Page 1 of 8 123 ... LastLast
Results 1 to 10 of 73

Thread: HOWTO: Unlock a LUKS encrypted root partition via ssh

  1. #1
    Join Date
    Jun 2006
    Location
    Switzerland
    Beans
    Hidden!
    Distro
    Kubuntu Jaunty Jackalope (testing)

    HOWTO: Unlock a LUKS encrypted root partition via ssh

    HOWTO: Unlock a LUKS encrypted root partition via ssh

    Introduction

    Fully encrypted systems prevent others from getting your data from physical access. The rationale behind the encryption of a complete system is that you don't have worry about what you encrypt and what not, because everything (except for the /boot) partition will be encrypted.

    However the problem I have encountered so far is, how could I reboot my computer from afar? I would be required to be in front of the computer and enter the password. I have wondered this far how I could reboot the computer remotely.

    On Debian Administrator I found then an article written by Wulf (Wolfram Coulmann) in which he creates an initrd with dropbear as lightweight ssh server and an unlock script. However that script has still a few bugs and is not suited for Ubuntu. In the comments however, there are a few modifications (especially comment #31 and #29) which will make it also work on ubuntu.

    The Script

    Well, here's the script: dropbear
    Code:
    #!/bin/bash
    
    # We add dropbear to the initrd to be able
    # mount crypted partitions from remote
    
    # copyright Wulf Coulmann
    # GNU GPL
    # http://www.gnu.org/licenses/gpl.html
    #
    # Download me here: http://gpl.coulmann.de/dropbear
    # get infos about this script here:
    # http://gpl.coulmann.de/ssh_luks_unlock.html
    
    # Modified by Anonymous 2008
    # Modified By Geoffroy RABOUIN 26/05/2008
    # Modified by hyper_ch 15/06/2008
    
    ### INSTRUCTIONS FOR UBUNTU ###
    # 0. Enable root login
    # 1. Install killall, busybox and dropbear:
    #    ~# sudo apt-get install psmisc busybox dropbear
    # 2. Edit network configuration below and copy contents
    #    of this file to /etc/initramfs-tools/hooks/dropbear
    # 3. Save the script and make it executable:
    #    ~# sudo chmod +x /etc/initramfs-tools/hooks/dropbear
    # 4. Create new initrd:
    #    ~# sudo mkinitramfs -o /boot/netboot
    # 5. Edit /boot/grub/menu.lst and add your new initrd as the first entry
    # 6. Delete the dropbear script the hooks folder
    #    ~# sudo rm /etc/initramfs-tools/hooks/dropbear
    # 7. Profit!
    
    PREREQ=""
    prereqs()
    {
    echo "$PREREQ"
    }
    
    case $1 in
    prereqs)
    prereqs
    exit 0
    ;;
    esac
    
    # Begin real processing below this line
    
    # load the prepared functions of debians initramfs enviroment
    source /usr/share/initramfs-tools/hook-functions
    
    # build the directories
    DIRS='/lib /bin /usr/bin /usr/sbin/ /proc/ /root/.ssh/ /var/ /var/run/ /etc/dropbear/'
    for now in $DIRS ; do
    if [ ! -e ${DESTDIR}$now ]
    then
    mkdir -p ${DESTDIR}$now
    fi
    done
    
    # copy the ssh-daemon and librarys
    copy_exec /usr/sbin/dropbear /usr/sbin/
    copy_exec /usr/bin/passwd /usr/bin/
    copy_exec /bin/login /bin/
    copy_exec /usr/bin/killall /usr/bin/
    copy_exec /sbin/route /sbin/
    copy_exec /usr/bin/awk /usr/bin/
    #copy_exec /usr/bin/strace /usr/bin/
    #copy_exec /bin/nc /bin/
    copy_exec /usr/bin/wc /usr/bin/
    
    # some librarys are not autoincluded by copy_exec
    copy_exec /lib/libnss_compat.so.2 /lib/
    copy_exec /usr/lib/libz.so.1 /usr/lib/
    copy_exec /etc/ld.so.cache /etc/
    copy_exec /lib/libutil.so.1 /lib/
    
    # we copy config and key files
    cp -pr /etc/dropbear/dropbear_dss_host_key ${DESTDIR}/etc/dropbear/
    cp -pr /etc/dropbear/dropbear_rsa_host_key ${DESTDIR}/etc/dropbear/
    cp -pr /etc/passwd ${DESTDIR}/etc/
    cp -pr /etc/shadow ${DESTDIR}/etc/
    cp -pr /etc/group ${DESTDIR}/etc/
    if [ -e /root/.ssh/authorized_keys ]
    then
    cp -pr /root/.ssh/authorized_keys ${DESTDIR}/root/.ssh/
    fi
    cp -pr /etc/nsswitch.conf ${DESTDIR}/etc/
    cp -pr /etc/localtime ${DESTDIR}/etc/
    cp -pr /lib/tls ${DESTDIR}/lib/
    
    # we don't have bash in our initrd
    # also we only add the root account
    cat /etc/passwd | grep root | sed s/\\/bash/\\/sh/ > ${DESTDIR}/etc/passwd
    cat /etc/shadow | grep root > ${DESTDIR}/etc/shadow
    cat /etc/group | grep root > ${DESTDIR}/etc/group
    
    cat >${DESTDIR}/scripts/local-top/network_ssh << 'EOF'
    #!/bin/sh
    
    # we start the network and ssh-server
    
    PREREQ=""
    prereqs()
    {
    echo "$PREREQ"
    }
    
    case $1 in
    prereqs)
    
    prereqs
    exit 0
    ;;
    esac
    
    # Begin real processing below this line
    
    # build up helpful environment
    [ -d /dev ] || mkdir -m 0755 /dev
    [ -d /root ] || mkdir --mode=0700 /root
    [ -d /tmp ] || mkdir /tmp
    [ -d /sys ] || {
    mkdir /sys
    mount -t sysfs -o nodev,noexec,nosuid none /sys
    }
    [ -d /proc ] || {
    mkdir /proc
    mount -t proc -o nodev,noexec,nosuid none /proc
    
    }
    
    mkdir -p /var/lock
    mkdir -p /var/log
    touch /var/log/lastlog
    mkdir /dev/pts
    mount -t devpts -o gid=5,mode=620 /dev/pts /dev/pts
    
    /bin/sleep 5
    
    ################# CHANGE THE LINES BELOW #################
    # The network setup: edit ip address and gateway to match your needs
    ifconfig eth0 172.16.2.128 netmask 255.255.255.0
    route add default gw 172.16.2.2
    ################# CHANGE THE LINES ABOVE #################
    
    # display the network settings for double check
    ifconfig
    
    # If you like to use dhcp make sure you include dhclient or pump in
    # /etc/initramfs-tools/hooks/dropbear via
    # copy_exec /sbin/dhclient
    
    
    # for debugging ssh-server you may run it in forgound
    # /usr/sbin/dropbear -E -F
    # for more debugging you may run it with strace
    # therfor you have to include strace and nc at top of
    # /etc/initramfs-tools/hooks/dropbear via
    # copy_exec /usr/bin/strace
    # copy_exec /usr/bin/nc
    # then start nc on an other host and run
    # /usr/sbin/dropbear -E -F 2>&1 | /bin/nc -vv <ip of other host> <nc port of other host>
    # e.g.:
    # /usr/sbin/dropbear -E -F 2>&1 | /bin/nc -vv 192.168.1.2 8888
    
    # We will use /dev/urandom because /dev/random gets easily blocked
    mv /dev/random /dev/random.old
    ln -s /dev/urandom /dev/random
    # /usr/sbin/dropbear -E -F -b /etc/dropbear/banner -d /etc/dropbear/dropbear_dss_host_key -r /etc/dropbear/dropbear_rsa_host_key -p 22
    /usr/sbin/dropbear -b /etc/dropbear/banner -d /etc/dropbear/dropbear_dss_host_key -r /etc/dropbear/dropbear_rsa_host_key -p 22
    #ls -al
    rm -f /dev/random
    mv /dev/random.old /dev/random
    EOF
    chmod 700 ${DESTDIR}/scripts/local-top/network_ssh
    
    cat >${DESTDIR}/etc/dropbear/banner << 'EOF'
    
    To unlock root-partition run
    unlock
    
    
    EOF
    
    # script to unlock luks via ssh
    # dirty but effektive
    cat >${DESTDIR}/usr/bin/unlock << 'EOF'
    #!/bin/sh
    
    /bin/sh /scripts/local-top/cryptroot
    
    # Kill processes locking boot process
    [ `ls /dev/mapper/ | grep -v control| wc -l | awk '{print $1}'` -gt 0 ] && {
    for i in `ps | grep -E "cryptroot|cryptsetup" | awk '{ print $1 }'`
    do
    kill $i
    done
    }
    /bin/sh /scripts/local-bottom/rm_dropbear
    EOF
    
    chmod 700 ${DESTDIR}/usr/bin/unlock
    
    # make sure we exit dropbear at the end of the startup process
    cat >${DESTDIR}/scripts/local-bottom/rm_dropbear << 'EOF'
    #!/bin/sh
    PREREQ=""
    
    prereqs()
    {
    echo ""
    }
    
    case $1 in
    prereqs)
    
    prereqs
    exit 0
    ;;
    esac
    
    # Begin real processing below this line
    # we kill dropbear ssh-server
    
    /usr/bin/killall dropbear
    
    EOF
    chmod 700 ${DESTDIR}/scripts/local-bottom/rm_dropbear
    Step 0: Enable root login

    Well, forum policies say, that no root login tutorials must be given (see here). However there's plenty or resources out there on the net on how to do that.

    The reason why I say that root must be enabled is, because I couldn't work out how to get the whole sudo permission stuff into the initrd. I'm sure there must be a way and if someone is willing to take up the challenge, please go ahead. However you can enable root login only during the creation of the initrd. Once it's created then the according stuff is saved in there and you can remove root login from the actual installation again. The root login is only required to log into dropbear and then run the unlock script. It's not used for anything else.

    Step 1: Install required packages

    Install those packages:
    Code:
    sudo apt-get install psmisc busybox dropbear
    Step 2: Configure network

    In the script change the network configuration to your needs. I have sofar only used static ips. The script itself provides also option for dhcp - however I did not try those.
    Code:
    ################# CHANGE THE LINES BELOW #################
    # The network setup: edit ip address and gateway to match your needs
    ifconfig eth0 172.16.2.128 netmask 255.255.255.0
    route add default gw 172.16.2.2
    ################# CHANGE THE LINES ABOVE #################
    The above settings are just the values from my vmware machine on where I tested it.

    Step 3: Save the script and make it executable:

    Save the altered script to /etc/initramfs-tools/hooks/dropbear and make it then executable:
    Code:
    sudo chmod +x /etc/initramfs-tools/hooks/dropbear
    Step 4: Create new initrd

    Run this command to create a new initrd with the name of "netboot". Of course you can rename "netboot" to anything you like.
    Code:
    sudo mkinitramfs -o /boot/netboot
    Step 5: Edit /boot/grub/menu.lst and add your new initrd as the first entry

    Now you have to edit grub's menu list to add the new init.rd.
    Run:
    Code:
    sudo nano /boot/grub/menu.lst
    to edit the menu.lst in nano.
    Go to the end (or almost) and copy an existing kernel entry e.g.
    Code:
    title           Ubuntu 8.04.1, kernel 2.6.24-19-generic
    root            (hd0,1)
    kernel          /vmlinuz-2.6.24-19-generic root=/dev/mapper/sda4_crypt ro quiet splash
    initrd          /initrd.img-2.6.24-19-generic
    Change it to something like:
    Code:
    title           Netboot
    root            (hd0,1)
    kernel          /vmlinuz-2.6.24-19-generic root=/dev/mapper/sda4_crypt ro quiet splash
    initrd          /netboot
    Don't copy my example directly but use yours. That way the root hd entry and the mapper name are correct.

    Finally, at the top of the menu.lst also change the default boot entry accordingly. If you have 7 kernel entries, then you will put a "6" there because it starts with 0 and you add the netboot one at the bottom.

    Step 6: Delete the dropbear script the hooks folder

    When I tried it on my machine, after a kernel upgrade there were some problems (which may have resulted from my earlier tries with a buggy script). Just to make sure, delete the dropbear script from the folder.
    Code:
    sudo rm /etc/initramfs-tools/hooks/dropbear
    Step 7: Profit!

    That's it... it should be working now.

    A few things to mention

    - Well, in the script I currently call a ifconfig after the network configuration. I did that for bugtracing. You can of course delete that from the script.

    - After you have now created the netboot initrd you can either change the root password again or disable root login. As the initrd is not encrypted it is possible to get the hash of the root password and so you want to use a different one from remote unlocking the crypto drives. I highly recommend changing the password or disabling root login in the actual machine.

    - Although the system is fully encrypted, there are still two possible attacks left to gain access to the data:
    (1) ColdBoot Attack by reading the crypto password from the ram blocks (not much you can't do against that without special hardware, see here)
    (2) The created initrd can be manipulated so that it logs the crypto password somewhere. As /boot is not encrypted an attacker may gain this way the password for the LUKS-devices. You could, to prevent that, make a bootable cd with the according kernels and initrds and implement some kind of hash check... maybe there are other methods... feedback is welcomed here.

    - Most of this tutorial is not from me, just a few adapations and explanations. So thanks goes to Wolfram Coulmann and the others who modified the original script.
    Attached Files Attached Files

  2. #2
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,918
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: HOWTO: Unlock a LUKS encrypted root partition via ssh

    I will try this out this weekend, however, is networking services up, prior to booting into the encrypted partition -- this could potentially be a problem for me -- particularly if a wireless connection isnt up and running.

  3. #3
    Join Date
    Jun 2006
    Location
    Switzerland
    Beans
    Hidden!
    Distro
    Kubuntu Jaunty Jackalope (testing)

    Re: HOWTO: Unlock a LUKS encrypted root partition via ssh

    yes, networking will be up priot to booting into the encrypted partition. You'll have to set this up in the initrd.... good luck with it

  4. #4
    Join Date
    Mar 2006
    Beans
    194

    Re: HOWTO: Unlock a LUKS encrypted root partition via ssh

    Quote Originally Posted by hyper_ch View Post
    HOWTO: Unlock a LUKS encrypted root partition via ssh
    Thanks a lot for your howto. I hope to ask if it is possible for adsl user.
    What files which is related with pppoe should be put into initrd.img and how send the IP to remote user. I think these are two questions, is there a ready resolution to them.

    BTW, where you get the ubuntu 8.04.1 version? I haven't find it is out.
    Last edited by say2sky; June 16th, 2008 at 01:13 AM.

  5. #5
    Join Date
    Jun 2006
    Location
    Switzerland
    Beans
    Hidden!
    Distro
    Kubuntu Jaunty Jackalope (testing)

    Re: HOWTO: Unlock a LUKS encrypted root partition via ssh

    I have no clue about pppoe....

    But for the ip, you can use dynamic ip client such as dyndns or no-ip... however you'd have to integrate that also into your initrd image. dyndns and no-ip shouldn't be to hard... that's one binary and a config file (or something like that) that you can easily copy to the according dirs and have it run in the script after the network is setup...

  6. #6
    Join Date
    Mar 2006
    Beans
    194

    Re: HOWTO: Unlock a LUKS encrypted root partition via ssh

    Quote Originally Posted by hyper_ch View Post
    I have no clue about pppoe....

    But for the ip, you can use dynamic ip client such as dyndns or no-ip... however you'd have to integrate that also into your initrd image. dyndns and no-ip shouldn't be to hard... that's one binary and a config file (or something like that) that you can easily copy to the according dirs and have it run in the script after the network is setup...
    thanks a lot for help. I will do it and will also try to setup pppoe for adsl so I can access all my files from anywhere through security connection at any time.

  7. #7
    Join Date
    Jun 2006
    Location
    Switzerland
    Beans
    Hidden!
    Distro
    Kubuntu Jaunty Jackalope (testing)

    Re: HOWTO: Unlock a LUKS encrypted root partition via ssh

    well, last time I used a dial-up modem was like 8 years ago... and using modems was bad in w2k also... no clue about linux.

  8. #8
    Join Date
    Apr 2006
    Beans
    14

    Re: HOWTO: Unlock a LUKS encrypted root partition via ssh

    Thanks! This works like a charm...

    But I got one problem:

    After mounting the root partition early crypto disks are mounted (I have a 2nd HDD that is mounted before sshd starts)

    is there a way to load sshd before the mounting or keeping beardrop alive until the 2nd password for the 2nd harddrive has been entered?

    Cheers,

    Eule

  9. #9
    Join Date
    Jun 2006
    Location
    Switzerland
    Beans
    Hidden!
    Distro
    Kubuntu Jaunty Jackalope (testing)

    Re: HOWTO: Unlock a LUKS encrypted root partition via ssh

    well, there is the unlock script you can modify that... but why not auto-mounting the other partitions with a key that is on the root partition?

  10. #10
    Join Date
    Apr 2006
    Beans
    14

    Re: HOWTO: Unlock a LUKS encrypted root partition via ssh

    hi there,

    to tell you the truth, i would love to do that - but i actually have no clue how to do that - they have the same password anyway...

    my setup is as following:

    i have on lvm partition on hdd1 that includes the encrypted root, home and swap partitions
    and i have one second hdd that has only one encrypted ext3 partition.
    ubuntu server (hardy) is running and the system...

    I really thankful for any help,

    thanks

    EuleLL

Page 1 of 8 123 ... LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •