
Bug#464410: marked as done (cryptoroot remote unlocking: network configuration without nfs, sshd)



Your message dated Fri, 15 Feb 2008 15:42:02 +0100
with message-id <47B5A4BA.3030103@x.ray.net>
and subject line obsoleted
has caused the Debian Bug report #464410,
regarding cryptoroot remote unlocking: network configuration without nfs, sshd
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
464410: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464410
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: initramfs-tools
Version: 0.91d
Severity: wishlist

hi!

for remote boot/remote unlocking of a cryptoroot system there should be
initrd support at least for a ssh login. i'd suggest:

move the configure_networking (from /script/functions) call from
/script/nfs to /init, after init-premount (just before maybe_break mount):
[ -n "$IPOPTS" ] && configure_networking

(off-topic but relating, so just for completeness: installer should add
an ip=... argument corresponding to the network config to the kernel
boot parameters in menu.lst in case of a cryptoroot install)

mkinitramfs has to add the respective nic-module to the initrd modules
and add the respective entry to /conf/modules if the kernel-entry in
menu.lst has boot parameters containing an ip=... argument.

mkinitramfs should install dropbear, either just in case of a
cryptoroot setup, or in case of an ip=... kernel boot parameter.
a statically linked minimal version of dropbear probably comes to mind
first. the existing dropbear package contains a dynamically linked
version, but installing this plus the dependencies (libc6 and zlib1g)
proved to work, with a probably acceptable increase in size of the
initrd (here: 6.1m to 9.7m).

add dropbear to the configure_networking line in /init mentioned above:
[ -n "$IPOPTS" ] && configure_networking && /usr/sbin/dropbear

mkinitramfs should add a /etc/passwd with an entry for root, create
/root/.ssh, and copy an authorized_keys file there. i don't have a
conclusion yet where this authorized_keys file should come from, but
thinking of the installer again, the installer should probably create
the keypair in case of a cryptoroot install, and just save them
somewhere in /etc, probably somewhere in /etc/initramfs-tools. the same
location is probably also a good idea to put the
dropbear_[dss|rsa]_host_key files which should be copied by mkinitramfs
to /etc/dropbear (which should be generated by the installer in case of
a cryptoroot install).

this way issuing a cryptsetup luksOpen followed by a vgchange -a y, and
then killing the console's cryptsetup via ssh works.



	Chris




--- End Message ---
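
The file staging the report above asks mkinitramfs to do (root entry in /etc/passwd, /root/.ssh/authorized_keys, host keys in /etc/dropbear), as an added example that is not part of the original report or of initramfs-tools. The function name, its two arguments, the "*" password field and /bin/sh as login shell are assumptions; it refuses to stage anything when the key material is missing.

```shell
#!/bin/sh
# Added sketch, not initramfs-tools code. stage_unlock_files and its two
# arguments are hypothetical names.
#   $1 = config dir holding authorized_keys and dropbear_{dss,rsa}_host_key
#        (the report suggests somewhere under /etc/initramfs-tools)
#   $2 = root of the initrd tree being assembled
stage_unlock_files() (
    confdir=$1
    destdir=$2
    umask 077    # subshell body: the caller's umask is left untouched

    # An empty or missing authorized_keys would give an sshd nobody can use.
    if [ ! -s "$confdir/authorized_keys" ]; then
        echo "stage_unlock_files: no authorized_keys in $confdir" >&2
        exit 1
    fi

    mkdir -p "$destdir/etc/dropbear" "$destdir/root/.ssh" || exit 1

    # Copy whichever host keys exist; require at least one.
    copied=0
    for type in dss rsa; do
        key="$confdir/dropbear_${type}_host_key"
        [ -s "$key" ] || continue
        cp "$key" "$destdir/etc/dropbear/" || exit 1
        copied=$((copied + 1))
    done
    if [ "$copied" -eq 0 ]; then
        echo "stage_unlock_files: no dropbear host key in $confdir" >&2
        exit 1
    fi

    cp "$confdir/authorized_keys" "$destdir/root/.ssh/authorized_keys" || exit 1

    # Root entry only; "*" is not a valid hash, so no password matches.
    # /bin/sh as the login shell is an assumption about the initrd.
    echo 'root:*:0:0:root:/root:/bin/sh' > "$destdir/etc/passwd" || exit 1
)
```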
--- Begin Message ---
obsolete wishlist-report, replaced by a new wishlist-report providing a patch which does the job and matches the relating patches provided for the other packages involved (cryptsetup, dropbear).


--- End Message ---
