Ubuntu – Dropbear-initramfs on ubuntu 18.04

Tags: 18.04, initramfs, server

I’m trying to set up a dedicated server with an encrypted drive. I’ve found some help online to get that up and running, but I’m running into some trouble getting dropbear-initramfs to start properly (tutorial along those lines: https://hamy.io/post/0005/remote-unlocking-of-luks-encrypted-root-in-ubuntu-debian/).

So I install the dropbear-initramfs package and get an error that the keys are missing and it won’t work. I add the authorized_keys, I configure dropbear to run on a different port and I update initramfs, but at boot dropbear doesn’t start and I just get prompted for the normal username/password. I’ve tried a couple of things to get that up and running; I tried to dpkg-reconfigure the package once the keys were set up properly and I don’t get an error message anymore, but dropbear still doesn’t start.

If anyone has any pointers, that would be very appreciated 🙂

Best regards

P.S.: I had a look at the already opened questions, but the majority of them are now quite old, and dropbear + initramfs is supposed to be easier since Ubuntu 16.04 (with the dropbear-initramfs package).

Best Answer

You almost did what must be done.

### The short version

### TL;DR

Due to a security issue, the authorized_keys file containing the public key of your client was deleted...

  1. Dropbear and openssh are both SSH servers but don't share the same key formats, although they share the same principle of private/public keys:
  • DER format for dropbear
  • PEM format for openssh for private keys
  • An authorized_keys file on the server side,
  • A known_hosts file on the client side.

That's why, to connect to a dropbear server, both ssh and dbclient can be used, but /usr/lib/dropbear/dropbearconvert must be used to convert the public keys to ensure ssh is compatible with dropbear, or to make dbclient compatible with sshd.

  2. Dropbear is much smaller than sshd, and even though it's more basic, it's good to have an SSH public-key-only server available at an early stage of the Linux boot process, specifically when you use a boot loader such as PXE and/or iPXE.
    To do that, dropbear must be integrated to the init filesystem (The initrd image).
    The Ubuntu package dropbear-initramfs must be installed (I'm using version 2017.75-3build1 on Ubuntu 18.04).
    All of dropbear's settings are in the /etc/dropbear-initramfs/ folder, including the configuration file (config), the server private keys, rsa, dss, ecdsa (dropbear_*_host_key), and the clients' public keys to accept (authorized_keys), which must be placed here in the correct dropbear format.
    Then to update your current initrd image file in the /boot/ directory, you must launch:

     sudo update-initramfs -u
    

This package comes with scripts to build initrd images in /usr/share/initramfs-tools/hooks/dropbear, and scripts to run in the early stages of the boot process in /usr/share/initramfs-tools/scripts/init-premount/dropbear, and only then are those last scripts embedded inside the initrd images.

  3. Some distributions delete authorized_keys under certain conditions to prevent ssh connections in early stages. To circumvent this, you must check for it and work around it as below:

     $ cd /usr/share/initramfs-tools/scripts/
     $ grep -R authorized_keys *
     init-bottom/dropbear:# delete authorized_keys(5) file to forbid new SSH sessions
     init-bottom/dropbear:#rm -f ~root/.ssh/authorized_keys
     init-bottom/dropbear:    # just kill this script), so deleting root's authorized_keys(5) file
    

In the workaround, we mitigate the deletion of authorized_keys to be able to connect to the machine when something goes wrong in the initramfs stage.
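As an added example that is not part of the original answer nor of the dropbear-initramfs package: a pre-flight script that checks, before you run `sudo update-initramfs -u`, the pieces the answer lists (the authorized_keys file and host keys under /etc/dropbear-initramfs/, the listen port, and whether the init-bottom/dropbear hook still deletes root's authorized_keys). It assumes the package paths named above, that authorized_keys holds lines in the usual `ssh-rsa AAAA... comment` format that dropbear reads, and that the port is set with `-p` in the `DROPBEAR_OPTIONS` variable of the package's config file. The function names and the root-directory argument are this script's own convention, so it can be run against a staging tree as well as the live system.

```shell
#!/bin/sh
# Pre-flight check for a dropbear-initramfs setup on Ubuntu 18.04.
# Added example, not from the original answer. Paths are the package locations
# the answer names; the function names and the ROOT argument are this script's
# own so the checks can be run against a staging tree ("/" for the live system).

ETC_DIR=/etc/dropbear-initramfs
SCRIPTS_DIR=/usr/share/initramfs-tools/scripts

# 0 when authorized_keys exists, is non-empty and holds at least one line that
# starts with a public key type (the "ssh-rsa AAAA... comment" line format).
check_authorized_keys() {
    f="$1$ETC_DIR/authorized_keys"
    if [ ! -s "$f" ]; then
        echo "FAIL: $f is missing or empty; dropbear has no client key to accept"
        return 1
    fi
    if ! grep -Eq '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+) ' "$f"; then
        echo "FAIL: $f contains no public key line"
        return 1
    fi
    echo "OK: authorized_keys present"
    return 0
}

# 0 when at least one dropbear host key (dropbear_*_host_key) exists, so the
# embedded server can present an identity at boot.
check_host_keys() {
    for k in "$1$ETC_DIR"/dropbear_*_host_key; do
        if [ -s "$k" ]; then
            echo "OK: host key $k"
            return 0
        fi
    done
    echo "FAIL: no dropbear_*_host_key in $1$ETC_DIR"
    return 1
}

# Print the listen port dropbear will use: the -p value from DROPBEAR_OPTIONS in
# the package's config file, or 22 when none is set.
dropbear_port() {
    f="$1$ETC_DIR/config"
    port=""
    if [ -f "$f" ]; then
        port=$(sed -n 's/^DROPBEAR_OPTIONS=.*-p *\([0-9]\{1,5\}\).*/\1/p' "$f" | head -n 1)
    fi
    echo "${port:-22}"
}

# 0 when the init-bottom hook still has an active "rm ... authorized_keys" line
# (the deletion the answer describes), 1 when that line is commented out or
# absent, 2 when the hook script is not installed at all.
init_bottom_deletes_keys() {
    f="$1$SCRIPTS_DIR/init-bottom/dropbear"
    [ -f "$f" ] || return 2
    if grep -Eq '^[[:space:]]*rm[[:space:]].*authorized_keys' "$f"; then
        return 0
    fi
    return 1
}

# Run every check against ROOT and return the number of failed checks.
run_checks() {
    root=${1%/}
    fails=0
    check_authorized_keys "$root" || fails=$((fails + 1))
    check_host_keys "$root" || fails=$((fails + 1))
    echo "INFO: dropbear will listen on port $(dropbear_port "$root")"
    rc=0
    init_bottom_deletes_keys "$root" || rc=$?
    case $rc in
        0) echo "INFO: init-bottom/dropbear deletes authorized_keys once the root fs is up" ;;
        1) echo "INFO: init-bottom/dropbear keeps authorized_keys (deletion commented out)" ;;
        2) echo "FAIL: $SCRIPTS_DIR/init-bottom/dropbear not found; is dropbear-initramfs installed?"
           fails=$((fails + 1)) ;;
    esac
    if [ "$fails" -eq 0 ]; then
        echo "All checks passed; now run: sudo update-initramfs -u"
    fi
    return "$fails"
}

# Run the checks when invoked with a root path, e.g. "sudo sh check.sh /".
if [ $# -gt 0 ]; then
    run_checks "$1"
fi
```

Run it as `sudo sh check.sh /` on the server; a non-zero exit code means at least one of the files the answer asks for is missing, which is the situation the question describes (dropbear silently absent at boot, normal login prompt instead).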