Bug#464410: cryptoroot remote unlocking: network configuration without nfs, sshd

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#464410: cryptoroot remote unlocking: network configuration without nfs, sshd
From: debian@x.ray.net
Date: Wed, 06 Feb 2008 18:59:14 +0100
Message-id: <[🔎] 47A9F572.5030108@x.ray.net>
Reply-to: debian@x.ray.net, 464410@bugs.debian.org

Package: initramfs-tools
Version: 0.91d
Severity: wishlist

hi!

for remote boot/remote unlocking of a cryptoroot system there should be
initrd support at least for a ssh login. i'd suggest:

move the configure_networking (from /script/functions) call from
/script/nfs to /init, after init-premount (just before maybe_break mount):
[ -n "$IPOPTS" ] && configure_networking

(off-topic but relating, so just for completeness: installer should add
an ip=... argument corresponding to the network config to the kernel
boot parameters in menu.lst in case of a cryptoroot install)

mkinitramfs has to add the respective nic-module to the initrd modules
and add the respective entry to /conf/modules if the kernel-entry in
menu.lst has boot parameters containing an ip=... argument.

mkinitramfs schould install dropbear, either just in case of a
cryptoroot setup, or in case of an ip=... kernel boot parameter.
a statically linked minimal version of dropbear probably comes to mind
first. the existing dropbear package contains a dynamically linked
version, but installing this plus the dependencies (libc6 and zlib1g)
proved to work, with a probably acceptable increase in size of the
initrd (here: 6.1m to 9.7m).

add dropbear to the configure_networking line in /init mentioned above:
[ -n "$IPOPTS" ] && configure_networking && /usr/sbin/dropbear

mkinitramfs should add a /etc/passwd with an entry for root, create
/root/.ssh, and copy an authorized_keys file there. i don't have a
conclusion yet where this authorized_keys file should come from, but
thinking of the installer again, the installer should probably create
the keypair in case of a cryptoroot install, and just save them
somewhere in /etc, probably somewhere in /etc/initramfs-tools. the same
location is probably also a good idea to put the
dropbear_[dss|rsa]_host_key files which should be copied by mkinitramfs
to /etc/dropbear (which should be generated by the installer in case of
a cryptoroot install).

this way issuing a cryptsetup luksOpen followed by a vgchange -a y, and
then killing the console's cryptsetup via ssh works.



	Chris

Reply to:

Follow-Ups:
- Bug#464410: marked as done (cryptoroot remote unlocking: network configuration without nfs, sshd)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Bug#464387: BUG: soft lockup - CPU#0 stuck for 11s! [swapper:0]
Next by Date: help needed with cryptsetup bug #382375 - passphrase prompt gets drowned during initramfs
Previous by thread: Bug#464387: BUG: soft lockup - CPU#0 stuck for 11s! [swapper:0]
Next by thread: Bug#464410: marked as done (cryptoroot remote unlocking: network configuration without nfs, sshd)
Index(es):
- Date
- Thread