It's unclear which known_hosts are troubling you - on the server or on the client. I used the instructions at http://blog.neutrino.es/2011/unlocking-a-luks-encrypted-root-partition-remotely-via-ssh/ on Debian. I am going to paraphrase that page and add some tweaks I found useful. Contemporary Debian dropbear packages create all the needed keys on the server at installation time, but the referenced tutorial is so old that it mentions cases when the keys need to be manually created. YMMV.
A. On the server. As you correctly mentioned, dropbear and OpenSSH keys differ, but are supposedly inter-convertible. The tutorial says that you could create the host keys on the server with:
dropbearkey -t rsa -f /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
In fact, it is a bit harder than that. For me on Debian Jessie, the steps were:
Create an OpenSSH key.
ssh-keygen -t rsa -b 4096 -m PEM -f bootkey_rsa
Copy it to the server, that is, the computer where you are more likely to have dropbearconvert. There, convert it to dropbear format:
/usr/lib/dropbear/dropbearconvert openssh dropbear bootkey_rsa bootkey_dropbear_rsa
Still on the server, log in as root, and extract the public part from the Dropbear key into the file where the boot-time dropbear looks for it:
dropbearkey -y -f bootkey_dropbear_rsa | grep "^ssh-rsa" > /etc/dropbear-initramfs/authorized_keys
Update initramfs:
update-initramfs -u -k all
Cleanup: remove bootkey_dropbear_rsa and bootkey_rsa from the server.
Note that the location where the known_hosts is expected by update-initramfs, given above as /etc/dropbear-initramfs/authorized_keys, is flexible and probably changes from distro to distro. To be sure you put it in the right place, read the source file /usr/share/initramfs-tools/hooks/dropbear.
The other needed key is created with:
dropbearkey -t rsa -f /etc/initramfs-tools/root/.ssh/id_rsa.dropbear
B. On the client you need both kinds of keys, so there is another known_hosts. In the referenced tutorial, the command to connect is:
ssh -o "UserKnownHostsFile=~/.ssh/known_hosts.initramfs" \
-i "~/id_rsa.initramfs" root@my.server.ip.addr \
"echo -ne \"MyS3cr3tK3y\" >/lib/cryptsetup/passfifo"
One of the keys, id_rsa.initramfs, is the file /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key or bootkey_rsa from the server section.
On the client known_hosts, there may be a conflict between the key you already have for the OpenSSH server and the dropbear server you just installed. I temporarily removed the keys for the regular OpenSSH service from known_hosts, connected using the command above (leaving out the -o parameter), got prompted whether I trust the host key, said yes, and got it appended to my known_hosts. From there on, you need to move that last line to its own known_hosts (~/.ssh/known_hosts.initramfs in the example above).
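As an added example (not code from the answer above or from the linked tutorial), here is a small POSIX shell script that does the known_hosts shuffle mechanically and feeds the passphrase to /lib/cryptsetup/passfifo without putting it on the ssh command line, where it would show up in `ps` and in shell history. The file names and the passfifo path are the ones the answer uses; the optional key-type filter, the use of StrictHostKeyChecking=yes, and the host name in the sample data are my choices, not the answer's. It assumes unhashed known_hosts entries in the "host[,host...] keytype base64 [comment]" form.

```shell
#!/bin/sh
# Added example, not from the answer or the linked tutorial: keep the
# dropbear-initramfs host key in its own known_hosts file and deliver the
# LUKS passphrase to /lib/cryptsetup/passfifo via stdin instead of argv.
# Assumptions: unhashed known_hosts entries ("host[,host...] keytype base64"),
# file names and passfifo path as in the answer.

# awk snippet shared by the two functions below: does the first field of a
# known_hosts line name host h (plain, comma-separated, or [host]:port)?
KH_MATCH='function matches(field,    cnt, i, nm, names) {
    cnt = split(field, names, ",")
    for (i = 1; i <= cnt; i++) {
        nm = names[i]
        sub(/^\[/, "", nm); sub(/]:[0-9]+$/, "", nm)
        if (nm == h) return 1
    }
    return 0
}'

# known_hosts_entries FILE HOST: print how many entries in FILE name HOST.
known_hosts_entries() {
    awk -v h="$2" "$KH_MATCH"'
        /^[ \t]*#/ || NF == 0 { next }
        matches($1) { n++ }
        END { print n + 0 }' "$1"
}

# split_known_hosts SRC HOST DEST [KEYTYPE]: move the entries for HOST (all of
# them, or only those of KEYTYPE such as ssh-rsa) out of SRC and append them to
# DEST. This is the answer's "move that last line to its own known_hosts" step;
# with KEYTYPE the regular sshd entry can stay where it is.
split_known_hosts() {
    src=$1; host=$2; dest=$3; ktype=${4:-}
    tmp=$(mktemp) || return 1
    awk -v h="$host" -v t="$ktype" -v dest="$dest" "$KH_MATCH"'
        /^[ \t]*#/ || NF == 0 { print; next }
        matches($1) && (t == "" || $2 == t) { print >> dest; next }
        { print }' "$src" >"$tmp" || { rm -f "$tmp"; return 1; }
    if [ -e "$dest" ]; then chmod 600 "$dest"; fi
    mv "$tmp" "$src"
}

# unlock_luks HOST KEYFILE KNOWN_HOSTS: prompt for the passphrase locally and
# send it to the initramfs dropbear. StrictHostKeyChecking=yes turns the
# dedicated known_hosts into a pin: a changed dropbear host key aborts instead
# of prompting. printf '%s' writes no trailing newline, like the answer's
# echo -ne, so the passphrase arrives byte-for-byte.
unlock_luks() {
    host=$1; key=$2; kh=$3
    printf 'LUKS passphrase for %s: ' "$host" >&2
    stty -echo 2>/dev/null; read -r pass; stty echo 2>/dev/null; echo >&2
    printf '%s' "$pass" | ssh -o "UserKnownHostsFile=$kh" \
        -o StrictHostKeyChecking=yes -i "$key" "root@$host" \
        'cat > /lib/cryptsetup/passfifo'
}

# Usage: sh unlock.sh HOST [KEYFILE] [KNOWN_HOSTS]
# Run split_known_hosts once after the first accepted connection, then unlock.
if [ $# -gt 0 ]; then
    unlock_luks "$1" "${2:-$HOME/id_rsa.initramfs}" "${3:-$HOME/.ssh/known_hosts.initramfs}"
fi
```

After the first connection has been accepted, `split_known_hosts ~/.ssh/known_hosts my.server.ip.addr ~/.ssh/known_hosts.initramfs ssh-rsa` pulls the dropbear line into the dedicated file; from then on the unlock step refuses to talk to anything that presents a different host key.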
Best Answer
You almost did what must be done.
### The short version:
### TL;DR Due to a security issue, the authorized_keys file containing the public key of your client was deleted...
authorized_keys file on the server side, known_hosts file on the client side. That's why, to connect to a dropbear server, both ssh and dbclient can be used, but /usr/lib/dropbear/dropbearconvert must be used to convert the public keys to ensure ssh is compatible with dropbear, or to make dbclient compatible with sshd.
Dropbear is much smaller than sshd and, even though it's more basic, it's good to have an SSH public-key-only server available at an early stage of the Linux boot process, specifically when you use a boot loader such as PXE and/or iPXE. To do that, dropbear must be integrated into the init filesystem (the initrd image).
The Ubuntu package dropbear-initramfs must be installed (I'm using version 2017.75-3build1 on Ubuntu 18.04). All of dropbear's settings are in the /etc/dropbear-initramfs/ folder, including the configuration file (config), the server private keys for rsa, dss and ecdsa (dropbear_*_host_key), and the clients' public keys to be accepted (authorized_keys), which must be placed here in the correct dropbear format. Then, to update your current initrd image file in the /boot/ directory, you must launch:
This package comes with scripts to build initrd images in /usr/share/initramfs-tools/hooks/dropbear, and scripts to run in the early stages of the boot process in /usr/share/initramfs-tools/scripts/init-premount/dropbear, and only then are those last scripts embedded inside the initrd images.
Some distributions delete authorized_keys under certain conditions to prevent ssh connections in early stages. To circumvent this, you must check for this and work around it, such as below:
In the workaround, we mitigate the deletion of authorized_keys to be able to connect to a machine when something goes wrong in the initramfs stage.
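An added example, not code from this answer or from the dropbear-initramfs package: a check script for the server side that validates /etc/dropbear-initramfs/authorized_keys, confirms the hook and init-premount scripts the answer names are present and executable, rebuilds the image with update-initramfs -u -k all (the command given in the first answer), and then lists the image with lsinitramfs from initramfs-tools to confirm that dropbear and authorized_keys actually ended up inside it. The use of lsinitramfs, the path of the copied key file inside the image, and the sample key material in the test are assumptions of mine.

```shell
#!/bin/sh
# Added example, not from the answer or the dropbear-initramfs package:
# check the server-side pieces before and after rebuilding the initrd so a
# missing or malformed authorized_keys is caught now, not at the next remote
# reboot. Assumptions: Debian/Ubuntu paths as in the answer; lsinitramfs(8)
# from initramfs-tools; authorized_keys lines in the one-line
# "[options] keytype base64 [comment]" form that `dropbearkey -y` prints;
# rebuild command update-initramfs -u -k all from the first answer.

DROPBEAR_DIR=${DROPBEAR_DIR:-/etc/dropbear-initramfs}

# check_authorized_keys FILE: print "ok N" and return 0 when every
# non-comment line is a public key; print "bad LINE" and return 1 at the
# first line that is not (a pasted private key, a truncated blob). The base64
# of any SSH public key starts with "AAAA" (the 4-byte length prefix of the
# key-type string), which cheaply separates public keys from anything else.
check_authorized_keys() {
    awk '
        function is_key_type(w) {
            return w ~ /^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$/
        }
        /^[ \t]*#/ || NF == 0 { next }
        {
            k = 0
            for (i = 1; i <= NF && !k; i++) if (is_key_type($i)) k = i
            if (!k || k == NF || $(k + 1) !~ /^AAAA[A-Za-z0-9+\/]+=*$/) {
                print "bad " NR; bad = 1; exit
            }
            n++
        }
        END { if (bad) exit 1; print "ok " n + 0 }' "$1"
}

# check_hook_scripts: initramfs-tools skips hooks that are not executable,
# so a non-executable hook yields an image without dropbear and no error.
check_hook_scripts() {
    for f in /usr/share/initramfs-tools/hooks/dropbear \
             /usr/share/initramfs-tools/scripts/init-premount/dropbear; do
        [ -x "$f" ] || { echo "missing or not executable: $f" >&2; return 1; }
    done
}

# initrd_has INITRD REGEX: does the image listing contain a path matching REGEX?
initrd_has() {
    lsinitramfs "$1" | grep -q "$2"
}

# rebuild_and_verify: run as root on the server. The last check is what
# catches the "authorized_keys was deleted" case the answer describes: the
# file is present in /etc/dropbear-initramfs but absent from the image.
rebuild_and_verify() {
    check_authorized_keys "$DROPBEAR_DIR/authorized_keys" || return 1
    check_hook_scripts || return 1
    update-initramfs -u -k all || return 1
    img=/boot/initrd.img-$(uname -r)
    initrd_has "$img" 'sbin/dropbear$' \
        || { echo "dropbear binary missing from $img" >&2; return 1; }
    # assumed: the hook copies the key file to <root home>/.ssh/authorized_keys
    initrd_has "$img" '\.ssh/authorized_keys$' \
        || { echo "authorized_keys missing from $img" >&2; return 1; }
    echo "ok: $img"
}

if [ "${1:-}" = "--rebuild" ]; then
    rebuild_and_verify
fi
```

Only check_authorized_keys is useful without root; `sh check-dropbear.sh --rebuild` runs the whole sequence as root. If the final check fails while the file in /etc/dropbear-initramfs is intact, the hook (or something run after it) dropped the key file while building, and that is the condition any workaround has to address.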