Luks, ssh unlock, Strange behaviour, Invalid authorized_keys file
Solution 1
I finally found a solution thanks to some help on #debian. On recent debian, the procedure seems to be quite different. Here is the new one:
First make sure that dropbear and dropbear-initramfs are installed:
sudo apt install busybox dropbear*
then add your public key (most of the time ~/.ssh/id_rsa.pub) in the file /etc/dropbear-initramfs/authorized_keys.
Then update the initramfs to take the changes into account:
update-initramfs -u
That's all!
Note: if you want to avoid having a clash between the dropbear and openssh keys (they share the same IP, but use a different key), you may want to put something like this in your client's ~/.ssh/config:
Host myserver_luks_unlock
User root
Hostname <myserver>
# The next line is useful to avoid ssh conflict with IP
HostKeyAlias <myserver>_luks_unlock
Port 22
PreferredAuthentications publickey
IdentityFile ~/.ssh/id_rsa
Then, you just connect using:
ssh myserver_luks_unlock
and once you get a prompt, type, as suggested by the busybox text:
cryptroot-unlock
Enjoy!
Solution 2
Just some further details.
First, if your ssh client does not have a private/public key pair yet, you need to generate it with ssh-keygen, as shown here.
Second, I would specify that you need to:
add your client's public key (most of the time ~/.ssh/id_rsa.pub) in the file /etc/dropbear-initramfs/authorized_keys on the server
Here's how. On client:
c_user@client:~$ scp .ssh/id_rsa.pub s_user@server:id_rsa.pub
On server:
s_user@server:~$ sudo sh -c "cat id_rsa.pub >> /etc/dropbear-initramfs/authorized_keys"
s_user@server:~$ rm id_rsa.pub
Finally, it's very important that you connect to the server as root (even if the root account is disabled).
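Both answers append the client's public key to /etc/dropbear-initramfs/authorized_keys on trust (Solution 2 with a plain cat >>), which is how a malformed line, a duplicate, or a key type the initramfs dropbear cannot read ends up producing the "Invalid authorized_keys file" warning discussed in the comments. The script below is an added example, not code from either answer: it checks the key line before appending it once, with restrictive permissions. It assumes a POSIX sh with grep -E; the accepted key types and the no-*-forwarding restrictions are this script's own policy choices, and the base64 prefixes are the fixed wire-format encodings of each key type name.

```shell
# Validate an OpenSSH public key line and append it to the dropbear-initramfs
# authorized_keys file without duplicating it. Accepted types and the session
# restrictions below are this script's own policy (assumption), not dropbear's.

# ssh-dss is deliberately left out. Older dropbear packages reject ssh-ed25519
# (see SilentVoid's comment), so remove it here if yours is one of them.
ALLOWED_TYPES="ssh-rsa ssh-ed25519 ecdsa-sha2-nistp256"
# Restrictions dropbear honours in authorized_keys; an unlock session needs none of them.
KEY_OPTIONS="no-port-forwarding,no-agent-forwarding,no-X11-forwarding"

# The wire-format blob begins with the key type, so its base64 prefix is fixed per type.
blob_prefix() {
    case $1 in
        ssh-rsa)             echo AAAAB3NzaC1yc2E ;;
        ssh-ed25519)         echo AAAAC3NzaC1lZDI1NTE5 ;;
        ecdsa-sha2-nistp256) echo AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY ;;
    esac
}

# add_dropbear_key <pubkey file> [<authorized_keys path>]
# Returns 0 when the key is present afterwards, 1 when the input was rejected.
add_dropbear_key() {
    keyfile=$1
    authkeys=${2:-/etc/dropbear-initramfs/authorized_keys}
    # A .pub file is exactly one line: "<type> <base64 blob> [comment]".
    [ "$(wc -l < "$keyfile" | tr -d ' ')" -le 1 ] \
        || { echo "refusing $keyfile: more than one line" >&2; return 1; }
    read -r ktype kblob kcomment < "$keyfile" || true
    case " $ALLOWED_TYPES " in
        *" $ktype "*) ;;
        *) echo "refusing $keyfile: key type '$ktype' not allowed" >&2; return 1 ;;
    esac
    printf '%s\n' "$kblob" | grep -Eq '^[A-Za-z0-9+/]{16,}={0,2}$' \
        || { echo "refusing $keyfile: blob is not base64" >&2; return 1; }
    case $kblob in
        "$(blob_prefix "$ktype")"*) ;;
        *) echo "refusing $keyfile: blob does not encode a $ktype key" >&2; return 1 ;;
    esac
    # Idempotent: a key that is already there is not appended again.
    if [ -f "$authkeys" ] && grep -qF -- "$ktype $kblob" "$authkeys"; then
        echo "already present in $authkeys"; return 0
    fi
    line="$KEY_OPTIONS $ktype $kblob"
    [ -n "$kcomment" ] && line="$line $kcomment"
    mkdir -p "$(dirname "$authkeys")"
    printf '%s\n' "$line" >> "$authkeys"
    chmod 600 "$authkeys"
}
```

Run it on the server as root with the copied .pub file as the first argument, then rebuild the initramfs with update-initramfs -u exactly as Solution 1 describes; the warning from the comments should no longer appear for a key that passed these checks.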
tobiasBora
Updated on September 18, 2022
Comments
- tobiasBora over 1 year
I don't know why, but I can't manage to follow these instructions on my debian stable. After installing dropbear and busybox, I tried to run initramfs -u. I got here a strange warning:
# update-initramfs -u
update-initramfs: Generating /boot/initrd.img-4.9.0-4-amd64
dropbear: WARNING: Invalid authorized_keys file, remote unlocking of cryptroot via SSH won't work!
Then, I tried to look in the file /etc/initramfs-tools/root/.ssh/id_rsa, but there is no folder root in the initramfs folder. I also tried to run dropbearkey -t dss -f /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key but there is no folder /etc/initramfs-tools/etc/, so this command also fails. Of course, I can create these folders, but I'm afraid that this strange behaviour does not come from a deeper error. If it can help, here is the content of the initramfs folder:
me@server:/etc/initramfs-tools# ls
conf.d hooks initramfs.conf modules scripts update-initramfs.conf
Thank you!
- SilentVoid over 3 years
This may not have been the issue here, but I was receiving the same error and it turns out that it was because I use an ed25519 key and dropbear just merged in support for this key type a few months ago and it is not yet supported by the version in the Ubuntu 20.04 package at least. I had to create an RSA key to use in the initramfs.