Ubuntu won't boot into busybox with dropbear for remote LUKS decryption

I want to unlock an encrypted LVM at boot on a headless Ubuntu 16.04 server. This is a fairly fresh install. The only things I have installed are mate-desktop, xrdp, dropbear and busybox. My client is PuTTY on a Windows machine. I am quite new to Linux, but here is the progress I have made:

  1. Installed dropbear and busybox

  2. Generated a key pair with puttygen

  3. Copied the public key to ~/.ssh/authorized_keys and set appropriate permissions (700 for the directory, 600 for the file)

  4. Copied the public key to /etc/initramfs-tools/root/.ssh/authorized_keys and set appropriate permissions (700 for the directory, 600 for the file)

  5. Confirmed that my key is good by successfully connecting to a normal user session via PuTTY using key authentication

  6. Created the scripts and modified the config files outlined in this link

    (Note: I did not do step 8, but my /var/log/auth.log file did not contain the error that the "Troubleshooting" section of that blog post shows for when step 8 is not done.)

  7. Updated the initramfs

When the system boots and shows the graphical LUKS unlock prompt, I get no response from the server when I try to connect via PuTTY. The connection times out. I cannot find any resources dealing with dropbear / busybox not running at boot. I am sure that if I could get a response my keys would work and I could unlock without any problems.

How can I find out why dropbear / busybox is not running at boot?

(To clarify, I can still unlock at the server and SSH into a user session.)

After what felt like an eternity of deep diving into Google and trial and error, I finally figured it out.

Here are the steps I took, relative to the steps I outlined in the question:

  1. Removed the scripts from the blog post referenced in the question
  2. In the crossfire of trial and error, eventually removed ifconfig eth0 0.0.0.0 down from usr/share/initramfs-tools/scripts/init-bottom/dropbear, which was step 6 in the blog post; I had never added it, and never needed it
  3. Modified and added the following scripts:

     # Comment lines in /usr/share/initramfs-tools/scripts/local-top/cryptroot as follows
     # (the plymouth branch is commented out so the initramfs always falls back to askpass,
     # which is what the remote unlock script writes to):

         if [ -z "$cryptkeyscript" ]; then
             cryptkey="Unlocking the disk $cryptsource ($crypttarget)\nEnter passphrase: "
             #if [ -x /bin/plymouth ] && plymouth --ping; then
             #    cryptkeyscript="plymouth ask-for-password --prompt"
             #    cryptkey=$(echo -e "$cryptkey")
             #else
                 cryptkeyscript="/lib/cryptsetup/askpass"
             #fi
         fi

     # Add /usr/share/initramfs-tools/hooks/cryptroot_unlock and make executable

         #!/bin/sh
         #
         # Prompt to unlock LUKS encrypted root partition remotely
         #
         # See linked post for sources and acknowledgements
         #
         PREREQ=""
         prereqs() {
             echo "$PREREQ"
         }
         case $1 in
         prereqs)
             prereqs
             exit 0
             ;;
         esac

         . /usr/share/initramfs-tools/hook-functions

         #
         # Begin real processing
         #
         SCRIPTNAME=unlock

         # 1) Create script to unlock luks partitions
         #    (quoted delimiter: nothing is expanded at build time)
         cat > ${DESTDIR}/bin/${SCRIPTNAME} << '__EOF'
         #!/bin/sh
         /lib/cryptsetup/askpass "Enter volume password: " > /lib/cryptsetup/passfifo
         __EOF
         chmod 700 ${DESTDIR}/bin/${SCRIPTNAME}

         # 2) Enhance Message Of The Day (MOTD) with info how to unlock luks partition
         #    (unquoted delimiter so that ${SCRIPTNAME} is expanded into the MOTD)
         cat >> ${DESTDIR}/etc/motd << __EOF
         To unlock root-partition run "${SCRIPTNAME}"
         __EOF

     # Add /usr/share/initramfs-tools/scripts/local-bottom/dropbear_kill_clients and make executable

         #!/bin/sh
         #
         # Kills all DropBear client sessions if InitRAMFS is left
         #
         # See linked post for sources and acknowledgements
         #
         PREREQ=""
         prereqs() {
             echo "$PREREQ"
         }
         case $1 in
         prereqs)
             prereqs
             exit 0
             ;;
         esac

         #
         # Begin real processing
         #
         NAME=dropbear
         PROG=/sbin/dropbear

         # get all server pids that should be ignored
         ignore=""
         for server in `cat /var/run/${NAME}*.pid`
         do
             ignore="${ignore} ${server}"
         done

         # get all running pids and kill client connections
         for pid in `pidof "${NAME}"`
         do
             # check if correct program, otherwise process next pid
             grep -F -q -e "${PROG}" "/proc/${pid}/cmdline" || continue

             # check if pid should be ignored (servers)
             skip=0
             for server in ${ignore}
             do
                 if [ "${pid}" = "${server}" ]
                 then
                     skip=1
                     break
                 fi
             done
             [ "${skip}" -ne 0 ] && continue

             # kill process
             echo "$0: Killing ${pid}..."
             kill -KILL ${pid}
         done

After modifying and adding these scripts, dropbear was able to start, but my network device could not connect to the network, so I still could not connect to the server.

I finally discovered, using ls /sys/class/net, that my network adapter was not called eth0; apparently that is old notation which recent versions of Ubuntu no longer use, and because all the posts I found were old, if not ancient, eth0 was all I had ever come across.

So, with that information and more snippets from other sources, I modified initramfs.conf as follows:

  1. Modified the DEVICE= section of /etc/initramfs-tools/initramfs.conf to:

     DEVICE=
     IP=::::::off

  2. Updated the initramfs with sudo update-initramfs -u

Now dropbear connects to the network, and I can connect to the server and unlock remotely.
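The two causes the answer above ran into (the initramfs not carrying dropbear and the key, and DEVICE= naming an interface that the kernel no longer calls eth0) can both be checked before rebooting. The following is an added example, not code from the question, the answer or any linked blog post: it reads DEVICE= out of an initramfs.conf-style file and compares it with the interface names from /sys/class/net, and it lists the built initramfs with lsinitramfs to confirm dropbear, the root authorized_keys and the cryptroot script made it in. The sample config and interface list are constructed so the checks run on any machine; the /etc/initramfs-tools and /boot paths are the standard Ubuntu ones.

```shell
#!/bin/sh
# Added example: pre-reboot checks for a dropbear/LUKS initramfs.
# Not from the original question or answers.

# Print the value of DEVICE= from an initramfs.conf-style file (empty if unset).
initramfs_device() {
    sed -n 's/^[[:space:]]*DEVICE=[[:space:]]*//p' "$1" | tail -n 1
}

# Compare DEVICE= with a whitespace-separated interface list.
# Prints "all-devices" (DEVICE= empty, initramfs tries every interface),
# "ok" (named interface exists) or "missing:<name>". Always returns 0;
# the printed word is the result.
check_device_config() {
    conf="$1"
    ifaces="$2"
    dev=$(initramfs_device "$conf")
    if [ -z "$dev" ]; then
        echo "all-devices"
        return 0
    fi
    for i in $ifaces; do
        if [ "$i" = "$dev" ]; then
            echo "ok"
            return 0
        fi
    done
    echo "missing:$dev"
    return 0
}

# Interface names on the running kernel, as ls /sys/class/net shows them.
live_interfaces() {
    ls /sys/class/net 2>/dev/null | tr '\n' ' '
}

# Does the built initramfs contain dropbear, the root authorized_keys and
# the cryptroot script? Prints "complete", "missing:<pieces>" or "skipped"
# (no lsinitramfs, or image unreadable).
check_initrd_contents() {
    img="$1"
    command -v lsinitramfs >/dev/null 2>&1 || { echo "skipped"; return 0; }
    [ -r "$img" ] || { echo "skipped"; return 0; }
    listing=$(lsinitramfs "$img")
    missing=""
    echo "$listing" | grep -q 'sbin/dropbear$' || missing="$missing dropbear"
    echo "$listing" | grep -q 'authorized_keys$' || missing="$missing authorized_keys"
    echo "$listing" | grep -q 'scripts/local-top/cryptroot$' || missing="$missing cryptroot"
    if [ -z "$missing" ]; then echo "complete"; else echo "missing:$missing"; fi
    return 0
}

# --- constructed sample reproducing the answer's situation ---
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
# constructed initramfs.conf fragment
MODULES=most
DEVICE=eth0
EOF
sample_ifaces="lo enp0s3"    # constructed: a 16.04 box with predictable names

check_device_config "$sample_conf" "$sample_ifaces"    # prints missing:eth0
rm -f "$sample_conf"

# --- the same checks against the real machine (meaningful on an Ubuntu host) ---
if [ -r /etc/initramfs-tools/initramfs.conf ]; then
    check_device_config /etc/initramfs-tools/initramfs.conf "$(live_interfaces)"
fi
check_initrd_contents "/boot/initrd.img-$(uname -r)"
```

Run it as root on the server after update-initramfs -u; "missing:eth0" from the first check is exactly the mismatch the answer describes, and "missing: dropbear" from the second means the hook never copied the binary, so no amount of key fixing on the PuTTY side will help.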

It took me almost a week to wade through all the bad information out there (like installing dropbear-initramfs).

Here is my script to automatically set up and configure dropbear for 16.0.4.

Be sure to read the code comments and tailor the script to your system!

    #!/bin/bash
    ## LUKS remote decrypt for Ubuntu 16.04.1 - by BinaryShrub
    # NOTES:
    # Tailor the cryptsetup luksOpen lines in the unlocker below to your system before running!
    # Use at your own risk!

    # Safety Check
    if [ "$EUID" -ne 0 ]
    then
      echo "You must run this as root"
      exit
    fi

    # Install Dropbear
    apt -y install dropbear

    # Setup authorized keys
    mkdir -p /etc/initramfs-tools/root/.ssh
    echo "Insert client id_rsa.pub (Leave empty to use ~/.ssh/authorized_keys):"
    read -er r    # read into $r (without the name, read fills REPLY and $r stays empty)
    if [[ -z "$r" ]]; then
      cp ~/.ssh/authorized_keys /etc/initramfs-tools/root/.ssh/authorized_keys
    else
      echo "$r" >> /etc/initramfs-tools/root/.ssh/authorized_keys
    fi

    # Add hook to create unlocker script
    f=/usr/share/initramfs-tools/hooks/dropbear-unlocker
    cat <<\END > "$f"
    #!/bin/sh
    PREREQ="dropbear"
    prereqs() {
      echo "$PREREQ"
    }
    case "$1" in
      prereqs)
        prereqs
        exit 0
        ;;
    esac

    . "$CONFDIR/initramfs.conf"
    . /usr/share/initramfs-tools/hook-functions

    # Copy dropbear if explicitly enabled, or in case of a cryptroot setup if not explicitly disabled
    [ "$DROPBEAR" = y ] || [ "$DROPBEAR" != n -a -r /etc/crypttab ] || exit 0

    if [ ! -x "/usr/sbin/dropbear" ]; then
      if [ "$DROPBEAR" = y ]; then
        echo "dropbear-unlock: FAILURE: Dropbear not found, script wont start!" >&2
      else
        echo "dropbear-unlock: WARNING: Dropbear not found, script wont start" >&2
      fi
      exit 0
    fi

    # Copy the unlock script into the initramfs root home directory
    s="$DESTDIR/$(ls $DESTDIR | grep root)/unlocker"
    echo "#!/bin/sh
    # Ask for decrypt key with one disk
    # /scripts/local-top/cryptroot

    # With Multiple Disks
    /sbin/cryptsetup luksOpen /dev/sda3 sda3_crypt
    /sbin/cryptsetup luksOpen /dev/sdb3 sdb3_crypt
    /sbin/cryptsetup luksOpen /dev/sdc3 sdc3_crypt

    # Hack to address https://goo.gl/2fGjCY
    mknod /dev/btrfs-control c 10 234
    btrfs device scan

    # Kill these programs to keep 'init' moving.
    echo \"Loading OS...\"
    kill -9 \$(ps | grep cryptsetup | grep askpass | awk '{print \$1}') > /dev/null
    kill -9 \$(ps | grep /bin/sh | grep cryptroot | awk '{print \$1}') > /dev/null
    exit 0
    " > "$s"
    chmod +x "$s"

    echo "unlocker: loaded"
    END
    chmod +x "$f"

    # Rebuild initramfs
    update-initramfs -u
    echo "Done! Reboot to initramfs and run ~/unlocker"

https://gist.github.com/BinaryShrub/0587b170dc22b1e7ff7b435c92b53093