Debian 9 remote unlock via dropbear

Superbunny79
Posts: 17
Registered: 30.12.2009 20:35:08

Debian 9 remote unlock via dropbear

Post by Superbunny79 » 08.06.2020 21:26:10

Hi all,

I'd like to remotely unlock my server, which I have fully encrypted, via Dropbear.

Unfortunately, despite a successful login, I keep getting an error message that I have never seen before.

Code:

login as: root
Authenticating with public key "Imported-Openssh-Key: C:\\Users\\Andreas\\Documents\\id_rsa"

Error: Timeout reached while waiting for askpass.
Unfortunately, googling did not turn up the hint I was hoping for.

eggy
Posts: 3334
Registered: 10.05.2008 11:23:50

Re: Debian 9 remote unlock via dropbear

Post by eggy » 08.06.2020 22:44:37

I'm afraid you will have to give more information before anyone can help: what exactly did you do, has it ever worked remotely (if so, what have you changed since), does local decryption work, does the askpass file exist on the machine, working and in the right place?

Guess: some script probably says "askpass" instead of "/lib/cryptsetup/askpass".

Superbunny79
Posts: 17
Registered: 30.12.2009 20:35:08

Re: Debian 9 remote unlock via dropbear

Post by Superbunny79 » 10.06.2020 20:13:09

eggy wrote (08.06.2020 22:44:37):
I'm afraid you will have to give more information before anyone can help: what exactly did you do, has it ever worked remotely (if so, what have you changed since), does local decryption work, does the askpass file exist on the machine, working and in the right place?

Guess: some script probably says "askpass" instead of "/lib/cryptsetup/askpass".
Hey,

first of all, thanks for your feedback and the hint.... :mrgreen:

Local decryption is unfortunately not possible, since the box is rented and sits in a data center.. 8)

Regarding the unlock, I found a script for it, which I used:

Code:

#!/bin/busybox ash

# Remotely unlock encrypted volumes.
#
# Copyright © 2015-2018 Guilhem Moulin <guilhem@debian.org>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

set -ue
PATH=/sbin:/bin

TIMEOUT=10
PASSFIFO=/lib/cryptsetup/passfifo
ASKPASS=/lib/cryptsetup/askpass
UNLOCK_ALL=n

CRYPTTAB="/cryptroot/crypttab"
if [ ! -f "$CRYPTTAB" ] || [ "$CRYPTTAB" -ot "/proc/1" ]; then
	# Too early, init-top/cryptroot hasn't finished yet
	echo "Try again later" >&2
	exit 1
fi

# The list of configured devices to unlock.
CRYPTDEVS="$(sed -nr 's/^\s*([^#[:blank:]]\S*)\s.*/\1/p' "$CRYPTTAB")"

# Print the list of PIDs the executed command of which is $exe.
pgrep_exe() {
	local exe="$1" pid
	ps -eo pid= | while read pid; do
		[ "$(readlink -f /proc/$pid/exe)" != "$exe" ] || printf '%i\n' "$pid"
	done
}

# Return 0 if $pid has a file descriptor pointing to $name, and 1
# otherwise.
in_fds() {
	local pid="$1" name="$2" fd
	for fd in $(find "/proc/$pid/fd" -type l); do
		[ "$(readlink -f "$fd")" != "$name" ] || return 0
	done
	return 1
}

# Print the PID of the askpass process with a file descriptor opened to
# /lib/cryptsetup/passfifo.
get_askpass_pid() {
	local pid
	for pid in $(pgrep_exe "$ASKPASS"); do
		if in_fds "$pid" "$PASSFIFO"; then
			echo "$pid"
			return 0
		fi
	done
	return 1
}

# Print the number of configured crypt devices that have not been unlocked yet.
count_locked_devices() {
	local dev n=0
	for dev in $CRYPTDEVS; do
		[ -b "/dev/mapper/$dev" ] || n=$(( $n + 1 ))
	done
	echo $n
}

# Return 0 if the $target is in $CRYPTDEVS, and 1 otherwise.
is_device_known() {
	local dev target="$1"
	for dev in $CRYPTDEVS; do
		[ "$dev" != "$target" ] || return 0
	done
	return 1
}

# Wait for askpass, then set $PID (resp. $BIRTH) to the PID (resp.
# birth date) of the cryptsetup process with same $CRYPTTAB_NAME.
wait_for_prompt() {
	local pid timer num_locked_devices=-1 n

	# wait for the fifo
	while :; do
		n=$(count_locked_devices)
		if [ $n -eq 0 ]; then
			# all configured devices have been unlocked, we're done
			exit 0
		elif [ $num_locked_devices -lt 0 ] || [ $n -lt $num_locked_devices ]; then
			# reset $timer if a device was unlocked (for instance using
			# a keyscript) while we were waiting
			timer=$(( 10 * $TIMEOUT ))
		fi
		num_locked_devices=$n

		if pid=$(get_askpass_pid) && [ -p "$PASSFIFO" ]; then
			break
		fi

		usleep 100000
		timer=$(( $timer - 1 ))
		if [ $timer -le 0 ]; then
			echo "Error: Timeout reached while waiting for askpass." >&2
			exit 1
		fi
	done

	# find the cryptsetup process with same $CRYPTTAB_NAME
	CRYPTTAB_OPTION_tries=
	eval $(grep -Ez '^CRYPTTAB_(NAME|TRIED|SOURCE|OPTION_tries)=' "/proc/$pid/environ" | tr '\0' '\n')
	if ! is_device_known "$CRYPTTAB_NAME"; then
		echo "Error: Refusing to process unknown device $CRYPTTAB_NAME" >&2
		exit 1
	fi

	for pid in $(pgrep_exe "/sbin/cryptsetup"); do
		if grep -Fxqz "CRYPTTAB_NAME=$CRYPTTAB_NAME" "/proc/$pid/environ"; then
			PID=$pid
			BIRTH=$(stat -c'%Z' "/proc/$PID")
			return 0
		fi
	done

	PID=
	BIRTH=
	return 1
}

# Wait until $PID no longer exists or has a birth date greater than
# $BIRTH (ie was reallocated).  Then exit with status 0 if
# /dev/mapper/$CRYPTTAB_NAME exists (or return 0 when UNLOCK_ALL=y), and
# exit with status 1 if the maximum number of tries was exceeded.
# Otherwise (if the unlocking failed) return with status 1.
wait_for_answer() {
	local timer=$(( 10 * $TIMEOUT )) dev
	until [ ! -d "/proc/$PID" ] || [ $(stat -c'%Z' "/proc/$PID") -gt $BIRTH ]; do
		usleep 100000
		timer=$(( $timer - 1 ))
		if [ $timer -le 0 ]; then
			echo "Error: Timeout reached while waiting for PID $PID." >&2
			exit 1
		fi
	done

	if [ -b "/dev/mapper/$CRYPTTAB_NAME" ]; then
		echo "cryptsetup: $CRYPTTAB_NAME set up successfully" >&2
		[ "$UNLOCK_ALL" = y ] && return 0 || exit 0
	elif [ $(( ${CRYPTTAB_TRIED:-0} + 1 )) -ge ${CRYPTTAB_OPTION_tries:-3} ]; then
		echo "cryptsetup: maximum number of tries exceeded for $CRYPTTAB_NAME" >&2
		exit 1
	else
		echo "cryptsetup: cryptsetup failed, bad password or options?" >&2
		return 1
	fi
}


if [ -t 0 ] && [ -x "$ASKPASS" ]; then
	# interactive mode on a TTY: keep trying until all configured devices have
	# been unlocked or the maximum number of tries exceeded
	UNLOCK_ALL=y
	while :; do
		# note: if the script is not killed before pivot_root it should
		# exit on its own once $TIMEOUT is reached
		wait_for_prompt || continue
		read -rs -p "Please unlock disk $CRYPTTAB_NAME: "; echo
		printf '%s' "$REPLY" >"$PASSFIFO"
		wait_for_answer || true
	done
else
	# non-interactive mode: slurp the passphrase from stdin and exit.
	# There is no loop here, so a failed wait_for_prompt must exit
	# ('continue' outside a loop is a silent no-op in ash and would
	# leave $PID empty for wait_for_answer).
	wait_for_prompt || exit 1
	echo "Please unlock disk $CRYPTTAB_NAME"
	cat >"$PASSFIFO"
	wait_for_answer || exit 1
fi
This would be my initramfs.conf for it:

Code:

#
# initramfs.conf
# Configuration file for mkinitramfs(8). See initramfs.conf(5).
#
# Note that configuration options from this file can be overridden
# by config files in the /etc/initramfs-tools/conf.d directory.

#
# MODULES: [ most | netboot | dep | list ]
#
# most - Add most filesystem and all harddrive drivers.
#
# dep - Try and guess which modules to load.
#
# netboot - Add the base modules, network modules, but skip block devices.
#
# list - Only include modules from the 'additional modules' list
#

MODULES=most

#
# BUSYBOX: [ y | n | auto ]
#
# Use busybox shell and utilities.  If set to n, klibc utilities will be used.
# If set to auto (or unset), busybox will be used if installed and klibc will
# be used otherwise.
#

BUSYBOX=y

#
# KEYMAP: [ y | n ]
#
# Load a keymap during the initramfs stage.
#

KEYMAP=n

#
# COMPRESS: [ gzip | bzip2 | lzma | lzop | xz ]
#

COMPRESS=gzip

#
# NFS Section of the config.
#

#
# DEVICE: ...
#
# Specify a specific network interface, like eth0
# Overridden by optional ip= bootarg
#

#DEVICE=
DEVICE=enp3s0
IP=xx.x.xx.xxx::xx.x.xx.xxx:xxx.xxx.xxx.xxx::enp3s0:off
#
# NFSROOT: [ auto | HOST:MOUNT ]
#

NFSROOT=auto

#
#RUNSIZE=10%
# enable dropbear explicitly
#DROPBEAR=y

After a successful login, the error appears after what feels like 5-10 seconds....
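The unlock script above only works if the initramfs actually carries the pieces it references: the busybox shell from its shebang (BUSYBOX=y in the initramfs.conf), /lib/cryptsetup/askpass, /sbin/cryptsetup, the dropbear binary, the SSH key, and the script itself. On a rented box with no console, that is worth checking before rebooting. The following is an added example, not code from the thread or from Debian's cryptsetup/dropbear packages. It assumes initramfs-tools' lsinitramfs(8) is available; the askpass, cryptsetup and busybox paths come from the posted script, while the dropbear path, the installed name "cryptroot-unlock" for the script and the authorized_keys location are assumptions (adjust the REQUIRED list to whatever lsinitramfs shows on your system):

```shell
#!/bin/sh
# Preflight check for a dropbear remote-unlock setup (added example, not part
# of the thread): confirm the generated initramfs contains what the unlock
# script depends on, so a reboot of a headless box does not end in a dead SSH.
# Assumes initramfs-tools' lsinitramfs(8). The path patterns are assumptions
# about the image layout, not facts established in the thread.
set -u

# One POSIX extended regex per required component (no spaces inside a pattern).
# askpass, /sbin/cryptsetup and busybox are what the unlock script references;
# the dropbear binary, the script's installed name and the authorized_keys
# location are assumed.
REQUIRED='lib/cryptsetup/askpass
sbin/cryptsetup
bin/busybox
(usr/)?sbin/dropbear
cryptroot-unlock
authorized_keys'

# check_listing: read an lsinitramfs-style listing (one path per line) on
# stdin, print each missing component on stderr, return 0 only if all present.
check_listing() {
    listing=$(cat)
    missing=0
    for pattern in $REQUIRED; do
        if ! printf '%s\n' "$listing" | grep -Eq "$pattern"; then
            echo "missing from initramfs: $pattern" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# check_initramfs [IMAGE]: run the check against a real image
# (default: the image for the running kernel).
check_initramfs() {
    img=${1:-/boot/initrd.img-$(uname -r)}
    [ -r "$img" ] || { echo "cannot read $img" >&2; return 2; }
    lsinitramfs "$img" | check_listing
}

# Usage: sh preflight.sh --check [/boot/initrd.img-VERSION]
if [ "${1:-}" = "--check" ]; then
    check_initramfs "${2:-}" && echo "initramfs looks complete"
fi
```

Run it after every `update-initramfs -u`, because the hook scripts decide at build time what gets copied in; a missing component shows up only at the next boot, when the machine is unreachable.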

eggy
Posts: 3334
Registered: 10.05.2008 11:23:50

Re: Debian 9 remote unlock via dropbear

Post by eggy » 10.06.2020 20:49:16

Try a manual remote unlock instead of the script; /lib/cryptsetup/askpass should be present on the system, check that first.
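The manual unlock eggy suggests is what the posted script does at its core: once askpass is blocked reading /lib/cryptsetup/passfifo, the passphrase is written to that FIFO with `printf '%s'` (no trailing newline, since a newline would become part of the passphrase). The following is an added example of that step, not code from the thread or from Debian's cryptsetup package. It assumes the FIFO path from the script above and that askpass is the reader; the timeout logic is this example's own, added because opening a FIFO for writing blocks until a reader exists, and a session that hangs silently is exactly the symptom one wants to diagnose, not reproduce:

```shell
#!/bin/sh
# Manual remote unlock over a dropbear session (added example, not from the
# thread). Writes a passphrase to the cryptsetup FIFO without a trailing
# newline and gives up, instead of hanging, if nothing reads the FIFO.
# Assumes /lib/cryptsetup/passfifo as the FIFO path; the timeout mechanism
# is an addition of this example.
set -u

# read_secret: read one line from stdin into stdout, without echo on a TTY.
read_secret() {
    printf 'Passphrase for the encrypted volume: ' >&2
    if [ -t 0 ]; then
        stty -echo
        IFS= read -r REPLY
        stty echo
        echo >&2
    else
        IFS= read -r REPLY
    fi
    printf '%s' "$REPLY"
}

# write_passfifo FIFO PASSPHRASE [TIMEOUT]: hand the passphrase to whatever is
# reading FIFO (normally askpass). Returns 0 once the write completed, 1 if no
# reader took it within TIMEOUT seconds, 2 if FIFO is not a named pipe.
write_passfifo() {
    fifo=$1 pass=$2 timeout=${3:-10}
    [ -p "$fifo" ] || { echo "error: $fifo is not a FIFO (askpass not waiting?)" >&2; return 2; }

    # The open() for writing blocks until askpass opens the read side, so run
    # the write in a background subshell and arm a second subshell to kill it.
    ( printf '%s' "$pass" > "$fifo" ) &
    wpid=$!
    ( sleep "$timeout"; kill "$wpid" 2>/dev/null ) >/dev/null 2>&1 </dev/null &
    kpid=$!

    wait "$wpid"; rc=$?
    kill "$kpid" 2>/dev/null
    wait "$kpid" 2>/dev/null
    if [ "$rc" -ne 0 ]; then
        echo "error: passphrase not consumed from $fifo within ${timeout}s (is askpass waiting on it?)" >&2
        return 1
    fi
    return 0
}

# Usage inside the initramfs shell: sh unlock.sh --unlock [FIFO] [TIMEOUT]
# The passphrase is read from stdin, never passed on the command line.
if [ "${1:-}" = "--unlock" ]; then
    pass=$(read_secret) || exit 1
    write_passfifo "${2:-/lib/cryptsetup/passfifo}" "$pass" "${3:-10}"
fi
```

If `write_passfifo` reports that the FIFO does not exist or is never read, askpass is not running at that moment, which is the same condition that makes the posted script time out; in that case look at `ps` and at the `exe` links under /proc for askpass and cryptsetup before trying again.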
