Ubuntu will not boot into busybox for remote LUKS decryption using dropbear
I want to unlock an encrypted LVM at startup on a headless Ubuntu 16.04 server. This is a fairly fresh install. The only installs I have done are mate-desktop, xrdp, dropbear, and busybox. My client is PuTTY on a Windows machine. I am fairly new to Linux, but here is the progress I have made:
- Installed dropbear and busybox
- Used `puttygen` to generate a key pair
- Copied public key to `~/.ssh/authorized_keys` and set proper permissions (700 on directory, 600 on file)
- Copied public key to `/etc/initramfs-tools/root/.ssh/authorized_keys` and set proper permissions (700 on directory, 600 on file)
- Confirmed my keys are good by successfully connecting to normal user session via PuTTY using key authentication
- Created the script and modified the config files as outlined at this link (Note: I did not perform step 8, but my `/var/log/auth.log` file did not contain the errors showcased in the Troubleshoot section of that blogpost if step 8 is not performed.)
- Updated initramfs
When the system boots and shows the graphical LUKS unlock prompt, I get no response from the server when I try to connect via PuTTY. The connection times out. I have not been able to find any resources that deal with dropbear/busybox not running on boot. I am certain that if I could get a response, my key would work and I could unlock without problems.
How can I find out why dropbear/busybox isn't running at boot?
(For clarification, I can still unlock at the server and SSH into user session.)
After what feels like an eternity of deep diving into Google and trial and error, I finally got this figured out.
Here are the steps I took relative to the steps I outlined in the question:
- Removed the script in the blogpost referenced in the question
- In the crossfire of trial and error, ended up removing `ifconfig eth0 0.0.0.0 down` from `/usr/share/initramfs-tools/scripts/init-bottom/dropbear` that step 6 in the blogpost outlined; I never added it back but never needed it
- Modified and added the following scripts from this post:
Comment lines in `/usr/share/initramfs-tools/scripts/local-top/cryptroot` as follows (the plymouth branch is commented out so the plain askpass prompt is always used):

```sh
if [ -z "$cryptkeyscript" ]; then
    cryptkey="Unlocking the disk $cryptsource ($crypttarget)\nEnter passphrase: "
    #if [ -x /bin/plymouth ] && plymouth --ping; then
    #    cryptkeyscript="plymouth ask-for-password --prompt"
    #    cryptkey=$(echo -e "$cryptkey")
    #else
        cryptkeyscript="/lib/cryptsetup/askpass"
    #fi
fi
```

Add `/usr/share/initramfs-tools/hooks/cryptroot_unlock` and make executable:

```sh
#!/bin/sh
#
# Prompt to unlock LUKS encrypted root partition remotely
#
# See linked post for sources and acknowledgements
#
PREREQ=""
prereqs() {
    echo "$PREREQ"
}
case $1 in
    prereqs)
        prereqs
        exit 0
        ;;
esac

. /usr/share/initramfs-tools/hook-functions

#
# Begin real processing
#
SCRIPTNAME=unlock

# 1) Create script to unlock luks partitions
#    (quoted delimiter: the body is copied verbatim into the initramfs)
cat > ${DESTDIR}/bin/${SCRIPTNAME} << '__EOF'
#!/bin/sh
/lib/cryptsetup/askpass "Enter volume password: " > /lib/cryptsetup/passfifo
__EOF
chmod 700 ${DESTDIR}/bin/${SCRIPTNAME}

# 2) Enhance Message Of The Day (MOTD) with info how to unlock luks partition
#    (unquoted delimiter so ${SCRIPTNAME} is expanded into the message)
cat >> ${DESTDIR}/etc/motd << __EOF
To unlock root-partition run "${SCRIPTNAME}"
__EOF
```

Add `/usr/share/initramfs-tools/scripts/local-bottom/dropbear_kill_clients` and make executable:

```sh
#!/bin/sh
#
# Kills all DropBear client sessions if InitRAMFS is left
#
# See linked post for sources and acknowledgements
#
PREREQ=""
prereqs() {
    echo "$PREREQ"
}
case $1 in
    prereqs)
        prereqs
        exit 0
        ;;
esac

#
# Begin real processing
#
NAME=dropbear
PROG=/sbin/dropbear

# get all server pids that should be ignored
ignore=""
for server in `cat /var/run/${NAME}*.pid`
do
    ignore="${ignore} ${server}"
done

# get all running pids and kill client connections
for pid in `pidof "${NAME}"`
do
    # check if correct program, otherwise process next pid
    grep -F -q -e "${PROG}" "/proc/${pid}/cmdline" || {
        continue
    }

    # check if pid should be ignored (servers)
    skip=0
    for server in ${ignore}
    do
        # single "=" is the POSIX sh string comparison ("==" is a bashism)
        if [ "${pid}" = "${server}" ]
        then
            skip=1
            break
        fi
    done
    [ "${skip}" -ne 0 ] && continue

    # kill process
    echo "$0: Killing ${pid}..."
    kill -KILL ${pid}
done
```
After modifying and adding those scripts, dropbear was able to start, but my network device was failing to connect to the network, so I was still unable to connect to the server.
I finally discovered by using `ls /sys/class/net` that my network adapter was not called `eth0`; apparently that is an old notation no longer used by recent versions of Ubuntu, and since all the posts I have found are old if not ancient, `eth0` is all I found references to.
So, armed with that information and a few more snippets I found from other sources, I modified `initramfs.conf` as follows:
- Modified the `DEVICE=` portion of `/etc/initramfs-tools/initramfs.conf` to read:

  ```
  DEVICE=<name of network adapter discovered using ls /sys/class/net> IP=<Static IP Address>::<Default Gateway>:<Subnet Mask>::<name of network adapter>:off
  ```

- Updated initramfs (`sudo update-initramfs -u`)
Now dropbear connects to the network and I can connect to the server and unlock remotely.
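The `IP=` value above is easy to get wrong because it follows the kernel's seven-field `client:server:gw:netmask:hostname:device:autoconf` layout, which is why the line contains two empty fields. The following is an added helper, not code from the post: it finds the first non-loopback adapter name the way `ls /sys/class/net` does, composes the static `IP=` value, and checks a value for the usual mistakes (wrong field count, missing address or netmask, device not matching `DEVICE=`). Function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): compose and sanity-check the
# IP= value for /etc/initramfs-tools/initramfs.conf. Function names and the
# sample values are constructed for illustration.

# Print the first non-loopback interface name found in a sysfs-style
# directory (/sys/class/net on a real system; a constructed one in tests).
first_net_device() {
    for path in "$1"/*; do
        [ -e "$path" ] || continue
        name=$(basename "$path")
        [ "$name" = "lo" ] && continue
        printf '%s\n' "$name"
        return 0
    done
    return 1
}

# Build the IP= value for a static address: device $1, address $2,
# gateway $3, netmask $4; the server-ip and hostname fields stay empty.
initramfs_ip_value() {
    printf '%s::%s:%s::%s:off\n' "$2" "$3" "$4" "$1"
}

# Validate an IP= value ($2) against the DEVICE= name ($1): exactly seven
# fields, client address and netmask present, device field matching DEVICE=,
# and autoconf set to "off" for a static address.
check_ip_value() {
    fields=$(printf '%s\n' "$2" | awk -F: '{ print NF }')
    [ "$fields" -eq 7 ] || { echo "expected 7 fields, got $fields" >&2; return 1; }
    client=$(printf '%s\n' "$2" | cut -d: -f1)
    mask=$(printf '%s\n' "$2" | cut -d: -f4)
    dev=$(printf '%s\n' "$2" | cut -d: -f6)
    auto=$(printf '%s\n' "$2" | cut -d: -f7)
    [ -n "$client" ] && [ -n "$mask" ] || { echo "address and netmask are required" >&2; return 1; }
    [ "$dev" = "$1" ] || { echo "device '$dev' does not match DEVICE=$1" >&2; return 1; }
    [ "$auto" = "off" ] || { echo "autoconf must be 'off' for a static address" >&2; return 1; }
}
```

On a live system, `dev=$(first_net_device /sys/class/net)` followed by `check_ip_value "$dev" "$(initramfs_ip_value "$dev" 192.0.2.10 192.0.2.1 255.255.255.0)"` validates the pair before running `update-initramfs -u`.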