Debian – Dropbear terminates before LUKS password prompt on Debian Jessie

debiandropbearencryptionluks

I'm trying to use dropbear as a ssh server to unlock an encrypted partition which was created during Debian 8.2 setup. It boots to the password prompt (and unlocks if correct password is typed) but before the prompt appears, dropbear exits with Early exit: Terminated by signal. The system is pingable – I've added DROPBEAR=y, added correct DEVICE/IP settings in the initramfs conf file, did a NO_START=0 in /etc/default/dropbear file and did update-initramfs.

If I'm adding a sleep 60 in the /usr/share/initramfs-tools/scripts/init-premount/dropbear script I am able to connect to the dropbear ssh. But after the sleep it executes /usr/share/initramfs-tools/scripts/init-bottom/dropbear wich kills dropbear right before the password prompt appears.

Why is the init-bottom script called and how to avoid that?

Best Answer

After days of trying and testing, the solution (or the problem) is very simple: be sure to have your / mount point inside your encrypted volumes - if not, the init-bottom script is called right after the init-premount scripts (because the / doesn't need to be decrypted).

Related Solutions

SSH – How to Open a Port Early in Boot Process to Unlock LUKS

I got this same problem a few weeks ago (Debian Wheezy 7.6) and after some days of troubleshooting I found out that there was a config file missing which was preventing to the cryptroot script on init-top to run correctly, hence it was not stopping to ask the password via ssh, killing the dropbear at the end of the sequence (init-bottom).

The config file is called cryptroot and should be under /etc/initramfs-tools/conf.d/ If I am not mistaken that config file should have been created automatically during install (I have read just one tutorial talking about that config file) but somehow it did not (tested in a physical server and in a VM, same OS and versions)

It took me a couple of tries to configure it properly, since I could not find the proper syntax at that time. My cryptroot config file is as follows:

target=crypt-root,source=/dev/vg0/root,lvm=root

Once created the config file just update the initramfs and try again:

update-initramfs -u

Linux Mint – Setting Laptop Screen Brightness After Boot with Full Disk Encryption

You need to add that script to your initramfs. On Debian (I suspect Mint is the same), it appears that the password prompt comes from /usr/share/initramfs-tools/scripts/local-top/cryptroot. That script arranges itself to be called last out of the local-top scripts. There is a parallel set of directories in /etc intended for local customization. So you just need to plop a file that looks something like:

#!/bin/sh
PREREQ=""
prereqs()
{
     echo "$PREREQ"
}

case $1 in
prereqs)
     prereqs
     exit 0
     ;;
esac

echo 50 > /sys/class/backlight/acpi_video0/brightness

into either /etc/initramfs-tools/scripts/local-top or /etc/initramfs-tools/scripts/init-premount. The file name doesn't matter, though I'd pick something like local-backlight-brightness to make sure it doesn't conflict with some package-provided script. (The prereqs boilerplate comes straight from the initramfs-tools manpage.)

Then, run update-initramfs -u.

Best Answer

Related Solutions

SSH – How to Open a Port Early in Boot Process to Unlock LUKS

Linux Mint – Setting Laptop Screen Brightness After Boot with Full Disk Encryption

Related Question