Unable to remotely unlock an encrypted Ubuntu Server 15.04 over ssh with dropbear/initramfs

So I am trying to set up a brand-new headless Ubuntu 15.04 server with full-disk encryption and remote unlocking. I have done this successfully before on a Raspberry Pi running Raspbian Wheezy and on another headless Ubuntu 14.04 server.

For both the successful attempts and the recent failed one I followed this guide.

Install Dropbear/busybox:

sudo apt-get install busybox dropbear

Copy the generated ssh key to the client:

sudo cp /etc/initramfs-tools/root/.ssh/id_rsa ~/id_rsa_dropbear
sudo scp ~/id_rsa_dropbear client@client:~/.ssh/id_rsa_dropbear

Since my client is a Windows machine running cygwin, change the permissions of the new key:

chgrp Users ~/.ssh/id_rsa_dropbear
chmod 600 ~/.ssh/id_rsa_dropbear

Dropbear automatically appends the public key to the authorized_keys file when the key is generated. Create the crypt_unlock.sh script as described in the link above, and make it executable:

sudo vi /etc/initramfs-tools/hooks/crypt_unlock.sh
sudo chmod +x /etc/initramfs-tools/hooks/crypt_unlock.sh

Update the initramfs:

sudo update-initramfs -u

Reboot the server and try ssh root@serverip: it asks for the key's passphrase, and then for the root user's password. This key has no passphrase, and I thought dropbear did not support encrypted keys anyway? What should happen is that the key is recognised and I land at a busybox prompt, where I can type "unlock" and then the encryption passphrase to unlock the root disk on the server.

I can enter the encryption passphrase locally (with the server connected directly to a keyboard/monitor) and the server boots correctly. I cannot work out why dropbear is not handling the private key properly. I have even tried several times to recreate the private/public key pair manually using the instructions in the cryptsetup README. Dropbear is being started successfully in the initramfs; you can see it at the local passphrase prompt.

If anyone has any suggestions I would really appreciate them. I am genuinely stumped; as I said, I have done this twice before without any problems. I tried searching for whether this might be a 15.04 issue but found nothing.

Edit:

Output of ssh -vv root@serverip:

$ ssh -vv alphabot_dropbear
OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014
debug1: Reading configuration data /home/Pete/.ssh/config
debug1: /home/Pete/.ssh/config line 2: Applying options for alphabot_dropbear
debug1: Hostname has changed; re-reading configuration
debug1: Reading configuration data /home/Pete/.ssh/config
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.82.125 [192.168.82.125] port 22.
debug1: Connection established.
debug1: read_keyfile_line: /home/Pete/.ssh/id_rsa_dropbear line 3 exceeds size limit
debug1: read_keyfile_line: /home/Pete/.ssh/id_rsa_dropbear line 3 exceeds size limit
debug1: key_load_public: No such file or directory
debug1: identity file /home/Pete/.ssh/id_rsa_dropbear type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/Pete/.ssh/id_rsa_dropbear-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7
debug1: Remote protocol version 2.0, remote software version dropbear_2014.65
debug1: no match: dropbear_2014.65
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,kexguess2@matt.ucc.asn.au
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,3des-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes256-cbc,twofish256-cbc,twofish-cbc,twofish128-cbc
debug2: kex_parse_kexinit: aes128-ctr,3des-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes256-cbc,twofish256-cbc,twofish-cbc,twofish128-cbc
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-512,hmac-sha1-96,hmac-sha1,hmac-md5
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-512,hmac-sha1-96,hmac-sha1,hmac-md5
debug2: kex_parse_kexinit: zlib,zlib@openssh.com,none
debug2: kex_parse_kexinit: zlib,zlib@openssh.com,none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: setup hmac-sha2-256
debug1: kex: server->client aes128-ctr hmac-sha2-256 none
debug2: mac_setup: setup hmac-sha2-256
debug1: kex: client->server aes128-ctr hmac-sha2-256 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: RSA ea:e6:df:5a:82:d6:db:20:3e:c9:5b:93:ad:f5:3b:3a
debug1: Host '192.168.82.125' is known and matches the RSA host key.
debug1: Found key in /home/Pete/.ssh/known_hosts.initramfs:1
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/Pete/.ssh/id_rsa_dropbear (0x0), explicit
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/Pete/.ssh/id_rsa_dropbear
debug1: key_load_private_type: incorrect passphrase supplied to decrypt private key
Enter passphrase for key '/home/Pete/.ssh/id_rsa_dropbear':
debug2: no passphrase given, try next key
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
root@192.168.82.125's password:

Answer 1

I never did find out what the problem was; I tried another dropbear id_rsa key that was known to work and it still did not work. In the end I completely reinstalled a fresh 15.04, followed all the steps again, and was able to unlock remotely without any problem.

Answer 2

I just ran into the same problem. What was happening is that the key was stored in the old format:

cat /etc/ssh/ssh_host_rsa_key
SSH PRIVATE KEY FILE FORMAT 1.1
<encoded private key here>

However, newer sshd requires the newer base64-encoded key.

cat /etc/ssh/ssh_host_rsa_key
-----BEGIN RSA PRIVATE KEY-----
<base64 encoding here>
-----END RSA PRIVATE KEY-----

There may be a way to copy the private and public key numbers and reformat them as base64, but the simplest option is to regenerate the key with a current ssh-keygen.
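The two header styles quoted in this answer are easy to tell apart by machine, and the ssh -vv output in the question ("line 3 exceeds size limit", then a passphrase prompt for a key that has none) is what OpenSSH prints when it cannot parse the file at all. The following POSIX sh script is an added example, not part of the original question or either answer: it classifies a private key file by its header line and prints the matching remedy. The sample key files it writes are constructed placeholders, not real key material, and the remedies are the ones this thread arrives at (regenerate with ssh-keygen) plus OpenSSH's own newer format and a passphrase-protected PEM, which a practitioner would also want ruled out.

```shell
#!/bin/sh
# Added diagnostic for the dropbear/initramfs unlock setup described in the thread.
# key_format FILE  -> prints one token: ssh1 | pem | pem-encrypted | openssh | missing | unknown
# advise FILE      -> prints the remedy for that format
key_format() {
    f=$1
    [ -r "$f" ] || { echo missing; return 1; }
    # tr strips a CR so a key copied through a Windows/cygwin client still matches
    first=$(head -n 1 "$f" | tr -d '\r')
    case $first in
        'SSH PRIVATE KEY FILE FORMAT 1.1')
            # SSH protocol-1 (RSA1) key: header line, then binary; OpenSSH cannot
            # use it for SSH-2 public-key auth and reports the long binary "line"
            echo ssh1 ;;
        '-----BEGIN RSA PRIVATE KEY-----'|'-----BEGIN DSA PRIVATE KEY-----'|'-----BEGIN EC PRIVATE KEY-----')
            # PEM: a Proc-Type header on line 2 means the key body is passphrase-encrypted
            if sed -n 2p "$f" | tr -d '\r' | grep -q '^Proc-Type: 4,ENCRYPTED'; then
                echo pem-encrypted
            else
                echo pem
            fi ;;
        '-----BEGIN OPENSSH PRIVATE KEY-----')
            echo openssh ;;
        *)
            echo unknown ;;
    esac
}

advise() {
    case $(key_format "$1") in
        ssh1)          echo 'SSH-1 key; regenerate an SSH-2 key with ssh-keygen and re-copy it' ;;
        pem)           echo 'PEM SSH-2 key, loadable by OpenSSH; if auth still fails, check authorized_keys in the initramfs' ;;
        pem-encrypted) echo 'key is passphrase-protected; the prompt is the client decrypting it, not a server problem' ;;
        openssh)       echo 'OpenSSH new-format key; the client needs OpenSSH 6.5 or newer' ;;
        missing)       echo 'file missing or unreadable' ;;
        *)             echo 'unrecognised header; not a text-encoded private key' ;;
    esac
}

# Constructed sample files (placeholders, not real keys) so the script runs offline.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
printf 'SSH PRIVATE KEY FILE FORMAT 1.1\n%s\n' 'placeholder-binary-body' > "$DEMO_DIR/ssh1_key"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'cGxhY2Vob2xkZXI=' \
    '-----END RSA PRIVATE KEY-----' > "$DEMO_DIR/pem_key"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-128-CBC,00000000000000000000000000000000' '' 'cGxhY2Vob2xkZXI=' \
    '-----END RSA PRIVATE KEY-----' > "$DEMO_DIR/pem_enc_key"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'cGxhY2Vob2xkZXI=' \
    '-----END OPENSSH PRIVATE KEY-----' > "$DEMO_DIR/openssh_key"

for k in ssh1_key pem_key pem_enc_key openssh_key; do
    printf '%-12s %-14s %s\n' "$k" "$(key_format "$DEMO_DIR/$k")" "$(advise "$DEMO_DIR/$k")"
done
```

Run key_format and advise against the copy on the client (~/.ssh/id_rsa_dropbear) and against the original under /etc/initramfs-tools/root/.ssh/ on the server; if the two disagree, the copy step is the problem rather than the key itself.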
