-
Notifications
You must be signed in to change notification settings - Fork 8
/
RemoteUnlock
182 lines (155 loc) · 7.32 KB
/
RemoteUnlock
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
# Unlocking a native encrypted ZFS root partition remotely via Dropbear
# SSH server
# exit if you are in root
exit
ls -l ~/.ssh/id_*.pub
# If there are existing keys, you can either use those and skip the next step or backup up the old keys and generate new ones.
# Generate a new 4096 bits SSH key pair with your email address as a comment by typing:
mkdir ~/.ssh
chmod 700 ~/.ssh
ssh-keygen -t rsa -b 4096 -C "[email protected]"
# To verify your new SSH key pair is generated, type:
ls ~/.ssh/id_*
# Copy the Public Key to Ubuntu Server
# Now that you generated your SSH key pair, the next step is to copy the public key to the server you want to manage.
# The easiest and the recommended way to copy your public key to the server is to use a utility called ssh-copy-id.
# On your local machine terminal type:
# ssh-copy-id remote_username@server_ip_address
# If by some reason the ssh-copy-id utility is not available on your local computer, you can use the following command to copy the public key:
cat ~/.ssh/id_rsa.pub | ssh remote_username@server_ip_address "
mkdir -p ~/.ssh
chmod 700 ~/.ssh
cat >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys"
# Disabling the password authentication adds an extra layer of security to your server.
# sed -i "s/.RSAAuthentication./RSAAuthentication yes/g" /etc/ssh/sshd_config
# sed -i "s/.PubkeyAuthentication./PubkeyAuthentication yes/g" /etc/ssh/sshd_config
# sed -i "s/.PasswordAuthentication./PasswordAuthentication no/g" /etc/ssh/sshd_config
# sed -i "s/.AuthorizedKeysFile./AuthorizedKeysFile\t.ssh/authorized_keys/g" /etc/ssh/sshd_config
# sed -i "s/.PermitRootLogin./PermitRootLogin no/g" /etc/ssh/sshd_config
# echo "your_userrname ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
# sudo systemctl restart ssh
# Install on server
sudo apt install --yes dropbear busybox
# Enable and configure
sudo -i
sed -i 's/NO_START=1/NO_START=0/g' /etc/default/dropbear
sed -i 's/DROPBEAR_PORT=22/DROPBEAR_PORT=2222/g' /etc/default/dropbear
sed -i '/BUSYBOX=auto/c\BUSYBOX=y' /etc/initramfs-tools/initramfs.conf
sudo echo "DROPBEAR=y" >> /etc/initramfs-tools/initramfs.conf
m_value='DROPBEAR_OPTIONS="-p 2222 -s -j -k -I 60"'
sudo sed -i "s/.DROPBEAR_OPTIONS./${m_value}/g" /etc/dropbear-initramfs/config
def=$(ip link | awk -F: '$0 !~ "lo|vir|wl|^[^0-9]"{print $2;getline}')
read -e -p "Type the name of your network interface: " -i "$def" IFACE && : ${IFACE:=$defa} && echo "Network interface set to $IFACE" &&
read -e -p "$IFACE address mask (192.168.100.) to install: " -i 192.168.100. IFACEMASK && echo "address mask 1 set to $IFACEMASK"
read -e -p "$IFACE address (${IFACEMASK}10) to install: " -i ${IFACEMASK}10 IFACEADDRESS && echo "address mask 1 set to $IFACEADDRESS"
read -e -p "Gateway for $IFACE (${IFACEMASK}2) : " -i ${IFACEMASK}2 GATEWAYADDRESS && echo "Gateway address set to $GATEWAYADDRESS"
# Create a static IP (or skip this step to use DHCP (but I never use DHCP , not tested that)
# Edit /etc/initramfs-tools/initramfs.conf to add (or change) the line:
cp /etc/initramfs-tools/initramfs.conf /etc/initramfs-tools/initramfs.conf.old
cat > /etc/initramfs-tools/initramfs.conf << EOF
MODULES=most
BUSYBOX=y
DROPBEAR=y
COMPCACHE_SIZE=""
COMPRESS=lz4
DEVICE=${IFACE}
IP=${IFACEADDRESS}::${GATEWAYADDRESS}:255.255.255.0::${IFACE}:off
NFSROOT=auto
RUNSIZE=10%
EOF
# The initramfs static IP configuration will cause the Ubuntu server to freeze for some time during the boot process.
# To overcome this problem, down the network adapter after the initramfs.
# Edit the /usr/share/initramfs-tools/scripts/init-bottom/dropbear
echo "ifconfig ${IFACE} 0.0.0.0 down" >> /usr/share/initramfs-tools/scripts/init-bottom/dropbear
# Generate our keys, convert the openssh key to dropbear format, and
# copy all of the files into /etc/dropbear-initramfs where they belong.
# not in sudo
cd ~/.ssh
dropbearkey -t dss -f dropbear_dss_host_key dropbearkey -t rsa -f dropbear_rsa_host_key
dropbearkey -t rsa -f id_rsa.dropbear
/usr/lib/dropbear/dropbearconvert dropbear openssh id_rsa.dropbear id_rsa touch id_rsa.pub
dropbearkey -y -f id_rsa.dropbear | grep "^ssh-rsa " > id_rsa.pub
touch authorized_keys
cat id_rsa.pub >> authorized_keys
sudo cp dropbear_* /etc/dropbear-initramfs/
sudo cp id_* /etc/dropbear-initramfs/
sudo cp authorized_keys /etc/dropbear-initramfs/
# Note, if you don’t HAVE a /etc/dropbear-initramfs folder, do the following:
# sudo mkdir /etc/initramfs-tools/root
# sudo mkdir /etc/initramfs-tools/root/.ssh
# sudo cp dropbear_* /etc/initramfs-tools/root/.ssh/
sudo cp id_* /etc/initramfs-tools/root/.ssh/
# sudo cp authorized_keys /etc/initramfs-tools/root/.ssh/
# Create the crypt_unlock script
# /etc/initramfs-tools/hooks/crypt_unlock.sh
sudo -i
cat > /usr/share/initramfs-tools/hooks/crypt_unlock.sh << EOFD
#!/bin/sh PREREQ="dropbear"
prereqs() { echo "$PREREQ" }
case "$1" in prereqs) prereqs exit 0 ;; esac
. "${CONFDIR}/initramfs.conf"
. /usr/share/initramfs-tools/hook-functions
if [ "${DROPBEAR}" != "n" ] && [ -r "/etc/zfs" ] ; then
cat > "${DESTDIR}/bin/unlock" << EOF
#!/bin/sh
if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot; then
/sbin/zfs load-key -a
# rpool/root
# your zpool name and root zfs name and the mountpoint
mount -o zfsutil -t zfs rpool/root /
kill `ps | grep zfs | grep -v "grep" | awk '{print $1}'`
kill `ps | grep plymouth | grep -v "grep" | awk '{print $1}'`
kill `ps | grep cryptroot | grep -v "grep" | awk '{print $1}'`
# following line kill the remote shell right after the passphrase has been entered.
kill -9 `ps | grep "-sh" | grep -v "grep" | awk '{print $1}'`
exit 0
fi
exit 1
EOF
chmod 755 "${DESTDIR}/bin/unlock"
mkdir -p "${DESTDIR}/lib/unlock"
cat > "${DESTDIR}/lib/unlock/plymouth" << EOF
#!/bin/sh
[ "$1" == "--ping" ] && exit 1
/bin/plymouth "$@"
EOF
chmod 755 "${DESTDIR}/lib/unlock/plymouth"
echo To unlock root-partition run "unlock" >> ${DESTDIR}/etc/motd
fi
chmod 755 "${DESTDIR}/lib/unlock/plymouth"
echo To unlock root-partition run "unlock" >> ${DESTDIR}/etc/motd
fi
EOFD
chmod +x /usr/share/initramfs-tools/hooks/crypt_unlock.sh
update-initramfs -u -k all
update-grub
# Copy the ssh keys. Note: Password logins for root is disabled by default dropbear configuration.
# sudo cp /etc/initramfs-tools/root/.ssh/id_rsa ~/.ssh/id_rsa_dropbear
# this is a right place
sudo cp /etc/dropbear-initramfs/id_rsa ~/.ssh/id_rsa_dropbear
USER=your_username
sudo chown $USER:$USER ~/.ssh/id_rsa_dropbear
# Copy the id_rsa_dropbear
# For real world setup, you should already generated your personal key.
# With that, just append your public key to the dropbear’s
# /etc/initramfs-tools/root/.ssh/authorized_keys
sudo -i cat /home/$USER/.ssh/id_rsa.pub >> /etc/dropbear-initramfs/authorized_keys
# Disable dropbear on your booted system.
# sudo update-rc.d dropbear disable
systemctl disable dropbear
KERNEL=ls /usr/lib/modules/ | cut -d/ -f1 | sed 's/linux-image-//'
update-initramfs -u -k $KERNEL
# update-initramfs -u -k all
update-grub
# How to Convert OpenSSH keys to Putty (.ppk) on Linux
sudo apt install -y putty-tools
puttygen keyname -o keyname.ppk
# for example
cd /home/username/.ssh
puttygen id_rsa_dropbear -o drop.ppk
# COPY DROPBEAR SSH KEY
scp server:/home/username/id_rsa ~/.ssh/id_rsa_server # on client
scp server:/home/username/drop.ppk ~/.ssh/id_rsa_dropbear_server # on client
# You need the drop.ppk key the remote unlock operation
# CONNECT TO SERVER in boot process