
Thread: Problems unlocking LUKS encrypted LVM via SSH

  1. #11
    Join Date
    Nov 2007
    Beans
    6

    Re: Problems unlocking LUKS encrypted LVM via SSH

    Hi,

    Quote Originally Posted by DarkBabar:
    the volume stays locked even with "echo -ne yourpassword > /lib/cryptsetup/passfifo".
    I just found that if you enter a wrong password you get the same output (on an attached monitor) as if you had entered it on the keyboard. Do you receive any messages on your monitor indicating something like that?

    If not, try passing an invalid password to provoke such a message.

    Greetings,
    Flo

  2. #12
    Join Date
    Jul 2006
    Beans
    45

    Re: Problems unlocking LUKS encrypted LVM via SSH

    Quote Originally Posted by olF23:
    Hi,

    I just found that if you enter a wrong password you get the same output (on an attached monitor) as if you had entered it on the keyboard. Do you receive any messages on your monitor indicating something like that?

    If not, try passing an invalid password to provoke such a message.

    Greetings,
    Flo
    I'm not getting any output on the monitor, regardless of whether I enter the correct password or an incorrect one.

    I just noticed that there is no "/lib/cryptsetup/passfifo", so issuing "echo -ne yourpassword > /lib/cryptsetup/passfifo" creates a regular file with that name.
    Last edited by DarkBabar; December 29th, 2010 at 11:45 AM.

  3. #13
    Join Date
    Nov 2007
    Beans
    6

    Re: Problems unlocking LUKS encrypted LVM via SSH

    Hi,

    Quote Originally Posted by DarkBabar:
    I just noticed that there is no "/lib/cryptsetup/passfifo", so issuing "echo -ne yourpassword > /lib/cryptsetup/passfifo" creates a regular file with that name.
    hm, that is pretty bad^^

    I just found a bug report[1] that makes Plymouth responsible for all the mess. There's a workaround stated (don't forget to update your initramfs). The other option would be uninstalling Plymouth..

    Unfortunately, I cannot verify this, as my machine is running Debian, but maybe it still helps.

    Greetings
    Flo

    [1] https://bugs.launchpad.net/ubuntu/+s...up/+bug/595648
    Last edited by olF23; December 29th, 2010 at 04:58 PM.

  4. #14
    Join Date
    Jul 2006
    Beans
    45

    Re: Problems unlocking LUKS encrypted LVM via SSH

    Quote Originally Posted by olF23:
    Hi,

    hm, that is pretty bad^^

    I just found a bug report[1] that makes Plymouth responsible for all the mess. There's a workaround stated (don't forget to update your initramfs). The other option would be uninstalling Plymouth..

    Unfortunately, I cannot verify this, as my machine is running Debian, but maybe it still helps.

    Greetings
    Flo

    [1] https://bugs.launchpad.net/ubuntu/+s...up/+bug/595648
    Finally it works! The workaround did the trick. Thank you very, very much for your help!

  5. #15
    Join Date
    Jul 2006
    Beans
    45

    Re: Problems unlocking LUKS encrypted LVM via SSH

    Now I can't enter the encryption password locally anymore, since I applied the hack described earlier.
    Never mind, I seldom want to do that anyway.

  6. #16
    Join Date
    Apr 2011
    Beans
    1

    Re: Problems unlocking LUKS encrypted LVM via SSH

    How do I set the IP?
    I cannot figure it out; it keeps on running DHCP.
    I attempted many possible configurations of /etc/initramfs-tools/initramfs.conf:
    Divice=eth0
    ip=192.168.0.22

    Anything I try is ignored; adding an ifconfig command
    somewhere in /usr/share/initramfs-tools/scripts doesn't do it either.
    Running Ubuntu Server 10.10....

    Other than that, I can connect and remotely unlock.
    This fix helped me:

    comment out the lines in /usr/share/initramfs-tools/scripts/local-top/cryptroot like this:
    if [ -z "$cryptkeyscript" ]; then
        cryptkey="Unlocking the disk $cryptsource ($crypttarget)\nEnter passphrase: "
        #if [ -x /bin/plymouth ] && plymouth --ping; then
        #    cryptkeyscript="plymouth ask-for-password --prompt"
        #    cryptkey=$(echo -e "$cryptkey")
        #else
            cryptkeyscript="/lib/cryptsetup/askpass"
        #fi
    fi

    DarkBabar - were you able to overcome that local-console password problem?
    It has to do with the fix posted above, but I am not much of a coder and never figured out a way to get it to allow both.

    Also, these scripts worked like a charm:

    1st:
    #!/bin/sh
    #
    # This InitRAMFS hook provides:
    # Simple script to easily unlock LUKS encrypted root partition from remote (SSH, Telnet)
    # Intended for Debian 6.0 Squeeze
    #
    # Copyright: Matthias Bücher, see http://www.maddes.net/
    # License: GNU GPL v2 or later, see http://www.gnu.org/licenses/gpl.html
    #
    # Adopted from http://www.howtoforge.com/unlock-a-l...#comment-25990
    #
    # Thanks to:
    # - Wulf Coulmann; http://gpl.coulmann.de/ssh_luks_unlock.html
    #   for his tremendous effort to unlock LUKS root partition remotely on Debian 5.0 Lenny and before
    #
    # How to use:
    # - Copy this hook script as /usr/share/initramfs-tools/hooks/cryptroot_unlock
    # - chmod +x /usr/share/initramfs-tools/hooks/cryptroot_unlock
    # - update-initramfs -u
    #
    # History:
    # v1.0 - 2011-02-15
    #   initial release
    #

    PREREQ=""
    prereqs()
    {
        echo "$PREREQ"
    }

    case $1 in
    prereqs)
        prereqs
        exit 0
        ;;
    esac

    . /usr/share/initramfs-tools/hook-functions
    #
    # Begin real processing
    #

    SCRIPTNAME=unlock
    # 1) Create script to unlock luks partitions: askpass reads the passphrase from the
    #    SSH session and hands it to the waiting cryptroot script through the passfifo
    cat > ${DESTDIR}/bin/${SCRIPTNAME} << '__EOF'
    #!/bin/sh
    /lib/cryptsetup/askpass "Enter volume password: " > /lib/cryptsetup/passfifo
    __EOF
    chmod 700 ${DESTDIR}/bin/${SCRIPTNAME}

    # 2) Enhance Message Of The Day (MOTD) with info how to unlock luks partition
    #    (unquoted delimiter, so ${SCRIPTNAME} is expanded into the MOTD text)
    cat >> ${DESTDIR}/etc/motd << __EOF

    To unlock root-partition run "${SCRIPTNAME}"
    __EOF

    2nd:
    #!/bin/sh
    #
    # This InitRAMFS script provides:
    # Simple script to kill all DropBear client sessions if the InitRAMFS is left
    # Intended for Debian 6.0 Squeeze
    #
    # Copyright: Matthias Bücher, see http://www.maddes.net/
    # License: GNU GPL v2 or later, see http://www.gnu.org/licenses/gpl.html
    #
    # Adopted from http://www.howtoforge.com/unlock-a-l...#comment-25990
    #
    # Thanks to:
    # - Wulf Coulmann; http://gpl.coulmann.de/ssh_luks_unlock.html
    #   for his tremendous effort to unlock LUKS root partition remotely on Debian 5.0 Lenny and before
    #
    # How to use:
    # - Copy this script as /usr/share/initramfs-tools/scripts/local-bottom/dropbear_kill_clients
    # - chmod +x /usr/share/initramfs-tools/scripts/local-bottom/dropbear_kill_clients
    # - update-initramfs -u
    #
    # History:
    # v1.0 - 2011-02-15
    #   initial release
    #

    PREREQ=""
    prereqs()
    {
        echo "$PREREQ"
    }

    case $1 in
    prereqs)
        prereqs
        exit 0
        ;;
    esac

    #
    # Begin real processing
    #

    NAME=dropbear
    PROG=/sbin/dropbear

    # get all server pids that should be ignored (the listening daemon records its pid in /var/run)
    ignore=""
    for server in `cat /var/run/${NAME}*.pid 2>/dev/null`
    do
        ignore="${ignore} ${server}"
    done

    # get all running pids and kill client connections
    for pid in `pidof "${NAME}"`
    do
        # check if correct program, otherwise process next pid
        grep -F -q -e "${PROG}" "/proc/${pid}/cmdline" || continue

        # check if pid should be ignored (servers)
        skip=0
        for server in ${ignore}
        do
            # single '=' is the POSIX string comparison; '==' is a bashism busybox may reject
            if [ "${pid}" = "${server}" ]
            then
                skip=1
                break
            fi
        done
        [ "${skip}" -ne 0 ] && continue

        # kill process
        echo "$0: Killing ${pid}..."
        kill -KILL ${pid}
    done

    Thanks for all the help in here, especially DarkBabar!!!
    There is not much info about this technique out there. I couldn't have done it without this thread!

  7. #17
    Join Date
    Jan 2010
    Beans
    1

    Re: Problems unlocking LUKS encrypted LVM via SSH

    Quote Originally Posted by haroldx:
    How do I set the IP?
    I cannot figure it out; it keeps on running DHCP.
    I attempted many possible configurations of /etc/initramfs-tools/initramfs.conf:
    Divice=eth0
    ip=192.168.0.22
    The syntax for what you want is:

    Code:
    ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>
    where you can ignore the server-ip part; it's there because of its use in NFS-mounting the root partition.

    I just tested it on Ubuntu 10.10 with this line:

    Code:
    IP=192.168.1.150::192.168.1.1:255.255.255.0:testmachine:eth0:off
    and it works just fine.

    A deeper explanation of all the parameters in the ip line can be found here.

    Best Regards
    Martin

  8. #18
    Join Date
    Oct 2010
    Beans
    5

    Re: Problems unlocking LUKS encrypted LVM via SSH

    Hi.

    I have followed all the guides described above in this post on a new VirtualBox Ubuntu Server 10.04 LTS for testing.

    I have made both script files, correctly used chmod +x, and updated the initramfs image with update-initramfs -u.

    I have also fixed the splash screen issue in
    /etc/default/grub:

    - GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"

    + GRUB_CMDLINE_LINUX_DEFAULT=""

    And copied the keys from the server to my laptop:

    scp /etc/initramfs-tools/root/.ssh/id_rsa root@192.168.1.2:/root/.ssh/id_rsa

    etc..etc...

    I still don't get SSH login, and no decryption over SSH whatsoever!


    I also don't get a static IP -- still stuck with DHCP, which is not good for a headless server on my network.

    HOW IS THIS CODE APPLIED in /etc/initramfs-tools/initramfs.conf?

    IP=192.168.1.150::192.168.1.1:255.255.255.0:testmachine:eth0 off

    It appears that everything now works natively in Debian, but not in Ubuntu.

    I tested it with VirtualBox on Debian 6.0, and it worked on my first try?

    HOW CAN THIS BE? THIS IS UBUNTU 10.04 LTS....??????

    There must be a guide that shows how this is done precisely for Ubuntu!

    Please help... I cannot be the only one in the world who would like an encrypted Ubuntu server! ...could I?

    I'm stressed for time... I need to choose the server setup on Monday, and as I see it, the only option left is to change over to Debian, which sux because I have everything else on Ubuntu and like it that way.

    TK
    Last edited by tue.kyndal; April 29th, 2011 at 10:29 AM. Reason: code edit:
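    Added example (not code from the thread): a POSIX sh checker for the seven-field IP= entry Martin spelled out above, which also catches what went wrong in the line posted in the previous reply (a space where a colon belongs, so the entry no longer has seven fields). The function names are mine; the autoconf keywords are the values the kernel's ip= parsing accepts.

```shell
#!/bin/sh
# Added example, not code from the thread: check an initramfs-tools IP= entry against the
# seven-field form ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>
# before it goes into /etc/initramfs-tools/initramfs.conf. Function names are my own.

# is_ipv4 ADDR: succeed only for four decimal octets, each in 0..255
is_ipv4() {
    case "$1" in ""|*[!0-9.]*) return 1 ;; esac
    _old_ifs=$IFS; IFS=.; set -f
    set -- $1
    set +f; IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ -n "$_octet" ] && [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# check_ip_line LINE: LINE is the whole "IP=..." entry. Prints the normalised entry and
# returns 0, or prints the first problem found on stderr and returns 1.
check_ip_line() {
    _value=${1#IP=}; _value=${_value#ip=}
    case "$_value" in *[[:space:]]*)
        echo "error: whitespace in the value; fields are separated by ':' only" >&2; return 1 ;;
    esac
    _old_ifs=$IFS; IFS=:; set -f
    set -- $_value
    set +f; IFS=$_old_ifs
    if [ $# -ne 7 ]; then
        echo "error: expected 7 colon-separated fields, got $#" >&2; return 1
    fi
    _client=$1 _server=$2 _gw=$3 _mask=$4 _host=$5 _dev=$6 _auto=$7
    for _pair in "client-ip=$_client" "gw-ip=$_gw" "netmask=$_mask"; do
        is_ipv4 "${_pair#*=}" || {
            echo "error: ${_pair%%=*} '${_pair#*=}' is not a dotted-quad address" >&2; return 1; }
    done
    # server-ip only matters for an NFS root, so it may be empty; if given it must be valid
    if [ -n "$_server" ] && ! is_ipv4 "$_server"; then
        echo "error: server-ip '$_server' is not a dotted-quad address" >&2; return 1
    fi
    [ -n "$_dev" ] || { echo "error: device field is empty" >&2; return 1; }
    # autoconf keywords the kernel's ip= parsing accepts; 'off' gives the static setup wanted here
    case "$_auto" in off|none|on|any|dhcp|bootp|rarp|both) ;;
        *) echo "error: autoconf '$_auto' must be off/none/on/any/dhcp/bootp/rarp/both" >&2; return 1 ;;
    esac
    echo "IP=$_client:$_server:$_gw:$_mask:$_host:$_dev:$_auto"
}
```

    Run it as `check_ip_line 'IP=...'` on the exact line you intend to paste into initramfs.conf; it only handles the seven-field form discussed in this thread, not the `ip=dhcp` shorthand.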

  9. #19
    Join Date
    Jun 2011
    Beans
    2

    Re: Problems unlocking LUKS encrypted LVM via SSH

    Sorry for the thread resurrection but this thread comes up quite often when searching for problems relating to unlocking a LUKS encrypted partition via SSH from inside initramfs.

    If you are unable to connect as root to the dropbear instance after following the instructions in the original post you are most likely running a recent version of Ubuntu and have been bitten by a bug in the dropbear hook script in initramfs-tools. Recent versions of Ubuntu seem to have reorganized the /lib directory and moved some files needed by dropbear without which it'll not be able to find "root" as a valid user.

    First, run the following command to determine where the files you need are located:

    find /lib -name libnss_files.so.2

    On my system, I get the following:

    /lib/i386-linux-gnu/libnss_files.so.2

    The part you are interested in is the "i386-linux-gnu" part.

    Now, edit (as root) /usr/share/initramfs-tools/hooks/dropbear. Look around line 30 for the following:

    cp /lib/libnss_* "${DESTDIR}/lib/"

    Replace that with:

    cp /lib/i386-linux-gnu/libnss_* "${DESTDIR}/lib/"

    As root, run the following:
    update-initramfs -u

    You should now at least be able to connect to the dropbear instance with the dropbear key that was automagically generated.

    Now, reboot your system and check to make sure you can connect to the dropbear instance. To unlock your LUKS partition, use the steps below to work-around the plymouth issue (tested on Natty 11.04). This work-around will at least guarantee that plymouth is still able to unlock the LUKS root volume at the console instead of being rendered non-functional like most of the other work-arounds I've tried.

    1) run "ps aux" and locate the process id of the /scripts/local-top/cryptroot script
    2) run "kill -9 pid", replacing pid with the process id you found in step 1
    3) run "ps aux" again and look for a wait-for-root script and note the timeout on its command line
    4) twiddle your thumbs for that many seconds - what will happen is that the script will exit and start an initramfs shell
    5) run "/scripts/local-top/cryptroot" and wait for it to prompt for your unlock passphrase
    6) enter the unlock passphrase and wait for it to return you to the busybox shell prompt
    7) run "ps aux" again and locate the process id of "/bin/sh -i"
    8) run "kill -9 pid" using the process id you found in step 7

    initramfs should be continuing the boot process at this point with your mounted root volume. You'll know this is happening because dropbear just had "/" yanked out from underneath it and you'll not be able to run any more commands in your ssh session, as /bin is no longer available. Go ahead and disconnect and wait an appropriate amount of time for your system to finish starting up. After your system has finished booting, you should now be able to connect to it remotely just as if you had typed your unlock passphrase into the console.

    If someone more knowledgeable than me with the inner workings of initramfs-tools and plymouth wants to step up and file a proper bug report along with streamlining the work-around for plymouth I've listed.
    Last edited by alyandon; June 20th, 2011 at 06:23 PM.

  10. #20
    Join Date
    May 2011
    Beans
    2

    Re: Problems unlocking LUKS encrypted LVM via SSH

    A big thank you to you, alyandon; this stupid change in the location of libnss was driving me crazy since my boot was not working anymore after my server update...!
    There should be a clear guide/warning about this whole procedure of booting an encrypted LVM remotely via SSH in the official Ubuntu pages.

    FYI, regarding booting, I used the following procedure:

    1) Replace the script cryptroot in /usr/share/initramfs-tools/hooks/ with the one provided here (in German):
    http://forum.ubuntuusers.de/topic/sc...a-ssh-freisch/

    2) In the file /usr/share/initramfs-tools/hooks/plymouth, replace the line
    Code:
    echo 'root:x:0:0:root:/root:/bin/bash' >${DESTDIR}/etc/passwd
    with
    Code:
    echo 'root:x:0:0:root:/root:/bin/sh' >${DESTDIR}/etc/passwd
    3) When booting via SSH, use the SSH key, and when you are at the prompt enter:
    Code:
    echo -n "Passphrase" > /lib/cryptsetup/passfifo
    where Passphrase is the one which decrypts the LVM (keep the quotes "" around the passphrase).

    4) Finally, run the command:
    Code:
    unlock
    This will trigger the decryption process. Wait 10-15 seconds and boot as usual.

    Dunno if it is the optimal security stuff but it works

    BR
