try decrypting it manually:
    Code:
    echo -ne yourpassword > /lib/cryptsetup/passfifo
    This is what should be done automatically with your stated commandline, but maybe there are some special characters that need to be escaped.

    Greetings,
    Flo

  10. #10
    Join Date
    Jul 2006
    Beans
    45

    Re: Problems unlocking LUKS encrypted LVM via SSH

    Quote Originally Posted by olF23 View Post
    I'm not sure, but shouldn't it be a copy of the *private* key /etc/initramfs-tools/root/.ssh/id_rsa?

    I hope, this helps. Just found this possibility, so it's more guessing than knowing

    Merry Christmas
    Flo
    Thank you very much! This solved part of my problem. Unfortunately, now I have the same problem as Lusen. I can log in now, but the volume stays locked even with "echo -ne yourpassword > /lib/cryptsetup/passfifo". My password doesn't contain any special characters.
    Last edited by DarkBabar; December 28th, 2010 at 11:01 PM.

Page 1 of 3 123 LastLast

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •