之前使用preseed安装ubuntu luks全盘加密,这样每次重启系统都要通过vnc输入密码,可以将dropbear添加到initramfs,通过ssh解锁要方便很多。
安装dropbear-initramfs:
1 | apt install dropbear-initramfs |
安装时会提示:
1 | dropbear: WARNING: Invalid authorized_keys file, remote unlocking of cryptroot via SSH won't work! |
因为生成initramfs时要包含/etc/dropbear-initramfs/authorized_keys,复制ssh验证密钥:
1 2 3 4 | #本地执行 ssh-copy-id root@www.haiyun.me #远程执行 cp -p ~/.ssh/authorized_keys /etc/dropbear-initramfs/ |
修改dropbear ssh端口:
1 | echo 'DROPBEAR_OPTIONS="-p 2222"' >> /etc/dropbear-initramfs/config |
配置initramfs ip:
1 2 | #IP="${ip_address}::${gateway_ip}:${netmask}:${optional_fqdn}:${interface_name}:${auto_config}:${name_server} echo 'IP=192.168.1.2::192.168.1.1:255.255.255.0::eth0:none:1.1.1.1' >> /etc/initramfs-tools/initramfs .conf |
ip配置也可添加到grub启动参数:
1 | GRUB_CMDLINE_LINUX="ip=192.168.1.2::192.168.1.1:255.255.255.0::eth0:none:1.1.1.1" |
可选修改cryptroot-unlock解锁程序通过参数输入加密密码:
1 2 3 | sed -i '/^set/i if [ ! -n "\$1" ] ; then echo "use cryptroot-unlock password";exit;fi' /usr/share/cryptsetup/initramfs/bin/cryptroot-unlock sed -i 's/read -rs/#read -rs/' /usr/share/cryptsetup/initramfs/bin/cryptroot-unlock sed -i 's/\$REPLY/\$1/' /usr/share/cryptsetup/initramfs/bin/cryptroot-unlock |
重新生成initramfs:
1 | update-initramfs -u -k all |
重启后通过ssh连接执行解锁luks:
1 | cryptroot-unlock password |
虽然/usr/share/initramfs-tools/scripts/init-bottom/dropbear有包含解锁luks后删除ip信息,但是启动后还是包含在initramfs内配置的ip信息,使用ubuntu在配置网络前清除ip信息:
1 | sed -i '/iface eth0/a pre-up ip addr flush dev eth0' /etc/network/interfaces |
20240325更新,debian12新版本ssh不能登录,提示:
1 2 3 4 | debug1: Offering public key: /dev/shm/id_rsa RSA SHA256:xxxxx explicit debug1: send_pubkey_test: no mutual signature algorithm debug1: No more authentication methods to try. root@www.haiyun.me: Permission denied (publickey). |
添加ssh配置:
1 2 3 4 | cat .ssh/config Host * PubkeyAcceptedKeyTypes=+ssh-rsa HostKeyAlgorithms=+ssh-rsa |
使用php调用expect ssh远程自动解锁luks:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 | <?php ini_set ( "expect.timeout" , 5); ini_set ( "expect.loguser" , "off" ); $host = "www.haiyun.me" ; $port = 22; $pass = "xxxxxx" ; $stream = expect_popen( "ssh -o StrictHostKeyChecking=no -p {$port} root@{$host}" ); $cases = array ( array ( "password:" , "pass" ), array ( "Enter 'help'" , "shell" ), array ( "Please unlock disk" , "unlock" ), array ( "set up successfully" , "sus" ), array ( "Permission denied" , "den" ), array ( "cryptsetup failed" , "fai" ) ); while (true) { switch (expect_expectl( $stream , $cases )) { case "den" : echo 'Permission denied' .PHP_EOL; break 2; case "pass" : fwrite( $stream , "password\n" ); break ; case "shell" : fwrite( $stream , "/usr/bin/cryptroot-unlock\n" ); //fwrite($stream, "/usr/bin/cryptroot-unlock {$pass}\n"); break ; case "unlock" : fwrite( $stream , "{$pass}\n" ); break ; case "fai" : echo 'unlock failed, bad password or options?' .PHP_EOL; break 2; case "sus" : echo 'unlock sus' .PHP_EOL; break 2; case EXP_TIMEOUT: echo 'timeout' .PHP_EOL; break 2; case EXP_EOF: echo 'eof' .PHP_EOL; break 2; default : die ( "Error has occurred!" ); } } fclose ( $stream ); |
php调用ssh2扩展远程解锁luks加密:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 | <?php $host = 'www.haiyun.me' ; $port = 2222; $pass = 'xxxx' ; if (!( $conn = ssh2_connect( $host , $port , array ( 'hostkey' => 'ssh-rsa' )))) { die ( "conn fail\n" ); } //注意路径不要使用~/.ssh/id_rsa.pub,会遇到段错误和其它莫名其妙的问题 if (ssh2_auth_pubkey_file( $conn , 'root' , '/root/.ssh/id_rsa.pub' , '/root/.ssh/id_rsa' )) { echo "auth sus\n" ; } else { die ( "auth fail\n" ); } function expect( $stream , $match ) { $time = time(); $res = '' ; while (! feof ( $stream )){ //if (($buffer = fgets($stream, 4096)) !== false) { if (( $buffer = fread ( $stream , 4096)) !== false) { $res .= $buffer ; } if ( stristr ( $res , $match )) { return 'sus' ; } $now = time(); if (( $now - $time ) >= 10) { return 'timeout' ; } usleep(100); } return 'disconnect' ; } $shell =ssh2_shell( $conn , 'xterm' ); fwrite( $shell , "/usr/bin/cryptroot-unlock\n" ); $res = expect( $shell , 'Please unlock disk' ); if ( $res == 'sus' ) { fwrite( $shell , "{$pass}\n" ); $res = expect( $shell , 'set up successfully' ); if ( $res == 'sus' ) { } var_dump( $res ); } |
发现的问题:此方法在ubuntu20.04使用编译的4.14内核bbrplus下导致系统启动很慢,5.4及5.10内核测试正常。
另外一种通过dracut生成initramfs调用openssh解锁luks的方法:
https://github.com/gsauthof/dracut-sshd
参考:
https://hamy.io/post/0009/how-to-install-luks-encrypted-ubuntu-18.04.x-server-and-enable-remote-unlocking/