Ubuntu – Ubuntu will not boot into busybox for remote LUKS decryption using dropbear

Tags: 16.04, busybox, lvm, server

I want to unlock an encrypted LVM at startup on a headless Ubuntu 16.04 server. This is a fairly fresh install. The only installs I have done are mate-desktop, xrdp, dropbear, and busybox. My client is PuTTY on a Windows machine. I am fairly new to Linux, but here is the progress I have made:

  1. Installed dropbear and busybox

  2. Used puttygen to generate a key pair

  3. Copied public key to ~/.ssh/authorized_keys and set proper permissions (700 on directory, 600 on file)

  4. Copied public key to /etc/initramfs-tools/root/.ssh/authorized_keys and set proper permissions (700 on directory, 600 on file)

  5. Confirmed my keys are good by successfully connecting to normal user session via PuTTY using key authentication

  6. Created the script and modified the config files as outlined at this link

    (Note: I did not perform step 8, but my /var/log/auth.log file did not contain the errors showcased in the Troubleshoot section of that blogpost if step 8 is not performed.)

  7. Updated initramfs

When the system boots and shows the graphical LUKS unlock prompt, I get no response from the server when I try to connect via PuTTY. The connection times out. I have not been able to find any resources that deal with dropbear/busybox not running on boot. I am certain that if I could get a response, my key would work and I could unlock without problems.

How can I find out why dropbear/busybox isn't running at boot?

(For clarification, I can still unlock at the server and SSH into user session.)

Best Answer

After what feels like an eternity of deep diving into Google and trial and error, I finally got this figured out.

Here are the steps I took relative to the steps I outlined in the question:

  1. Removed the script in the blogpost referenced in the question
  2. In the crossfire of trial and error, ended up removing ifconfig eth0 0.0.0.0 down from /usr/share/initramfs-tools/scripts/init-bottom/dropbear that step 6 in the blogpost outlined; I never added it back but never needed it
  3. Modified and added the following scripts from this post:

    # Comment out the plymouth branch in /usr/share/initramfs-tools/scripts/local-top/cryptroot
    # so that the passphrase is always requested through /lib/cryptsetup/askpass (which the
    # remote "unlock" script below can satisfy), i.e. make the block read:
    #
    if [ -z "$cryptkeyscript" ]; then
        cryptkey="Unlocking the disk $cryptsource ($crypttarget)\nEnter passphrase: "
        #if [ -x /bin/plymouth ] && plymouth --ping; then
        #    cryptkeyscript="plymouth ask-for-password --prompt"
        #    cryptkey=$(echo -e "$cryptkey")
        #else
        cryptkeyscript="/lib/cryptsetup/askpass"
        #fi
    fi
    
    
    
    #!/bin/sh
    # /usr/share/initramfs-tools/hooks/cryptroot_unlock  (add this file and make it executable)
    #
    # Prompt to unlock LUKS encrypted root partition remotely
    #
    # See linked post for sources and acknowledgements
    #
    PREREQ=""
    prereqs()
    {
        echo "$PREREQ"
    }
    case $1 in
    prereqs)
        prereqs
        exit 0
        ;;
    esac
    . /usr/share/initramfs-tools/hook-functions
    #
    # Begin real processing
    #
    SCRIPTNAME=unlock
    # 1) Create script to unlock luks partitions: askpass reads the passphrase over the
    #    dropbear session and writes it to the FIFO that cryptroot's askpass is waiting on
    cat > "${DESTDIR}/bin/${SCRIPTNAME}" << '__EOF'
    #!/bin/sh
    /lib/cryptsetup/askpass "Enter volume password: " > /lib/cryptsetup/passfifo
    __EOF
    chmod 700 "${DESTDIR}/bin/${SCRIPTNAME}"
    # 2) Enhance Message Of The Day (MOTD) with info how to unlock luks partition
    #    (unquoted heredoc delimiter so that ${SCRIPTNAME} is expanded into the file)
    cat >> "${DESTDIR}/etc/motd" << __EOF
    To unlock root-partition run "${SCRIPTNAME}"
    __EOF
    
    
    
    #!/bin/sh
    # /usr/share/initramfs-tools/scripts/local-bottom/dropbear_kill_clients  (add this file and make it executable)
    #
    # Kills all DropBear client sessions if InitRAMFS is left
    #
    # See linked post for sources and acknowledgements
    #
    PREREQ=""
    prereqs()
    {
        echo "$PREREQ"
    }
    case $1 in
    prereqs)
        prereqs
        exit 0
        ;;
    esac
    #
    # Begin real processing
    #
    NAME=dropbear
    PROG=/sbin/dropbear
    # get all server pids that should be ignored
    ignore=""
    for server in $(cat /var/run/${NAME}*.pid 2>/dev/null)
    do
        ignore="${ignore} ${server}"
    done
    # get all running pids and kill client connections
    for pid in $(pidof "${NAME}")
    do
        # check if correct program, otherwise process next pid
        grep -F -q -e "${PROG}" "/proc/${pid}/cmdline" || continue
        # check if pid should be ignored (servers)
        skip=0
        for server in ${ignore}
        do
            if [ "${pid}" = "${server}" ]   # POSIX sh comparison is "=", not "=="
            then
                skip=1
                break
            fi
        done
        [ "${skip}" -ne 0 ] && continue
        # kill process
        echo "$0: Killing ${pid}..."
        kill -KILL "${pid}"
    done
    

After modifying and adding those scripts, dropbear was able to start, but my network device was failing to connect to the network, so I was still unable to connect to the server.

I finally discovered by using ls /sys/class/net that my network adapter was not called eth0; apparently that is an old notation no longer used by recent versions of Ubuntu, and since all the posts I have found are old if not ancient, eth0 is all I found references to.

So, armed with that information and a few more snippets I found from other sources, I modified initramfs.conf as follows:

  1. Modified the DEVICE= portion of /etc/initramfs-tools/initramfs.conf to read:

    DEVICE=<name of network adapter discovered using ls /sys/class/net>
    IP=<Static IP Address>::<Default Gateway>:<Subnet Mask>::<name of network adapter>:off
    
  2. Updated initramfs (sudo update-initramfs -u)

Now dropbear connects to the network and I can connect to the server and unlock remotely.
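For the question's "how can I find out why dropbear isn't running at boot", an added example (not part of the answer above, and not the dropbear package's own tooling): it checks an initramfs listing for the pieces the answer's scripts install, and validates an IP= value of the shape used in the answer against the interface names from ls /sys/class/net. The file names checked are the ones from the answer; the sample listing is constructed.

```shell
# Added example (not from the answer): sanity checks for the pieces the answer's
# scripts put into the initramfs, and for the IP= value in initramfs.conf.

# Read an initramfs listing (output of lsinitramfs) from stdin and report each
# entry the remote unlock needs that is absent; returns 1 if any is missing.
check_initramfs_listing() {
    listing=$(cat)
    missing=0
    for needed in sbin/dropbear root/.ssh/authorized_keys bin/unlock \
                  scripts/local-bottom/dropbear_kill_clients lib/cryptsetup/askpass
    do
        # match at end of line so "./" or "usr/" prefixes in the listing do not matter
        if ! printf '%s\n' "$listing" | grep -q -E "(^|/)$needed\$"; then
            echo "missing from initramfs: $needed" >&2
            missing=1
        fi
    done
    return $missing
}

# Validate an IP= value of the form <ip>::<gateway>:<netmask>::<interface>:off
# (kernel ip= syntax with server-ip and hostname empty). $1 is the value, $2 the
# interface names from "ls /sys/class/net"; prints problems, returns 1 on any.
check_ip_value() {
    printf '%s\n' "$1" | awk -F: -v ifaces=" $2 " '
        function is_ipv4(s,   p, i) {
            if (split(s, p, ".") != 4) return 0
            for (i = 1; i <= 4; i++)
                if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
            return 1
        }
        {
            bad = 0
            if (NF != 7) { print "expected 7 colon-separated fields, got " NF; bad = 1 }
            if (!is_ipv4($1)) { print "bad static address: " $1; bad = 1 }
            if (!is_ipv4($3)) { print "bad gateway: " $3; bad = 1 }
            if (!is_ipv4($4)) { print "bad netmask: " $4; bad = 1 }
            if (index(ifaces, " " $6 " ") == 0) { print "no such interface: " $6; bad = 1 }
            if ($7 != "off") { print "autoconf must be off, got: " $7; bad = 1 }
            exit bad
        }'
}

# Constructed sample of what a complete initramfs listing contains.
SAMPLE_LISTING='bin/unlock
sbin/dropbear
root/.ssh/authorized_keys
scripts/local-bottom/dropbear_kill_clients
lib/cryptsetup/askpass'
```

On a live system the listing comes from lsinitramfs /boot/initrd.img-$(uname -r) piped into check_initramfs_listing, and the second argument of check_ip_value from "$(ls /sys/class/net)".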