I want to unlock an encrypted LVM at boot on a headless Ubuntu 16.04 server. This is a fairly fresh install; the only software I have installed is mate-desktop, xrdp, dropbear and busybox. My client is PuTTY on a Windows machine. I am fairly new to Linux, but I have made the following progress:

- Installed dropbear and busybox
- Used puttygen to generate a key pair
- Copied the public key to ~/.ssh/authorized_keys and set appropriate permissions (700 on the directory, 600 on the file)
- Copied the public key to /etc/initramfs-tools/root/.ssh/authorized_keys and set appropriate permissions (700 on the directory, 600 on the file)
- Confirmed that my key works by successfully connecting to a normal user session through PuTTY using key authentication
- Created the scripts and modified the config files as described at this link (note: I did not perform step 8, but my /var/log/auth.log does not contain the error shown in the troubleshooting section of that blog post for the case where step 8 is skipped)
- Updated the initramfs

When the system boots and shows the graphical LUKS unlock prompt, I get no response from the server when I try to connect through PuTTY; the connection times out. I cannot find any resource that deals with dropbear/busybox not running at boot. I am certain that if I could get a response, my key would work and I could unlock without trouble.

How can I find out why dropbear/busybox is not running at boot?

(To clarify: I can still unlock at the server itself and SSH into a user session afterwards.)
Answer 1
After a lot of Googling and countless rounds of trial and error, I finally figured this out.

Here are the steps I took on top of the steps outlined in the question:

- Removed the scripts from the blog post referenced in the question
- Through trial and error, eventually removed the ifconfig eth0 0.0.0.0 down from step 6 of the blog post in /usr/share/initramfs-tools/scripts/init-bottom/dropbear; I never added it back and never needed it
- Modified and added the following scripts from this post:

# Comment lines in /usr/share/initramfs-tools/scripts/local-top/cryptroot as follows:
#
    if [ -z "$cryptkeyscript" ]; then
        cryptkey="Unlocking the disk $cryptsource ($crypttarget)\nEnter passphrase: "
        #if [ -x /bin/plymouth ] && plymouth --ping; then
        #    cryptkeyscript="plymouth ask-for-password --prompt"
        #    cryptkey=$(echo -e "$cryptkey")
        #else
            cryptkeyscript="/lib/cryptsetup/askpass"
        #fi
    fi

# Add /usr/share/initramfs-tools/hooks/cryptroot_unlock and make executable
#
# Prompt to unlock LUKS encrypted root partition remotely
#
# See linked post for sources and acknowledgements
#
#!/bin/sh
PREREQ=""
prereqs() {
    echo "$PREREQ"
}
case $1 in
    prereqs)
        prereqs
        exit 0
        ;;
esac

. /usr/share/initramfs-tools/hook-functions

#
# Begin real processing
#
SCRIPTNAME=unlock

# 1) Create script to unlock luks partitions
#    (quoted heredoc: nothing is expanded, the script is copied verbatim)
cat > ${DESTDIR}/bin/${SCRIPTNAME} << '__EOF'
#!/bin/sh
/lib/cryptsetup/askpass "Enter volume password: " > /lib/cryptsetup/passfifo
__EOF
chmod 700 ${DESTDIR}/bin/${SCRIPTNAME}

# 2) Enhance Message Of The Day (MOTD) with info how to unlock luks partition
#    (unquoted heredoc so ${SCRIPTNAME} is expanded into the MOTD text)
cat >> ${DESTDIR}/etc/motd << __EOF
To unlock root-partition run "${SCRIPTNAME}"
__EOF

# Add /usr/share/initramfs-tools/scripts/local-bottom/dropbear_kill_clients and make executable
#
# Kills all DropBear client sessions if InitRAMFS is left
#
# See linked post for sources and acknowledgements
#
#!/bin/sh
PREREQ=""
prereqs() {
    echo "$PREREQ"
}
case $1 in
    prereqs)
        prereqs
        exit 0
        ;;
esac

#
# Begin real processing
#
NAME=dropbear
PROG=/sbin/dropbear

# get all server pids that should be ignored
ignore=""
for server in `cat /var/run/${NAME}*.pid`
do
    ignore="${ignore} ${server}"
done

# get all running pids and kill client connections
for pid in `pidof "${NAME}"`
do
    # check if correct program, otherwise process next pid
    grep -F -q -e "${PROG}" "/proc/${pid}/cmdline" || {
        continue
    }
    # check if pid should be ignored (servers)
    skip=0
    for server in ${ignore}
    do
        if [ "${pid}" = "${server}" ]
        then
            skip=1
            break
        fi
    done
    [ "${skip}" -ne 0 ] && continue
    # kill process
    echo "$0: Killing ${pid}..."
    kill -KILL ${pid}
done
After modifying and adding these scripts, dropbear started, but my network device was not connecting to the network, so I still could not connect to the server.

I eventually discovered, using ls /sys/class/net, that my network adapter is not called eth0; apparently that is an old naming scheme no longer used by recent Ubuntu releases, and because every post I found was old or even ancient, eth0 was the only name referenced anywhere.

So, using that information plus a few snippets found from other sources, I modified initramfs.conf as follows:

- Changed the DEVICE= section of /etc/initramfs-tools/initramfs.conf to read:

DEVICE=<name of network adapter discovered using ls /sys/class/net>
IP=<Static IP Address>::<Default Gateway>:<Subnet Mask>::<name of network adapter>:off

- Updated the initramfs (sudo update-initramfs -u)

Now dropbear connects to the network and I can connect to the server and unlock it remotely.
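Both failures above (dropbear pieces missing from the initramfs, and DEVICE= naming an adapter that does not exist on the host) can be caught before rebooting by inspecting the rebuilt image and the config offline. The following is an added example, not code from either answer or from the linked posts; it assumes initramfs-tools' lsinitramfs for the real listing, and the sample listing, config and interface names are constructed.

```shell
# Added example, not code from the original answers: offline sanity checks for
# the rebuilt initramfs and for initramfs.conf, to run before rebooting.
# Assumes lsinitramfs (initramfs-tools) for the real listing; sample data below is constructed.

# check_listing LISTING: succeed only if the initramfs file list contains
# every piece the remote unlock needs (dropbear binary, its init-premount
# script, the copied authorized_keys and the askpass helper).
check_listing() {
    listing="$1"
    missing=""
    for needle in sbin/dropbear scripts/init-premount/dropbear \
                  .ssh/authorized_keys lib/cryptsetup/askpass; do
        printf '%s\n' "$listing" | grep -qF -- "$needle" || missing="$missing $needle"
    done
    [ -z "$missing" ] && return 0
    echo "missing from initramfs:$missing" >&2
    return 1
}

# check_device CONF IFACES: succeed only if DEVICE= in the initramfs.conf
# text names one of the interfaces in IFACES (what ls /sys/class/net shows).
# An unset DEVICE= is reported as a failure on purpose: Answer 1's fix was
# to name the adapter explicitly instead of assuming eth0.
check_device() {
    conf="$1"; ifaces="$2"
    dev=$(printf '%s\n' "$conf" | sed -n 's/^DEVICE=//p' | tail -n1)
    if [ -z "$dev" ]; then
        echo "DEVICE= is unset; set it to the adapter name from ls /sys/class/net" >&2
        return 1
    fi
    for i in $ifaces; do
        [ "$i" = "$dev" ] && return 0
    done
    echo "DEVICE=$dev is not an interface on this host (have: $ifaces)" >&2
    return 1
}

# Constructed sample data standing in for the real command output.
SAMPLE_LISTING='usr/sbin/dropbear
scripts/init-premount/dropbear
root-abc123/.ssh/authorized_keys
lib/cryptsetup/askpass'
SAMPLE_CONF='DEVICE=eth0
IP=192.0.2.10::192.0.2.1:255.255.255.0::eth0:off'
SAMPLE_IFACES='lo enp0s3'

# On a real host run, for example:
#   check_listing "$(lsinitramfs /boot/initrd.img-$(uname -r))"
#   check_device "$(cat /etc/initramfs-tools/initramfs.conf)" "$(ls /sys/class/net)"
```

With the sample data the listing check passes, while the device check fails exactly the way Answer 1's first attempt did: DEVICE=eth0 does not match an adapter named enp0s3.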
Answer 2
I spent almost a week wrapping my head around this because of all the misinformation out there (e.g. "just install dropbear-initramfs").

Here is the script I wrote to automatically set up and configure dropbear for 16.0.4.

Be sure to read the code comments and tailor the script to your system!
#!/bin/bash
## LUKS remote decrypt for Ubuntu 16.04.1 - by BinaryShrub
# NOTES:
# Tailor lines 67 - 69 to your system before running!
# Use at your own risk!

# Safety Check: refuse to run as a non-root user (non-zero exit so callers notice)
if [ "$EUID" -ne 0 ]; then
    echo "You must run this as root"
    exit 1
fi

# Install Dropbear
apt -y install dropbear

# Setup authorized keys
mkdir -p /etc/initramfs-tools/root/.ssh
echo "Insert client id_rsa.pub (Leave empty to use ~/.ssh/authorized_keys):"
read -e r
if [[ -z "$r" ]]; then
    cp ~/.ssh/authorized_keys /etc/initramfs-tools/root/.ssh/authorized_keys
else
    echo "$r" >> /etc/initramfs-tools/root/.ssh/authorized_keys
fi

# Add hook to create unlocker script (quoted heredoc: written verbatim, expanded at initramfs build time)
f=/usr/share/initramfs-tools/hooks/dropbear-unlocker
cat <<\END > "$f"
#!/bin/sh
PREREQ="dropbear"
prereqs() {
    echo "$PREREQ"
}
case "$1" in
    prereqs)
        prereqs
        exit 0
        ;;
esac

. "$CONFDIR/initramfs.conf"
. /usr/share/initramfs-tools/hook-functions

# Copy dropbear if explicitly enabled, or in case of a cryptroot setup if not explicitly disabled
[ "$DROPBEAR" = y ] || [ "$DROPBEAR" != n -a -r /etc/crypttab ] || exit 0

if [ ! -x "/usr/sbin/dropbear" ]; then
    if [ "$DROPBEAR" = y ]; then
        echo "dropbear-unlock: FAILURE: Dropbear not found, script won't start!" >&2
    else
        echo "dropbear-unlock: WARNING: Dropbear not found, script won't start" >&2
    fi
    exit 0
fi

# Copy the unlock script into dropbear's root-* home inside the initramfs
s="$DESTDIR/$(ls $DESTDIR | grep root)/unlocker"
echo "#!/bin/sh
# Ask for decrypt key with one disk
# /scripts/local-top/cryptroot
# With Multiple Disks
/sbin/cryptsetup luksOpen /dev/sda3 sda3_crypt
/sbin/cryptsetup luksOpen /dev/sdb3 sdb3_crypt
/sbin/cryptsetup luksOpen /dev/sdc3 sdc3_crypt
# Hack to address https://goo.gl/2fGjCY
mknod /dev/btrfs-control c 10 234
btrfs device scan
# Kill these programs to keep 'init' moving.
echo \"Loading OS...\"
kill -9 \$(ps | grep cryptsetup | grep askpass | awk '{print \$1}') > /dev/null
kill -9 \$(ps | grep /bin/sh | grep cryptroot | awk '{print \$1}') > /dev/null
exit 0
" > "$s"
chmod +x "$s"
echo "unlocker: loaded"
END
chmod +x "$f"

# Rebuild initramfs
update-initramfs -u
echo "Done! Reboot to initramfs and run ~/unlocker"
https://gist.github.com/BinaryShrub/0587b170dc22b1e7ff7b435c92b53093