Luks, ssh unlock, Strange behaviour, Invalid authorized_keys file

Solution 1

I finally found a solution thanks to some help on #debian. On recent Debian, the procedure seems to be quite different. Here is the new one:

First make sure that dropbear and dropbear-initramfs are installed

sudo apt install busybox dropbear*

Then add your public key (most of the time ~/.ssh/id_rsa.pub) to the file /etc/dropbear-initramfs/authorized_keys.

Then update the initramfs to take the changes into account: update-initramfs -u

That's all!

Note: if you want to avoid a clash between the host keys of dropbear and openssh (they share the same IP but use different keys), you may want to put something like this in your client's ~/.ssh/config:

Host myserver_luks_unlock
     User root
     Hostname <myserver>
     # The next line is useful to avoid ssh conflict with IP
     HostKeyAlias <myserver>_luks_unlock
     Port 22
     PreferredAuthentications publickey
     IdentityFile ~/.ssh/id_rsa

Then, you just connect using:

ssh myserver_luks_unlock

and once you get a prompt, type, as suggested by the busybox text:

cryptroot-unlock

Enjoy!

Solution 2

Just some further details.

First, if your ssh client does not have a private/public key pair yet, you need to generate it with ssh-keygen, as shown here.

Second, I would specify that you need to:

add your client's public key (most of the time ~/.ssh/id_rsa.pub) in the file /etc/dropbear-initramfs/authorized_keys on the server

Here's how. On client:

c_user@client:~$ scp .ssh/id_rsa.pub s_user@server:id_rsa.pub

On server:

s_user@server:~$ sudo sh -c "cat id_rsa.pub >> /etc/dropbear-initramfs/authorized_keys"
s_user@server:~$ rm id_rsa.pub

Finally, it's very important that you connect to the server as root (even if the root account is disabled).
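Both answers append the client's public key to /etc/dropbear-initramfs/authorized_keys and then rebuild the initramfs. The POSIX sh script below is an added example, not code from either answer: it checks a key line before appending it (key type accepted by the installed dropbear, base64 blob actually encoding that type, no duplicate entry) so that a key dropbear cannot use is caught before update-initramfs reports "Invalid authorized_keys file". ACCEPTED_TYPES, the function names and the constructed blob from sample_key are assumptions.

```shell
#!/bin/sh
# Validate a client public key before it goes into dropbear's authorized_keys,
# so a key dropbear cannot use is caught before update-initramfs warns about
# an "Invalid authorized_keys file". ACCEPTED_TYPES is an assumption about the
# installed dropbear (the comment below reports an older package without
# ssh-ed25519 support); adjust it to match your version.
ACCEPTED_TYPES="ssh-rsa ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521"

# check_pubkey_line LINE: 0 if LINE is "<type> <base64 blob> [comment]", the type
# is accepted and the blob really encodes that type; the reason goes to stderr.
# Key option prefixes (command=..., no-pty) are assumed absent.
check_pubkey_line() {
    _line=$1
    _type=${_line%% *}
    _rest=${_line#* }
    _blob=${_rest%% *}
    if [ -z "$_type" ] || [ "$_rest" = "$_line" ] || [ -z "$_blob" ]; then
        echo "malformed line (expected: <type> <base64> [comment])" >&2; return 1
    fi
    case " $ACCEPTED_TYPES " in
        *" $_type "*) ;;
        *) echo "key type $_type is not accepted by this dropbear" >&2; return 1 ;;
    esac
    # The blob is SSH wire format: a 4-byte length, then the type string again.
    _inner=$(printf '%s' "$_blob" | base64 -d 2>/dev/null |
             dd bs=1 skip=4 count="${#_type}" 2>/dev/null)
    [ "$_inner" = "$_type" ] || { echo "blob does not decode to a $_type key" >&2; return 1; }
}

# add_dropbear_key LINE FILE: append LINE to FILE only if it passes the check
# and is not already present, and keep the file 0600 (run it with sudo for
# /etc/dropbear-initramfs/authorized_keys, then run update-initramfs -u).
add_dropbear_key() {
    _file=$2
    check_pubkey_line "$1" || return 1
    if [ -f "$_file" ] && grep -qxF "$1" "$_file"; then
        echo "key already present in $_file" >&2; return 0
    fi
    printf '%s\n' "$1" >> "$_file" && chmod 600 "$_file"
}

# sample_key TYPE: a constructed blob carrying only the type string and a dummy
# field; it is NOT a real key and exists only to exercise the checks offline.
sample_key() {
    _len=$(printf '\\%03o' "${#1}")
    printf "\000\000\000${_len}%s\000\000\000\001\003" "$1" | base64 | tr -d '\n'
}
```

A real key line from ~/.ssh/id_rsa.pub passes the same check, since the blob OpenSSH writes starts with the same length-prefixed type string.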

Author: tobiasBora

Updated on September 18, 2022

Comments

  • tobiasBora (over 1 year ago)

    I don't know why, but I can't manage to follow these instructions on my Debian stable. After installing dropbear and busybox, I tried to run update-initramfs -u. I got this strange warning:

    # update-initramfs -u
    update-initramfs: Generating /boot/initrd.img-4.9.0-4-amd64
    dropbear: WARNING: Invalid authorized_keys file, remote unlocking of cryptroot via SSH won't work!

    Then, I tried to look in the file /etc/initramfs-tools/root/.ssh/id_rsa, but there is no folder root in the initramfs folder. I also tried to run

    dropbearkey -t dss -f /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key

    but there is no folder /etc/initramfs-tools/etc/, so this command also fails. Of course, I can create these folders, but I'm afraid that this strange behaviour does not come from a deeper error. If it can help, here is the content of the initramfs folder:

    me@server:/etc/initramfs-tools# ls
    conf.d  hooks  initramfs.conf  modules  scripts  update-initramfs.conf

    Thank you!

    • SilentVoid (over 3 years ago)
      This may not have been the issue here, but I was receiving the same error and it turns out that it was because I use an ed25519 key and dropbear just merged in support for this key type a few months ago and it is not yet supported by the version in the Ubuntu 20.04 package at least. I had to create an RSA key to use in the initramfs.