I have a fully encrypted server running Debian 7 and have set up dropbear and busybox to unlock the LUKS container via SSH (as described in this tutorial and in this U&L answer).
Unfortunately, whenever I try to SSH to the server (over the LAN) at reboot, I get a "Connection refused" error. I have tried telnet and nmap to the default port (22) and both say the port is closed.
The server has a ufw rule to accept all traffic from the LAN:
Anywhere ALLOW 192.168.1.0/24
I have tried changing the port that dropbear listens on in /etc/defaults/dropbear, but ssh and telnet connections are still refused.
How can I ensure that a port is open at that stage in the boot process so that I can connect to unlock the LUKS container?
Disabling the firewall makes no difference: nmap shows all ports still closed.
Update 2/14
I added break=premount to the kernel line and had a poke around in the initramfs. dropbear has started, but the network is not up at that point. After exiting, the network comes up and boot continues until the prompt to unlock the LUKS device. At this point, the network is up and the host has been assigned the correct IP address, but port 22 is still closed.
The IP line in /etc/initramfs-tools/initramfs.conf I am using is:
export IP=192.168.1.200::192.168.1.1:255.255.255.0::eth0:off
Consistent with the directions in /usr/share/doc/cryptsetup/README.remote.gz, I have tried just adding the device option, but that is not sufficient to bring the network up and obtain a DHCP lease.
Update 11/10/14
Karl's answer was what was required: setting up /etc/initramfs-tools/conf.d/cryptroot was the key:
target=md1_crypt,source=UUID=8570d12k-ccha-4985-s09f-e43dhed9fa2a
This guide also proved more up-to-date and relevant (and successful).
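The two settings the question ends up with (the initramfs IP= line and the cryptroot options line) are easy to get subtly wrong, so here is a small POSIX shell check for them. This is an added example, not code from the question, the answer or any of the linked guides; it assumes the kernel's ip= field order (client:server:gateway:netmask:hostname:device:autoconf) and the comma-separated key=value form of the cryptroot line shown above, and the function names check_ip_line and check_cryptroot_line are my own. The sample lines are the ones quoted in the question.

```shell
#!/bin/sh
# Offline sanity check for the two initramfs settings discussed in this thread.
# Field order for IP= follows the kernel's ip= parameter:
#   client:server:gateway:netmask:hostname:device:autoconf
# The cryptroot line is a comma-separated list of key=value options, of which
# target= and source= are the two the thread relies on.

# Print field N (1-based) of a colon-separated string, keeping empty fields.
ip_field() {
    printf '%s\n' "$1" | cut -d: -f "$2"
}

# Check an "IP=..." (or "export IP=...") line. On success print a one-line
# summary and return 0; on a problem print a reason on stderr and return 1.
check_ip_line() {
    value=${1#export IP=}
    value=${value#IP=}
    client=$(ip_field "$value" 1)
    gateway=$(ip_field "$value" 3)
    netmask=$(ip_field "$value" 4)
    device=$(ip_field "$value" 6)
    autoconf=$(ip_field "$value" 7)
    case "$autoconf" in
        off|none)
            # Static configuration: address, netmask and interface are all needed,
            # otherwise the initramfs has no usable interface for dropbear to bind to.
            if [ -z "$client" ] || [ -z "$netmask" ] || [ -z "$device" ]; then
                echo "static IP= line needs a client IP, a netmask and a device" >&2
                return 1
            fi ;;
        dhcp|bootp|rarp|both|on|any|"")
            # Dynamic configuration (an empty field leaves the kernel default in place).
            ;;
        *)
            echo "unknown autoconf value '$autoconf'" >&2
            return 1 ;;
    esac
    printf 'device=%s client=%s gateway=%s autoconf=%s\n' \
        "$device" "$client" "$gateway" "$autoconf"
}

# Check one cryptroot options line, e.g. "target=NAME,source=DEVICE".
# Print "target=NAME source=DEVICE" and return 0, or return 1 if a key is missing.
check_cryptroot_line() {
    target=
    src=
    old_ifs=$IFS
    IFS=,
    for opt in $1; do
        case "$opt" in
            target=*) target=${opt#target=} ;;
            source=*) src=${opt#source=} ;;   # keeps a "UUID=..." value intact
        esac
    done
    IFS=$old_ifs
    if [ -z "$target" ] || [ -z "$src" ]; then
        echo "cryptroot line must contain both target= and source=" >&2
        return 1
    fi
    printf 'target=%s source=%s\n' "$target" "$src"
}

# Constructed sample input: the two lines quoted in the question above.
SAMPLE_IP_LINE='export IP=192.168.1.200::192.168.1.1:255.255.255.0::eth0:off'
SAMPLE_CRYPTROOT='target=md1_crypt,source=UUID=8570d12k-ccha-4985-s09f-e43dhed9fa2a'

check_ip_line "$SAMPLE_IP_LINE"
check_cryptroot_line "$SAMPLE_CRYPTROOT"

# A line that names only the interface, with autoconf=off, is rejected as
# incomplete: a static setup also needs the address and netmask.
check_ip_line 'IP=:::::eth0:off' || echo "incomplete static IP= line rejected, as expected"
```

Run it as a plain script, or source it and feed `grep '^export IP=' /etc/initramfs-tools/initramfs.conf` and the contents of /etc/initramfs-tools/conf.d/cryptroot into the two functions before running update-initramfs.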
Best Answer
I got this same problem a few weeks ago (Debian Wheezy 7.6), and after some days of troubleshooting I found out that there was a config file missing, which was preventing the cryptroot script on init-top from running correctly; hence it was not stopping to ask for the password via ssh, and dropbear was killed at the end of the sequence (init-bottom).
The config file is called cryptroot and should be under /etc/initramfs-tools/conf.d/
If I am not mistaken, that config file should have been created automatically during install (I have read just one tutorial talking about that config file), but somehow it did not (tested in a physical server and in a VM, same OS and versions). It took me a couple of tries to configure it properly, since I could not find the proper syntax at that time. My cryptroot config file is as follows:
Once the config file is created, just update the initramfs and try again: