之前使用preseed安装ubuntu luks全盘加密,这样每次重启系统都要通过vnc输入密码,可以将dropbear添加到initramfs,通过ssh解锁要方便很多。
安装dropbear-initramfs:
1 | apt install dropbear-initramfs |
安装时会提示:
1 | dropbear: WARNING: Invalid authorized_keys file, remote unlocking of cryptroot via SSH won't work! |
因为生成initramfs时要包含/etc/dropbear-initramfs/authorized_keys,复制ssh验证密钥:
1 2 3 4 | #本地执行ssh-copy-id root@www.haiyun.me#远程执行cp -p ~/.ssh/authorized_keys /etc/dropbear-initramfs/ |
修改dropbear ssh端口:
1 | echo 'DROPBEAR_OPTIONS="-p 2222"' >> /etc/dropbear-initramfs/config |
配置initramfs ip:
1 2 | #IP="${ip_address}::${gateway_ip}:${netmask}:${optional_fqdn}:${interface_name}:${auto_config}:${name_server}echo 'IP=192.168.1.2::192.168.1.1:255.255.255.0::eth0:none:1.1.1.1' >> /etc/initramfs-tools/initramfs.conf |
ip配置也可添加到grub启动参数:
1 | GRUB_CMDLINE_LINUX="ip=192.168.1.2::192.168.1.1:255.255.255.0::eth0:none:1.1.1.1" |
可选修改cryptroot-unlock解锁程序通过参数输入加密密码:
1 2 3 | sed -i '/^set/i if [ ! -n "\$1" ] ; then echo "use cryptroot-unlock password";exit;fi' /usr/share/cryptsetup/initramfs/bin/cryptroot-unlocksed -i 's/read -rs/#read -rs/' /usr/share/cryptsetup/initramfs/bin/cryptroot-unlocksed -i 's/\$REPLY/\$1/' /usr/share/cryptsetup/initramfs/bin/cryptroot-unlock |
重新生成initramfs:
1 | update-initramfs -u -k all |
重启后通过ssh连接执行解锁luks:
1 | cryptroot-unlock password |
虽然/usr/share/initramfs-tools/scripts/init-bottom/dropbear有包含解锁luks后删除ip信息,但是启动后还是包含在initramfs内配置的ip信息,使用ubuntu在配置网络前清除ip信息:
1 | sed -i '/iface eth0/a pre-up ip addr flush dev eth0' /etc/network/interfaces |
20240325更新,debian12新版本ssh不能登录,提示:
1 2 3 4 | debug1: Offering public key: /dev/shm/id_rsa RSA SHA256:xxxxx explicit debug1: send_pubkey_test: no mutual signature algorithm debug1: No more authentication methods to try. root@www.haiyun.me: Permission denied (publickey). |
添加ssh配置:
1 2 3 4 | cat .ssh/config Host * PubkeyAcceptedKeyTypes=+ssh-rsa HostKeyAlgorithms=+ssh-rsa |
使用php调用expect ssh远程自动解锁luks:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 | <?phpini_set("expect.timeout", 5);ini_set("expect.loguser", "off");$host = "www.haiyun.me";$port = 22;$pass = "xxxxxx";$stream = expect_popen("ssh -o StrictHostKeyChecking=no -p {$port} root@{$host}");$cases = array( array("password:", "pass"), array("Enter 'help'", "shell"), array("Please unlock disk", "unlock"), array("set up successfully", "sus"), array("Permission denied", "den"), array("cryptsetup failed", "fai"));while (true) { switch (expect_expectl($stream, $cases)) { case "den": echo 'Permission denied'.PHP_EOL; break 2; case "pass": fwrite($stream, "password\n"); break; case "shell": fwrite($stream, "/usr/bin/cryptroot-unlock\n"); //fwrite($stream, "/usr/bin/cryptroot-unlock {$pass}\n"); break; case "unlock": fwrite($stream, "{$pass}\n"); break; case "fai": echo 'unlock failed, bad password or options?'.PHP_EOL; break 2; case "sus": echo 'unlock sus'.PHP_EOL; break 2; case EXP_TIMEOUT: echo 'timeout'.PHP_EOL; break 2; case EXP_EOF: echo 'eof'.PHP_EOL; break 2; default: die("Error has occurred!"); }}fclose ($stream); |
php调用ssh2扩展远程解锁luks加密:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 | <?php$host = 'www.haiyun.me';$port = 2222;$pass = 'xxxx';if (!($conn = ssh2_connect($host, $port, array('hostkey'=>'ssh-rsa')))) { die("conn fail\n");}//注意路径不要使用~/.ssh/id_rsa.pub,会遇到段错误和其它莫名其妙的问题if (ssh2_auth_pubkey_file($conn, 'root', '/root/.ssh/id_rsa.pub', '/root/.ssh/id_rsa')) { echo "auth sus\n";} else { die("auth fail\n");}function expect($stream, $match) { $time = time(); $res = ''; while(!feof($stream)){ //if (($buffer = fgets($stream, 4096)) !== false) { if (($buffer = fread($stream, 4096)) !== false) { $res .= $buffer; } if (stristr($res, $match)) { return 'sus'; } $now = time(); if (($now - $time) >= 10) { return 'timeout'; } usleep(100); } return 'disconnect';} $shell=ssh2_shell($conn, 'xterm');fwrite($shell, "/usr/bin/cryptroot-unlock\n");$res = expect($shell, 'Please unlock disk');if ($res == 'sus') { fwrite($shell, "{$pass}\n"); $res = expect($shell, 'set up successfully'); if ($res == 'sus') { } var_dump($res);} |
发现的问题:此方法在ubuntu20.04使用编译的4.14内核bbrplus下导致系统启动很慢,5.4及5.10内核测试正常。
另外一种通过dracut生成initramfs调用openssh解锁luks的方法:
https://github.com/gsauthof/dracut-sshd
参考:
https://hamy.io/post/0009/how-to-install-luks-encrypted-ubuntu-18.04.x-server-and-enable-remote-unlocking/
