I am going to set up an encrypted LUKS Arch Linux system on a cloud server. I installed the latest Arch Linux release onto a LUKS-encrypted partition, configured the initramfs (installed the build hooks), then installed the GRUB bootloader and configured it to decrypt cryptroot. I used this guide from the official Arch Linux wiki. Now I can boot the encrypted system by entering the passphrase of the encrypted partition in the cloud provider's console. Everything works fine, and I can also SSH into the server as expected.
Now I would like to unlock the root partition remotely over SSH instead of through the cloud provider's console. This is where I ran into problems. I followed this guide. The exact steps I performed are as follows:
Installed the packages:
pacman -S busybox dropbear mkinitcpio-dropbear mkinitcpio-utils mkinitcpio-netconf
Generated a key pair on the client for LUKS unlocking:
ssh-keygen -t rsa -f unlock_luks
Uploaded the public key (unlock_luks.pub) to the server and moved it to /etc/dropbear/root_key.
Regenerated the OpenSSH host keys in PEM format:
[root@host ~]# rm /etc/ssh/ssh_host_*
[root@host ~]# ssh-keygen -A -m PEM
ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519
Converted the OpenSSH host keys to dropbear SSH keys:
[root@host ~]# dropbearconvert openssh dropbear /etc/ssh/ssh_host_rsa_key /etc/dropbear/dropbear_rsa_host_key
Key is a ssh-rsa key
Wrote key to '/etc/dropbear/dropbear_rsa_host_key'
[root@host ~]# dropbearconvert openssh dropbear /etc/ssh/ssh_host_ed25519_key /etc/dropbear/dropbear_ed25519_host_key
Key is a ssh-ed25519 key
Wrote key to '/etc/dropbear/dropbear_ed25519_host_key'
[root@host ~]# dropbearconvert openssh dropbear /etc/ssh/ssh_host_ecdsa_key /etc/dropbear/dropbear_ecdsa_host_key
Key is a ecdsa-sha2-nistp256 key
Wrote key to '/etc/dropbear/dropbear_ecdsa_host_key'
[root@host ~]# dropbearconvert openssh dropbear /etc/ssh/ssh_host_dsa_key /etc/dropbear/dropbear_dsa_host_key
Error: unable to create key structure
Error reading key from '/etc/ssh/ssh_host_dsa_key'
Inserted the hooks netconf dropbear encryptssh before filesystems in the HOOKS array of /etc/mkinitcpio.conf. It now looks like this:
HOOKS=(base udev autodetect modconf block mdadm_udev lvm2 netconf dropbear encryptssh filesystems keyboard fsck)
Installed and configured GRUB:
pacman -S grub
grub-install /dev/sda
Set these options in /etc/default/grub (/dev/sda3 is the LUKS-encrypted partition):
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda3:cryptroot ip=dhcp"
GRUB_ENABLE_CRYPTODISK=y
The network configuration on my server uses DHCP, so I also use ip=dhcp.
Generated the GRUB configuration file:
grub-mkconfig -o /boot/grub/grub.cfg
echo "cryptroot /dev/sda3 none luks" >> /etc/crypttab
(/dev/sda3 is the LUKS-encrypted partition.) Regenerated the initramfs:
mkinitcpio -p linux
Output:
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'default'
  -> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux.img
==> Starting build: 5.18.16-arch1-1
  -> Running build hook: [base]
  -> Running build hook: [udev]
  -> Running build hook: [autodetect]
  -> Running build hook: [modconf]
  -> Running build hook: [block]
==> WARNING: Possibly missing firmware for module: xhci_pci
  -> Running build hook: [mdadm_udev]
  -> Running build hook: [lvm2]
  -> Running build hook: [netconf]
  -> Running build hook: [dropbear]
Key is a ssh-rsa key
Wrote key to '/etc/dropbear/dropbear_rsa_host_key'
Error: unable to create key structure
Error reading key from '/etc/ssh/ssh_host_dsa_key'
Key is a ecdsa-sha2-nistp256 key
Wrote key to '/etc/dropbear/dropbear_ecdsa_host_key'
dropbear_rsa_host_key : SHA256:J9v2M8Lso02myd7Ah5Gk2itcNOq0dWVyARVSpBzx8R0
dropbear_ecdsa_host_key : SHA256:1c9URey3Z3JnUAWXKGFIVruzcWnhBtiqiQsEe/TdLXM
  -> Running build hook: [encryptssh]
==> WARNING: Possibly missing firmware for module: qat_4xxx
  -> Running build hook: [filesystems]
  -> Running build hook: [keyboard]
  -> Running build hook: [fsck]
==> Generating module dependencies
==> Creating zstd-compressed initcpio image: /boot/initramfs-linux.img
==> Image generation successful
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'fallback'
  -> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-fallback.img -S autodetect
==> Starting build: 5.18.16-arch1-1
  -> Running build hook: [base]
  -> Running build hook: [udev]
  -> Running build hook: [modconf]
  -> Running build hook: [block]
==> WARNING: Possibly missing firmware for module: qed
==> WARNING: Possibly missing firmware for module: qla2xxx
==> WARNING: Possibly missing firmware for module: bfa
==> WARNING: Possibly missing firmware for module: qla1280
==> WARNING: Possibly missing firmware for module: wd719x
==> WARNING: Possibly missing firmware for module: aic94xx
==> WARNING: Possibly missing firmware for module: xhci_pci
  -> Running build hook: [mdadm_udev]
  -> Running build hook: [lvm2]
  -> Running build hook: [netconf]
==> WARNING: Possibly missing firmware for module: cfg80211
==> WARNING: Possibly missing firmware for module: wcn36xx
==> WARNING: Possibly missing firmware for module: mt7603e
==> WARNING: Possibly missing firmware for module: rsi_usb
==> WARNING: Possibly missing firmware for module: rsi_sdio
==> WARNING: Possibly missing firmware for module: mwl8k
==> WARNING: Possibly missing firmware for module: usb8xxx
==> WARNING: Possibly missing firmware for module: libertas_sdio
==> WARNING: Possibly missing firmware for module: libertas_spi
==> WARNING: Possibly missing firmware for module: libertas_cs
==> WARNING: Possibly missing firmware for module: mwifiex_sdio
==> WARNING: Possibly missing firmware for module: mwifiex_usb
==> WARNING: Possibly missing firmware for module: zd1201
==> WARNING: Possibly missing firmware for module: zd1211rw
==> WARNING: Possibly missing firmware for module: p54spi
==> WARNING: Possibly missing firmware for module: p54pci
==> WARNING: Possibly missing firmware for module: p54usb
==> WARNING: Possibly missing firmware for module: orinoco_usb
==> WARNING: Possibly missing firmware for module: rtl8723ae
==> WARNING: Possibly missing firmware for module: b43
==> WARNING: Possibly missing firmware for module: b43legacy
==> WARNING: Possibly missing firmware for module: ipw2200
==> WARNING: Possibly missing firmware for module: ipw2100
==> WARNING: Possibly missing firmware for module: atmel
==> WARNING: Possibly missing firmware for module: at76c50x_usb
==> WARNING: Possibly missing firmware for module: mlxsw_spectrum
==> WARNING: Possibly missing firmware for module: nfp
==> WARNING: Possibly missing firmware for module: liquidio
==> WARNING: Possibly missing firmware for module: bnx2x
==> WARNING: Possibly missing firmware for module: bna
==> WARNING: Possibly missing firmware for module: softing_cs
  -> Running build hook: [dropbear]
Key is a ssh-rsa key
Wrote key to '/etc/dropbear/dropbear_rsa_host_key'
Error: unable to create key structure
Error reading key from '/etc/ssh/ssh_host_dsa_key'
Key is a ecdsa-sha2-nistp256 key
Wrote key to '/etc/dropbear/dropbear_ecdsa_host_key'
dropbear_rsa_host_key : SHA256:J9v2M8Lso02myd7Ah5Gk2itcNOq0dWVyARVSpBzx8R0
dropbear_ecdsa_host_key : SHA256:1c9URey3Z3JnUAWXKGFIVruzcWnhBtiqiQsEe/TdLXM
  -> Running build hook: [encryptssh]
==> WARNING: Possibly missing firmware for module: qat_4xxx
  -> Running build hook: [filesystems]
  -> Running build hook: [keyboard]
  -> Running build hook: [fsck]
==> Generating module dependencies
==> Creating zstd-compressed initcpio image: /boot/initramfs-linux-fallback.img
==> Image generation successful
Here you can see a strange dropbear error:
Error: unable to create key structure
Error reading key from '/etc/ssh/ssh_host_dsa_key'
I don't know why this happens, or whether it could be the cause of my problem, i.e. why I cannot connect to dropbear SSH, since I use an RSA key rather than DSA to establish the dropbear SSH connection. In any case, I am attaching some more details.
[root@host ~]# ls -l /etc/dropbear
total 16
-rw------- 1 root root 140 Aug 11 14:01 dropbear_ecdsa_host_key
-rw------- 1 root root 83 Aug 11 14:00 dropbear_ed25519_host_key
-rw------- 1 root root 1189 Aug 11 13:13 dropbear_rsa_host_key
-rw-r--r-- 1 root root 563 Aug 11 11:15 root_key
[root@host ~]# ls -l /etc/ssh
total 536
-rw-r--r-- 1 root root 505489 Apr 8 14:34 moduli
-rw-r--r-- 1 root root 1531 Apr 8 14:34 ssh_config
-rw-r--r-- 1 root root 3131 Aug 11 09:50 sshd_config
-rw------- 1 root root 668 Aug 11 12:57 ssh_host_dsa_key
-rw-r--r-- 1 root root 599 Aug 11 12:57 ssh_host_dsa_key.pub
-rw------- 1 root root 227 Aug 11 12:57 ssh_host_ecdsa_key
-rw-r--r-- 1 root root 171 Aug 11 12:57 ssh_host_ecdsa_key.pub
-rw------- 1 root root 399 Aug 11 12:57 ssh_host_ed25519_key
-rw-r--r-- 1 root root 91 Aug 11 12:57 ssh_host_ed25519_key.pub
-rw------- 1 root root 2459 Aug 11 12:57 ssh_host_rsa_key
-rw-r--r-- 1 root root 563 Aug 11 12:57 ssh_host_rsa_key.pub
[root@host ~]# cat /etc/ssh/ssh_host_dsa_key
-----BEGIN DSA PRIVATE KEY-----
MIIBuwIBAAKBgQDrcndi0o+A7wKsoc5jL57HgEOJwxKSYBMJWC5314/e3vJ3ADz9
8L4fYbRSmpJrSYvkQsHjALYJsAz7P3KsD6a1NqFlrgX/3aUeEaxQ6yGH1OdX7QeB
GwXSxHnGt07PgbkuQPulASu+d0XLXciCg65d+7HxNw+EKrf+h5qMh8tOHwIVAJD2
2Js/dX/DOC7GTO5EkRMZ9WcBAoGAedXP6N5g2LPh5NuT6dLZA6FMmSkS6RZ+/ofN
5gC1g/zDUcX1xctZzPcaQt94fY+lVLERyBb8kf1/nAFpoHTSEyzmlbw16DsFYYjG
T5E1cOd2NGnmR+mPyQJCkW95HvFdjQreomA1k7QKdndnIwIkjcyWCrZyMw4xydnT
WOUF+aYCgYEAlcX9jnnKzfUmP2bF5MkBeKsMzEYG8/SvECblhuM4J6+wCR5pOhSg
owToGa6pPIsIsLR/DXsHpd8xij+D0oRbKtc2Al3c8HbPJ8tcPfnPPjOpsSMd8YUv
dkj0zg5sIh6ujTcWM5BbDvGKpU+5eW0HHvHU6E/G9tet76/HKpgQtl0CFA/0lVMi
J5VrlqWYS/T94pZqwL8B
-----END DSA PRIVATE KEY-----
Rebooted.
The server is up and waiting for the passphrase. Screenshot from the cloud provider's console:
I compared my output with this tutorial. It seems the only difference is that my output contains the line: SIOCADDRT: Network is unreachable
Trying to connect to the dropbear SSH server from the client:
$ eval $(ssh-agent)
Agent pid 20578
$ ssh-add unlock_luks
Identity added: unlock_luks (<USER>)
$ ssh -v root@<SERVERIP>
Output:
$ ssh -v root@<SERVERIP>
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to <SERVERIP> [<SERVERIP>] port 22.
It never connects. Nmap says the SSH port is filtered:
$ nmap <SERVERIP> -p 22
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.08 seconds
$ nmap <SERVERIP> -p 22 -Pn
Nmap scan report for <HOST> (<SERVERIP>)
Host is up.
PORT STATE SERVICE
22/tcp filtered ssh
Nmap done: 1 IP address (1 host up) scanned in 2.12 seconds
An nmap traceroute (sudo nmap <SERVERIP> -p 22 -Pn --traceroute) shows that the packets do not reach my server but end up at a different server. However, once the disk is unlocked and the system has fully booted, the packets reach my server as expected and nmap reports the SSH port as open.
Hoping for your help!
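The two configuration fragments the post depends on, the HOOKS array and the kernel command line, can be checked offline before rebooting. The following script is an added example and is not the poster's code nor part of any Arch package: it parses a HOOKS line and a GRUB_CMDLINE_LINUX value (both passed in as strings, so nothing on the live system is read), verifies the hook order netconf, dropbear, encryptssh, filesystems that the post uses, and validates the kernel ip= parameter. For a static ip= it checks that the gateway lies inside the client's subnet, which is the generic routing condition behind a "SIOCADDRT: Network is unreachable" error when the default route is added; that check, and the warning about the plain encrypt hook appearing next to encryptssh, are assumptions of this example, not statements from the post. Function names are the example's own.

```python
"""Offline sanity checks for a dropbear/encryptssh initramfs setup.

Constructed example: validates the HOOKS array from /etc/mkinitcpio.conf
and the kernel command line from GRUB_CMDLINE_LINUX, both given as text.
"""
import ipaddress
import re
import shlex

# Relative order the remote-unlock hooks must keep (taken from the post's
# own HOOKS line: network first, then the SSH daemon, then unlocking).
REQUIRED_ORDER = ["netconf", "dropbear", "encryptssh", "filesystems"]

# Keywords the kernel accepts for automatic configuration in ip=<autoconf>.
AUTOCONF_KEYWORDS = {"dhcp", "bootp", "rarp", "any", "on", "both"}


def parse_hooks(conf_text):
    """Return the names inside HOOKS=(...) in mkinitcpio.conf text."""
    match = re.search(r"^\s*HOOKS=\((.*?)\)", conf_text, re.MULTILINE | re.DOTALL)
    if not match:
        raise ValueError("no HOOKS=(...) line found")
    return match.group(1).split()


def check_hooks(hooks):
    """Return a list of problems with the hook list (empty list means OK)."""
    problems = []
    missing = [h for h in REQUIRED_ORDER if h not in hooks]
    if missing:
        problems.append("missing hooks: " + ", ".join(missing))
        return problems
    positions = [hooks.index(h) for h in REQUIRED_ORDER]
    if positions != sorted(positions):
        problems.append("hooks must appear in the order " + " ".join(REQUIRED_ORDER))
    if "encrypt" in hooks:
        # Assumption of this example: encryptssh is used instead of encrypt.
        problems.append("both 'encrypt' and 'encryptssh' present; use only encryptssh")
    return problems


def parse_cmdline(cmdline):
    """Split a kernel command line into {key: value}; bare flags map to ''."""
    params = {}
    for token in shlex.split(cmdline):
        key, _, value = token.partition("=")
        params[key] = value
    return params


def check_ip_param(ip_value):
    """Validate ip=; static form is client:server:gateway:netmask:host:dev:autoconf."""
    problems = []
    if ip_value in AUTOCONF_KEYWORDS:
        return problems
    fields = ip_value.split(":")
    if len(fields) < 4:
        problems.append("static ip= needs at least client:server:gateway:netmask")
        return problems
    client, _server, gateway, netmask = fields[:4]
    if not client:
        problems.append("static ip= has no client address")
        return problems
    try:
        network = ipaddress.ip_interface(f"{client}/{netmask}").network
    except ValueError as exc:
        problems.append(f"bad client address or netmask: {exc}")
        return problems
    if gateway:
        try:
            gw = ipaddress.ip_address(gateway)
        except ValueError:
            problems.append(f"bad gateway address: {gateway}")
            return problems
        if gw not in network:
            # Adding a default route via an off-subnet gateway is exactly what
            # fails with 'SIOCADDRT: Network is unreachable'.
            problems.append(f"gateway {gw} is not inside {network}; default route unreachable")
    return problems


def check_cmdline(cmdline):
    """Check cryptdevice= and ip= on a GRUB_CMDLINE_LINUX value."""
    problems = []
    params = parse_cmdline(cmdline)
    if ":" not in params.get("cryptdevice", ""):
        problems.append("cryptdevice= must be <device>:<mapper-name>")
    if "ip" not in params:
        problems.append("ip= is missing; netconf cannot configure the interface")
    else:
        problems += check_ip_param(params["ip"])
    return problems


if __name__ == "__main__":
    # The post's own configuration, embedded here as constructed input.
    conf = "HOOKS=(base udev autodetect modconf block mdadm_udev lvm2 netconf dropbear encryptssh filesystems keyboard fsck)"
    print("hooks:", check_hooks(parse_hooks(conf)) or "OK")
    print("cmdline:", check_cmdline("cryptdevice=/dev/sda3:cryptroot ip=dhcp") or "OK")
```

Run it directly to check the post's values; to test a static fallback for a provider that does not answer DHCP in the initramfs, pass the candidate ip= string to check_ip_param first so that an off-subnet gateway is caught before the reboot rather than in the console.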