0

I'm trying to have dropbear remote SSH boot on a Debian system which is encrypted with LVM crypto LUKS.

I can get it to work on my Raspberry Pi but not on my regular system.

Steps: 1. Install Debian with encrypted LVM.

ls -l /lib/modules/ |awk -F" " '{print $9}'
mkinitramfs -o /boot/initramfs.gz
echo initramfs initramfs.gz >> /boot/config.txt

Then create an RSA SSH key with the following line in front and save it to /etc/dropbear-initramfs/authorized_keys: command="/scripts/local-top/cryptroot && kill -9 `ps | grep -m 1 'cryptroot' | cut -d ' ' -f 3`" ssh...

Then:

mkinitramfs -o /boot/initramfs.gz 
reboot

I can type the password and decrypt with a keyboard, but when I log in with SSH I get:

/scripts/local-top/cryptroot: line 218: modprobe: not found
/scripts/local-top/cryptroot: line 378: blkid: not found
/scripts/local-top/cryptroot: line 378: blkid: not found
/scripts/local-top/cryptroot: line 378: blkid: not found
/scripts/local-top/cryptroot: line 378: blkid: not found
/scripts/local-top/cryptroot: line 378: blkid: not found
...

Please help?

Extra info:
My blkid

/dev/sda1: UUID="42a9ca50-b757-4e11-985f-8fc75323b598" TYPE="ext2" PARTUUID="38de37f0-01"
/dev/sda5: UUID="3448b157-a1f9-4f6a-a1ea-37e6362cdea8" TYPE="crypto_LUKS" PARTUUID="38de37f0-05"       
/dev/mapper/sda5_crypt: UUID="nzAaP7-Ocx9-BJzO-BM7S-SQcY-BHqp-tbgvH6" TYPE="LVM2_member"
/dev/mapper/deb--vg-root: UUID="f8ec5b07-75fe-4870-9fb6-9e9035d21a20" TYPE="ext4"               
/dev/mapper/deb--vg-swap_1: UUID="ff915ae6-210f-4bbb-8988-b30aacae3dea" TYPE="swap"  

My /etc/fstab

/dev/sda1: UUID="42a9ca50-b757-4e11-985f-8fc75323b598" TYPE="ext2" PARTUUID="38de37f0-01"
/dev/sda5: UUID="3448b157-v4a5-4f6a-a1ea-28e6362cdea9" TYPE="crypto_LUKS" PARTUUID="38de37f0-05"
/dev/sdb1: UUID="CC55-BAFE" TYPE="vfat" PARTUUID="0000370e-01"
/dev/mapper/sda5_crypt: UUID="nzAaP7-Ocx9-BJzO-BM7S-SQcY-BHqp-tbgvH6" TYPE="LVM2_member"
/dev/mapper/theproject1--vg-root: UUID="f8ec5b07-75fe-4870-9fb6-9e9035d21a20" TYPE="ext4"
/dev/mapper/theproject1--vg-swap_1: UUID="ff915ae6-210f-4bbb-8988-b30aacae3dea" TYPE="swap"  

My /etc/crypttab

sda5_crypt UUID=3448b157-v4a5-4f6a-a1ea-28e6362cdea9 none luks,discard
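
The question lists both blkid output and /etc/crypttab. As an added example (not part of the original post or the answer), this script cross-checks the two: each crypttab entry with a UUID= source is reported as ok, malformed, or missing from the crypto_LUKS devices blkid knows about. The function names and temporary file names are assumptions; the sample input is copied from the listings above.

```shell
#!/bin/sh
# Added example: cross-check /etc/crypttab UUID= sources against blkid output.
UUID_RE='^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'

# luks_uuids FILE: print the UUID of each crypto_LUKS device in saved blkid
# output (assumes blkid's default "UUID=... TYPE=..." field order).
luks_uuids() {
    sed -n 's/.* UUID="\([^"]*\)".* TYPE="crypto_LUKS".*/\1/p' "$1"
}

# check_crypttab CRYPTTAB BLKID_FILE: print "<name> <status> <uuid>" for each
# UUID= entry, where status is ok, malformed (not a UUID) or missing (no LUKS
# device carries it). Returns 0 only if every entry is ok.
check_crypttab() {
    rc=0
    known=$(luks_uuids "$2")
    while read -r name source _rest || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac
        case "$source" in UUID=*) uuid=${source#UUID=} ;; *) continue ;; esac
        if ! printf '%s\n' "$uuid" | grep -Eqi -e "$UUID_RE"; then
            echo "$name malformed $uuid"; rc=1
        elif printf '%s\n' "$known" | grep -Fqx -e "$uuid"; then
            echo "$name ok $uuid"
        else
            echo "$name missing $uuid"; rc=1
        fi
    done < "$1"
    return "$rc"
}

# Sample input copied from the question's blkid and crypttab listings.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/blkid.txt" <<'EOF'
/dev/sda1: UUID="42a9ca50-b757-4e11-985f-8fc75323b598" TYPE="ext2" PARTUUID="38de37f0-01"
/dev/sda5: UUID="3448b157-a1f9-4f6a-a1ea-37e6362cdea8" TYPE="crypto_LUKS" PARTUUID="38de37f0-05"
EOF
cat > "$tmp/crypttab" <<'EOF'
sda5_crypt UUID=3448b157-v4a5-4f6a-a1ea-28e6362cdea9 none luks,discard
EOF
check_crypttab "$tmp/crypttab" "$tmp/blkid.txt" || echo "crypttab needs attention"
```

On a live system, save `blkid` output to a file and pass it together with /etc/crypttab.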

1 Answer

1

I had a similar issue, but different resolution.

I have an encrypted Kali Linux computer and use the dropbear-initramfs package to unlock the root disk at boot remotely over the dropbear SSH session using cryptroot-unlock.

This worked fine for a long time, but after some update it stopped working. I could SSH to the initramfs disk dropbear session but when I did "cryptroot-unlock" it would hang and I would get the error "Error: Timeout reached while waiting for askpass."

Eventually I found the solution: https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1687842.html Basically, to fix it I uninstalled the "cryptsetup-nuke-password" package ("apt remove cryptsetup-nuke-password"). Then I rebooted, and then I could successfully open the encrypted /root partition remotely via dropbear-initramfs.

If you are getting the error "Error: Timeout reached while waiting for askpass." when SSH'ed to your dropbear-initramfs at boot and trying to cryptroot-unlock the drive, then to confirm whether the issue is the same as mine, do a "ps" and look through the running processes. If you see something similar to "/lib/cryptsetup/askpass.cryptsetup Please unlock disk .." then I suggest logging on via the console and removing "cryptsetup-nuke-password" to resolve the issue.

  • I'll try it right away, but it might not be useful if you wanna have nuke keys on your drive. Hope the developers are on it to fix the problem ASAP – soroush Oct 20 '19 at 15:05