eggy hat geschrieben: 08.06.2020 22:44:37
Ich befürchte Du musst mehr Infos geben, bevor jemand helfen kann: wie bist Du genau vorgegangen, hat es schon mal remote funktioniert (falls ja, was hast Du seitdem gemacht), funktioniert lokales Entschlüsseln, gibts die Datei askpass funktionierend auf dem Rechner, an richtiger Stelle?
Geraten: wahrscheinlich steht in irgendnem Script "askpass" statt "/lib/cryptsetup/askpass".
Hey,
vorerst danke für Dein Feedback und Deinen Hinweis...
Lokales Entschlüsseln ist leider nicht möglich, da die Kiste gemietet ist und im Rechenzentrum steht.
Bezüglich des Unlocks habe ich ein Script gefunden, welches ich genutzt habe:
#!/bin/busybox ash
# Remotely unlock encrypted volumes.
#
# Copyright © 2015-2018 Guilhem Moulin <guilhem@debian.org>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
set -ue
PATH=/sbin:/bin
TIMEOUT=10
PASSFIFO=/lib/cryptsetup/passfifo
ASKPASS=/lib/cryptsetup/askpass
UNLOCK_ALL=n
CRYPTTAB="/cryptroot/crypttab"

# $CRYPTTAB is written by init-top/cryptroot; until that copy exists and is
# not older than /proc/1 there is nothing to unlock yet, so bail out.
[ -f "$CRYPTTAB" ] && [ ! "$CRYPTTAB" -ot "/proc/1" ] || {
  echo "Try again later" >&2
  exit 1
}

# Device names (first column) configured in $CRYPTTAB, one per line;
# leading blanks and comment lines are skipped.
CRYPTDEVS="$(sed -nr 's/^\s*([^#[:blank:]]\S*)\s.*/\1/p' "$CRYPTTAB")"
# Print, one per line, the PIDs whose running executable (the resolved
# /proc/<pid>/exe symlink) is exactly $exe.
pgrep_exe() {
  local exe="$1" pid
  for pid in $(ps -eo pid=); do
    if [ "$(readlink -f "/proc/$pid/exe")" = "$exe" ]; then
      printf '%i\n' "$pid"
    fi
  done
}
# Return 0 if process $pid holds a file descriptor whose target resolves
# to $name, and 1 otherwise.
in_fds() {
  local pid="$1" name="$2" fd
  for fd in $(find "/proc/$pid/fd" -type l); do
    if [ "$(readlink -f "$fd")" = "$name" ]; then
      return 0
    fi
  done
  return 1
}
# Print the PID of the askpass process ($ASKPASS) that has a file
# descriptor open on $PASSFIFO; return 1 if there is none.
get_askpass_pid() {
  local pid
  for pid in $(pgrep_exe "$ASKPASS"); do
    in_fds "$pid" "$PASSFIFO" || continue
    echo "$pid"
    return 0
  done
  return 1
}
# Print how many devices listed in $CRYPTDEVS have no /dev/mapper node yet,
# i.e. are still locked.
count_locked_devices() {
  local dev n=0
  for dev in $CRYPTDEVS; do
    if [ ! -b "/dev/mapper/$dev" ]; then
      n=$(( n + 1 ))
    fi
  done
  echo "$n"
}
# Return 0 if $target is one of the names in $CRYPTDEVS, and 1 otherwise.
is_device_known() {
  local dev target="$1"
  for dev in $CRYPTDEVS; do
    if [ "$dev" = "$target" ]; then
      return 0
    fi
  done
  return 1
}
# Wait for askpass to show up, then set $PID (resp. $BIRTH) to the PID
# (resp. birth date) of the cryptsetup process with same $CRYPTTAB_NAME.
#
# Globals written: CRYPTTAB_NAME, CRYPTTAB_TRIED, CRYPTTAB_SOURCE,
#   CRYPTTAB_OPTION_tries (copied from the askpass environment), PID, BIRTH.
# Exits 0 once every device in $CRYPTDEVS has a /dev/mapper node; exits 1
# if no askpass process shows up within $TIMEOUT seconds, or if the
# prompted device is not listed in $CRYPTDEVS.
# Returns 0 if a cryptsetup process for $CRYPTTAB_NAME was found, and 1
# otherwise ($PID and $BIRTH are then empty).
wait_for_prompt() {
  local pid timer num_locked_devices=-1 n
  # wait for the fifo
  while :; do
    n=$(count_locked_devices)
    if [ $n -eq 0 ]; then
      # all configured devices have been unlocked, we're done
      exit 0
    elif [ $num_locked_devices -lt 0 ] || [ $n -lt $num_locked_devices ]; then
      # reset $timer if a device was unlocked (for instance using
      # a keyscript) while we were waiting; the loop sleeps 100 ms per
      # iteration, so 10 * $TIMEOUT ticks is $TIMEOUT seconds
      timer=$(( 10 * $TIMEOUT ))
    fi
    num_locked_devices=$n
    # askpass must be running from exactly $ASKPASS (pgrep_exe compares the
    # resolved /proc/<pid>/exe) and hold $PASSFIFO open, and the fifo must
    # exist; otherwise keep polling
    if pid=$(get_askpass_pid) && [ -p "$PASSFIFO" ]; then
      break
    fi
    usleep 100000
    timer=$(( $timer - 1 ))
    if [ $timer -le 0 ]; then
      echo "Error: Timeout reached while waiting for askpass." >&2
      exit 1
    fi
  done
  # find the cryptsetup process with same $CRYPTTAB_NAME
  CRYPTTAB_OPTION_tries=
  # NOTE(review): eval of unquoted NAME=value pairs taken from the askpass
  # process environment; a value containing blanks or shell metacharacters
  # would be mis-parsed.  That environment presumably comes from the local
  # cryptroot setup, not from the remote user -- confirm before relying on it.
  eval $(grep -Ez '^CRYPTTAB_(NAME|TRIED|SOURCE|OPTION_tries)=' "/proc/$pid/environ" | tr '\0' '\n')
  if ! is_device_known "$CRYPTTAB_NAME"; then
    echo "Error: Refusing to process unknown device $CRYPTTAB_NAME" >&2
    exit 1
  fi
  for pid in $(pgrep_exe "/sbin/cryptsetup"); do
    if grep -Fxqz "CRYPTTAB_NAME=$CRYPTTAB_NAME" "/proc/$pid/environ"; then
      PID=$pid
      # the ctime of /proc/$PID serves as a birth stamp; wait_for_answer
      # compares against it to notice when the PID has been reused
      BIRTH=$(stat -c'%Z' "/proc/$PID")
      return 0
    fi
  done
  PID=
  BIRTH=
  return 1
}
# Block until process $PID is gone or /proc/$PID carries a birth date newer
# than $BIRTH (the PID was reallocated), giving up with exit status 1 after
# $TIMEOUT seconds.  Afterwards:
#   - /dev/mapper/$CRYPTTAB_NAME exists: return 0 in interactive mode
#     ($UNLOCK_ALL=y), exit 0 otherwise;
#   - the maximum number of tries has been reached: exit 1;
#   - otherwise (unlocking failed): return 1.
wait_for_answer() {
  local timer
  timer=$(( 10 * TIMEOUT ))
  until [ ! -d "/proc/$PID" ] || [ $(stat -c'%Z' "/proc/$PID") -gt $BIRTH ]; do
    usleep 100000
    timer=$(( timer - 1 ))
    [ $timer -gt 0 ] || {
      echo "Error: Timeout reached while waiting for PID $PID." >&2
      exit 1
    }
  done
  if [ -b "/dev/mapper/$CRYPTTAB_NAME" ]; then
    echo "cryptsetup: $CRYPTTAB_NAME set up successfully" >&2
    if [ "$UNLOCK_ALL" = y ]; then
      return 0
    fi
    exit 0
  fi
  if [ $(( ${CRYPTTAB_TRIED:-0} + 1 )) -ge ${CRYPTTAB_OPTION_tries:-3} ]; then
    echo "cryptsetup: maximum number of tries exceeded for $CRYPTTAB_NAME" >&2
    exit 1
  fi
  echo "cryptsetup: cryptsetup failed, bad password or options?" >&2
  return 1
}
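if [ -t 0 ] && [ -x "$ASKPASS" ]; then
  # interactive mode on a TTY: keep trying until all configured devices have
  # been unlocked (wait_for_prompt exits 0) or the maximum number of tries
  # is exceeded (wait_for_answer exits 1)
  UNLOCK_ALL=y
  while :; do
    # note: if the script is not killed before pivot_root it should
    # exit on its own once $TIMEOUT is reached
    wait_for_prompt || continue
    read -rs -p "Please unlock disk $CRYPTTAB_NAME: "; echo
    printf '%s' "$REPLY" >"$PASSFIFO"
    wait_for_answer || true
  done
else
  # non-interactive mode: slurp the passphrase from stdin and exit.
  # There is no loop here, so a failed wait_for_prompt has to exit instead
  # of `continue`: with $PID left empty the passphrase would still be sent
  # to the fifo and wait_for_answer would only give up after its own timeout.
  wait_for_prompt || exit 1
  echo "Please unlock disk $CRYPTTAB_NAME"
  cat >"$PASSFIFO"
  wait_for_answer || exit 1
fi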
Das wäre dazu meine initramfs.conf:
#
# initramfs.conf
# Configuration file for mkinitramfs(8). See initramfs.conf(5).
#
# Note that configuration options from this file can be overridden
# by config files in the /etc/initramfs-tools/conf.d directory.
#
# MODULES: [ most | netboot | dep | list ]
#
# most - Add most filesystem and all harddrive drivers.
#
# dep - Try and guess which modules to load.
#
# netboot - Add the base modules, network modules, but skip block devices.
#
# list - Only include modules from the 'additional modules' list
#
MODULES=most
#
# BUSYBOX: [ y | n | auto ]
#
# Use busybox shell and utilities. If set to n, klibc utilities will be used.
# If set to auto (or unset), busybox will be used if installed and klibc will
# be used otherwise.
#
BUSYBOX=y
#
# KEYMAP: [ y | n ]
#
# Load a keymap during the initramfs stage.
#
KEYMAP=n
#
# COMPRESS: [ gzip | bzip2 | lzma | lzop | xz ]
#
COMPRESS=gzip
#
# NFS Section of the config.
#
#
# DEVICE: ...
#
# Specify a specific network interface, like eth0
# Overridden by optional ip= bootarg
#
#DEVICE=
DEVICE=enp3s0
#
# IP: static network setup for the initramfs, in the kernel ip= syntax
#   client-ip:server-ip:gw-ip:netmask:hostname:device:autoconf
# (server-ip and hostname are left empty; autoconf=off means no automatic
# configuration).  The addresses below were redacted by the poster.
#
IP=xx.x.xx.xxx::xx.x.xx.xxx:xxx.xxx.xxx.xxx::enp3s0:off
#
# NFSROOT: [ auto | HOST:MOUNT ]
#
NFSROOT=auto
#
#RUNSIZE=10%
# enable dropbear explicitly (left commented out, so not in effect here)
#DROPBEAR=y
Nach erfolgreichem Login kommt gefühlt nach 5-10 Sekunden der Fehler...